DDoS Attacks Possible via URL Shortener

Wednesday, December 22, 2010



Security "enthusiast" and computer science major at the University of Tulsa, Ben Schmidt, has introduced a URL shortening service that allows users to participate in distributed denial of service (DDoS) attacks without the need to download a software application.

Schmidt was inspired by the recent DDoS attacks carried out by members of Anonymous with their Low Orbit Ion Cannon (LOIC) tool.

The JavaScript-based LOIC tool lets users join in the DDoS attack shenanigans by simply visiting a web page which then continuously sends HTTP requests to the targeted server by modifying an image tag's attributes.

Schmidt states the purpose of the tool is to illustrate a proof of concept that demonstrates the unrecognized vulnerabilities inherent in using URL shortening service.

The D0z.me shortener does not seek to trick users into participating in a DDoS attack, as the destination link and target URL need to be specified.

The purpose of the exercise is to draw attention to the fact that the use of URL shorteners could be exploited to engage users in DDoS attacks without their knowledge.

"My implementation of this attack is, at best, a hack job, but was merely meant to illustrate how easy it is to actually implement, how simple it is to launch a DDoS simply by getting people to follow a link, and how seriously our reliance on URL shorteners can affect security."

Meanwhile, developers associated with Anonymous, the international pro-piracy and pro-WikiLeaks association of hackivists, are said to be working to correct deficiencies in the LOIC software used in recent DDoS campaigns that interfered with the website operation of several business, including MasterCard, Visa, and PostFinance bank.

Source:  http://news.softpedia.com/news/New-URL-Shortener-Hijacks-Browsers-for-DDoS-173982.shtml

Possibly Related Articles:
Viruses & Malware
Denial of Service Attack Vulnerabilities DDoS Headlines LOIC URL Shortener Proof of Concept
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.