Sunday, December 26, 2010

Proof-of-concept URL shortener creates DDoS attacks

A proof-of-concept URL shortener has been created that, in addition to sending end users to the appropriate destination, also unleashes a DoS attack on a previously specified server.

The shortener, called d0z.me, works as follows: potential attackers visit the site and enter a link they wish to share as well as the URL of a server they wish to attack. When the shortened link is clicked, users are redirected to the destination, but more happens behind the scenes:

When users click on the link, they appear to be redirected to the requested content, but they are in fact looking at the page in an embedded iframe. This is identical to how those rather annoying Digg and Stumbleupon toolbars work, except the embedding is invisible to the user (minus the location URL in the toolbar). While the users are busy viewing the page, a malicious Javascript DoS runs in the background, hammering the targeted server with a deluge of requests from these unsuspecting clients. If these clients continue browsing from that page, we can maintain our DoS in the background the entire time.
It's an interesting concept. As developer Ben Schmidt says, with the advent of Twitter, more folks are relying on URL shorteners to spread links virally. Of course, his shortener requires that a person stay on the iframe page (the one framing the redirected site) to keep the attack running; once they navigate away, that client stops contributing. Schmidt also admits how "fun" some might consider it to hit a site that offers up such a tool (his) with a DDoS attack, and he pleads for mercy:
Finally, yes, to all you a-holes out there, I know, it would be ironic/funny to dos a site that is demonstrating a dos attack. Please don't. I know you can, and that it would be trivial to do, as this server isn't exactly hardened. Let's just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.
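Two defender-side checks follow, as an added example that is not part of the original post or of d0z.me. The first is the response-header set a destination site can send so browsers refuse to render it inside a third-party iframe: without the invisible frame the victim sees a blank page instead of the expected content, so the cover that keeps them on the attacker's page (and the background script running) is gone. The second is a log-side detector for the targeted server that groups requests by Referer and flags any referer driving an abnormal burst; it assumes the flood requests carry the framing page's URL as Referer, which is the normal browser behaviour for fetches issued from an embedded page. The log lines, host names and thresholds are constructed for the example.

```javascript
// Added example, not code from the original post or from d0z.me.
// Assumptions: combined-format access logs, and that flood requests carry the
// attacker page's URL as Referer. Hosts/IPs below are constructed sample data.

// 1. Headers a destination site can send to refuse third-party framing.
//    X-Frame-Options existed at the time of the post; CSP frame-ancestors is
//    the modern equivalent. Either one breaks the invisible-iframe trick.
function antiFramingHeaders() {
  return {
    'X-Frame-Options': 'DENY',
    'Content-Security-Policy': "frame-ancestors 'none'",
  };
}

// 2. Referer-burst detection over access-log lines.
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+ "([^"]*)"/;
const MONTHS = { Jan: 0, Feb: 1, Mar: 2, Apr: 3, May: 4, Jun: 5,
                 Jul: 6, Aug: 7, Sep: 8, Oct: 9, Nov: 10, Dec: 11 };

// "26/Dec/2010:10:00:00 +0000" -> epoch seconds (UTC); NaN if unparseable.
function parseTimestamp(s) {
  const m = /^(\d{2})\/(\w{3})\/(\d{4}):(\d{2}):(\d{2}):(\d{2}) ([+-])(\d{2})(\d{2})$/.exec(s);
  if (!m || !(m[2] in MONTHS)) return NaN;
  const local = Date.UTC(+m[3], MONTHS[m[2]], +m[1], +m[4], +m[5], +m[6]) / 1000;
  const offset = (m[7] === '+' ? 1 : -1) * (+m[8] * 3600 + +m[9] * 60);
  return local - offset;
}

// Parse one combined-format line into {ip, ts, referer}; null if it doesn't match.
function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], ts: parseTimestamp(m[2]), referer: m[3] };
}

// For each Referer, find the largest number of requests inside any window of
// windowSec seconds; report referers whose peak reaches threshold, together
// with how many distinct client IPs took part (many clients from one referer
// is the signature of the embedded-page flood rather than a single bot).
function findRefererBursts(lines, windowSec, threshold) {
  const byRef = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.referer === '-' || Number.isNaN(r.ts)) continue;
    if (!byRef.has(r.referer)) byRef.set(r.referer, []);
    byRef.get(r.referer).push(r);
  }
  const alerts = [];
  for (const [referer, reqs] of byRef) {
    reqs.sort((a, b) => a.ts - b.ts);
    let peak = 0;
    let lo = 0;
    for (let hi = 0; hi < reqs.length; hi++) {
      while (reqs[hi].ts - reqs[lo].ts > windowSec) lo++;   // slide window start
      peak = Math.max(peak, hi - lo + 1);
    }
    if (peak >= threshold) {
      alerts.push({ referer, peak, clients: new Set(reqs.map((r) => r.ip)).size });
    }
  }
  return alerts;
}

// Constructed sample log: three ordinary visits plus a 12-request burst from
// four clients within 12 seconds, all referred by one shortener page.
function logLine(ip, time, referer) {
  return `${ip} - - [26/Dec/2010:${time} +0000] "GET /index.html HTTP/1.1" 200 5120 "${referer}" "Mozilla/5.0"`;
}
const SAMPLE_LOG = [
  logLine('203.0.113.10', '10:00:00', 'http://search.example/'),
  logLine('203.0.113.11', '10:03:30', 'http://search.example/'),
  logLine('203.0.113.12', '10:07:00', '-'),
];
const FLOOD_IPS = ['198.51.100.1', '198.51.100.2', '198.51.100.3', '198.51.100.4'];
for (let i = 0; i < 12; i++) {
  SAMPLE_LOG.push(logLine(FLOOD_IPS[i % 4], `10:05:${String(i).padStart(2, '0')}`,
                          'http://short.example/abc'));
}

console.log(JSON.stringify(findRefererBursts(SAMPLE_LOG, 30, 10)));
```

The detector is deliberately keyed on Referer rather than source IP: the point of the technique in the post is that each victim sends only a modest number of requests, so per-IP rate limits do not trip, while the common framing page ties them all together. Thresholds should be set from the server's own baseline traffic.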

