Bugtraq mailing list archives

New DDoS?


From: nealk <nealk () verinet com>
Date: Tue, 9 Jan 2001 08:07:37 -0800

I think I have stumbled across a new category of distributed denial
of service (DDoS).  (If this is old news, I'm sure I'll be corrected;
it's new to me.)

Traditional DDoS have the following flow:
  - A host (or few hosts) controls a large number of clients.
  - The clients are directed by the host to attack a single site/server.
    The attack can either be network or service oriented.


Alternate (New) DDoS model:
  - Server 'A' directly prevents all clients from accessing server 'B'.


Here's an example of how it could work:
I recently posted about a Flash plugin risk that can crash or hang a browser.

Let's say that someone placed a corrupt Flash (SWF) file on a web server.
All clients that access the web server and that view the Flash file
(about 90% of all browsers can, so this is a good assumption) will
have their browsers crash or hang.

This is a DoS against the site, but it attacks the clients rather than
the server.

Now, let's take it one step further.
Doubleclick, adtegrity.spinbox.net, and Akamai are linked by most
large web sites.  (Amazon, eBay, AltaVista, etc.)
I have observed these sites returning banner ads written as jpeg,
gif, and SWF.
Let's say that one of the SWF files is corrupted.
The single ad site can effectively deny all client access to the host
site by crashing/hanging all client browsers.

Server 'A' (the ad site) can directly prevent all clients from
accessing server 'B' (the host web site).

What's worse:  This is more difficult to identify since local testing
on the local server may not identify why the clients are crashing.
The local server does not know what information was sent to the clients
by the ad sites.

In this example, I used ad sites and SWF files.  It can be done with
any third-party site (remember all the Web Bugs discussions?).
Although SWF can do it today, I'm sure there will be more technologies
that can do it tomorrow.


Question: How can sites protect themselves from this?
(I mean: Aside from the obvious, "don't link to ad sites.")


Finally, I'm sure there are some script kiddies just dying to be "the
first one to pull this off".  Please don't.  Accidents happen all by
themselves and it's only a matter of time before this is seen in the
wild and by accident.  Why bother implementing something this trivial?


Thoughts?

                                        -Neal
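
The post observes that the host site does not know what third-party servers send to its visitors. The following is an added example, not part of the original post: a sketch of how a site operator could inventory third-party embeds in its own pages and flag the plugin-handled ones. The hostnames and the sample page are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags that make the browser fetch and render content, and their URL attribute.
EMBED_ATTRS = {"img": "src", "script": "src", "iframe": "src",
               "embed": "src", "object": "data"}
# Extensions handled by a plugin rather than the browser's own decoders.
PLUGIN_EXTS = (".swf",)

class ThirdPartyAudit(HTMLParser):
    """Collect resources a page pulls from hosts other than its own."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings = []  # (host, tag, url, plugin_handled)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = attrs.get(EMBED_ATTRS.get(tag, ""))
        # Old-style Flash markup: <object><param name="movie" value="..."></object>
        if tag == "param" and (attrs.get("name") or "").lower() == "movie":
            url = attrs.get("value")
        if not url:
            return
        full = urljoin(self.page_url, url)
        host = urlparse(full).hostname
        if host and host != self.page_host:
            plugin = urlparse(full).path.lower().endswith(PLUGIN_EXTS)
            self.findings.append((host, tag, full, plugin))

def audit(page_url, html):
    """Return the third-party resources referenced by one page."""
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; hostnames are placeholders, not taken from the post.
SAMPLE = """<html><body>
<img src="/logo.gif">
<img src="http://ads.example.net/banner.gif">
<object><param name="movie" value="http://ads.example.net/promo.swf"></object>
<embed src="http://cdn.example.org/intro.SWF?id=7">
</body></html>"""

if __name__ == "__main__":
    for host, tag, url, plugin in audit("http://www.example.com/", SAMPLE):
        print(("PLUGIN " if plugin else "       ") + host, tag, url)
```

This only sees references present in the served HTML; content that a third-party script injects at load time would need the same check run against the rendered page.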

