Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

D0z.me — the Evil URL Shortener

Soulskill posted more than 2 years ago | from the has-its-own-goatee dept.

Security 116

supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."

cancel ×

116 comments

Sorry! There are no comments related to the filter you selected.

I Don't Need To Do Anything? (4, Funny)

WrongSizeGlass (838941) | more than 2 years ago | (#34622224)

Dr Zoidberg: Hurray! I can do no less!!

Re:I Don't Need To Do Anything? (0)

Anonymous Coward | more than 2 years ago | (#34622408)

Zoidberg never said that!

Re:I Don't Need To Do Anything? (0)

Anonymous Coward | more than 2 years ago | (#34622434)

Join me or die! Can you do any less?

Re:I Don't Need To Do Anything? (-1)

Anonymous Coward | more than 2 years ago | (#34622566)

Once again the conservative sandwich-heavy portfolio pays of for the hungry investor!

Re:I Don't Need To Do Anything? (1)

eugene ts wong (231154) | more than 2 years ago | (#34622908)

That doesn't make me happy. I want to do less than nothing.

Re:I Don't Need To Do Anything? (1)

ldobehardcore (1738858) | more than 3 years ago | (#34622986)

Dr. Zoidberg: What a Captain! I'd follow that man to hell and back I would!

Since its a redirect... (1)

Haedrian (1676506) | more than 2 years ago | (#34622238)

Wouldn't it be possible for an admin to simply block all traffic which came from that website?

Re:Since its a redirect... (1)

Stregano (1285764) | more than 2 years ago | (#34622246)

Unless that website is tied into a full on botnet

Re:Since its a redirect... (4, Informative)

Hatta (162192) | more than 2 years ago | (#34622260)

No. If you visit the site, it loads javascript on your machine which does the DDOS from your machine. It's not a proxy.

Re:Since its a redirect... (1)

increment1 (1722312) | more than 2 years ago | (#34622336)

The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers). A DDOS like this would then work well in the short term, but fall apart completely once the site operators were in touch with the upstream providers.

Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.

Re:Since its a redirect... (3, Informative)

Monkeedude1212 (1560403) | more than 2 years ago | (#34622398)

Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.

Thats where you're wrong. Hooray for iFrames!

Re:Since its a redirect... (1)

increment1 (1722312) | more than 2 years ago | (#34622582)

I have not checked how d0z.me invokes its targets since I do not plan on loading that site from work, but if it is via an IFrame, then there will be a referrer, at least in all of the web browsers that I am familiar with (excluding browsers that allow you to disable the referrer).

Re:Since its a redirect... (1)

increment1 (1722312) | more than 2 years ago | (#34622662)

Scratch that, IFrames don't send the framing page as a referrer, at least in the tests I just tried.

Re:Since its a redirect... (3, Informative)

tdobson (1391501) | more than 2 years ago | (#34622862)

this is how it shows up in my apache logs:

r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:08 +0000] "GET /?v=1292886248174 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"
r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:11 +0000] "GET /?v=1292886251634 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"

Re:Since its a redirect... (3, Interesting)

mwvdlee (775178) | more than 3 years ago | (#34625918)

So this bit in .htaccess should suffice to alleviate the DDoS attack?

RewriteEngine on
RewriteCond %{HTTP_REFERER} d0z\.me [NC]
RewriteRule .* - [F]

Re:Since its a redirect... (1)

jimicus (737525) | more than 3 years ago | (#34626970)

Not really. It'll help if the weak point is dynamic content being generated by your own app, but if the weak point is anywhere else (eg. your link to the Internet), it'll achieve precisely nothing.

Re:Since its a redirect... (1)

somersault (912633) | more than 2 years ago | (#34622430)

So spoof it?

Re:Since its a redirect... (2)

spazdor (902907) | more than 2 years ago | (#34622488)

The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers)

This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do. Filtering at the site itself would be ineffectual; by the time the HTTP request has been examined and discarded, it's already done its job, jamming up the internet connection feeding that server.

Re:Since its a redirect... (1)

tlhIngan (30335) | more than 2 years ago | (#34622936)

This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do.

Really? I think the other day there was articles about charging per site based on DPI. And years ago ISPs ues DPI to throttle Bittorrent traffic. And others uses it to swap out ads and stuff.

No, it's not expensive, and most ISPs probably already have the equipment already. It's just that it's not making the ISP any potential profit.

The technology exists. It's in use right now. It could be used to do good, but so far, it's used to chase the almighty dollar instead.

Re:Since its a redirect... (0)

icebike (68054) | more than 3 years ago | (#34623234)

You could easily block this at the DNS level.

I think OpenDNS allows you to do this if you don't run your own DNS system. If you do run your own DNS system, you would handle this in house redirecting the host to 127.0.0.1 or something.

Simply block doz.me (or all of .me if you wish).
If your users can't get there, they can't get the iframe back.

Re:Since its a redirect... (2)

socsoc (1116769) | more than 3 years ago | (#34623678)

Sure, there are multiple ways to prevent your users from accessing the site. What about when the rest of the world is loading it against your machines?

Re:Since its a redirect... (4, Insightful)

icebike (68054) | more than 3 years ago | (#34623746)

Well, like any other DDOS, you are screwed. Your ISP won't even help you if you are just a small fry, figuring anything you did to piss that many people off is your own damn fault.

If you are a big customer, and the traffic generated by the DDOS is easily distinguishable from normal traffic (does not look like legitimate web hits) they might help.

It really is amazing that after all these years, there is no DDOS defense.

Re:Since its a redirect... (3, Interesting)

uolamer (957159) | more than 3 years ago | (#34624846)

I used similar methods to this to take down multiple ISPs back in the mid-late 90s. When you have enough traffic, you can pretty much choose what their browser does in the background and take down smaller ISPs... Thousands of unsuspecting website visitors all day long trying to load the biggest file I could link to on their server as an image 1x1 pixel or background to some table with a question mark and random trash at the end to cut down on caching. What worked even better once was using their own terrible high cpu usage cgi programming as the 1x1 pixel, that way their cpu was maxed out. It is funny what one pissed off kid can do to a whole ISP or site... Those were the days.

Of course this relies on them not being smart enough to remove the file, add simple apache lines in the config to block referral, etc. Last place that tried something similar to one of my servers had the attack redirected back to them using the apache config and redirects. It did slow my sever a tiny bit but theirs just stopped..

Re:Since its a redirect... (0)

Anonymous Coward | more than 3 years ago | (#34627144)

Well aren't you just the coolest, most leet person on here today.

Props to winning today's Kiddie award. Don't redirects any traffics back to meees!

Re:Since its a redirect... (0)

Anonymous Coward | more than 3 years ago | (#34626064)

There is one, it's called disconnect.

Re:Since its a redirect... (1)

i8degrees (410294) | more than 3 years ago | (#34627686)

In fact, OpenDNS does block this very web site at the DNS level, without bothering to ask the end user beforehand. When I go to d0z.me, I get the following message:

This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

If you think this shouldn't be blocked, please email us at contact@opendns.com.

Re:Since its a redirect... (1)

Tim the Gecko (745081) | more than 3 years ago | (#34627782)

Simply block doz.me (or all of .me if you wish).

All of .me, simply block all of .me,

Can't you see I'm no good without .yu?

Re:Since its a redirect... (3, Insightful)

Anonymous Coward | more than 2 years ago | (#34622404)

"loads javascript ... which does the DDOS"

And as I keep trying to explain to my friends, letting Some Random Website run whatever random shit on your machine is simply **idiotic**. Really, there's no other way to describe it. It's as idiotic as letting a crack gang have the run of your apartment. You have to be almost wilfully ignorant to not see the issues with the "run anything from anywhere without having the slightest damn idea what it's for" model of security.

I'm sure this is an amazing coincidence, but they're the ones always getting malware, and I never do. They complain about the malware, but show no inclination to listen to me why I try to explain the ways they are getting jacked.

Re:Since its a redirect... (1)

Anonymous Coward | more than 2 years ago | (#34622708)

letting Some Random Website run whatever random shit on your machine is simply **idiotic**.

As much as I try to give people the benefit of the doubt, I have to agree on this point. The only problem is that there are all of these legitimate websites that have jillions of scripts running, and if you turn them off, the website breaks. You could be on a legitimate website that's running a bunch of completely benign scripts (say, slashdot trying to update the news feed), and buried somewhere in the mess is a malicious script that's doing a DDoS or whatever. Now, for most slashdotters, it's trivial to install NoScript and narrow it down to only stuff that's running from websites you trust, but for the unwashed masses, they have no idea how to do that, or even that they need to.

It's a combination of users who refuse to learn internet safety and websites that splatter scripts all over the place, providing cover for stuff like this. But ya, if people would be suspicious of what they run instead of having the attitude "oh hey, a script, let's run it and see what it does!" Okay, maybe not the same thing, but the principle remains.

As far as how to block this type of attack? Well, it seems to me it may be a short-lived attack. It's sort of dependent on how many people just *happen* to leave their internet browsers open on just the right page for long periods of time. How many would that be? To be quite honest, I have no idea. I would suspect that they would make some kind of attraction to do just that (stock ticker, for one). However, any of those ideas would need to have some kind of refresh. Blocking the website would make the user say something like, "oh, it must be down, I'll come back later". On the other hand, it would be trivial to have the web page try the original site first, and then refresh from a preconfigured fallback page instead if that one gets blocked. I think if someone got hold of the original web page, however, it would also be trivial to figure out what the new one is from that.

Not sure how that would pan out.

Re:Since its a redirect... (1)

Captain Hook (923766) | more than 3 years ago | (#34626554)

it seems to me it may be a short-lived attack. It's sort of dependent on how many people just *happen* to leave their internet browsers open on just the right page for long periods of time. How many would that be?

Since the attack is being run by the top level page, and the page the user is looking at is in an iframe, wouldn't following most links in the iframe loaded page just load the new page in the iframe as well. i.e. the frameset page is still in the background running the attack even after the user has moved away from the original URL shorten link.

To break out of it, the user would have to either type an address in the address bar, or follow a bookmark, or restart the browser.

Re:Since its a redirect... (1)

MichaelSmith (789609) | more than 3 years ago | (#34623978)

letting Some Random Website run whatever random shit on your machine is simply **idiotic**

Java applets originally only permitted socket connections to the host they were loaded from. I believe security is more fine grained now. Thats far better than the approach which seems to work with javascript.

Re:Since its a redirect... (1)

jimicus (737525) | more than 3 years ago | (#34626964)

Absolutely right, and something I've been thinking a bit about lately.

Even if you succeed in telling people not to click on every silly little advert and run random software that you don't really need, most web browsers these days save them the trouble. It's not stupid, it's downright insanity. You've got an application which - by design - downloads and executes code from random locations with more-or-less zero oversight.

Re:Since its a redirect... (0)

Anonymous Coward | more than 3 years ago | (#34623784)

What are you talking about? And +4 Insightful?! Isn't /. supposed to be populated largely by IT people?

The answer is yes, if your admin blocks the site you never reach D0z.me, so you never load any javascript or participate in the DDOS attack. Blocked is blocked.

Jebus people, c'mon now.

Re:Since its a redirect... (0)

Anonymous Coward | more than 3 years ago | (#34626222)

But legitimate browsers still send the Referer [wikipedia.org] , don't they?

Re:Since its a redirect... (1)

caluml (551744) | more than 2 years ago | (#34622264)

No, because the traffic comes from the visitors' browsers.

Re:Since its a redirect... (1)

dwarfsoft (461760) | more than 2 years ago | (#34622274)

Depends if the DDoS comes from the client or the server. The way I read it the redirect page opens in an iFrame but the JS runs on the client in the background DDoSing whichever target(s).

Re:Since its a redirect... (1)

beakerMeep (716990) | more than 2 years ago | (#34622442)

Can JS make an HTTP request without sending the referrer?

Re:Since its a redirect... (5, Informative)

TheRaven64 (641858) | more than 2 years ago | (#34622468)

The JS can create and destroy iframes pointed at the site. The browser will then load the site into the iframe, but the security model prevents the referrer field from being present in the iframe to avoid leaking sensitive information (for example, if you load adverts into an iframe while you have a URL with a session ID in it). If this isn't the default, then a silent redirect of the outer frame to an HTTPS URL will do it (aside from a recently-fixed bug in Safari, referrer is not provided to an HTTP URL when it is an HTTPS URL).

Re:Since its a redirect... (1)

beakerMeep (716990) | more than 2 years ago | (#34622644)

Ah I see, thanks. Seems the real culprit here is iframes. Sometimes I wonder if they cause more harm than good. But really i guess it's hidden iframes causing the problem? Guess I'm just wondering what's the solution here. Should iframes send a limited header with just a domain name? Should they be removed? Are they really necessary? Or should there be a minimum size that can't be covered with other content or made visible? This is a pretty clever hack I'll have to admit.

Re:Since its a redirect... (1)

Vectormatic (1759674) | more than 3 years ago | (#34625800)

any of these in-browser security checks on iframe would require users to run a well-maintained frequently updated browser to have any effect within a few years, guess what browser most people still use?

I have to say this is quite a cool attack, and even without iframes you can still use any javascript running client to do a DOS attack using simple ajax style code, the real problem here, as pointed out before, is that the internet evolved into a place where running 3rd party code on your own machine without any validation is the norm (and thus breaks many legit sites when it you disable it)

Re:Since its a redirect... (1)

FunnyLookinHat (718270) | more than 2 years ago | (#34622296)

No... if you check out what it does, it uses Javascript to have YOUR computer request random files from whatever the target site is - so you would have to block all legitimate browser traffic.

Re:Since its a redirect... (0)

Anonymous Coward | more than 2 years ago | (#34622540)

Yep... and despite things like this DDOS, and near weekly stories of local exploits and drive-by malware downloads, people STILL persist in running unknown scripts from completely unknown sites.

Go figure. Apparently even after the virtual equivalent of getting hit *repeatedly* in the face, nobody is interested in ducking or not walking through that same door any more. They'll keep complaining though, as if the next time is somehow a surprise.

*Walk through door marked JS* -> *WHACK* -> *Ouch!*
*Walk through door marked JS* -> *WHACK* -> *Ouch!*
*Walk through door marked JS* -> *WHACK* -> *Ouch!*
[repeat a few hundred more times]

At what point do you learn to avoid that particular door? Or at least frickin' duck next time?

Re:Since its a redirect... (1)

camperdave (969942) | more than 3 years ago | (#34623208)

Thing is... It's never marked, and the *WHACK*->*Ouch!* is missing most of the time, so it's like:
Visit website. Click link. Music plays.
Visit website. Click link. Document displayed.
Visit website. Click link. Document displayed. [JS malware loaded]
Visit website. Click link. Music plays.
Visit website. Click link. Funny video clip plays.[JS malware loaded]
Visit website. Click link. Funny video clip plays.

Next day: Visit website. Click link. Sudoku game.
Visit website. Click link. [JS malware loaded]
Visit website. Click link. Funny video clip plays.
[JS Malware loads more malware]
Visit website. Click link. Funny video clip plays.
Hmm... system seems slower.
Visit website. Click link. Sudoku game.
Visit website. Click link. Music plays.
Visit website. Click link. Funny video clip plays.[JS malware loaded]

Next day: Visit website. Click link. Sudoku game.
Visit website. Click link. Music plays.
Virus scan runs: 3 malicious programs found. Delete? (Y/n)
WTF?... Y
Virus scan runs: No malicious programs found.
[JS Malware loads more malware]
Visit website. Click link. Sudoku game.
Visit website. Click link. Music plays.

Re:Since its a redirect... (1)

PatPending (953482) | more than 2 years ago | (#34622364)

From his "Mitigation" section:

The HTML5 CORS attack, according to A&RL's research, can be blocked if your server doesn't allow cross origin requests by making a rule in your WAF that blocks all requests with Origin in the headers. However, given enough people doing this attack, it could become overwhelmed regardless.

Re:Since its a redirect... (1)

John Hasler (414242) | more than 2 years ago | (#34622458)

So what legitimate reason is there for CORS to exist?

Am I doing it right? (5, Funny)

Shikaku (1129753) | more than 2 years ago | (#34622248)

Re:Am I doing it right? (2)

Shikaku (1129753) | more than 2 years ago | (#34622270)

Holy shit, it's working all 4 of my cores just visiting the link. Nice, it has worker threads in it.

Re:Am I doing it right? (1)

FunnyLookinHat (718270) | more than 2 years ago | (#34622312)

And.... that site is down!

Re:Am I doing it right? (0)

Anonymous Coward | more than 2 years ago | (#34622828)

This is what we call ... "slashdotting"!

Re:Am I doing it right? (1)

Anonymous Coward | more than 2 years ago | (#34622858)

Nice to know malware is more capably programmed than almost all else.

Re:Am I doing it right? (0)

Anonymous Coward | more than 2 years ago | (#34622348)

what website is this DoSing?

Re:Am I doing it right? (3, Informative)

Shikaku (1129753) | more than 2 years ago | (#34622362)

http://d0z.me/ [d0z.me]

Re:Am I doing it right? (0)

Anonymous Coward | more than 2 years ago | (#34622486)

Nope, the IMG url is wrong. It's apparently their fault, though. The site doesn't work:

Has a superfluous http://

Re:Am I doing it right? (2)

cbhacking (979169) | more than 3 years ago | (#34623056)

Not quite. Knowing what the site does, I probably wouldn't click that URL. Try something like http://bit.ly/eaHU1C [bit.ly] instead.

Re:Am I doing it right? (1)

he-sk (103163) | more than 3 years ago | (#34624628)

curl http://bit.ly/eaHU1C [bit.ly]

I see what you did there. Interestingly, the author mentions that bigger url shorteners such as bit.ly offer more trust than your mom-and-pop url shortener. Kinda disproves his point entirely. Also, e.g. on Twitter, if you mouse over a shortened URL it displays the target as a tooltip. (But which Twitter user is patient enough to wait?)

Re:Am I doing it right? (1)

perryizgr8 (1370173) | more than 3 years ago | (#34624798)

no, it was meant to be used against a website not a user.

Plausible deniability (0)

Anonymous Coward | more than 2 years ago | (#34622278)

This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault.in the assault.

You'd still have to explain why you enabled Javascript.

Re:Plausible deniability (1)

monkyyy (1901940) | more than 2 years ago | (#34622460)

most people wouldnt know

Re:Plausible deniability (0)

Anonymous Coward | more than 3 years ago | (#34623162)

Because 99.9999% of people using javascript by default won't give you plausible deniability?

The joy of being a programmer... (1)

Stregano (1285764) | more than 2 years ago | (#34622284)

...we talk about our techniques for doing all of our fun stuff, and make it a single button click for users. I have not been to the website, but if it has a way so that you can view the source (unless it truly does it all through JS) then that might be interested just to see. Point it at a site you know can't be taken down from a simple DDoS Web app like Amazon and then view the code of what it is actually doing.

Re:The joy of being a programmer... (4, Informative)

Haedrian (1676506) | more than 2 years ago | (#34622354)

You're going to be happy about it.

"All code used on this site is released under the GPLv3, and is available here. "

http://spareclockcycles.org/downloads/code/dosme.tar.gz [spareclockcycles.org]

Re:The joy of being a programmer... (3, Insightful)

Mad Merlin (837387) | more than 3 years ago | (#34623124)

...but if it has a way so that you can view the source (unless it truly does it all through JS) then that might be interested just to see.

curl http://d0z.me/weFZ

Basically, they have an img tag pointed at the site with an onload function that just keeps reloading the image with a new cachebuster value. If your browser supports HTML5 Web Workers, it also spawns 4 of those and repeatedly AJAXes requests to the site.

It's also painfully obvious that the author isn't fluent in Javascript. The obvious clues being the use of new Array() instead of [] or {} and using setTimeout() with implicit eval instead of passing a function. The initial URL in the img tag is also wrong (it has an extra http:/// [http] prepended.) They also set position: absolute; on the img tag, but don't actually position it anywhere, however, the iframe appears to be on top anyways.

Re:The joy of being a programmer... (5, Interesting)

supernothing (1661929) | more than 3 years ago | (#34624386)

Thank you for pointing out the extra http:/// [http] issue, it's been fixed in the live version. Bug leftover from an earlier test version.

The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.

As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.

You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks

Evil? No. (0)

Anonymous Coward | more than 2 years ago | (#34622298)

DDOS is merely a tool, sending bytes over a data stream. It is not evil in itself, although some may try to use it in the service of good or evil.

Re:Evil? No. (1)

dwarfsoft (461760) | more than 2 years ago | (#34622382)

In fact, there is a legitimate DDoS effect that occurs when a site is linked from Slashdot. The DDoS is not intentional, but the result is the same :)

Re:Evil? No. (1)

insertwackynamehere (891357) | more than 3 years ago | (#34626476)

Distributed denial of service is a TOOL people
its NOT inherently "bad"

HTML5 browsers (1)

PatPending (953482) | more than 2 years ago | (#34622446)

I just got off the phone with AnonOps and he said he won't be able to employ this HTML5 Cross Origin exploit because he's using IE6.

Ducks and runs.

Re:HTML5 browsers (0)

Anonymous Coward | more than 2 years ago | (#34622806)

Oh the irony... hack doesn't work in IE6, because IE6 doesn't support HTML5.
You're vulnerable only if you use Firefox or Safari or Chrome or IE8.

Oxygen of publicity (0, Troll)

carou (88501) | more than 2 years ago | (#34622474)

And slashdot is advertising this... why, exactly?

Re:Oxygen of publicity (0)

Anonymous Coward | more than 2 years ago | (#34622490)

Lulz

Re:Oxygen of publicity (2)

Pharmboy (216950) | more than 2 years ago | (#34622510)

Because there are fewer slashdotters than ever, so slashdotting is getting harder to do. We need code to cheat.

Re:Oxygen of publicity (3, Insightful)

gman003 (1693318) | more than 2 years ago | (#34622628)

Because it's an interesting proof-of-concept that DDoS is no longer bound to botnets, as well as proof-of-concept of DDoSing in Javascript.

Re:Oxygen of publicity (1)

PatPending (953482) | more than 2 years ago | (#34622740)

...and (furthermore) how social networking sites could be used to spread this URL, in effect creating an ad-hoc botnet.

Re:Oxygen of publicity (1)

drcheap (1897540) | more than 2 years ago | (#34622872)

Not really ad hoc, they are just using a different vector to spread the malware. This time it's purely the users' actions instead of relying on exploiting the mistakes of a few programmers.

And as long as you attach teh cute kitteh or some other such nonsense, it's way easier to convince someone to "join" the botnot willingly than it is to exploit their computer from behind.

Ask any psychologist, there are way more "exploits" in human brains than even Microsoft can come up with for Windows =)

Re:Oxygen of publicity (1)

Duradin (1261418) | more than 2 years ago | (#34622784)

In other words, useful idiots ARE useful.

Re:Oxygen of publicity (2)

Homburg (213427) | more than 3 years ago | (#34623822)

It sounds like an interesting implementation, but I don't know about "proof of concept" - this concept has been in use for years. I remember in the late nineties activists putting together websites using javascript to repeatedly load web pages of political targets in order to DOS them; I think there was one directed at the WTO site, intended to be used as a kind of virtual support for the protests in Seattle in 1999. Of course, I'm not sure how much damage we could actually do with our 56k modems.

Is it up? (1)

blair1q (305137) | more than 2 years ago | (#34622482)

Just tell me that the DDoS site is slashdotted.

Re:Is it up? (2)

muphin (842524) | more than 2 years ago | (#34622624)

the irony, a DDoS site was DDoS's by us simple slashdotters

Re:Is it up? (2)

PatPending (953482) | more than 2 years ago | (#34622804)

From his "Final Notes" section (last paragraph of TFA):

Finally, yes, to all you a-holes out there, I know, it would be ironic/funny to dos a site that is demonstrating a dos attack. Please don't. I know you can, and that it would be trivial to do, as this server isn't exactly hardened. Let's just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.

Easy to check/verify/stop in Safari (1)

gordguide (307383) | more than 3 years ago | (#34623062)

I normally don't go to URL shortener links at all, having long ago seen how easy they are to hid the real URL of suspicious sites. Also, I've been using Safari for years, and although Firefox is installed it's my preferred browser. Normally I have the download window and the activity window active on the right side of my desktop. The Activity window in particular is very handy for monitoring any and all surfing activity.

Similarly, I have been a long-time user of Little Snitch to monitor and authorize/deauthorize outgoing connections, with the network activity window always showing upon outgoing network activity. I suspected one, or both, of these tools would be useful.

Little Snitch, as expected, shows the network activity as a fairly constant level of network activity, but since it's an authorized outgoing connection (your web browser, naturally, has to be allowed to make connections to the usual internet ports like 80, etc, or no browsing for you) there isn't much that would really seem unusual. Many requests and deliveries of data are of course visible, but this is relatively normal and probably would not really alert anyone; for example it is similar to what you would see with a streaming server delivering content on a page. It's there, but it's not obvious something nefarious is going on unless you were really paying attention, and there's really no reason to be, since it's a standard browser operation, more or less.

Safari's Activity window, however, reveals the activity quite obviously. In a few moments using the sample page outlined in the original article, you see a huge amount of requests to the target url. A normal webpage might have up to 100 or even 200 different components, but not a constant stream that gets to 100 in a few seconds, and keeps going. The urls are fairly obvious as well, taking the form of:
http://www.example.com/?v=1292889926999 [example.com] ...{continuous stream of ... example/com/?v= [some incremental number]} ...
http://www.example.com/?v=1292889877790 [example.com]

The webpage does not fully load, but the stream continues until you close the page { [Command-W] or mouse click on the close button }

With the Activity Window open you should be able to monitor and react to being an unwitting party to the DDoS.

Clearly the first fun thing to try... (1)

Anonymous Coward | more than 3 years ago | (#34623256)

... is a d0z.me link that points to & targets d0z.me!

http://d0z.me/7iWC [d0z.me]

Re:Clearly the first fun thing to try... (1)

mug funky (910186) | more than 3 years ago | (#34623744)

time paradox.

Re:Clearly the first fun thing to try... (1)

PatPending (953482) | more than 3 years ago | (#34623932)

Here, read this [slashdot.org] --he's clearly referring to you.

This was implemented 5 years ago. (0)

Anonymous Coward | more than 3 years ago | (#34623952)

See

http://en.wikipedia.org/wiki/Lad_Vampire

WTF? (1)

galvanash (631838) | more than 3 years ago | (#34623986)

affords willing participants plausible deniability in the assault.

Seriously? There are actually enough people that willingly want to do this kind of thing that it deserves a post on slashdot?

Please, if you care about the internet at all don't be coerced into doing this kind of thing - it is the digital equivalent of pissing in the pool...

Re:WTF? (1)

asticia (1623063) | more than 3 years ago | (#34624842)

OTOH I am glad /. informed about this, at least I know which shortcut URL to avoid and installing noscript in browser was useful. Because this says willing participants - b ut you never know how many will be unwillingly ddosing from some other sites using this technique.

Interesting (3, Insightful)

shiftless (410350) | more than 3 years ago | (#34624086)

Interesting proof of concept. How long until someone hacks into a major site, cnn.com, nytimes, etc, and sneaks this code in there? With a little obfuscation it could be buried and hidden pretty easily in the mounds of Javascript most sites are running these days, and be set to activate only when and where the hacker chooses. How long would it take before someone finally figured out what's causing the target to get massively DDoS'ed? Especially if the attacks are staggered, not made to run constantly, and multiple sites are involved at different random times? Virus scan each of the computers involved, and you turn up nothing! No worms or trojans found. Very clever!

Re:Interesting (0)

Anonymous Coward | more than 3 years ago | (#34624416)

In that case, why not just do a drive by download, add the computers to a botnet and perform a traditional DDoS attack. I guess the advantage would be that it only requires JS not a vulnerability to the browser/OS/Flash, but a botnet would be more effective in the long run for someone savvy enough to pull off this type of attack in the first place.

Re:Interesting (1)

Inda (580031) | more than 3 years ago | (#34626358)

I used to visit an anti-spam website. It would load all the images of an offending site over and over and over.

This type of DDOS is not new.

Something similar from the past (0)

Anonymous Coward | more than 3 years ago | (#34624326)

I remember seeing a similar trick in the past but the user's CPU time was used rather than their bandwidth (distributed computing through the browser).

Basically the javascript on the page would fetch work units off a central server and feedback the results in the background while the user was viewing the site.

Combining the URL forwarder + distributed computing element would be a good way to use this for good instead of eeeeevil (unless you use it to crack passwords!) especially with the amount of spare CPU cycles desktops have.

OpenDNS blocked it... (1)

alexpalmer (1769038) | more than 3 years ago | (#34624370)

OpenDNS blocked it as malware because someone here decided to report it... Looks like I'm getting rid of OpenDNS

Re:OpenDNS blocked it... (1)

blacklint (985235) | more than 3 years ago | (#34625282)

The full text of the block message, for those of you not on a network using OpenDNS:

"This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

If you think this shouldn't be blocked, please email us at contact@opendns.com."

Re:OpenDNS blocked it... (1)

supernothing (1661929) | more than 3 years ago | (#34625338)

I'm not sure if I should be flattered or worried that my PoC got lumped in with Conficker and IE 0-days...

Re:OpenDNS blocked it... (1)

alexpalmer (1769038) | more than 3 years ago | (#34625402)

I wouldn't be worried. Someone here posted in their forums and they added it to the list. Check it out here forums.opendns.com/comments.php?DiscussionID=8381. It's a pretty cool concept. Like someone else here said, imagine a hacker hiding it in the code of The New York Times or some other big site. It could do some serious damage.

this is not NEW (1)

chronoss2010 (1825454) | more than 3 years ago | (#34624550)

in fact i showed somehting almost exactly like that to a friend TEN YEARS AGO. WHOSE the twerp stealing my ideas ill show him my upgrade.... j/k

Time for more browser level help here (1)

slashkitty (21637) | more than 3 years ago | (#34624714)

IFRAME and IMG SRC and similiar spam like this could and should be easily preventable. Browsers however don't normally pass information on the nature of the request. That is, it could tell the server it's coming from a click, a javascript, an iframe, and img src or whatever. Sites should be able to refuse incoming requests that are from an iframe. A simple HTTP header with the type of request would help greatly. It wasn't created as a method of attack, but it's used that way.

Finally... (1)

dargaud (518470) | more than 3 years ago | (#34625600)

...Finally we are now able to slashdot slashdot [d0z.me] ...

partinchina (0)

Anonymous Coward | more than 3 years ago | (#34626368)

http://www.partinchina.com

Web of Trust Warning (1)

AP31R0N (723649) | more than 3 years ago | (#34626674)

The FF plugin Web of Trust warns that this shortener site is dangerous.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?