Hey! I'm David, cofounder of zkSecurity and the author of the Real-World Cryptography book. I was previously a crypto architect at O(1) Labs (working on the Mina cryptocurrency), before that I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

Using Google, Facebook (and others?) to DDoS any websites posted April 2014

chr13 has posted a nice finding on how to DDoS a website thanks to services like facebook and google.

It's actually pretty simple!

You just create notes with img tags, facebook will crawl the website to cache the picture.

In his example he writes a thousand img tags per notes, opens all the notes from several browsers.

<img src=http://targetname/file?r=1></img>
<img src=http://targetname/file?r=2></img>
..
<img src=http://targetname/file?r=1000></img>

Thousands of get request are sent to a single server in a couple of seconds. Total number of facebook servers accessing in parallel is 100+.

The funny thought of facebook DDoSing itself crossed my mind. Interestingly someone else's also and chr13 answered that he hadn't tried:

It’s against the bug bounty rules to do this, hence one has to be careful here. I was only using browsers at first just because of that.

Well done! You've reached the end of my post. Now you can leave a comment or read something else.

Here are some random popular articles:

Here are some random recent articles:

Using Google, Facebook (and others?) to DDoS any websites posted April 2014

Comments

leave a comment...

Using Google, Facebook (and others?) to DDoS any websites posted April 2014

Comments

leave a comment...

Subscribe to the mailing list