D0z.me — the Evil URL Shortener
supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attack, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."
Re:The joy of being a programmer... (Score:5, Interesting)
The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.
As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.
You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks
Re:Since its a redirect... (Score:3, Interesting)
I used similar methods to this to take down multiple ISPs back in the mid-late 90s. When you have enough traffic, you can pretty much choose what their browser does in the background and take down smaller ISPs... Thousands of unsuspecting website visitors all day long trying to load the biggest file I could link to on their server as an image 1x1 pixel or background to some table with a question mark and random trash at the end to cut down on caching. What worked even better once was using their own terrible high cpu usage cgi programming as the 1x1 pixel, that way their cpu was maxed out. It is funny what one pissed off kid can do to a whole ISP or site... Those were the days.
Of course this relies on them not being smart enough to remove the file, add simple Apache lines in the config to block referral, etc. Last place that tried something similar to one of my servers had the attack redirected back to them using the Apache config and redirects. It did slow my server a tiny bit but theirs just stopped.
Re:Since its a redirect... (Score:4, Interesting)
So this bit in .htaccess should suffice to alleviate the DDoS attack?
RewriteEngine on
RewriteCond %{HTTP_REFERER} d0z\.me [NC]
RewriteRule .* - [F]
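A log-side check to go with the Referer rule discussed in this thread, as an added example that is not code from any poster: it counts requests per client whose Referer host is d0z.me and flags paths fetched with many distinct query strings, the cache-busting pattern an earlier comment describes. The log lines, IP addresses, paths and the `min_variants` threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def referer_matches(referer, domain):
    """True if the Referer host is `domain` or a subdomain of it.
    Stricter than an unanchored d0z\\.me regex, which also matches notd0z.me."""
    try:
        host = (urlsplit(referer).hostname or "").lower()
    except ValueError:  # malformed Referer header
        return False
    return host == domain or host.endswith("." + domain)

def analyze(lines, domain="d0z.me", min_variants=3):
    """Return (hits per client IP referred by `domain`,
    paths requested with at least `min_variants` distinct query strings)."""
    by_ip = defaultdict(int)
    variants = defaultdict(set)  # path -> distinct query strings seen
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        target = urlsplit(m["target"])
        if target.query:
            variants[target.path].add(target.query)
        if referer_matches(m["referer"], domain):
            by_ip[m["ip"]] += 1
    busted = {p: len(q) for p, q in variants.items() if len(q) >= min_variants}
    return dict(by_ip), busted

# Constructed sample log lines (documentation IP ranges, made-up paths and times).
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2011:10:00:01 +0000] "GET /big.iso?r=83921 HTTP/1.1" 200 512 "http://d0z.me/abc" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2011:10:00:01 +0000] "GET /big.iso?r=11764 HTTP/1.1" 200 512 "http://d0z.me/abc" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Jan/2011:10:00:02 +0000] "GET /big.iso?r=40022 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2011:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "http://notd0z.me/x" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits, busted = analyze(SAMPLE)
    print("requests referred by d0z.me, per client:", hits)
    print("paths with cache-busting query strings:", busted)
```

The third sample request carries no Referer, so only the query-string count surfaces it; the Referer match alone would miss it.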