cryptologie.net

cryptography, security, and random thoughts

Hey! I'm David, cofounder of zkSecurity, research advisor at Archetype, and author of the Real-World Cryptography book. I was previously a cryptography architect of Mina at O(1) Labs, the security lead for Libra/Diem at Facebook, and a security engineer at the Cryptography Services of NCC Group. Welcome to my blog about cryptography, security, and other related topics.

← back to all posts

◦

Using Google, Facebook (and others?) to DDoS any websites

2014-04-26 blog

chr13 has posted a nice finding on how to DDoS a website thanks to services like facebook and google.

It’s actually pretty simple!

You just create notes with img tags, facebook will crawl the website to cache the picture.

In his example he writes a thousand img tags per notes, opens all the notes from several browsers.

<img src=http://targetname/file?r=1></img>
<img src=http://targetname/file?r=2></img>
..
<img src=http://targetname/file?r=1000></img>

Thousands of get request are sent to a single server in a couple of seconds. Total number of facebook servers accessing in parallel is 100+.

The funny thought of facebook DDoSing itself crossed my mind. Interestingly someone else’s also and chr13 answered that he hadn’t tried:

It’s against the bug bounty rules to do this, hence one has to be careful here. I was only using browsers at first just because of that.

suggested reads:

→ Facebook's TLS 1.3 library • blog

→ Writing a DAPP for the Ethereum block chain • blog

→ [facebook bug bounty] Reading local files from facebook • blog

← back to all posts blog • 2014-04-26

currently reading:

Using Google, Facebook (and others?) to DDoS any websites

04-26 blog

recent posts:

New cryptologie.net

07-20 blog

Weaponizing AI Assistants: With Their Permission

07-20 blog

What are Schwartz-Zippel circuits? How do they relate to iterative constraint systems?

05-29 blog

Short Note On Montgomery Reduction: Why Operating Modulo b?

05-24 blog

Still confused by Plonk's permutation?

03-13 blog

Partial evaluations and linearization

03-12 blog

The trap of the top-down approach

03-07 blog

My company is looking for interns

02-25 blog

Vlogging attempts

02-16 blog

I like whiteboards

10-17 blog

↓ scroll

📖 my book

Real-World Cryptography is available from Manning Publications.

A practical guide to applied cryptography for developers and security professionals.

🎙️ my podcast

Two And A Half Coins on Spotify.

Discussing cryptocurrencies, databases, banking, and distributed systems.

📺 my youtube

Cryptography videos on YouTube.

Video explanations of cryptographic concepts and security topics.

currently reading:

Using Google, Facebook (and others?) to DDoS any websites

04-26 blog

recent posts:

New cryptologie.net

07-20 blog

Weaponizing AI Assistants: With Their Permission

07-20 blog

What are Schwartz-Zippel circuits? How do they relate to iterative constraint systems?

05-29 blog

Short Note On Montgomery Reduction: Why Operating Modulo b?

05-24 blog

Still confused by Plonk's permutation?

03-13 blog

📖 my book

Real-World Cryptography is available from Manning Publications.

A practical guide to applied cryptography for developers and security professionals.

🎙️ my podcast

Two And A Half Coins on Spotify.

Discussing cryptocurrencies, databases, banking, and distributed systems.

📺 my youtube

Cryptography videos on YouTube.

Video explanations of cryptographic concepts and security topics.