Sunday, March 20, 2011

DDoS Attacks Possible via URL Shortener

infosecisland.com | Dec 22nd 2010

Security "enthusiast" and computer science major at the University of Tulsa, Ben Schmidt, has introduced a URL shortening service that allows users to participate in distributed denial of service (DDoS) attacks without the need to download a software application.

Schmidt was inspired by the recent DDoS attacks carried out by members of Anonymous with their Low Orbit Ion Cannon (LOIC) tool.

The JavaScript-based LOIC tool lets users join in the DDoS attack shenanigans simply by visiting a web page, which then continuously sends HTTP requests to the targeted server by modifying an image tag's attributes.

Schmidt states that the purpose of the tool is to provide a proof of concept demonstrating the unrecognized vulnerabilities inherent in using URL shortening services.

The D0z.me shortener does not seek to trick users into participating in a DDoS attack, as the destination link and target URL need to be specified.

The purpose of the exercise is to draw attention to the fact that the use of URL shorteners could be exploited to engage users in DDoS attacks without their knowledge.

"My implementation of this attack is, at best, a hack job, but was merely meant to illustrate how easy it is to actually implement, how simple it is to launch a DDoS simply by getting people to follow a link, and how seriously our reliance on URL shorteners can affect security."

Meanwhile, developers associated with Anonymous, the international pro-piracy and pro-WikiLeaks association of hacktivists, are said to be working to correct deficiencies in the LOIC software used in recent DDoS campaigns that interfered with the website operation of several businesses, including MasterCard, Visa, and PostFinance bank.

Source:  http://news.softpedia.com/news/New-URL-Shortener-Hijacks-Browsers-for-DDoS-173982.shtml

Original Page: https://www.infosecisland.com/blogview/10442-DDoS-Attacks-Possible-via-URL-Shortener.html

Posted via email from Whistleblower