D0z.me — the Evil URL Shortener 116
supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."
I Don't Need To Do Anything? (Score:5, Funny)
Re: (Score:1)
That doesn't make me happy. I want to do less than nothing.
Re: (Score:1)
Since its a redirect... (Score:2)
Wouldn't it be possible for an admin to simply block all traffic which came from that website?
Re: (Score:2)
Re:Since its a redirect... (Score:5, Informative)
No. If you visit the site, it loads javascript on your machine which does the DDOS from your machine. It's not a proxy.
Re: (Score:1)
The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers). A DDOS like this would then work well in the short term, but fall apart completely once the site operators were in touch with the upstream providers.
Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.
Re:Since its a redirect... (Score:4, Informative)
Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.
Thats where you're wrong. Hooray for iFrames!
Re: (Score:1)
I have not checked how d0z.me invokes its targets since I do not plan on loading that site from work, but if it is via an IFrame, then there will be a referrer, at least in all of the web browsers that I am familiar with (excluding browsers that allow you to disable the referrer).
Re: (Score:1)
Scratch that, IFrames don't send the framing page as a referrer, at least in the tests I just tried.
Re: (Score:3, Informative)
this is how it shows up in my apache logs:
r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:08 +0000] "GET /?v=1292886248174 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10" /?v=1292886251634 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"
r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:11 +0000] "GET
Re:Since its a redirect... (Score:4, Interesting)
So this bit in .htaccess should suffice to alleviate the DDoS attack?
.* - [F]
RewriteEngine on
RewriteCond %{HTTP_REFERER} d0z\.me [NC]
RewriteRule
Re: (Score:2)
Not really. It'll help if the weak point is dynamic content being generated by your own app, but if the weak point is anywhere else (eg. your link to the Internet), it'll achieve precisely nothing.
Re: (Score:1)
ZOMG!! TROJAN FIX!!! (Score:3)
So this bit in .htaccess should suffice to alleviate the DDoS attack?
.* - [F]
RewriteEngine on
RewriteCond %{HTTP_REFERER} d0z\.me [NC]
RewriteRule
It says "\. me"
Re: (Score:2)
So spoof it?
Re: (Score:3)
The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers)
This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do. Filtering at the site itself would be ineffectual; by the time the HTTP request has been examined and discarded, it's already done its job, jamming up the internet connection feeding that server.
Re: (Score:2)
Really? I think the other day there was articles about charging per site based on DPI. And years ago ISPs ues DPI to throttle Bittorrent traffic. And others uses it to swap out ads and stuff.
No, it's not expensive, and most ISPs probably already have the equipment already. It's just that it's not making the ISP any potent
Re: (Score:1)
You could easily block this at the DNS level.
I think OpenDNS allows you to do this if you don't run your own DNS system. If you do run your own DNS system, you would handle this in house redirecting the host to 127.0.0.1 or something.
Simply block doz.me (or all of .me if you wish).
If your users can't get there, they can't get the iframe back.
Re: (Score:3)
Re:Since its a redirect... (Score:5, Insightful)
Well, like any other DDOS, you are screwed. Your ISP won't even help you if you are just a small fry, figuring anything you did to piss that many people off is your own damn fault.
If you are a big customer, and the traffic generated by the DDOS is easily distinguishable from normal traffic (does not look like legitimate web hits) they might help.
It really is amazing that after all these years, there is no DDOS defense.
Re: (Score:3, Interesting)
I used similar methods to this to take down multiple ISPs back in the mid-late 90s. When you have enough traffic, you can pretty much choose what their browser does in the background and take down smaller ISPs... Thousands of unsuspecting website visitors all day long trying to load the biggest file I could link to on their server as an image 1x1 pixel or background to some table with a question mark and random trash at the end to cut down on caching. What worked even better once was using their own terribl
Re: (Score:1)
Re: (Score:1)
Building a digital world to replicate a flawed physical world was the first mistake.
Had DARPA envisioned the basic protocol to be running in anything other than a cooperative environment i image much would have been different.
Neither of your examples of analogous systems is convincing. The inability to visualize beyond your physical world is the first indication you are probably not the best person for the task at hand.
Re: (Score:1)
In fact, OpenDNS does block this very web site at the DNS level, without bothering to ask the end user beforehand. When I go to d0z.me, I get the following message:
This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.
If you think this shouldn't be blocked, please email us at contact@opendns.com.
Re: (Score:1)
Simply block doz.me (or all of .me if you wish).
All of .me, simply block all of .me,
Can't you see I'm no good without .yu?
Re: (Score:3, Insightful)
"loads javascript ... which does the DDOS"
And as I keep trying to explain to my friends, letting Some Random Website run whatever random shit on your machine is simply **idiotic**. Really, there's no other way to describe it. It's as idiotic as letting a crack gang have the run of your apartment. You have to be almost wilfully ignorant to not see the issues with the "run anything from anywhere without having the slightest damn idea what it's for" model of security.
I'm sure this is an amazing coincidence,
Re: (Score:1)
letting Some Random Website run whatever random shit on your machine is simply **idiotic**.
As much as I try to give people the benefit of the doubt, I have to agree on this point. The only problem is that there are all of these legitimate websites that have jillions of scripts running, and if you turn them off, the website breaks. You could be on a legitimate website that's running a bunch of completely benign scripts (say, slashdot trying to update the news feed), and buried somewhere in the mess is a malicious script that's doing a DDoS or whatever. Now, for most slashdotters, it's trivial t
Re: (Score:2)
Since the attack is being run by the top level page, and the page the user is looking at is in an iframe, wouldn't following most links in the iframe loaded page just load the new page in the iframe as well. i.e. the frameset page is still in the background running the attack even after the user ha
Re: (Score:2)
letting Some Random Website run whatever random shit on your machine is simply **idiotic**
Java applets originally only permitted socket connections to the host they were loaded from. I believe security is more fine grained now. Thats far better than the approach which seems to work with javascript.
Re: (Score:2)
Absolutely right, and something I've been thinking a bit about lately.
Even if you succeed in telling people not to click on every silly little advert and run random software that you don't really need, most web browsers these days save them the trouble. It's not stupid, it's downright insanity. You've got an application which - by design - downloads and executes code from random locations with more-or-less zero oversight.
Re: (Score:2)
Re: (Score:1)
Depends if the DDoS comes from the client or the server. The way I read it the redirect page opens in an iFrame but the JS runs on the client in the background DDoSing whichever target(s).
Re: (Score:2)
Can JS make an HTTP request without sending the referrer?
Re:Since its a redirect... (Score:5, Informative)
Re: (Score:2)
Ah I see, thanks. Seems the real culprit here is iframes. Sometimes I wonder if they cause more harm than good. But really i guess it's hidden iframes causing the problem? Guess I'm just wondering what's the solution here. Should iframes send a limited header with just a domain name? Should they be removed? Are they really necessary? Or should there be a minimum size that can't be covered with other content or made visible? This is a pretty clever hack I'll have to admit.
Re: (Score:2)
any of these in-browser security checks on iframe would require users to run a well-maintained frequently updated browser to have any effect within a few years, guess what browser most people still use?
I have to say this is quite a cool attack, and even without iframes you can still use any javascript running client to do a DOS attack using simple ajax style code, the real problem here, as pointed out before, is that the internet evolved into a place where running 3rd party code on your own machine without
Re: (Score:2)
Er, answering my own question -- it seems like it's quite difficult, but not impossible, to spoof the referrer: http://en.wikipedia.org/wiki/Cross-site_request_forgery [wikipedia.org]
Re: (Score:1)
Re: (Score:2)
Visit website. Click link. Music plays.
Visit website. Click link. Document displayed.
Visit website. Click link. Document displayed. [JS malware loaded]
Visit website. Click link. Music plays.
Visit website. Click link. Funny video clip plays.[JS malware loaded]
Visit website. Click link. Funny video clip plays.
Next day: Visit website. Click link. Sudoku game.
Visit website. Click link. [JS malware loade
Re: (Score:2)
From his "Mitigation" section:
The HTML5 CORS attack, according to A&RL's research, can be blocked if your server doesn't allow cross origin requests by making a rule in your WAF that blocks all requests with Origin in the headers. However, given enough people doing this attack, it could become overwhelmed regardless.
Re: (Score:2)
So what legitimate reason is there for CORS to exist?
Am I doing it right? (Score:5, Funny)
http://d0z.me/weFZ [d0z.me]
Re: (Score:3)
Holy shit, it's working all 4 of my cores just visiting the link. Nice, it has worker threads in it.
Re: (Score:1)
Re: (Score:1)
Nice to know malware is more capably programmed than almost all else.
Re:Am I doing it right? (Score:4, Informative)
http://d0z.me/ [d0z.me]
Re: (Score:3)
Not quite. Knowing what the site does, I probably wouldn't click that URL. Try something like http://bit.ly/eaHU1C [bit.ly] instead.
Re: (Score:2)
curl http://bit.ly/eaHU1C [bit.ly]
I see what you did there. Interestingly, the author mentions that bigger url shorteners such as bit.ly offer more trust than your mom-and-pop url shortener. Kinda disproves his point entirely. Also, e.g. on Twitter, if you mouse over a shortened URL it displays the target as a tooltip. (But which Twitter user is patient enough to wait?)
Re: (Score:2)
I didn't know that about Twitter, but... how many levels deep will it nest that? I could easily have run this link through 5 different ULR shorteners, and ended up with one that still resulted in a DDoS. Of course, each redirect takes time, but it's still pretty easy to trick somebody.
Re: (Score:1)
no, it was meant to be used against a website not a user.
The joy of being a programmer... (Score:2)
Re:The joy of being a programmer... (Score:5, Informative)
You're going to be happy about it.
"All code used on this site is released under the GPLv3, and is available here. "
http://spareclockcycles.org/downloads/code/dosme.tar.gz [spareclockcycles.org]
Re:The joy of being a programmer... (Score:4, Insightful)
Basically, they have an img tag pointed at the site with an onload function that just keeps reloading the image with a new cachebuster value. If your browser supports HTML5 Web Workers, it also spawns 4 of those and repeatedly AJAXes requests to the site.
It's also painfully obvious that the author isn't fluent in Javascript. The obvious clues being the use of new Array() instead of [] or {} and using setTimeout() with implicit eval instead of passing a function. The initial URL in the img tag is also wrong (it has an extra http:/// [http] prepended.) They also set position: absolute; on the img tag, but don't actually position it anywhere, however, the iframe appears to be on top anyways.
Re:The joy of being a programmer... (Score:5, Interesting)
The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.
As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.
You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks
Re: (Score:2)
As for the Javascript, I like using Array() for readability.
I'd agree with you there, but the real downfall with new Array() is what happens when you start trying to initialize something other than an empty array. new Array(5, 4) creates a new array of size 2, with elements 5 and 4, but new Array(5) creates an array of size 5 (with undefined values). Needless to say, the headdesk potential is high in this case as the error isn't obvious until you've been bit by it before (and especially so if you happen to replace that 5 with a 1).
Re: (Score:1)
In fact, there is a legitimate DDoS effect that occurs when a site is linked from Slashdot. The DDoS is not intentional, but the result is the same :)
Re: (Score:2)
Distributed denial of service is a TOOL people
its NOT inherently "bad"
HTML5 browsers (Score:2)
Ducks and runs.
Oxygen of publicity (Score:1, Troll)
And slashdot is advertising this... why, exactly?
Re: (Score:3)
Because there are fewer slashdotters than ever, so slashdotting is getting harder to do. We need code to cheat.
Re:Oxygen of publicity (Score:4, Insightful)
Re: (Score:2)
Re: (Score:1)
Not really ad hoc, they are just using a different vector to spread the malware. This time it's purely the users' actions instead of relying on exploiting the mistakes of a few programmers.
And as long as you attach teh cute kitteh or some other such nonsense, it's way easier to convince someone to "join" the botnot willingly than it is to exploit their computer from behind.
Ask any psychologist, there are way more "exploits" in human brains than even Microsoft can come up with for Windows =)
Re: (Score:2)
In other words, useful idiots ARE useful.
Re: (Score:3)
It sounds like an interesting implementation, but I don't know about "proof of concept" - this concept has been in use for years. I remember in the late nineties activists putting together websites using javascript to repeatedly load web pages of political targets in order to DOS them; I think there was one directed at the WTO site, intended to be used as a kind of virtual support for the protests in Seattle in 1999. Of course, I'm not sure how much damage we could actually do with our 56k modems.
Re: (Score:2)
it's an interesting proof-of-concept that DDoS is no longer bound to botnets
No... it’s a proof-of-concept DDoS that is bound to a new type of botnet. This is performed without the user’s knowledge, which is the definition of a botnet: conscripting someone’s PC without their knowledge or consent.
And we already had DDoS attacks that were not bound to botnets: users voluntarily downloaded and ran the LOIC or various in-browser HTML5 pages exactly like this one, except that they were explicit in their intentions.
In other words, we already had botnets, and we already h
Is it up? (Score:2)
Just tell me that the DDoS site is slashdotted.
Re: (Score:3)
Re: (Score:3)
From his "Final Notes" section (last paragraph of TFA):
Finally, yes, to all you a-holes out there, I know, it would be ironic/funny to dos a site that is demonstrating a dos attack. Please don't. I know you can, and that it would be trivial to do, as this server isn't exactly hardened. Let's just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.
Re: (Score:2)
It’s only a proof-of-concept...
Easy to check/verify/stop in Safari (Score:2)
I normally don't go to URL shortener links at all, having long ago seen how easy they are to hid the real URL of suspicious sites. Also, I've been using Safari for years, and although Firefox is installed it's my preferred browser. Normally I have the download window and the activity window active on the right side of my desktop. The Activity window in particular is very handy for monitoring any and all surfing activity.
Similarly, I have been a long-time user of Little Snitch to monitor and authorize/deauth
Clearly the first fun thing to try... (Score:1)
http://d0z.me/7iWC [d0z.me]
Re: (Score:1)
time paradox.
Re: (Score:2)
WTF? (Score:1)
affords willing participants plausible deniability in the assault.
Seriously? There are actually enough people that willingly want to do this kind of thing that it deserves a post on slashdot?
Please, if you care about the internet at all don't be coerced into doing this kind of thing - it is the digital equivalent of pissing in the pool...
Re: (Score:1)
Interesting (Score:4, Insightful)
Interesting proof of concept. How long until someone hacks into a major site, cnn.com, nytimes, etc, and sneaks this code in there? With a little obfuscation it could be buried and hidden pretty easily in the mounds of Javascript most sites are running these days, and be set to activate only when and where the hacker chooses. How long would it take before someone finally figured out what's causing the target to get massively DDoS'ed? Especially if the attacks are staggered, not made to run constantly, and multiple sites are involved at different random times? Virus scan each of the computers involved, and you turn up nothing! No worms or trojans found. Very clever!
Re: (Score:2)
This type of DDOS is not new.
OpenDNS blocked it... (Score:1)
Re: (Score:1)
The full text of the block message, for those of you not on a network using OpenDNS:
"This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.
If you think this shouldn't be blocked, please email us at contact@opendns.com."
Re: (Score:1)
Re: (Score:1)
Time for more browser level help here (Score:2)
Finally... (Score:2)
Web of Trust Warning (Score:2)
The FF plugin Web of Trust warns that this shortener site is dangerous.
it's almost too easy... (Score:2)
Re: (Score:1)
But yeah, if you did indeed have this idea 10 years ago, before HTML5 was even conceived, I commend you. That kind of foresig
Re: (Score:2)
The difference is that this poses as a legitimate URL-shortener so that the people whose computers are attacking the target don’t even realise they’re participating in it.