Forgot your password?
typodupeerror
Security The Internet IT

D0z.me — the Evil URL Shortener 116

Posted by Soulskill
from the has-its-own-goatee dept.
supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."
This discussion has been archived. No new comments can be posted.

D0z.me — the Evil URL Shortener

Comments Filter:
  • by WrongSizeGlass (838941) on Monday December 20, 2010 @06:50PM (#34622224)
    Dr Zoidberg: Hurray! I can do no less!!
  • Wouldn't it be possible for an admin to simply block all traffic which came from that website?

    • by Stregano (1285764)
      Unless that website is tied into a full on botnet
    • by Hatta (162192) on Monday December 20, 2010 @06:53PM (#34622260) Journal

      No. If you visit the site, it loads javascript on your machine which does the DDOS from your machine. It's not a proxy.

      • The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers). A DDOS like this would then work well in the short term, but fall apart completely once the site operators were in touch with the upstream providers.

        Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.

        • by Monkeedude1212 (1560403) on Monday December 20, 2010 @07:02PM (#34622398) Journal

          Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.

          Thats where you're wrong. Hooray for iFrames!

          • I have not checked how d0z.me invokes its targets since I do not plan on loading that site from work, but if it is via an IFrame, then there will be a referrer, at least in all of the web browsers that I am familiar with (excluding browsers that allow you to disable the referrer).

            • Scratch that, IFrames don't send the framing page as a referrer, at least in the tests I just tried.

          • Re: (Score:3, Informative)

            by tdobson (1391501)

            this is how it shows up in my apache logs:

            r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:08 +0000] "GET /?v=1292886248174 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"
            r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:11 +0000] "GET /?v=1292886251634 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"

            • by mwvdlee (775178) on Tuesday December 21, 2010 @04:23AM (#34625918) Homepage

              So this bit in .htaccess should suffice to alleviate the DDoS attack?

              RewriteEngine on
              RewriteCond %{HTTP_REFERER} d0z\.me [NC]
              RewriteRule .* - [F]

              • by jimicus (737525)

                Not really. It'll help if the weak point is dynamic content being generated by your own app, but if the weak point is anywhere else (eg. your link to the Internet), it'll achieve precisely nothing.

                • by LiENUS (207736)
                  depends, if the weak point is them fetching a large image off your site it'll let you serve up a smaller response alleviating the load on your link.
              • So this bit in .htaccess should suffice to alleviate the DDoS attack?

                RewriteEngine on
                RewriteCond %{HTTP_REFERER} d0z\.me [NC]
                RewriteRule .* - [F]

                It says "\. me"

        • So spoof it?

        • by spazdor (902907)

          The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers)

          This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do. Filtering at the site itself would be ineffectual; by the time the HTTP request has been examined and discarded, it's already done its job, jamming up the internet connection feeding that server.

          • by tlhIngan (30335)

            This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do.

            Really? I think the other day there was articles about charging per site based on DPI. And years ago ISPs ues DPI to throttle Bittorrent traffic. And others uses it to swap out ads and stuff.

            No, it's not expensive, and most ISPs probably already have the equipment already. It's just that it's not making the ISP any potent

        • by icebike (68054)

          You could easily block this at the DNS level.

          I think OpenDNS allows you to do this if you don't run your own DNS system. If you do run your own DNS system, you would handle this in house redirecting the host to 127.0.0.1 or something.

          Simply block doz.me (or all of .me if you wish).
          If your users can't get there, they can't get the iframe back.

          • by socsoc (1116769)
            Sure, there are multiple ways to prevent your users from accessing the site. What about when the rest of the world is loading it against your machines?
            • by icebike (68054) on Monday December 20, 2010 @09:22PM (#34623746)

              Well, like any other DDOS, you are screwed. Your ISP won't even help you if you are just a small fry, figuring anything you did to piss that many people off is your own damn fault.

              If you are a big customer, and the traffic generated by the DDOS is easily distinguishable from normal traffic (does not look like legitimate web hits) they might help.

              It really is amazing that after all these years, there is no DDOS defense.

              • Re: (Score:3, Interesting)

                by uolamer (957159)

                I used similar methods to this to take down multiple ISPs back in the mid-late 90s. When you have enough traffic, you can pretty much choose what their browser does in the background and take down smaller ISPs... Thousands of unsuspecting website visitors all day long trying to load the biggest file I could link to on their server as an image 1x1 pixel or background to some table with a question mark and random trash at the end to cut down on caching. What worked even better once was using their own terribl

              • you could run in the cloud.. seemed to work well for Amazon
          • by i8degrees (410294)

            In fact, OpenDNS does block this very web site at the DNS level, without bothering to ask the end user beforehand. When I go to d0z.me, I get the following message:

            This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

            If you think this shouldn't be blocked, please email us at contact@opendns.com.

          • Simply block doz.me (or all of .me if you wish).

            All of .me, simply block all of .me,

            Can't you see I'm no good without .yu?

      • Re: (Score:3, Insightful)

        by Anonymous Coward

        "loads javascript ... which does the DDOS"

        And as I keep trying to explain to my friends, letting Some Random Website run whatever random shit on your machine is simply **idiotic**. Really, there's no other way to describe it. It's as idiotic as letting a crack gang have the run of your apartment. You have to be almost wilfully ignorant to not see the issues with the "run anything from anywhere without having the slightest damn idea what it's for" model of security.

        I'm sure this is an amazing coincidence,

        • by Anonymous Coward

          letting Some Random Website run whatever random shit on your machine is simply **idiotic**.

          As much as I try to give people the benefit of the doubt, I have to agree on this point. The only problem is that there are all of these legitimate websites that have jillions of scripts running, and if you turn them off, the website breaks. You could be on a legitimate website that's running a bunch of completely benign scripts (say, slashdot trying to update the news feed), and buried somewhere in the mess is a malicious script that's doing a DDoS or whatever. Now, for most slashdotters, it's trivial t

          • it seems to me it may be a short-lived attack. It's sort of dependent on how many people just *happen* to leave their internet browsers open on just the right page for long periods of time. How many would that be?

            Since the attack is being run by the top level page, and the page the user is looking at is in an iframe, wouldn't following most links in the iframe loaded page just load the new page in the iframe as well. i.e. the frameset page is still in the background running the attack even after the user ha

        • letting Some Random Website run whatever random shit on your machine is simply **idiotic**

          Java applets originally only permitted socket connections to the host they were loaded from. I believe security is more fine grained now. Thats far better than the approach which seems to work with javascript.

        • by jimicus (737525)

          Absolutely right, and something I've been thinking a bit about lately.

          Even if you succeed in telling people not to click on every silly little advert and run random software that you don't really need, most web browsers these days save them the trouble. It's not stupid, it's downright insanity. You've got an application which - by design - downloads and executes code from random locations with more-or-less zero oversight.

    • by caluml (551744)
      No, because the traffic comes from the visitors' browsers.
    • by dwarfsoft (461760)

      Depends if the DDoS comes from the client or the server. The way I read it the redirect page opens in an iFrame but the JS runs on the client in the background DDoSing whichever target(s).

      • Can JS make an HTTP request without sending the referrer?

        • by TheRaven64 (641858) on Monday December 20, 2010 @07:11PM (#34622468) Journal
          The JS can create and destroy iframes pointed at the site. The browser will then load the site into the iframe, but the security model prevents the referrer field from being present in the iframe to avoid leaking sensitive information (for example, if you load adverts into an iframe while you have a URL with a session ID in it). If this isn't the default, then a silent redirect of the outer frame to an HTTPS URL will do it (aside from a recently-fixed bug in Safari, referrer is not provided to an HTTP URL when it is an HTTPS URL).
          • Ah I see, thanks. Seems the real culprit here is iframes. Sometimes I wonder if they cause more harm than good. But really i guess it's hidden iframes causing the problem? Guess I'm just wondering what's the solution here. Should iframes send a limited header with just a domain name? Should they be removed? Are they really necessary? Or should there be a minimum size that can't be covered with other content or made visible? This is a pretty clever hack I'll have to admit.

            • any of these in-browser security checks on iframe would require users to run a well-maintained frequently updated browser to have any effect within a few years, guess what browser most people still use?

              I have to say this is quite a cool attack, and even without iframes you can still use any javascript running client to do a DOS attack using simple ajax style code, the real problem here, as pointed out before, is that the internet evolved into a place where running 3rd party code on your own machine without

        • Er, answering my own question -- it seems like it's quite difficult, but not impossible, to spoof the referrer: http://en.wikipedia.org/wiki/Cross-site_request_forgery [wikipedia.org]

    • No... if you check out what it does, it uses Javascript to have YOUR computer request random files from whatever the target site is - so you would have to block all legitimate browser traffic.
    • From his "Mitigation" section:

      The HTML5 CORS attack, according to A&RL's research, can be blocked if your server doesn't allow cross origin requests by making a rule in your WAF that blocks all requests with Origin in the headers. However, given enough people doing this attack, it could become overwhelmed regardless.

  • by Shikaku (1129753) on Monday December 20, 2010 @06:52PM (#34622248)
  • ...we talk about our techniques for doing all of our fun stuff, and make it a single button click for users. I have not been to the website, but if it has a way so that you can view the source (unless it truly does it all through JS) then that might be interested just to see. Point it at a site you know can't be taken down from a simple DDoS Web app like Amazon and then view the code of what it is actually doing.
    • by Haedrian (1676506) on Monday December 20, 2010 @06:59PM (#34622354)

      You're going to be happy about it.

      "All code used on this site is released under the GPLv3, and is available here. "

      http://spareclockcycles.org/downloads/code/dosme.tar.gz [spareclockcycles.org]

    • by Mad Merlin (837387) on Monday December 20, 2010 @08:15PM (#34623124) Homepage

      ...but if it has a way so that you can view the source (unless it truly does it all through JS) then that might be interested just to see.

      curl http://d0z.me/weFZ

      Basically, they have an img tag pointed at the site with an onload function that just keeps reloading the image with a new cachebuster value. If your browser supports HTML5 Web Workers, it also spawns 4 of those and repeatedly AJAXes requests to the site.

      It's also painfully obvious that the author isn't fluent in Javascript. The obvious clues being the use of new Array() instead of [] or {} and using setTimeout() with implicit eval instead of passing a function. The initial URL in the img tag is also wrong (it has an extra http:/// [http] prepended.) They also set position: absolute; on the img tag, but don't actually position it anywhere, however, the iframe appears to be on top anyways.

      • by supernothing (1661929) on Monday December 20, 2010 @11:09PM (#34624386) Homepage
        Thank you for pointing out the extra http:/// [http] issue, it's been fixed in the live version. Bug leftover from an earlier test version.

        The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.

        As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.

        You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks
        • As for the Javascript, I like using Array() for readability.

          I'd agree with you there, but the real downfall with new Array() is what happens when you start trying to initialize something other than an empty array. new Array(5, 4) creates a new array of size 2, with elements 5 and 4, but new Array(5) creates an array of size 5 (with undefined values). Needless to say, the headdesk potential is high in this case as the error isn't obvious until you've been bit by it before (and especially so if you happen to replace that 5 with a 1).

  • I just got off the phone with AnonOps and he said he won't be able to employ this HTML5 Cross Origin exploit because he's using IE6.

    Ducks and runs.

  • And slashdot is advertising this... why, exactly?

    • by Pharmboy (216950)

      Because there are fewer slashdotters than ever, so slashdotting is getting harder to do. We need code to cheat.

    • by gman003 (1693318) on Monday December 20, 2010 @07:27PM (#34622628)
      Because it's an interesting proof-of-concept that DDoS is no longer bound to botnets, as well as proof-of-concept of DDoSing in Javascript.
      • ...and (furthermore) how social networking sites could be used to spread this URL, in effect creating an ad-hoc botnet.
        • by drcheap (1897540)

          Not really ad hoc, they are just using a different vector to spread the malware. This time it's purely the users' actions instead of relying on exploiting the mistakes of a few programmers.

          And as long as you attach teh cute kitteh or some other such nonsense, it's way easier to convince someone to "join" the botnot willingly than it is to exploit their computer from behind.

          Ask any psychologist, there are way more "exploits" in human brains than even Microsoft can come up with for Windows =)

      • by Duradin (1261418)

        In other words, useful idiots ARE useful.

      • by Homburg (213427)

        It sounds like an interesting implementation, but I don't know about "proof of concept" - this concept has been in use for years. I remember in the late nineties activists putting together websites using javascript to repeatedly load web pages of political targets in order to DOS them; I think there was one directed at the WTO site, intended to be used as a kind of virtual support for the protests in Seattle in 1999. Of course, I'm not sure how much damage we could actually do with our 56k modems.

      • it's an interesting proof-of-concept that DDoS is no longer bound to botnets

        No... it’s a proof-of-concept DDoS that is bound to a new type of botnet. This is performed without the user’s knowledge, which is the definition of a botnet: conscripting someone’s PC without their knowledge or consent.

        And we already had DDoS attacks that were not bound to botnets: users voluntarily downloaded and ran the LOIC or various in-browser HTML5 pages exactly like this one, except that they were explicit in their intentions.

        In other words, we already had botnets, and we already h

  • Just tell me that the DDoS site is slashdotted.

    • by muphin (842524)
      the irony, a DDoS site was DDoS's by us simple slashdotters
      • From his "Final Notes" section (last paragraph of TFA):

        Finally, yes, to all you a-holes out there, I know, it would be ironic/funny to dos a site that is demonstrating a dos attack. Please don't. I know you can, and that it would be trivial to do, as this server isn't exactly hardened. Let's just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.

      • It’s only a proof-of-concept...

  • I normally don't go to URL shortener links at all, having long ago seen how easy they are to hid the real URL of suspicious sites. Also, I've been using Safari for years, and although Firefox is installed it's my preferred browser. Normally I have the download window and the activity window active on the right side of my desktop. The Activity window in particular is very handy for monitoring any and all surfing activity.

    Similarly, I have been a long-time user of Little Snitch to monitor and authorize/deauth

  • by Anonymous Coward
    ... is a d0z.me link that points to & targets d0z.me!

    http://d0z.me/7iWC [d0z.me]
  • affords willing participants plausible deniability in the assault.

    Seriously? There are actually enough people that willingly want to do this kind of thing that it deserves a post on slashdot?

    Please, if you care about the internet at all don't be coerced into doing this kind of thing - it is the digital equivalent of pissing in the pool...

    • by asticia (1623063)
      OTOH I am glad /. informed about this, at least I know which shortcut URL to avoid and installing noscript in browser was useful. Because this says willing participants - b ut you never know how many will be unwillingly ddosing from some other sites using this technique.
  • Interesting (Score:4, Insightful)

    by shiftless (410350) on Monday December 20, 2010 @10:10PM (#34624086) Homepage

    Interesting proof of concept. How long until someone hacks into a major site, cnn.com, nytimes, etc, and sneaks this code in there? With a little obfuscation it could be buried and hidden pretty easily in the mounds of Javascript most sites are running these days, and be set to activate only when and where the hacker chooses. How long would it take before someone finally figured out what's causing the target to get massively DDoS'ed? Especially if the attacks are staggered, not made to run constantly, and multiple sites are involved at different random times? Virus scan each of the computers involved, and you turn up nothing! No worms or trojans found. Very clever!

    • by Inda (580031)
      I used to visit an anti-spam website. It would load all the images of an offending site over and over and over.

      This type of DDOS is not new.
  • OpenDNS blocked it as malware because someone here decided to report it... Looks like I'm getting rid of OpenDNS
    • by blacklint (985235)

      The full text of the block message, for those of you not on a network using OpenDNS:

      "This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

      If you think this shouldn't be blocked, please email us at contact@opendns.com."

      • I'm not sure if I should be flattered or worried that my PoC got lumped in with Conficker and IE 0-days...
        • I wouldn't be worried. Someone here posted in their forums and they added it to the list. Check it out here forums.opendns.com/comments.php?DiscussionID=8381. It's a pretty cool concept. Like someone else here said, imagine a hacker hiding it in the code of The New York Times or some other big site. It could do some serious damage.
  • IFRAME and IMG SRC and similiar spam like this could and should be easily preventable. Browsers however don't normally pass information on the nature of the request. That is, it could tell the server it's coming from a click, a javascript, an iframe, and img src or whatever. Sites should be able to refuse incoming requests that are from an iframe. A simple HTTP header with the type of request would help greatly. It wasn't created as a method of attack, but it's used that way.
  • ...Finally we are now able to slashdot slashdot [d0z.me]...
  • The FF plugin Web of Trust warns that this shortener site is dangerous.

  • ... why hasn't anyone figured this out before? Is it too easy and too obvious to be true?

IF I HAD A MINE SHAFT, I don't think I would just abandon it. There's got to be a better way. -- Jack Handley, The New Mexican, 1988.

Working...