What can you do? I would say "not much"-
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page. May as well make some money off them, choose adverts for whatever it is they're protesting against then you can sell premium highly targeted ads.

brandon
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page.
Or generate redirects back to the original site. heheh

--
Eric A. Hall ehall@ehsco.com
+1-650-685-0557 http://www.ehsco.com
On Fri, 10 Mar 2000, Eric A. Hall wrote:
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page. Or generate redirects back to the original site. heheh
I was thinking the exact same thing. The DoS'er would end up DoS'ing themselves.

-Dan
Couldn't have been any worse than the VBS virus yesterday!!!

----- Original Message -----
From: "Dan Hollis" <goemon@sasami.anime.net>
To: "Eric A. Hall" <ehall@ehsco.com>
Cc: <nanog@merit.edu>
Sent: Friday, March 10, 2000 4:59 PM
Subject: Re: Here we go again
On Fri, 10 Mar 2000, Eric A. Hall wrote:
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page. Or generate redirects back to the original site. heheh
I was thinking the exact same thing. The DoS'er would end up DoS'ing themselves.
-Dan
Dan Hollis wrote:
On Fri, 10 Mar 2000, Eric A. Hall wrote:
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page. Or generate redirects back to the original site. heheh
I was thinking the exact same thing. The DoS'er would end up DoS'ing themselves.
-Dan
Eh? Since when does "same source address" mean "same client"?
Ya- start redirecting everyone to an AOL proxy...

And all these depend on being able to identify "authentic" users-
I don't think that's going to happen-
If the client is coded correctly you won't be able to tell at all-

--
Scott Solmonson
Speedera Networks Inc.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
scosol@speedera.com / 408.970.1591
On Fri, 10 Mar 2000, Scott Solmonson wrote:
Dan Hollis wrote:
I was thinking the exact same thing. The DoS'er would end up DoS'ing themselves. Since when does "same source address" mean "same client"? Ya- start redirecting everyone to an AOL proxy...
Referrer != forwarded-for. When we are talking about redirecting, we are talking about redirecting to the DoS'ers page. Not their client.
And all these depend on being able to identify "authentic" users-
Nope
I don't think that's going to happen- If the client is coded correctly you won't be able to tell at all-
Huh? The client is netscape or IE. I don't know of any way for javascript to override the headers the browser client sends.

-Dan
Dan Hollis wrote:
On Fri, 10 Mar 2000, Scott Solmonson wrote:
Dan Hollis wrote:
I was thinking the exact same thing. The DoS'er would end up DoS'ing themselves. Since when does "same source address" mean "same client"? Ya- start redirecting everyone to an AOL proxy...
Referrer != forwarded-for.
Correct. And even that simple snippet of code spits out *no* referrer tag for you to filter on. So I was assuming you meant source IP.
When we are talking about redirecting, we are talking about redirecting to the DoS'ers page. Not their client.
So you would redirect them *where*? My (I'm running my auto-refresher) "page", whatever that is? Or the <DoS-tool-maker>'s page?
And all these depend on being able to identify "authentic" users-
Nope
Huh? - If you're going to redirect someone, you first need to identify them as "bad".
Huh? The client is netscape or IE. I don't know of any way for javascript to override the headers the browser client sends.
Not necessarily- their site stated that a custom client was in the works-
We all know a perl script wrapped around netcat would do nicely.

--
Scott Solmonson
Speedera Networks Inc.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
scosol@speedera.com / 408.970.1591
On Fri, 10 Mar 2000, Eric A. Hall wrote:
Tailor your output, too many requests for same page from same address gets a larger proportion of adverts on the page.
Or generate redirects back to the original site. heheh
Except that there need not be any original site. You can send it out via email, etc. just fine. And even if there is an original site, that doesn't mean that you know where to find it.

In fact, you could spam random users with a message that, if their mail program interprets javascript (and, in a horribly stupid move, many do by default), would automatically do this sort of thing. Even better, they could make a maze of javascript that makes it very hard for the user to get rid of the windows doing it and makes it easier for the user to just ignore them and keep reading their mail, while the windows in the background go on making their requests.

That isn't what this attempt appears to be suggesting though. It is simply saying that, if users support a cause, they can willingly become part of a denial of service attack. I would suggest that each user that decided to do so could potentially be breaking the law in many localities. And they are easy to track. You could do the same sort of thing by telling users to run a program that ping floods a site.

Nothing that novel, this is obviously more of a PR stunt than anything; even if they don't actually succeed in having any impact on any site, they get media attention by saying they will. Doesn't matter much either way to them.

You also can pick and choose what pages you target in the attack. There are very large sites that can only sustain a very few hits per second on certain pages that perform expensive operations.

A possible defense is to note such patterns in the logs and, after the first few minutes of a client doing this, simply temporarily block it. Even blocking it in the webserver is fine, since the requests are pretty small and many sites can handle lots of such cheap requests without much trouble.

ObSlightlyMoreOnTopic: Ever wonder why Navigator (especially on Unix) hangs for 15 or 20 seconds on startup every once in a while? That's because netscape.com's DNS setup is broken, and Navigator always tries to resolve home.netscape.com on startup. ns-me1.netscape.com is listed as a nameserver, yet attempts to do DNS lookups against it time out. So if your DNS server happens to try using that one... it will have to sit around then time out. You would think a company like Netscape would know better, or that they would care enough to fix it when notified (they didn't). I marked it as a bogus server in my BIND config, but it's pretty silly to have to do that. And since home.netscape.com has a 0 second TTL... it isn't cached. Well, there is more ugliness; it has a 0 second TTL on some of their nameservers, but others look broken and give different data. And they have both CNAME and NS records for home.netscape.com. Geesh.
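The log-based defense described in the message above, as an added example that is not part of the original thread: it reads Common Log Format lines, finds an address that requests the same page at a high rate for several consecutive minutes, and returns a temporary block expiry for it. The thresholds, the log format and the sample lines are assumptions made for this example; keying on the source address means one busy proxy counts as one client, which is the objection raised earlier in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds (not from the thread); tune them per site and per page cost.
PER_MINUTE = 20                   # hits on one page from one address in a minute
SUSTAIN_MINUTES = 3               # "after the first few minutes"
BLOCK_FOR = timedelta(minutes=15)
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)[^"]*" \d{3} ')

def parse(line):
    """Return (address, minute, page) for a Common Log Format line, else None."""
    m = CLF.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    # Drop the query string so reloads of one page are counted together.
    return m.group(1), ts.replace(second=0), m.group(3).split("?", 1)[0]

def temporary_blocks(lines):
    """Map address -> block expiry for clients that keep reloading one page."""
    counts = defaultdict(lambda: defaultdict(int))  # (addr, page) -> minute -> hits
    for rec in filter(None, map(parse, lines)):
        addr, minute, page = rec
        counts[(addr, page)][minute] += 1
    blocks = {}
    for (addr, _page), per_minute in counts.items():
        run, prev = 0, None
        for minute in sorted(per_minute):
            hot = per_minute[minute] >= PER_MINUTE
            adjacent = prev is not None and minute - prev == timedelta(minutes=1)
            run = (run + 1 if adjacent else 1) if hot else 0
            prev = minute if hot else None
            if run >= SUSTAIN_MINUTES:   # sustained, not a one-minute burst
                expiry = minute + timedelta(minutes=1) + BLOCK_FOR
                blocks[addr] = max(blocks.get(addr, expiry), expiry)
    return blocks

def sample_log():
    """Constructed lines: an auto-refresher, a one-minute burst, a normal visitor."""
    fmt = '{} - - [10/Mar/2000:16:{:02d}:{:02d} -0800] "GET {} HTTP/1.0" 200 512'
    lines = [fmt.format("192.0.2.10", m, 2 * s, "/search.cgi?q=x")
             for m in range(4) for s in range(30)]
    lines += [fmt.format("203.0.113.5", 1, 2 * s, "/search.cgi") for s in range(25)]
    lines += [fmt.format("198.51.100.7", m, 5, "/index.html") for m in range(4)]
    return lines

if __name__ == "__main__":
    for addr, until in temporary_blocks(sample_log()).items():
        print(f"block {addr} until {until.isoformat()}")
```

Only the address that sustains the rate for three consecutive minutes is returned; the one-minute burst and the ordinary visitor are left alone.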
Marc Slemko wrote:
That isn't what this attempt appears to be suggesting though. It is simply saying that, if users support a cause, they can willingly become part of a denial of service attack. I would suggest that each user that decided to do so could potentially be breaking the law in many localities. And they are easy to track. You could do the same sort of thing by telling users to run a program that ping floods a site.
You think so?
Is there any difference between me clicking "refresh" manually;
And me having something automated do the clicking for me?

--
Scott Solmonson
Speedera Networks Inc.
-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
scosol@speedera.com / 408.970.1591
participants (6)
- brandon@rd.bbc.co.uk
- Dan Hollis
- Eric A. Hall
- Marc Slemko
- Morris Allen
- Scott Solmonson