North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Here we go again

  • From: Marc Slemko
  • Date: Fri Mar 10 18:52:37 2000

On Fri, 10 Mar 2000, Eric A. Hall wrote:

> > Tailor your output, too many requests for same page from same address
> > gets a larger proportion of adverts on the page.
> Or generate redirects back to the original site. heheh

Except that there need not be any original site.  You can send it out via
email, etc. just fine.  And even if there is an original site, that
doesn't mean that you know where to find it.

In fact, you could spam random users with a message that, if their mail
program interprets javascript (and, in a horribly stupid move, many do by
default), would automatically do this sort of thing.  Even better, they
could make a maze of javascript that makes it very hard for the user to
get rid of the windows doing it and makes it easier for the user to just
ignore them and keep reading their mail, while the windows in the
background go on making their requests.

That isn't what this attempt appears to be suggesting though.  It is
simply saying that, if users support a cause, they can willingly become
part of a denial of service attack.  I would suggest that each user that
decided to do so could potentially be breaking the law in many localities.  
And they are easy to track.  You could do the same sort of thing by
telling users to run a program that ping floods a site.

Nothing that novel, this is obviously more of a PR stunt than anything;
even if they don't actually succeed in having any impact on any site, they
get media attention by saying they will.  Doesn't matter much either way
to them.

You also can pick and choose what pages you target in the attack.  There
are very large sites that can only sustain a very few hits per second on
certain pages that perform expensive operations.

A possible defense is to note such patterns in the logs and, after the
first few minutes of a client doing this, simply temporarily block it.  
Even blocking it in the webserver is fine, since the requests are pretty
small and many sites can handle lots of such cheap requests without much

ObSlightlyMoreOnTopic: Ever wonder why Navigator (especially on Unix)
hangs for 15 or 20 seconds on startup every once in a while?  That's
because's DNS setup is broken, and Navigator always tries to
resolve on startup. is listed as a
nameserver, yet attempts to do DNS lookups against it timeout.  So if your
DNS server happens to try using that one... it will have to sit around
then time out.  You would think a company like Netscape would know better,
or that they would care enough to fix it when notified (they didn't).  I
marked it as a bogus server in my BIND config, but it pretty silly to have
to do that.  And since has a 0 second TTL... it isn't
cached.  Well, there is more ugliness; it has a 0 second TTL on some of
their nameservers, but others look broken and give different data.  And
they have both CNAME and NS records for  Geesh.