On Fri, 10 Mar 2000, Eric A. Hall wrote:
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page.
Or generate redirects back to the original site. heheh
Except that there need not be any original site. You can send it out via email, etc. just fine. And even if there is an original site, that doesn't mean that you know where to find it. In fact, you could spam random users with a message that, if their mail program interprets javascript (and, in a horribly stupid move, many do by default), would automatically do this sort of thing. Even better, they could make a maze of javascript that makes it very hard for the user to get rid of the windows doing it and makes it easier for the user to just ignore them and keep reading their mail, while the windows in the background go on making their requests.

That isn't what this attempt appears to be suggesting though. It is simply saying that, if users support a cause, they can willingly become part of a denial of service attack. I would suggest that each user that decided to do so could potentially be breaking the law in many localities. And they are easy to track. You could do the same sort of thing by telling users to run a program that ping floods a site. Nothing that novel, this is obviously more of a PR stunt than anything; even if they don't actually succeed in having any impact on any site, they get media attention by saying they will. Doesn't matter much either way to them.

You also can pick and choose what pages you target in the attack. There are very large sites that can only sustain a very few hits per second on certain pages that perform expensive operations.

A possible defense is to note such patterns in the logs and, after the first few minutes of a client doing this, simply temporarily block it. Even blocking it in the webserver is fine, since the requests are pretty small and many sites can handle lots of such cheap requests without much trouble.

ObSlightlyMoreOnTopic: Ever wonder why Navigator (especially on Unix) hangs for 15 or 20 seconds on startup every once in a while? That's because netscape.com's DNS setup is broken, and Navigator always tries to resolve home.netscape.com on startup. ns-me1.netscape.com is listed as a nameserver, yet attempts to do DNS lookups against it time out. So if your DNS server happens to try using that one... it will have to sit around then time out.

You would think a company like Netscape would know better, or that they would care enough to fix it when notified (they didn't). I marked it as a bogus server in my BIND config, but it is pretty silly to have to do that. And since home.netscape.com has a 0 second TTL... it isn't cached. Well, there is more ugliness; it has a 0 second TTL on some of their nameservers, but others look broken and give different data. And they have both CNAME and NS records for home.netscape.com. Geesh.
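
The log-based defense described in the message above (spot a client that keeps requesting the same page, then block it temporarily), sketched as an added example that is not part of the original message. The window, threshold, block duration and sample log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: host ident user [time] "METHOD path proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" \d{3} \S+')

# Assumed policy values, not from the message: tune per site and per page cost.
WINDOW = timedelta(minutes=3)      # "the first few minutes"
MAX_HITS = 60                      # same client + same page inside WINDOW
BLOCK_FOR = timedelta(minutes=15)  # the block is temporary

def find_blocks(lines, window=WINDOW, max_hits=MAX_HITS, block_for=BLOCK_FOR):
    """Return (client, page, blocked_from, blocked_until) for each repeat-request flood."""
    recent = defaultdict(deque)    # (client, page) -> hit times still inside the window
    blocked_until = {}             # client -> expiry of its current block
    blocks = []
    for line in lines:             # lines are assumed to be in time order
        m = CLF.match(line)
        if not m:
            continue               # ignore lines that are not CLF
        client, stamp, target = m.groups()
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if now < blocked_until.get(client, now):
            continue               # still blocked: rejected cheaply, not counted
        page = target.split("?", 1)[0]   # ignore query-string variations
        hits = recent[(client, page)]
        hits.append(now)
        while now - hits[0] > window:
            hits.popleft()         # drop hits that aged out of the window
        if len(hits) > max_hits:
            until = now + block_for
            blocked_until[client] = until
            blocks.append((client, page, now, until))
            hits.clear()
    return blocks

def sample_log():
    """Constructed sample: one client reloading a page every 2 s, one ordinary visitor."""
    start = datetime(2000, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    row = '{} - - [{:%d/%b/%Y:%H:%M:%S %z}] "GET {} HTTP/1.0" 200 512'
    events = [(start + timedelta(seconds=2 * i), "192.0.2.10", "/search.cgi?q=x")
              for i in range(120)]
    events += [(start + timedelta(seconds=45 * i), "198.51.100.7", f"/page{i}.html")
               for i in range(5)]
    return [row.format(ip, t, url) for t, ip, url in sorted(events)]

if __name__ == "__main__":
    for client, page, since, until in find_blocks(sample_log()):
        print(f"block {client} for {page}: {since:%H:%M:%S} until {until:%H:%M:%S}")
```

Keying on the client address means users behind a shared proxy or NAT are blocked together, which is one reason to keep the block short.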