URL Shortener Is Also A DDOS Tool

By Fahmida Y. Rashid  |  Posted 2010-12-22 Print this article Print

Despite security researchers citing the dangers of using URL shorteners, they've proliferated online. Twitter pretty much requires them because of its 140-character limit, and major sites like Google (goo.gl), New York Times (nyt.ms), New Yorker (nyr.lr) and LA Times (lat.ms) have popularized their own sites, too.

It's getting to the point where people (send) e-mail shortened links to each other, making security researchers' recommendations about not clicking on "strange" links instantly moot.

Enter Ben Schmidt, a computer science student at the University of Tulsa, who thinks people are "over-reliant" on URL shorteners. He created D0z.me, a "proof-of-concept" URL shortener that generates a denial of service attack on a a server while re-routing links.

In theory, potential attackers can submit a link they wanted to share as well as the URL of a server they wanted to attack. When users clicked on the generated URL, they are redirected to the site, just the same as a bit.ly or any other link. However, unknown to them, the act of clicking on the link opens an invisible iFrame running Javascript code attacking that second URL. As long as the user is browsing, the invisible iFrame is open, and the script is firing at the hapless victim.

The way the script is written, the resulting DDOS attack is even more potent when run from an HTML5 browser.

Imagine this - a link appears that purports to be a funny YouTube video. The video is funny enough, that the user forwards it on to the next person, who sends it on again. And each time a person clicks on that link, some other site somewhere is getting DDOSed, and these people are inadvertently taking part and increasing the size of the attack.

Schmidt emphasizes that he made the service to prove a point and not to facilitate mischief-making, writing on his blog, "If you target a site that is not yours, you are responsible for the consequences."

There was a time when distributed denial of service attacks were something that required a lot of hacking know-how and technical skills. It's a little scary to think of the havoc that can be wreaked by click-happy individuals using these tools.

If someone posts a D0z.me link, don't click on it!

del.icio.us | digg.com

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel