Comment Re:this is not NEW (Score 1) 116

The concept of web-based DDoS is not new. Attacks based on refreshing images and scripts have been around for a good while. The use of HTML5 cross-origin requests to perform these attacks at much higher rates, combined with URL shortening obfuscation, is, afaik, a new concept. That is not to say that others hadn't thought of it, but I certainly haven't seen it implemented anywhere.

But yeah, if you did indeed have this idea 10 years ago, before HTML5 was even conceived, I commend you. That kind of foresight is rare.

Comment Re:The joy of being a programmer... (Score 5, Interesting) 116

Thank you for pointing out the extra http:/// issue, it's been fixed in the live version. Bug leftover from an earlier test version.

The image tag display:block and position:absolute was to fix a bug I was seeing in one of the browsers (don't remember which) that pushed the iframe down slightly. I know the display:block was necessary, don't remember about the position:absolute. That might be a holdover from some other stuff I was messing with.

As for the Javascript, I like using Array() for readability. With the setTimeout, yeah, that was incompetence.

You are indeed correct, I am by no means a Javascript expert, and never claimed to be. I actually mention in the post that web development is not my strong suit, and what few skills I have are outdated. I got the idea for the attack after reading an interesting post by Attack and Defense Labs, and just wanted to hack something together in an hour or two to see if a.) I could reproduce their results and b.) my twist on it was a feasible idea. It seems so far that it was. But yeah, any suggestions you have are definitely welcome. Always love getting input from those smarter than me. Thanks
Security

D0z.me — the Evil URL Shortener 116

supernothing writes "DDoS attacks seem to be in vogue today, especially considering the skirmishes over WikiLeaks in the past few weeks. The size of DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they are willing or unwilling. A new approach has been emerging recently, however, which uses some simple JavaScript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iFrame, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault."
Security

Submission + - d0z.me: The Evil URL Shortener (spareclockcycles.org)

supernothing writes: DDoS attacks seem to be in vogue today, especially considering the skirmishes over Wikileaks in the past few weeks. The size of DDoS attacks, however, has historically been limited by how many computers one has managed to recruit into a botnet. These botnets almost universally require code to be executed on the participants' local systems, whether they be willing or unwilling. A new approach has been emerging recently, however, which uses some simple Javascript to achieve similar ends. d0z.me is a new service that utilizes these techniques, but provides a unique twist on the idea. Posing as a legitimate URL shortening service, it serves users the requested pages in an iframe, while simultaneously participating in a DDoS attack in the background. No interaction is required beyond clicking the link and staying on the page. This makes it relatively trivial to quickly mount large-scale DDoS attacks, and affords willing participants plausible deniability in the assault. Full writeup here.
Security

Clickjacking Worm Exploits Facebook "Like" Feature 124

An anonymous reader writes "For the last 24 hours, a series of attacks have exploited Facebook's 'Like' feature through a clickjacking vulnerability. Using subjects such as 'This Girl Has An Interesting Way Of Eating A Banana, Check It Out!' hackers have spread an attack that links to web pages that use invisible iFrames to trick users into saying they like the content. Users are presented with an innocent-seeming web page that says 'Click here to continue,' but clicking at any point on the page publishes the same message to their own Facebook page. Security blogger Graham Cluley says that hundreds of thousands of Facebook users have been hit, and offers advice on how to clean up affected Facebook profiles."
The Courts

Swedish Court Rules ISP Must Reveal OpenBitTorrent Operator's Identity 230

2phar writes "An ISP must hand over the identity of the operator behind OpenBitTorrent, a court in Sweden ruled [Wednesday]. The ISP must now reveal the identity of its customer, operator of probably the world's largest torrent tracker, to Hollywood movie companies or face a hefty fine. 'OpenBitTorrent is used for file sharing, and we suspect that it is the Pirate Bay tracker with a new name. It is added by default on all of the torrent tracker files on Pirate Bay,' Hollywood lawyer Monique Wadsted said in an earlier comment. The ruling covers the customer behind the IP addresses 188.126.64.2 and 188.126.64.3 and/or any other IP addresses in Portlane's entire range (188.126.64.0 – 188.126.95.255) which have been allocated to tracker.openbittorrent.com since August 28, 2009."
Security

Submission + - Google Releases a Tutorial for Hackers 1

Hugh Pickens writes: "'Learn how hackers find security vulnerabilities and exploit web applications!' So begins the tutorial, as the San Francisco Chronicle reports that Google has released Jarlsberg, a 'small, cheesy' web application specifically designed to be full of bugs and security flaws as a security tutorial for coders, and encourages programmers to try their hands at exploiting weaknesses in Jarlsberg as a way of teaching them how to avoid similar vulnerabilities in their own code. Jarlsberg has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The codelab is organized by types of vulnerabilities. In black-box hacking, users try to find security bugs by experimenting with the application and manipulating input fields and URL parameters, trying to cause application errors, and looking at the HTTP requests and responses to guess server behavior, while in white-box hacking, users have access to the source code and can use automated or manual analysis to identify bugs. The tutorial notes that accessing or attacking a computer system without authorization is illegal in many jurisdictions, but while doing this codelab, users are specifically granted authorization to attack the Jarlsberg application as directed."
Censorship

ACTA Treaty Released 205

roju writes "The full text of the Anti-Counterfeiting Trade Agreement (ACTA) was released today. It differs from the earlier leaks in that the negotiating stance of each country has been scrubbed. Preliminary analysis is up at Ars, which warns that 'Several sections of the ACTA draft show that rightsholders can obtain an injunction just by showing that infringement is "imminent," even if it hasn't happened yet.'"
Australia

Man-Made Atomic Clocks the Best In the Universe 267

An anonymous reader writes "The widespread belief by astrophysicists that pulsars and white dwarfs are the best clocks in the universe is wrong, say two Australian physicists. John Hartnett and Andre Luiten from the University of Western Australia have recently shown that man-made terrestrial atomic clocks take the crown, contrary to numerous claims in astrophysical literature that the natural timing provided by pulsars and white dwarfs is the most precise. The preprint of their paper, available on the arXiv, shows that terrestrial clocks exceed the accuracy and stability of the astrophysical 'clocks' by all sensible measures, in some cases by several orders of magnitude."
Security

US Most Vulnerable To Cyberattack? 118

alphadogg writes "Several nations, most prominently Russia, the People's Republic of China and North Korea, are already assembling cyber armies and attack weapons that could be used to attack other nations. Given that the United States is heavily dependent on technology for everything from computer-based banking to supply-chain tracking and air-traffic control, it's particularly vulnerable to the denial-of-service attacks, electronic jamming, data destruction and software-based disinformation tricks likely in a cyberattack. Here's what ex-presidential adviser Richard Clarke, who is releasing a new book called Cyber War, and others are saying needs to be done to keep cyberwars from escalating into full-scale combat."