“Evil” URL shortener initiates DDoS attacks


Ben Schmidt, a student and researcher at the University of Tulsa, has devised a tool that can trigger a DDoS attack simply by having other people click a shortened link. The tool is called d0z.me, and it generates shortened URLs as “The Evil URL Shortener”. An attacker only needs a popular link and the target’s address, enters both into d0z.me, and then posts the resulting shortened URL or otherwise gets others to click it. Whoever clicks it gets an iframe embedded that points to the requested page, while malicious JavaScript starts sending requests to the victim’s server in the background; the attack continues for as long as the page holding the iframe stays open.

Can you believe that clicking on a shortened link can make you an involuntary and unknowing participant in a DDoS attack on a website? Ben Schmidt, a self-styled student/researcher from the University of Tulsa, has made it possible.

The tool is called d0z.me (“The Evil URL Shortener”), and is the result of his unease about the increasing use of URL shorteners and the recent string of DDoS attacks executed by both sides of the dispute concerning WikiLeaks.

“The concept is quite simple, really,” says Schmidt. “Attackers go to d0z.me and enter a link they think could be popular/want to share, but also enter the address of a server that they would like to attack as well. Then, they share this text with as many people as possible, in as many places as possible. Extensive use of social media sites is probably a must to achieve the best results.”

Once users click on the offered link, they see the requested content on a page inside an embedded iframe, ready for their perusal. In the meantime, a malicious JavaScript DoS routine runs in the background, sending request after request to the targeted server.

The attack lasts as long as the user continues browsing from the page containing the embedded iframe. This, in itself, can be difficult to achieve, but Schmidt thinks it can be done by offering an interesting online game or a bogus offer of a free iPad if the user remains on the page for a predetermined amount of time. He also thinks that this tool could be used to organize voluntary attacks such as the ones coordinated recently by Anonymous, with the added bonus of providing the “attackers” plausible deniability if caught.
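From the defender’s side, the flood described above has a recognisable shape in the target’s web server logs: many clients each issuing bursts of requests whose Referer header points at the same off-site page. The following detector is an added illustration, not code from the article or from d0z.me; the log lines are constructed, and the window and hit thresholds are assumptions.

```python
"""Flag browser-driven request bursts attributable to an off-site referring page.

Added example (not from the original article). Log lines are constructed in
Apache combined format; 'd0z.me' is the shortener named in the article, and
the window_s / min_hits thresholds are assumed values a defender would tune.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one client hammering the site from a d0z.me page within
# six seconds, and one ordinary visitor arriving from an unrelated site.
SAMPLE_LOG = [
    f'10.0.0.5 - - [20/Dec/2010:12:00:0{i} +0000] "GET /?r={i} HTTP/1.1" '
    f'200 512 "http://d0z.me/abc123" "Mozilla/5.0"' for i in range(6)
] + [
    '10.0.0.9 - - [20/Dec/2010:12:00:01 +0000] "GET / HTTP/1.1" 200 4096 '
    '"http://example.org/" "Mozilla/5.0"',
    '10.0.0.9 - - [20/Dec/2010:12:00:40 +0000] "GET /about HTTP/1.1" 200 2048 '
    '"http://example.org/" "Mozilla/5.0"',
]

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_referer_floods(lines, window_s=10, min_hits=5):
    """Return {referer_host: [client IPs]} for clients that sent at least
    min_hits requests within window_s seconds while citing that host as Referer."""
    times_by_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["referer"].startswith("http"):
            continue  # skip malformed lines and requests with no Referer
        host = rec["referer"].split("/")[2]
        times_by_key[(rec["ip"], host)].append(rec["ts"])
    flagged = defaultdict(set)
    for (ip, host), times in times_by_key.items():
        times.sort()
        # sliding window: any min_hits consecutive requests inside window_s
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                flagged[host].add(ip)
                break
    return {host: sorted(ips) for host, ips in flagged.items()}
```

In production the same grouping would run over a streaming log with the referer host count tracked across clients, since the distinguishing feature of this attack is many unrelated IPs sharing one referring page.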

He considers this tool simply as a proof-of-concept. “I am not responsible for any malicious use of this demonstration, nor any damages caused by it. It was created solely as an example of the serious consequences of the Internet’s increased reliance upon URL shorteners, as well as how easy it is to create an unwitting DDoS botnet without actually exploiting a single computer. If you target a site that is not yours, you are responsible for the consequences,” he says in the disclaimer conveniently situated under the tool.

He finishes his post by declaring that yes, he is aware that it would be funny to DoS a site that is demonstrating a DoS attack, and asks potential attackers not to do it: “I know you can, and that it would be trivial to do, as this server isn’t exactly hardened. Let’s just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.”

Source: net-security
