Chrome Feature Helps Shield Websites From DDoS Attacks
An anonymous reader writes "Google has an interesting idea on how to take the edge off denial of service attacks. The latest developer builds of Chrome 12 have an option called 'http throttling,' which will simply deny a user access to a website once the browser has received error messages from the URL. Chrome will react with a 'back-off interval' that will increase the time between requests to the website. If there are enough Chrome requests flooding a website under attack, this could give webmasters some room to recover from a nasty DDoS attack."
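An added sketch of the back-off behaviour the summary describes, for readers who want to see how per-URL throttling limits a reload loop. It is not Chrome's code: the 1-second base interval, the 60-second cap, treating only 5xx responses as errors, and the loopback exemption are all assumptions made for the illustration.

```javascript
// Added illustration of client-side HTTP throttling with exponential back-off.
// All constants below are assumptions, not values taken from Chrome.
const BASE_MS = 1000;      // assumed first back-off interval
const MAX_MS = 60_000;     // assumed upper bound on the interval
const EXEMPT_HOSTS = new Set(["localhost", "127.0.0.1"]); // assumed dev exemption

class BackoffThrottle {
  constructor() { this.entries = new Map(); } // url -> { failures, releaseAt }

  // Milliseconds the caller must still wait; 0 means the request may be sent.
  waitFor(url, now) {
    const e = this.entries.get(url);
    return e ? Math.max(0, e.releaseAt - now) : 0;
  }

  // Record the status of a request that was actually sent; returns the new back-off.
  record(url, status, now) {
    if (EXEMPT_HOSTS.has(new URL(url).hostname)) return 0;
    if (status < 500) { this.entries.delete(url); return 0; } // success clears state
    const failures = (this.entries.get(url)?.failures ?? 0) + 1;
    const delay = Math.min(MAX_MS, BASE_MS * 2 ** (failures - 1));
    this.entries.set(url, { failures, releaseAt: now + delay });
    return delay;
  }
}

// Simulate a user (or script) retrying once per tick; statuses[i] is what the
// server would answer at tick i. Returns one log entry per attempt.
function simulate(url, statuses, stepMs = 1000) {
  const throttle = new BackoffThrottle();
  const log = [];
  let now = 0;
  for (const status of statuses) {
    const wait = throttle.waitFor(url, now);
    if (wait > 0) log.push({ now, sent: false, wait });
    else log.push({ now, sent: true, backoff: throttle.record(url, status, now) });
    now += stepMs;
  }
  return log;
}

// Constructed sample: eight reloads, one per second, against a failing server.
const demo = simulate("https://example.test/", Array(8).fill(503));
console.log(demo.filter((e) => e.sent).length, "of", demo.length, "requests sent");
```

With a server that keeps returning 503, only the attempts at 0 s, 1 s, 3 s and 7 s leave the client; the rest are suppressed locally.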
This is just to prevent ACCIDENTAL DoSing. You can turn it off with a command line switch, or simply use another browser or a dedicated DoSing tool.
Since dedicated DDoS programs like LOIC are readily available, nobody performs actual DDoS attacks with a browser. Hell, ping floods are more effective than a bunch of people pressing refresh too often.
Now, this might reduce the Slashdot Effect, but not a DDoS.
Finally, some positive news about Google. Let's see how they muck it up now.
"No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin
Distributed means from many sources. Attacks of this nature will not be affected by Chrome's mechanism. Chrome's feature will only prevent repeated requests from the same user. DOS attacks are blunted, not DDOS.
How does this stop DDoS attacks? I don't really know of any DDoS attacks where the attackers use a fucking browser for their attack, and if that is ever the case, I would imagine those (really half assed) DDoSers will simply choose to use a browser that does not throttle them. Where this could be useful is for a site that got slashdotted or something similar, but only to a very limited degree, since the problem there is the thousands of different users not thousands of requests coming per user. Really would only stop the impatient people who just click the same damn link over and over waiting for it to load.
When using Chrome for web development, having the browser throttle your refreshes gets very annoying very quickly. Being able to whitelist certain domains, like localhost, would be great.
Do botnets even use browser attacks anymore? I was under the impression that most of these attacks were done with direct PING requests.
On an unrelated note, I must remember to buy a replacement for my worn-out F5 key.
Just wow... What about people with bad, high-latency connections that randomly time out? Yes, those things still exist in this day and age, Google, and they're actually still rather common; even YOUR pages time out sometimes.
I have an interesting way to stop muggers. I just don't mug anyone.
Wait...
... Chrome promises to throw less stones?
I personally hate this 'feature'. I don't understand what it defends against, because someone hitting refresh a few times in a browser is hardly a serious DoS attack. And it got in the way of me (and many others) the first time they rolled it out because the "DoS" it was defending against was me hitting my local test webserver which was returning a 500 because the page code was broken.
This is going to make it that much harder to get a bag of crap off of woot.
Now I have to re-write my malware to use some other browser that may or may not be installed on the machine like Firefox.
Google is evil now, they sold their souls to Adobe and their slimy flash plug-in and advertisers who force you to watch intrusive flash ads just so you can watch your keyboard cat videos or play farming "games". I have been flash free for nine months since getting my iPad and I don't use flash on my PC either.
Google will DDoS your wallet, and laugh all the way to the bank.
What if we DDOS the Russian Goatse copy that the recent crew of trolls is using? Maybe those links will start showing Unavailable instead?
(Question for the Philosophy majors - what are the ethics of hacking a troll?)
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
What the hell? When Anonymous fires the low-orbit ion cannon, it comes down hard on evildoers. Why the fuck is Google on the other side of the fence now? I thought their motto is "don't be evil"? Why isn't Google offering LOIC as a feature in Chrome?
Shutting down free speech with violence isn't fighting fascism. It IS fascism!
If you're to a point where the server's spitting out errors, you've already lost the battle.
That being said, during an actual DoS attack, the server doesn't respond, hence Denial of Service.
I'll stick to furiously hitting F5 in Firefox...
Remind me not to use Chrome when camping Blizzard for Blizzcon tickets.
... the Iranian military is upset with Google for possibly affecting their protester jamming systems which run Chrome OS. They have called it a "Zionist plot against Islam."
I8-D
This will only make it more difficult to get my Bandoleer of Carrots!
My sausage tree didn't grow, does that make me a bad mommy?
I don't know about the ethics, but I do know I'm not going to repeatedly click 'reload' on goatse...
You don't use Chrome for a DDoS attack.
It's hard to see this being much of an impact, even for stressed sites with a lot of Chrome users; people don't usually sit there mashing the refresh button when their page won't load. Most folk will actually implement their own "back-off" feature. Sure, there are outliers, but this is a game of big numbers and average statistics.
Where this can help is with automated page loading. Your saved session has twenty tabs with pages from a single site? That's all loaded at once, in parallel in the browsers I know about. I imagine it can be a considerable load in some cases.
Those people who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
This common sense idea brought to you by someone who runs a popular website and builds a browser.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
...to force everyone to use a CR-48? (insert holy war here)
And it's not a feature, it's a bug. It's been in Chrome for a while now, suddenly popped up overnight, and made life more complex to all developers. Do you have any idea of how hard it is to test a webapp if you can only get an error message once?
It's a real piece of shit. I found a way to disable it, but it still pisses me off that Google suddenly decided to implement such a stupid feature overnight, without warning, and without informing users of a way to disable it.
This kind of protection should be implemented server-side. Relying in any way on the client is just braindead.
WTF am I doing replying to an AC at 5 A.M on a Friday night?
If I remember in IE4 hitting refresh three or four times rapidly caused the browser to automatically stop. Microsoft was so ahead of Google on this one.
You're just an AC, so you might not see this, but I'm working on some really wild counter-troll concepts. My original post meant a LOIC style event though.
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
OK. This "feature" has already existed for quite some time. What's been added to Chrome is an option to alter/turn it off.
The fact that it wasn't optional until now was a thorn in the side of many web developers, myself included, as illustrated by the bug report here http://code.google.com/p/chromium/issues/detail?id=66062
Yet another misleading /. summary.
Why was my post down-moderated? I'd like to see a technical fault (computing-wise) that I must have made in my post, for you to justify down-modding my post...
APK
P.S.=> Now, lastly: Do I expect the coward who did it to actually APPEAR, & more importantly, technically justify his downward moderation on computing-based technical grounds? No - they NEVER do! These "heroes" just "hit & run downmod" because apparently, that's the "best they've got"... cowards! apk
Now I will NEVER be able to get my bag of crap from woot using Chrome. Thanks for ensuring that... hah.