Slashdot Mirror


D0z.me — the Evil URL Shortener

supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of a DDoS attack, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."

116 comments

  1. I Don't Need To Do Anything? by WrongSizeGlass · · Score: 4, Funny

    Dr Zoidberg: Hurray! I can do no less!!

    1. Re:I Don't Need To Do Anything? by Anonymous Coward · · Score: 0

      Zoidberg never said that!

    2. Re:I Don't Need To Do Anything? by Anonymous Coward · · Score: 0

      Join me or die! Can you do any less?

    3. Re:I Don't Need To Do Anything? by eugene+ts+wong · · Score: 1

      That doesn't make me happy. I want to do less than nothing.

    4. Re:I Don't Need To Do Anything? by ldobehardcore · · Score: 1

      Dr. Zoidberg: What a Captain! I'd follow that man to hell and back I would!

      --
      Hectice, baby, Mercator says hello to you
  2. Since its a redirect... by Haedrian · · Score: 1

    Wouldn't it be possible for an admin to simply block all traffic which came from that website?

    1. Re:Since its a redirect... by Stregano · · Score: 1

      Unless that website is tied into a full on botnet

      --
      The world is how you make it
    2. Re:Since its a redirect... by Hatta · · Score: 4, Informative

      No. If you visit the site, it loads javascript on your machine which does the DDOS from your machine. It's not a proxy.

      --
      Give me Classic Slashdot or give me death!
    3. Re:Since its a redirect... by caluml · · Score: 1

      No, because the traffic comes from the visitors' browsers.

    4. Re:Since its a redirect... by dwarfsoft · · Score: 1

      Depends if the DDoS comes from the client or the server. The way I read it the redirect page opens in an iFrame but the JS runs on the client in the background DDoSing whichever target(s).

      --
      Cheers, Chris
    5. Re:Since its a redirect... by FunnyLookinHat · · Score: 1

      No... if you check out what it does, it uses Javascript to have YOUR computer request random files from whatever the target site is - so you would have to block all legitimate browser traffic.

    6. Re:Since its a redirect... by increment1 · · Score: 1

      The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers). A DDOS like this would then work well in the short term, but fall apart completely once the site operators were in touch with the upstream providers.

      Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.

    7. Re:Since its a redirect... by PatPending · · Score: 1

      From his "Mitigation" section:

      The HTML5 CORS attack, according to A&RL's research, can be blocked if your server doesn't allow cross origin requests by making a rule in your WAF that blocks all requests with Origin in the headers. However, given enough people doing this attack, it could become overwhelmed regardless.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    8. Re:Since its a redirect... by Monkeedude1212 · · Score: 3, Informative

      Of course, I could be wrong about the referrer being present in requests made from Javascript, but I assume it should be there.

      That's where you're wrong. Hooray for iFrames!

    9. Re:Since its a redirect... by Anonymous Coward · · Score: 3, Insightful

      "loads javascript ... which does the DDOS"

      And as I keep trying to explain to my friends, letting Some Random Website run whatever random shit on your machine is simply **idiotic**. Really, there's no other way to describe it. It's as idiotic as letting a crack gang have the run of your apartment. You have to be almost wilfully ignorant to not see the issues with the "run anything from anywhere without having the slightest damn idea what it's for" model of security.

      I'm sure this is an amazing coincidence, but they're the ones always getting malware, and I never do. They complain about the malware, but show no inclination to listen to me when I try to explain the ways they are getting jacked.

    10. Re:Since its a redirect... by somersault · · Score: 1

      So spoof it?

      --
      which is totally what she said
    11. Re:Since its a redirect... by beakerMeep · · Score: 1

      Can JS make an HTTP request without sending the referrer?

      --
      meep
    12. Re:Since its a redirect... by John+Hasler · · Score: 1

      So what legitimate reason is there for CORS to exist?

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    13. Re:Since its a redirect... by TheRaven64 · · Score: 5, Informative

      The JS can create and destroy iframes pointed at the site. The browser will then load the site into the iframe, but the security model prevents the referrer field from being present in the iframe to avoid leaking sensitive information (for example, if you load adverts into an iframe while you have a URL with a session ID in it). If this isn't the default, then a silent redirect of the outer frame to an HTTPS URL will do it (aside from a recently-fixed bug in Safari, referrer is not provided to an HTTP URL when it is an HTTPS URL).

      --
      I am TheRaven on Soylent News
    14. Re:Since its a redirect... by spazdor · · Score: 2

      The referrer should still be present in the request though, which would seem to make filtering trivial (if not for the site itself, for the upstream providers)

      This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do. Filtering at the site itself would be ineffectual; by the time the HTTP request has been examined and discarded, it's already done its job, jamming up the internet connection feeding that server.

      --
      DRM: Terminator crops for your mind!
    15. Re:Since its a redirect... by beakerMeep · · Score: 1

      Er, answering my own question -- it seems like it's quite difficult, but not impossible, to spoof the referrer: http://en.wikipedia.org/wiki/Cross-site_request_forgery

      --
      meep
    16. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      Yep... and despite things like this DDOS, and near weekly stories of local exploits and drive-by malware downloads, people STILL persist in running unknown scripts from completely unknown sites.

      Go figure. Apparently even after the virtual equivalent of getting hit *repeatedly* in the face, nobody is interested in ducking or not walking through that same door any more. They'll keep complaining though, as if the next time is somehow a surprise.

      *Walk through door marked JS* -> *WHACK* -> *Ouch!*
      *Walk through door marked JS* -> *WHACK* -> *Ouch!*
      *Walk through door marked JS* -> *WHACK* -> *Ouch!*
      [repeat a few hundred more times]

      At what point do you learn to avoid that particular door? Or at least frickin' duck next time?

    17. Re:Since its a redirect... by increment1 · · Score: 1

      I have not checked how d0z.me invokes its targets since I do not plan on loading that site from work, but if it is via an IFrame, then there will be a referrer, at least in all of the web browsers that I am familiar with (excluding browsers that allow you to disable the referrer).

    18. Re:Since its a redirect... by beakerMeep · · Score: 1

      Ah I see, thanks. Seems the real culprit here is iframes. Sometimes I wonder if they cause more harm than good. But really I guess it's hidden iframes causing the problem? Guess I'm just wondering what's the solution here. Should iframes send a limited header with just a domain name? Should they be removed? Are they really necessary? Or should there be a minimum size that can't be covered with other content or made visible? This is a pretty clever hack I'll have to admit.

      --
      meep
    19. Re:Since its a redirect... by increment1 · · Score: 1

      Scratch that, IFrames don't send the framing page as a referrer, at least in the tests I just tried.

    20. Re:Since its a redirect... by Anonymous Coward · · Score: 1

      letting Some Random Website run whatever random shit on your machine is simply **idiotic**.

      As much as I try to give people the benefit of the doubt, I have to agree on this point. The only problem is that there are all of these legitimate websites that have jillions of scripts running, and if you turn them off, the website breaks. You could be on a legitimate website that's running a bunch of completely benign scripts (say, slashdot trying to update the news feed), and buried somewhere in the mess is a malicious script that's doing a DDoS or whatever. Now, for most slashdotters, it's trivial to install NoScript and narrow it down to only stuff that's running from websites you trust, but for the unwashed masses, they have no idea how to do that, or even that they need to.

      It's a combination of users who refuse to learn internet safety and websites that splatter scripts all over the place, providing cover for stuff like this. But ya, if people would be suspicious of what they run instead of having the attitude "oh hey, a script, let's run it and see what it does!" Okay, maybe not the same thing, but the principle remains.

      As far as how to block this type of attack? Well, it seems to me it may be a short-lived attack. It's sort of dependent on how many people just *happen* to leave their internet browsers open on just the right page for long periods of time. How many would that be? To be quite honest, I have no idea. I would suspect that they would make some kind of attraction to do just that (stock ticker, for one). However, any of those ideas would need to have some kind of refresh. Blocking the website would make the user say something like, "oh, it must be down, I'll come back later". On the other hand, it would be trivial to have the web page try the original site first, and then refresh from a preconfigured fallback page instead if that one gets blocked. I think if someone got hold of the original web page, however, it would also be trivial to figure out what the new one is from that.

      Not sure how that would pan out.

    21. Re:Since its a redirect... by tdobson · · Score: 3, Informative

      this is how it shows up in my apache logs:

      r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:08 +0000] "GET /?v=1292886248174 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"
      r00t.me.tld.fail:80 x.x.x.x - - [20/Dec/2010:23:04:11 +0000] "GET /?v=1292886251634 HTTP/1.1" 200 1888 "http://d0z.me/worker.js" "Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Ubuntu/10.10 Chromium/8.0.552.215 Chrome/8.0.552.215 Safari/534.10"
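
An added example, not part of the post above or of the d0z.me code: in the two logged requests the `v=` value is the millisecond epoch of the request itself and the Referer is on a different host, so a defender can count requests with that shape per target path and referring host. The log lines, host names, client addresses and threshold below are constructed for illustration; only the line layout and the `http://d0z.me/worker.js` referer come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Apache "vhost_combined"-style line, the layout shown in the post above.
LOG_RE = re.compile(
    r'(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["when"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["vhost"] = rec["vhost"].rsplit(":", 1)[0].lower()  # drop ":80"
    url = urlsplit(rec["target"])
    rec["path"], rec["query"] = url.path, url.query
    ref = rec["referer"]
    # "-" also stands for requests that arrive with no Referer at all,
    # the case several comments in this thread raise for iframes.
    rec["ref_host"] = "-" if ref in ("", "-") else (urlsplit(ref).hostname or "-")
    return rec


def is_epoch_ms_buster(query, when, max_skew_s=600):
    """True if the query is a single parameter holding a 13-digit
    millisecond timestamp close to the time the request was logged."""
    params = parse_qsl(query, keep_blank_values=True)
    if len(params) != 1:
        return False
    value = params[0][1]
    if not re.fullmatch(r"\d{13}", value):
        return False
    return abs(int(value) / 1000 - when.timestamp()) <= max_skew_s


def find_floods(lines, min_hits=3):
    """Group cache-busted, non-same-site requests by (vhost, path, referring
    host) and return the groups with at least min_hits requests."""
    buckets = defaultdict(
        lambda: {"hits": 0, "clients": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ref_host"] == rec["vhost"]:
            continue  # unparsable, or the site's own pages busting its cache
        if not is_epoch_ms_buster(rec["query"], rec["when"]):
            continue
        b = buckets[(rec["vhost"], rec["path"], rec["ref_host"])]
        b["hits"] += 1
        b["clients"].add(rec["client"])
        b["first"] = min(b["first"] or rec["when"], rec["when"])
        b["last"] = max(b["last"] or rec["when"], rec["when"])
    return {k: b for k, b in buckets.items() if b["hits"] >= min_hits}


def _sample(client, hhmmss, target, referer):
    # Builds one constructed log line in the layout from the post.
    return (f'www.example.test:80 {client} - - [20/Dec/2010:{hhmmss} +0000] '
            f'"GET {target} HTTP/1.1" 200 1888 "{referer}" '
            f'"Mozilla/5.0 (constructed sample)"')


# Constructed sample input: three referred hits, two Referer-less hits,
# one same-site cache-buster and one ordinary inbound link.
SAMPLE_LOG = [
    _sample("192.0.2.10", "23:04:08", "/?v=1292886248174", "http://d0z.me/worker.js"),
    _sample("192.0.2.10", "23:04:11", "/?v=1292886251634", "http://d0z.me/worker.js"),
    _sample("192.0.2.10", "23:04:14", "/?v=1292886254120", "http://d0z.me/worker.js"),
    _sample("198.51.100.7", "23:04:09", "/?v=1292886249500", "-"),
    _sample("198.51.100.7", "23:04:12", "/?v=1292886252500", "-"),
    _sample("203.0.113.5", "23:04:10", "/feed?_=1292886250000", "http://www.example.test/"),
    _sample("203.0.113.5", "23:04:13", "/about.html", "http://search.example.net/?q=x"),
]

if __name__ == "__main__":
    for (vhost, path, ref_host), b in find_floods(SAMPLE_LOG, min_hits=2).items():
        span = (b["last"] - b["first"]).total_seconds()
        print(f"{vhost}{path} via {ref_host}: {b['hits']} hits "
              f"from {len(b['clients'])} client(s) in {span:.0f}s")
```

Grouping on the request shape rather than on the Referer alone keeps the Referer-less bucket (`-`) visible, so the count still works when the header is absent.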

    22. Re:Since its a redirect... by tlhIngan · · Score: 1

      This would require that the upstream providers perform deep packet inspection and look at HTTP payload data - which is an awkward and expensive thing for an upstream provider to have to do.

      Really? I think the other day there were articles about charging per site based on DPI. And years ago ISPs used DPI to throttle BitTorrent traffic. And others use it to swap out ads and stuff.

      No, it's not expensive, and most ISPs probably already have the equipment already. It's just that it's not making the ISP any potential profit.

      The technology exists. It's in use right now. It could be used to do good, but so far, it's used to chase the almighty dollar instead.

    23. Re:Since its a redirect... by camperdave · · Score: 1

      Thing is... It's never marked, and the *WHACK*->*Ouch!* is missing most of the time, so it's like:
      Visit website. Click link. Music plays.
      Visit website. Click link. Document displayed.
      Visit website. Click link. Document displayed. [JS malware loaded]
      Visit website. Click link. Music plays.
      Visit website. Click link. Funny video clip plays.[JS malware loaded]
      Visit website. Click link. Funny video clip plays.

      Next day: Visit website. Click link. Sudoku game.
      Visit website. Click link. [JS malware loaded]
      Visit website. Click link. Funny video clip plays.
      [JS Malware loads more malware]
      Visit website. Click link. Funny video clip plays.
      Hmm... system seems slower.
      Visit website. Click link. Sudoku game.
      Visit website. Click link. Music plays.
      Visit website. Click link. Funny video clip plays.[JS malware loaded]

      Next day: Visit website. Click link. Sudoku game.
      Visit website. Click link. Music plays.
      Virus scan runs: 3 malicious programs found. Delete? (Y/n)
      WTF?... Y
      Virus scan runs: No malicious programs found.
      [JS Malware loads more malware]
      Visit website. Click link. Sudoku game.
      Visit website. Click link. Music plays.

      --
      When our name is on the back of your car, we're behind you all the way!
    24. Re:Since its a redirect... by icebike · · Score: 0

      You could easily block this at the DNS level.

      I think OpenDNS allows you to do this if you don't run your own DNS system. If you do run your own DNS system, you would handle this in house redirecting the host to 127.0.0.1 or something.

      Simply block doz.me (or all of .me if you wish).
      If your users can't get there, they can't get the iframe back.

      --
      Sig Battery depleted. Reverting to safe mode.
    25. Re:Since its a redirect... by socsoc · · Score: 2

      Sure, there are multiple ways to prevent your users from accessing the site. What about when the rest of the world is loading it against your machines?

    26. Re:Since its a redirect... by icebike · · Score: 4, Insightful

      Well, like any other DDOS, you are screwed. Your ISP won't even help you if you are just a small fry, figuring anything you did to piss that many people off is your own damn fault.

      If you are a big customer, and the traffic generated by the DDOS is easily distinguishable from normal traffic (does not look like legitimate web hits) they might help.

      It really is amazing that after all these years, there is no DDOS defense.

      --
      Sig Battery depleted. Reverting to safe mode.
    27. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      What are you talking about? And +4 Insightful?! Isn't /. supposed to be populated largely by IT people?

      The answer is yes, if your admin blocks the site you never reach D0z.me, so you never load any javascript or participate in the DDOS attack. Blocked is blocked.

      Jebus people, c'mon now.

    28. Re:Since its a redirect... by MichaelSmith · · Score: 1

      letting Some Random Website run whatever random shit on your machine is simply **idiotic**

      Java applets originally only permitted socket connections to the host they were loaded from. I believe security is more fine grained now. That's far better than the approach which seems to work with javascript.

    29. Re:Since its a redirect... by uolamer · · Score: 3, Interesting

      I used similar methods to this to take down multiple ISPs back in the mid-late 90s. When you have enough traffic, you can pretty much choose what their browser does in the background and take down smaller ISPs... Thousands of unsuspecting website visitors all day long trying to load the biggest file I could link to on their server as an image 1x1 pixel or background to some table with a question mark and random trash at the end to cut down on caching. What worked even better once was using their own terrible high cpu usage cgi programming as the 1x1 pixel, that way their cpu was maxed out. It is funny what one pissed off kid can do to a whole ISP or site... Those were the days.

      Of course this relies on them not being smart enough to remove the file, add simple apache lines in the config to block referral, etc. Last place that tried something similar to one of my servers had the attack redirected back to them using the apache config and redirects. It did slow my server a tiny bit but theirs just stopped..

      --
      s/©//g
    30. Re:Since its a redirect... by Vectormatic · · Score: 1

      any of these in-browser security checks on iframe would require users to run a well-maintained frequently updated browser to have any effect within a few years, guess what browser most people still use?

      I have to say this is quite a cool attack, and even without iframes you can still use any javascript running client to do a DOS attack using simple ajax style code, the real problem here, as pointed out before, is that the internet evolved into a place where running 3rd party code on your own machine without any validation is the norm (and thus breaks many legit sites when you disable it)

      --
      People, what a bunch of bastards
    31. Re:Since its a redirect... by mwvdlee · · Score: 3, Interesting

      So this bit in .htaccess should suffice to alleviate the DDoS attack?

      RewriteEngine on
      RewriteCond %{HTTP_REFERER} d0z\.me [NC]
      RewriteRule .* - [F]

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    32. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      There is one, it's called disconnect.

    33. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      But legitimate browsers still send the Referer, don't they?

    34. Re:Since its a redirect... by Captain+Hook · · Score: 1

      it seems to me it may be a short-lived attack. It's sort of dependent on how many people just *happen* to leave their internet browsers open on just the right page for long periods of time. How many would that be?

      Since the attack is being run by the top level page, and the page the user is looking at is in an iframe, wouldn't following most links in the iframe loaded page just load the new page in the iframe as well. i.e. the frameset page is still in the background running the attack even after the user has moved away from the original URL shorten link.

      To break out of it, the user would have to either type an address in the address bar, or follow a bookmark, or restart the browser.

      --
      These comments are my personal opinions and do not necessarily reflect the opinions of the other voices in my head.
    35. Re:Since its a redirect... by jimicus · · Score: 1

      Absolutely right, and something I've been thinking a bit about lately.

      Even if you succeed in telling people not to click on every silly little advert and run random software that you don't really need, most web browsers these days save them the trouble. It's not stupid, it's downright insanity. You've got an application which - by design - downloads and executes code from random locations with more-or-less zero oversight.

    36. Re:Since its a redirect... by jimicus · · Score: 1

      Not really. It'll help if the weak point is dynamic content being generated by your own app, but if the weak point is anywhere else (eg. your link to the Internet), it'll achieve precisely nothing.

    37. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      Well aren't you just the coolest, most leet person on here today.

      Props to winning today's Kiddie award. Don't redirects any traffics back to meees!

    38. Re:Since its a redirect... by i8degrees · · Score: 1

      In fact, OpenDNS does block this very web site at the DNS level, without bothering to ask the end user beforehand. When I go to d0z.me, I get the following message:

      This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

      If you think this shouldn't be blocked, please email us at contact@opendns.com.

    39. Re:Since its a redirect... by Tim+the+Gecko · · Score: 1

      Simply block doz.me (or all of .me if you wish).

      All of .me, simply block all of .me,

      Can't you see I'm no good without .yu?

    40. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      Chinny reckon...

    41. Re:Since its a redirect... by Anonymous Coward · · Score: 0

      It really is amazing that after all these years, there is no DDOS defense.

      What defense do you expect there to be?

      The Internet has a lot in common with the telephone system, if you have 30 phone lines and 100s of people calling you to complain, how do you ignore the bad DDoS calls and only answer the "legitimate" ones?

      The telephone system has been around longer than the Internet and I've never heard of a defense against a "jammed switchboard" either.

      The meatspace equivalent to a DDOS is the protest rally that blocks access to some area. There's no defense against that either, curfews and police presence only try to "cure" it after the fact and tend to result in rioting and property damage.

      Captcha: fascism.

    42. Re:Since its a redirect... by icebike · · Score: 0

      Building a digital world to replicate a flawed physical world was the first mistake.

      Had DARPA envisioned the basic protocol to be running in anything other than a cooperative environment I imagine much would have been different.

      Neither of your examples of analogous systems is convincing. The inability to visualize beyond your physical world is the first indication you are probably not the best person for the task at hand.

      --
      Sig Battery depleted. Reverting to safe mode.
    43. Re:Since its a redirect... by LiENUS · · Score: 1

      depends, if the weak point is them fetching a large image off your site it'll let you serve up a smaller response alleviating the load on your link.

    44. Re:Since its a redirect... by asmith.atx · · Score: 1

      you could run in the cloud.. seemed to work well for Amazon

  3. Am I doing it right? by Shikaku · · Score: 5, Funny
    1. Re:Am I doing it right? by Shikaku · · Score: 2

      Holy shit, it's working all 4 of my cores just visiting the link. Nice, it has worker threads in it.

    2. Re:Am I doing it right? by FunnyLookinHat · · Score: 1

      And.... that site is down!

    3. Re:Am I doing it right? by Anonymous Coward · · Score: 0

      what website is this DoSing?

    4. Re:Am I doing it right? by Shikaku · · Score: 3, Informative
    5. Re:Am I doing it right? by Anonymous Coward · · Score: 0

      Nope, the IMG url is wrong. It's apparently their fault, though. The site doesn't work:

      Has a superfluous http://

    6. Re:Am I doing it right? by Anonymous Coward · · Score: 0

      This is what we call ... "slashdotting"!

    7. Re:Am I doing it right? by Anonymous Coward · · Score: 1

      Nice to know malware is more capably programmed than almost all else.

    8. Re:Am I doing it right? by cbhacking · · Score: 2

      Not quite. Knowing what the site does, I probably wouldn't click that URL. Try something like http://bit.ly/eaHU1C instead.

      --
      There's no place I could be, since I've found Serenity...
    9. Re:Am I doing it right? by he-sk · · Score: 1

      curl http://bit.ly/eaHU1C

      I see what you did there. Interestingly, the author mentions that bigger url shorteners such as bit.ly offer more trust than your mom-and-pop url shortener. Kinda disproves his point entirely. Also, e.g. on Twitter, if you mouse over a shortened URL it displays the target as a tooltip. (But which Twitter user is patient enough to wait?)

      --
      Free Manning, jail Obama.
    10. Re:Am I doing it right? by perryizgr8 · · Score: 1

      no, it was meant to be used against a website not a user.

      --
      Wealth is the gift that keeps on giving.
    11. Re:Am I doing it right? by cbhacking · · Score: 1

      I didn't know that about Twitter, but... how many levels deep will it nest that? I could easily have run this link through 5 different URL shorteners, and ended up with one that still resulted in a DDoS. Of course, each redirect takes time, but it's still pretty easy to trick somebody.

      --
      There's no place I could be, since I've found Serenity...
  4. Plausible deniability by Anonymous Coward · · Score: 0

    This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault.

    You'd still have to explain why you enabled Javascript.

    1. Re:Plausible deniability by monkyyy · · Score: 0

      most people wouldnt know

      --
      warning pointless sig
    2. Re:Plausible deniability by Anonymous Coward · · Score: 0

      Because 99.9999% of people using javascript by default won't give you plausible deniability?

  5. The joy of being a programmer... by Stregano · · Score: 1

    ...we talk about our techniques for doing all of our fun stuff, and make it a single button click for users. I have not been to the website, but if it has a way so that you can view the source (unless it truly does it all through JS) then that might be interesting just to see. Point it at a site you know can't be taken down from a simple DDoS Web app like Amazon and then view the code of what it is actually doing.

    --
    The world is how you make it
    1. Re:The joy of being a programmer... by Haedrian · · Score: 4, Informative

      You're going to be happy about it.

      "All code used on this site is released under the GPLv3, and is available here. "

      http://spareclockcycles.org/downloads/code/dosme.tar.gz

    2. Re:The joy of being a programmer... by Mad+Merlin · · Score: 3, Insightful

      ...but if it has a way so that you can view the source (unless it truly does it all through JS) then that might be interesting just to see.

      curl http://d0z.me/weFZ

      Basically, they have an img tag pointed at the site with an onload function that just keeps reloading the image with a new cachebuster value. If your browser supports HTML5 Web Workers, it also spawns 4 of those and repeatedly AJAXes requests to the site.

      It's also painfully obvious that the author isn't fluent in Javascript. The obvious clues being the use of new Array() instead of [] or {} and using setTimeout() with implicit eval instead of passing a function. The initial URL in the img tag is also wrong (it has an extra http:/// prepended.) They also set position: absolute; on the img tag, but don't actually position it anywhere, however, the iframe appears to be on top anyways.

    3. Re:The joy of being a programmer... by supernothing · · Score: 5, Interesting

      Thank you for pointing out the extra http:/// issue, it's been fixed in the live version. Bug leftover from an earlier test version.

      The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.

      As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.

      You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks

      --
      "All we have is logic and love on our side."
    4. Re:The joy of being a programmer... by Mad+Merlin · · Score: 1

      As for the Javascript, I like using Array() for readability.

      I'd agree with you there, but the real downfall with new Array() is what happens when you start trying to initialize something other than an empty array. new Array(5, 4) creates a new array of size 2, with elements 5 and 4, but new Array(5) creates an array of size 5 (with undefined values). Needless to say, the headdesk potential is high in this case as the error isn't obvious until you've been bit by it before (and especially so if you happen to replace that 5 with a 1).

  6. Evil? No. by Anonymous Coward · · Score: 0

    DDOS is merely a tool, sending bytes over a data stream. It is not evil in itself, although some may try to use it in the service of good or evil.

  7. Re:Evil? No. by dwarfsoft · · Score: 1

    In fact, there is a legitimate DDoS effect that occurs when a site is linked from Slashdot. The DDoS is not intentional, but the result is the same :)

    --
    Cheers, Chris
  8. HTML5 browsers by PatPending · · Score: 1
    I just got off the phone with AnonOps and he said he won't be able to employ this HTML5 Cross Origin exploit because he's using IE6.

    Ducks and runs.

    --
    What one fool can do, another can. (Ancient Simian Proverb)
    1. Re:HTML5 browsers by Anonymous Coward · · Score: 0

      Oh the irony... hack doesn't work in IE6, because IE6 doesn't support HTML5.
      You're vulnerable only if you use Firefox or Safari or Chrome or IE8.

  9. Oxygen of publicity by carou · · Score: 0, Troll

    And slashdot is advertising this... why, exactly?

    1. Re:Oxygen of publicity by Anonymous Coward · · Score: 0

      Lulz

    2. Re:Oxygen of publicity by Pharmboy · · Score: 2

      Because there are fewer slashdotters than ever, so slashdotting is getting harder to do. We need code to cheat.

      --
      Tequila: It's not just for breakfast anymore!
    3. Re:Oxygen of publicity by gman003 · · Score: 3, Insightful

      Because it's an interesting proof-of-concept that DDoS is no longer bound to botnets, as well as proof-of-concept of DDoSing in Javascript.

    4. Re:Oxygen of publicity by PatPending · · Score: 1

      ...and (furthermore) how social networking sites could be used to spread this URL, in effect creating an ad-hoc botnet.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    5. Re:Oxygen of publicity by Duradin · · Score: 1

      In other words, useful idiots ARE useful.

    6. Re:Oxygen of publicity by drcheap · · Score: 1

      Not really ad hoc, they are just using a different vector to spread the malware. This time it's purely the users' actions instead of relying on exploiting the mistakes of a few programmers.

      And as long as you attach teh cute kitteh or some other such nonsense, it's way easier to convince someone to "join" the botnet willingly than it is to exploit their computer from behind.

      Ask any psychologist, there are way more "exploits" in human brains than even Microsoft can come up with for Windows =)

    7. Re:Oxygen of publicity by Homburg · · Score: 2

      It sounds like an interesting implementation, but I don't know about "proof of concept" - this concept has been in use for years. I remember in the late nineties activists putting together websites using javascript to repeatedly load web pages of political targets in order to DOS them; I think there was one directed at the WTO site, intended to be used as a kind of virtual support for the protests in Seattle in 1999. Of course, I'm not sure how much damage we could actually do with our 56k modems.

    8. Re:Oxygen of publicity by clone52431 · · Score: 1

      it's an interesting proof-of-concept that DDoS is no longer bound to botnets

      No... it’s a proof-of-concept DDoS that is bound to a new type of botnet. This is performed without the user’s knowledge, which is the definition of a botnet: conscripting someone’s PC without their knowledge or consent.

      And we already had DDoS attacks that were not bound to botnets: users voluntarily downloaded and ran the LOIC or various in-browser HTML5 pages exactly like this one, except that they were explicit in their intentions.

      In other words, we already had botnets, and we already had HTML5 DDoS tools: this is only new because we never had something that combined both aspects.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  10. Is it up? by blair1q · · Score: 1

    Just tell me that the DDoS site is slashdotted.

    1. Re:Is it up? by muphin · · Score: 2

      the irony, a DDoS site was DDoS'd by us simple slashdotters

      --
      It's not a typo if you understood the meaning!
    2. Re:Is it up? by PatPending · · Score: 2

      From his "Final Notes" section (last paragraph of TFA):

      Finally, yes, to all you a-holes out there, I know, it would be ironic/funny to dos a site that is demonstrating a dos attack. Please don't. I know you can, and that it would be trivial to do, as this server isn't exactly hardened. Let's just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
    3. Re:Is it up? by clone52431 · · Score: 1

      It’s only a proof-of-concept...

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  11. Easy to check/verify/stop in Safari by gordguide · · Score: 1

    I normally don't go to URL shortener links at all, having long ago seen how easy they are to hide the real URL of suspicious sites. Also, I've been using Safari for years, and although Firefox is installed it's my preferred browser. Normally I have the download window and the activity window active on the right side of my desktop. The Activity window in particular is very handy for monitoring any and all surfing activity.

    Similarly, I have been a long-time user of Little Snitch to monitor and authorize/deauthorize outgoing connections, with the network activity window always showing upon outgoing network activity. I suspected one, or both, of these tools would be useful.

    Little Snitch, as expected, shows the network activity as a fairly constant level of network activity, but since it's an authorized outgoing connection (your web browser, naturally, has to be allowed to make connections to the usual internet ports like 80, etc, or no browsing for you) there isn't much that would really seem unusual. Many requests and deliveries of data are of course visible, but this is relatively normal and probably would not really alert anyone; for example it is similar to what you would see with a streaming server delivering content on a page. It's there, but it's not obvious something nefarious is going on unless you were really paying attention, and there's really no reason to be, since it's a standard browser operation, more or less.

    Safari's Activity window, however, reveals the activity quite obviously. In a few moments using the sample page outlined in the original article, you see a huge amount of requests to the target url. A normal webpage might have up to 100 or even 200 different components, but not a constant stream that gets to 100 in a few seconds, and keeps going. The urls are fairly obvious as well, taking the form of:
    http://www.example.com/?v=1292889926999 ...{continuous stream of ... example/com/?v= [some incremental number]} ...
    http://www.example.com/?v=1292889877790

    The webpage does not fully load, but the stream continues until you close the page { [Command-W] or mouse click on the close button }

    With the Activity Window open you should be able to monitor and react to being an unwitting party to the DDoS.
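The same request pattern can be looked for on the receiving server. This is an added example, not part of the comment above or of the d0z.me project: it scans access-log lines for clients sending a rapid stream of distinct `/?v=<number>` requests. The log format (Apache combined), the thresholds, the IP addresses and the `shortener.example` Referer are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined Log Format: ip - - [time] "METHOD path PROTO" status bytes "referer" ...
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')
BUSTER = re.compile(r"^/\?v=(\d{10,})$")   # the /?v=<long number> shape from the comment
TS = "%d/%b/%Y:%H:%M:%S %z"

def find_flooders(lines, threshold=100, window=timedelta(seconds=10)):
    """Map client IP -> Referers seen, for clients that requested at least
    `threshold` distinct /?v=<number> URLs within `window`."""
    recent = defaultdict(deque)            # ip -> (time, v) pairs still in the window
    referers = defaultdict(set)
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        b = BUSTER.match(m.group(3)) if m else None
        if not b:
            continue                       # unparsable line or an ordinary request
        ip, when = m.group(1), datetime.strptime(m.group(2), TS)
        referers[ip].add(m.group(4))
        q = recent[ip]
        q.append((when, b.group(1)))
        while when - q[0][0] > window:     # drop requests older than the window
            q.popleft()
        # Count distinct values: a changing number is what defeats caching.
        if len({v for _, v in q}) >= threshold:
            flagged[ip] = referers[ip]
    return flagged

def sample_log():
    """Constructed sample: one flooding client and one ordinary visitor."""
    start = datetime(2010, 12, 21, 0, 5, 26, tzinfo=timezone.utc)
    fmt = '{} - - [{}] "GET {} HTTP/1.1" 200 512 "{}" "Mozilla/5.0"'
    out = []
    for i in range(120):                   # 120 requests in 6 seconds
        t = (start + timedelta(milliseconds=50 * i)).strftime(TS)
        out.append(fmt.format("203.0.113.7", t, f"/?v={1292889926000 + 50 * i}",
                              "http://shortener.example/abc"))
    for i, path in enumerate(["/", "/style.css", "/?v=1292889926999"]):
        t = (start + timedelta(seconds=20 * i)).strftime(TS)
        out.append(fmt.format("198.51.100.9", t, path, "-"))
    return out

if __name__ == "__main__":
    for ip, refs in find_flooders(sample_log()).items():
        print(ip, sorted(refs))
```

The Referers collected for a flagged client show which page is driving the requests, which is what a blocking rule would then key on.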

  12. Clearly the first fun thing to try... by Anonymous Coward · · Score: 1

    ... is a d0z.me link that points to & targets d0z.me!

    http://d0z.me/7iWC

    1. Re:Clearly the first fun thing to try... by mug+funky · · Score: 1

      time paradox.

    2. Re:Clearly the first fun thing to try... by PatPending · · Score: 1

      Here, read this--he's clearly referring to you.

      --
      What one fool can do, another can. (Ancient Simian Proverb)
  13. This was implemented 5 years ago. by Anonymous Coward · · Score: 0

    See

    http://en.wikipedia.org/wiki/Lad_Vampire

    1. Re:This was implemented 5 years ago. by clone52431 · · Score: 1

      The difference is that this poses as a legitimate URL-shortener so that the people whose computers are attacking the target don’t even realise they’re participating in it.

      --
      Distributed Denial of APK: It takes 15 seconds to reply to him anonymously, but wastes tons of his time if we all do it.
  14. WTF? by galvanash · · Score: 1

    affords willing participants plausible deniability in the assault.

    Seriously? There are actually enough people that willingly want to do this kind of thing that it deserves a post on slashdot?

    Please, if you care about the internet at all don't be coerced into doing this kind of thing - it is the digital equivalent of pissing in the pool...

    --
    - sigs are stupid
    1. Re:WTF? by asticia · · Score: 1

      OTOH I am glad /. informed about this, at least I know which shortcut URL to avoid and installing noscript in browser was useful. Because this says willing participants - but you never know how many will be unwillingly ddosing from some other sites using this technique.

      --
      There is no light without darkness.
  15. Interesting by shiftless · · Score: 3, Insightful

    Interesting proof of concept. How long until someone hacks into a major site, cnn.com, nytimes, etc, and sneaks this code in there? With a little obfuscation it could be buried and hidden pretty easily in the mounds of Javascript most sites are running these days, and be set to activate only when and where the hacker chooses. How long would it take before someone finally figured out what's causing the target to get massively DDoS'ed? Especially if the attacks are staggered, not made to run constantly, and multiple sites are involved at different random times? Virus scan each of the computers involved, and you turn up nothing! No worms or trojans found. Very clever!

    1. Re:Interesting by Anonymous Coward · · Score: 0

      In that case, why not just do a drive by download, add the computers to a botnet and perform a traditional DDoS attack. I guess the advantage would be that it only requires JS not a vulnerability to the browser/OS/Flash, but a botnet would be more effective in the long run for someone savvy enough to pull off this type of attack in the first place.

    2. Re:Interesting by Inda · · Score: 1

      I used to visit an anti-spam website. It would load all the images of an offending site over and over and over.

      This type of DDOS is not new.

      --
      This post contains benzene, nitrosamines, formaldehyde and hydrogen cyanide.
    3. Re:Interesting by Anonymous Coward · · Score: 0

      quite funny
      www.partinchina.com

  16. Something similar from the past by Anonymous Coward · · Score: 0

    I remember seeing a similar trick in the past but the user's CPU time was used rather than their bandwidth (distributed computing through the browser).

    Basically the javascript on the page would fetch work units off a central server and feedback the results in the background while the user was viewing the site.

    Combining the URL forwarder + distributed computing element would be a good way to use this for good instead of eeeeevil (unless you use it to crack passwords!) especially with the amount of spare CPU cycles desktops have.

  17. OpenDNS blocked it... by alexpalmer · · Score: 1

    OpenDNS blocked it as malware because someone here decided to report it... Looks like I'm getting rid of OpenDNS

    1. Re:OpenDNS blocked it... by blacklint · · Score: 1

      The full text of the block message, for those of you not on a network using OpenDNS:

      "This site was blocked by OpenDNS in response to either the Conficker virus, the Microsoft IE zero-day vulnerability, or some equally serious vulnerability.

      If you think this shouldn't be blocked, please email us at contact@opendns.com."

    2. Re:OpenDNS blocked it... by supernothing · · Score: 1

      I'm not sure if I should be flattered or worried that my PoC got lumped in with Conficker and IE 0-days...

      --
      "All we have is logic and love on our side."
    3. Re:OpenDNS blocked it... by alexpalmer · · Score: 1

      I wouldn't be worried. Someone here posted in their forums and they added it to the list. Check it out here forums.opendns.com/comments.php?DiscussionID=8381. It's a pretty cool concept. Like someone else here said, imagine a hacker hiding it in the code of The New York Times or some other big site. It could do some serious damage.

  18. this is not NEW by chronoss2010 · · Score: 0

    in fact I showed something almost exactly like that to a friend TEN YEARS AGO. WHO'S the twerp stealing my ideas I'll show him my upgrade.... j/k

    1. Re:this is not NEW by supernothing · · Score: 1

      The concept of web-based DDoS is not new. Attacks based on refreshing images and scripts have been around for a good while. The use of HTML5 cross-origin requests to perform these attacks at much higher rates, combined with URL shortening obfuscation, is, afaik, a new concept. That is not to say that others hadn't thought of it, but I certainly haven't seen it implemented anywhere.

      But yeah, if you did indeed have this idea 10 years ago, before HTML5 was even conceived, I commend you. That kind of foresight is rare.

      --
      "All we have is logic and love on our side."
  19. Time for more browser level help here by slashkitty · · Score: 1

    IFRAME and IMG SRC and similar spam like this could and should be easily preventable. Browsers however don't normally pass information on the nature of the request. That is, it could tell the server it's coming from a click, a javascript, an iframe, an img src or whatever. Sites should be able to refuse incoming requests that are from an iframe. A simple HTTP header with the type of request would help greatly. It wasn't created as a method of attack, but it's used that way.

    --
    -- these are only opinions and they might not be mine.
  20. Finally... by dargaud · · Score: 1

    ...Finally we are now able to slashdot slashdot...

    --
    Non-Linux Penguins ?
  21. partinchina by Anonymous Coward · · Score: 0

    http://www.partinchina.com

  22. Re:Evil? No. by insertwackynamehere · · Score: 1

    Distributed denial of service is a TOOL people
    it's NOT inherently "bad"

  23. Web of Trust Warning by AP31R0N · · Score: 1

    The FF plugin Web of Trust warns that this shortener site is dangerous.

    --
    Utilizing the synergization of benchmark e-solutions to pre-workaround action items!
  24. Made my day by Anonymous Coward · · Score: 0

    Hopefully this will teach people to stop "shortening" URLs. Once you use one of these proxies you lose all control over where your links point to and who tracks the clicks. And it makes you look like a spammer or worse.

  25. it's almost too easy... by yet-another-lobbyist · · Score: 1

    ... why hasn't anyone figured this out before? Is it too easy and too obvious to be true?

  26. ZOMG!! TROJAN FIX!!! by Motard · · Score: 2

    So this bit in .htaccess should suffice to alleviate the DDoS attack?

    RewriteEngine on
    RewriteCond %{HTTP_REFERER} d0z\.me [NC]
    RewriteRule .* - [F]

    It says "\. me"
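The posted `RewriteCond` pattern is unanchored, so it matches `d0z.me` anywhere in the Referer string, including the path or query of an unrelated site. As an added example (not the commenter's code), the sketch below compares that behaviour with a check anchored to the Referer's host; the `Origin` check and all sample URLs except the d0z.me link quoted in this thread are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

BLOCKED = "d0z.me"                                    # domain named in the posted rule
POSTED_RULE = re.compile(r"d0z\.me", re.IGNORECASE)   # same pattern, [NC] flag

def rule_as_posted(referer):
    """What the posted RewriteCond does: match anywhere in the Referer."""
    return bool(POSTED_RULE.search(referer or ""))

def host_is_blocked(url):
    """True only when the URL's host is the blocked domain or a subdomain."""
    host = (urlsplit(url or "").hostname or "").rstrip(".")
    return host == BLOCKED or host.endswith("." + BLOCKED)

def should_refuse(headers):
    """Host-anchored variant. Checking Origin as well is an addition made
    here: browsers send it on cross-origin XMLHttpRequest."""
    return (host_is_blocked(headers.get("Referer"))
            or host_is_blocked(headers.get("Origin")))

# Constructed Referer values, apart from the first, which is quoted in the thread.
SAMPLES = [
    "http://d0z.me/7iWC",                        # the shortener itself
    "http://news.example/story?about=d0z.me",    # article that mentions the name
    "http://d0z.media.example/",                 # unrelated host with the same prefix
]

def compare():
    """Return (referer, posted_rule_blocks, host_check_blocks) per sample."""
    return [(r, rule_as_posted(r), should_refuse({"Referer": r})) for r in SAMPLES]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

Either check only works when the browser sends the header, and the server still has to accept each connection in order to refuse it.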

  27. hate to bring it but by chronoss2010 · · Score: 0

    look up iframes and DHTML, seriously it's real real old crap: use meta refresh to reload the iframe and make it a pixel in size with a url wooooooooo