During a DDoS attack, I found a large number of HTTP requests in my logs carrying the query parameter “_sm_byp=”. However, this parameter is not native to my app.
_sm_byp=
Modified examples:
https://www.example.com:443/manifest.json?_sm_byp=iVVt9H5dRMP8Lb3F
https://www.example.com:443/test.html?_sm_byp=iVVc8ZT1kQFvX6Nr
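A small log-scanning check for this parameter, added here as an example that is not part of the original post: it assumes Apache/nginx combined log format, runs over constructed sample lines (the token values are made up), and reports which client IPs sent requests carrying _sm_byp, so the volume per source can be compared before deciding on blocking.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (an assumption about the log format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; IPs are documentation ranges and token values are made up.
SAMPLE_LOG = """\
203.0.113.10 - - [30/Apr/2024:10:00:01 +0000] "GET /manifest.json?_sm_byp=iVVt9H5dRMP8Lb3F HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Apr/2024:10:00:02 +0000] "GET /test.html?_sm_byp=iVVc8ZT1kQFvX6Nr HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Apr/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.55 - - [30/Apr/2024:10:00:04 +0000] "GET /api/v1/items?id=42&_sm_byp=aBcDeFgHiJkLmNoP HTTP/1.1" 200 300 "-" "curl/8.0"
this line is not a log entry
"""

MARKER_PARAM = "_sm_byp"

def has_marker(target: str) -> bool:
    """True if the request target carries the _sm_byp query parameter (even with an empty value)."""
    query = urlsplit(target).query
    return MARKER_PARAM in parse_qs(query, keep_blank_values=True)

def scan_log(text: str) -> dict:
    """Count parsed requests, those carrying the marker, and marked requests per client IP."""
    per_ip = Counter()
    total = marked = unparsed = 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1  # keep a count so a format mismatch is visible, not silent
            continue
        total += 1
        if has_marker(m["target"]):
            marked += 1
            per_ip[m["ip"]] += 1
    return {"total": total, "marked": marked, "unparsed": unparsed, "per_ip": dict(per_ip)}

if __name__ == "__main__":
    summary = scan_log(SAMPLE_LOG)
    print(f"{summary['marked']}/{summary['total']} requests carry {MARKER_PARAM} "
          f"({summary['unparsed']} unparsed lines)")
    for ip, n in sorted(summary["per_ip"].items(), key=lambda kv: -kv[1]):
        print(f"  {ip}: {n}")
```

To run it on a real access log, pass the file contents to scan_log instead of SAMPLE_LOG; a non-zero unparsed count means the regex does not match your log format.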
After some research on the internet, it seems that this parameter is related to a product from Zscaler. I do not understand how Zscaler uses it, but this makes sense, as the DDoS attack I analyzed originated largely from Zscaler networks.
I am not sure if Zscaler is generally known for that kind of attack traffic. Interestingly, Zscaler is an IT security company that describes itself in this way:
Zscaler is universally recognized as the leader in zero trust. Leveraging the largest security cloud on the planet, Zscaler anticipates, secures, and simplifies the experience of doing business for the world’s most established companies.
https://www.zscaler.com/ (2024-04-30)
In my case I took measures to prevent Zscaler from being used as an attack vector by blocking these two ASNs:
AS53813 ZSCALER-INC
AS62044 Zscaler Switzerland GmbH