Re: New DDoS?

[Szilveszter Adam <sziszi () PETRA HOS U-SZEGED HU>]

Hello and Happy New Year everybody,

On Tue, Jan 09, 2001 at 08:07:37AM -0800, nealk wrote:
> Traditional DDoS have the follow flow:
>   - A host (or few hosts) controls a large number of clients.
>   - The clients are directed by the host to attack a single site/server.
>     The attack can either be network or service oriented.
>
>
> Alternate (New) DDoS model:
>   - Server 'A' directly prevents all clients from accessing server 'B'.

Well, I do not think that this qualifies as a DoS. Denial of Service is
when the site denies service to the clients contacting it. Here, the
clients are attacked, but similar attacks have been around for a long time.
I think of eg DNS poisoning, which will prevent users from accessing the
site they want (although they get something else) or a whole class of
Man-in-the-middle-Attacks. Yet, these all count as themselves and not as
DoS when making categories. But this may well be an unimportant semantics
thing. (On a very important side-note, although users will not get to the
service, this kind of attack does not incur huge load on the server and the
network nodes and does not cause marginal conditions, much less will it be
able to bring down a server. So you can react to it can be a much more relaxed
manner, and also at least the perpetrators are not endangering the
whole Internet infrastructure with their deeds, but rather just one
particular service. This, of course may be no cause for joy to the service
concerned, but as soon as you discover what's wrong, you can take quick
decisive action and restore access to the service *without any performance
loss* visible to the customer. There is no rate-limiting problem, no
slowdown, nothing. So the danger is a lot more benign.)

> Here's an example of how it could work:
> I recently posted about a Flash plugin risk that can crash or hang a browser.
>
> Let's say that someone placed a corrupt Flash (SWF) file on a web server.
> All clients that access the web server and that view the Flash file
> (about 90% of all browsers can, so this is a good assumption) will
> have their browsers crash or hang.
>
> This is a DoS against the site, but it attacks the clients rather than
> the server.

Yes, but this not new in the sense that if you can place a corrupt SWF file
there, you can place any other "bad" content as well. Exploiting scripting
bugs, eg. Also, a DoS is IMHO more sweeping in definition. If a site is
DoS-ed than you cannot get at it, period. While here merely not having  or
disabling the
offending plugin already gives you access. If this were a DoS, then some
leading portal and other high-profile sites continually are DoS-ing their
users with eg scripts that only work on IE but may crash Netscape. (At one
time microsoft.com came into such suspicion because a certain page took
almost forever to download and render with Netscape on non-windows
platforms and some users experienced browser hang or crash. However, upon
more testing it was found that the page took longest to display on Win98
and I think IE4. Whoo-whoo:-)

> Now, let's take it one step further.
> Doubleclick, adtegrity.spinbox.net, and Akamai are linked by most
> large web sites.  (Amazon, eBay, AltaVista, etc.)
> I have observed these sites returning banner ads written as jpeg,
> gif, and SWF.
> Let's say that one of the SWF files is corrupted.
> The single ad site can effectively deny all client access to the host
> site by crashing/hanging all client browsers.
>
> Server 'A' (the ad site) can directly prevent all clients from
> accessing server 'B' (the host web site).

Well, this is possible but again, as soon as you disable ads, you get in.
This remains an issue however, but should be named differently. How about
access blockage? Also, scripting "tricks" can be used similarly. Easy
verification in all cases: try a text browser. If you get in, it is access
blockage. (quickly coined abbreviation: AB)

> What's worse:  This is more difficult to identify since local testing
> on the local server may not identify why the clients are crashing.

Well, if local testing involves loading the page with one of the leading
browsers, then it almost surely will:-) Eg with an ad it has to target your
site specifically (and display with every new download) or else it may not
be noticeable.

> Question: How can sites protect themselves from this?
> (I mean: Aside from the obvious, "don't link to ad sites.")

It is equally tricky IMHO than it would be with a real DoS. Just as with a
DoS you can only act on a case-by-case basis and general rules are hard to
make, here it helps only if you react on a case-by-case basis. After all,
we are talking circumstances outside of your control here.

But you are right, considering that most people use one of the leading
browsers and have all sorts of interesting plugins and have no notion of to
handle them (eg how to disable them) this will become a problem just as
viruses have with the advent of all-singing-all-dancing,
totally-transparent-to-the-user mail clients.

Just my HUF 0.02...

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary