“Evil” URL shortener initiates DDoS attacks

Can you believe that clicking on a shortened link can make you an involuntary and unknowing participant in a DDoS attack on a website? Ben Schmidt, a self-styled student/researcher form the University of Tulsa, has made it possible.

The tool is called d0z.me (“The Evil URL Shortener”), and is the result of his unease about the increasing use of URL shorteners and the recent string of DDoS attacks executed by both sides of the dispute concerning WikiLeaks.

“The concept is quite simple, really,” says Schmidt. “Attackers go to d0z.me and enter a link they think could be popular/want to share, but also enter the address of a server that they would like to attack as well. Then, they share this text with as many people as possible, in as many places as possible. Extensive use of social media sites is probably a must achieve the best results.”

Once the users click on the offered link, they get to see the requested content on a page in an embedded iframe, ready for for their perusal. In the meantime, a malicious Javascript DoS sending request after request to the targeted server runs in the background.

The attack lasts as long as the user continues browsing from the page in the embedded iframe. This, in itself, can be difficult to achieve, but Schmidt thinks it can be done by offering an interesting online game or a bogus offer of an free iPad if the user remains on the page for a predetermined amount of time. He also thinks that this tool can be used to organize voluntary attacks such as the ones coordinated recently by Anonymous, with the added bonus of providing the “attackers” plausible deniability if caught.

He considers this tool simply as a proof-of-concept. “I am not responsible for any malicious use of this demonstration, nor any damages caused by it. It was created solely as an example of the serious consequences of the Internet’s increased reliance upon URL shorteners, as well as how easy it is to create an unwitting DDoS botnet without actually exploiting a single computer. If you target a site that is not yours, you are responsible for the consequences,” he says in the disclaimer conveniently situated under the tool.

He finishes his post by declaring that yes, he is aware that it would be funny to DoS a site that is demonstrating a DoS attack, and asks potential attackers not to do it: “I know you can, and that it would be trivial to do, as this server isn’t exactly hardened. Let’s just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.”