nanog mailing list archives

Re: Here we go again


From: "Eric A. Hall" <ehall () ehsco com>
Date: Fri, 10 Mar 2000 14:16:53 -0800



What do we need to do to nip this one in the bud?

It's just HTML/JavaScript code, loaded by browsers around the world
nearly simultaneously. The plan essentially revolves around a few
thousand users hitting "reload" at the same time, and repeatedly.

Protecting the targets will be hard. Maybe the attackers will have a
[mostly] common referer: header that you can filter against or something
similar, but whatever you do it'll have to be pretty high-level. A
high-end cache might work to keep the servers from getting overloaded
although it wouldn't help with a bandwidth crunch.

Filtering the senders would be a better long-term cure. Setting up
mechanisms that detect a high volume of outbound requests to a single
object would be a good way to determine if any of your customers are
involved in the attack. It's unlikely that everybody will do this though
so it's probably not an effective prevention tool.

Lawsuits, criminal procedures and other forms of spectacular example
will be the best long-term deterrent.

An example of the HTML/JavaScript from their site:

  <HTML><HEAD><TITLE>Basic, standalone denial of service
        tool</TITLE></HEAD>

  <FRAMESET COLS="50%,50%" FRAMESPACING=0 BORDER=3
        ONLOAD="setTimeout('self.location.reload(true)',4000);">

        <FRAME SRC="http://www.target1.com"; NAME="site1" NORESIZE
        SCROLLING="no">

        <FRAME SRC="http://www.target2.com"; NAME="site2" NORESIZE
        SCROLLING="no">

  </FRAMESET></HTML>

More at http://www.gn.apc.org/pmhp/ehippies/files/op1.htm

-- 
Eric A. Hall                                            ehall () ehsco com
+1-650-685-0557                                    http://www.ehsco.com
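
The sender-side detection described in the message above, sketched as an added example that is not part of the original post: it flags any client that fetches a single object repeatedly within a short window and reports the Referer those requests share. The combined-log-format egress proxy log, the thresholds, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

TS = "%d/%b/%Y:%H:%M:%S %z"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" \d+ \S+ "([^"]*)"')

def parse(line):
    """Return (client, time, url, referer) or None for unparseable lines."""
    m = LINE.match(line)
    if not m:
        return None
    client, ts, url, referer = m.groups()
    return client, datetime.strptime(ts, TS), url, referer

def repeat_fetchers(lines, window=timedelta(seconds=60), threshold=10):
    """Map (client, url) -> most common Referer for every client that
    fetched one object at least `threshold` times within `window`."""
    hits = defaultdict(list)
    for client, ts, url, referer in filter(None, map(parse, lines)):
        hits[(client, url)].append((ts, referer))
    flagged = {}
    for key, events in hits.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                refs = Counter(r for _, r in events[start:end + 1])
                flagged[key] = refs.most_common(1)[0][0]
                break
    return flagged

def sample_log():
    """Constructed log: one client reloading every 4 s, one browsing normally."""
    t0 = datetime.strptime("10/Mar/2000:14:00:00 -0800", TS)
    fmt = '{} - - [{}] "GET {} HTTP/1.0" 200 512 "{}" "Mozilla/4.7"'
    url = "http://www.target1.com/"
    lines = [fmt.format("10.0.0.5", (t0 + timedelta(seconds=4 * i)).strftime(TS),
                        url, "http://tool.example/op.htm") for i in range(15)]
    lines += [fmt.format("10.0.0.9", (t0 + timedelta(seconds=90 * i)).strftime(TS),
                         url, "-") for i in range(5)]
    return lines

if __name__ == "__main__":
    for (client, url), ref in repeat_fetchers(sample_log()).items():
        print(f"{client} -> {url} (common Referer: {ref})")
```

The shared Referer it reports is the kind of value a target-side filter could match on, if the requests do carry one.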


