North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Here we go again

  • From: Eric A. Hall
  • Date: Fri Mar 10 17:26:06 2000

> What to we need to do to nip this one in the bud

It's just HTML/JavaScript code, loaded by browsers around the world
nearly simultaneously. The plan essentially revolves around a few
thousand users hitting "reload" at the same time, and repeatedly.

Protecting the targets will be hard. Maybe the attackers will have a
[mostly] common referer: header that you can filter against or something
similar, but whatever you do it'll have to be pretty high-level. A
high-end cache might work to keep the servers from getting overloaded
although it wouldn't help with a bandwidth crunch.

Filtering the senders would be a better long-term cure. Setting up
mechanisms that detect a high-volume of out-bound requests to a single
object would be a good way to determine if any of your customers are
involved in the attack. It's unlikely that everybody will do this though
so it's probably not an effective prevention tool.

Lawsuits, criminal procedures and other forms of spectacular example
will be the best long-term deterrant.

An example of the HTML/JavaScript from their site:

  <HTML><HEAD><TITLE>Basic, standalone denial of service
	tool</TITLE></HEAD>

  <FRAMESET COLS="50%,50%" FRAMESPACING=0 BORDER=3
	ONLOAD="setTimeout('self.location.reload(true)',4000);">

	<FRAME SRC="http://www.target1.com"; NAME="site1" NORESIZE
	SCROLLING="no">

	<FRAME SRC="http://www.target2.com"; NAME="site2" NORESIZE
	SCROLLING="no">

  </FRAMESET></HTML>

More at http://www.gn.apc.org/pmhp/ehippies/files/op1.htm

-- 
Eric A. Hall                                            [email protected]
+1-650-685-0557                                    http://www.ehsco.com