Monday, June 12, 2006

Bad Karma is a potential DDoS threat

Some guy has something he's put out as freeware called the Referrer Karma which gets the referring page and checks to see if it actually has a link to the site referred. If no link to your site exists on the referring page it slams the door on the visitor assuming it's a referrer spammer.

Two problems with that approach:

  1. Links that pass thru redirect pages from directories directory sites will fail this test every time as the referrer is the redirect page itself, not a web page with links on it.
  2. Sites that block bots, like mine, toss out error pagess when stupid user agents appear and VOILA! the visitor from my site gets bounced off by this stupid script.
Here's the info:
65.98.116.226
cp5.secserverpros.com.
"Referrer Karma/2.0"
Next, let's explore my concern with potential vulernabilities with Referrer Karma.

If you think about the implementation of Referrer Karma for a minute you'll realize it would allow one kiddie script to potentially pull off a DDoS attack. This could be accomplished by issuing thousands of requests to a bunch of sites running this Referrer Karma and each request containing a faked referrer to the target site you're attacking.

You wouldn't need to wait for the page request to complete, just send out a ton of requests to a bunch of servers and terminate the socket when the websever respondes with data is ready. No need to download the resulting page as Referrer Karma has already done your dirty deed for you by hitting the other site asking for the requested page.

Ask for a few thousand pages in a few seconds from a a bunch of sites using Referrer Karma and step back and watch the fun as the target server melts.

7 comments:

Anonymous said...

I disabled sending the referrer in Firefox. Yes, I'm paranoid. I'm amazed that maybe once a week a site doesn't work. So the web works without referrers. It would be sad if sites change that (and instead of giving me a human readable error just block).
Yeah yeah, nobody disables referrers, I must be a robot...

IncrediBILL said...

You missed the point, those Referrer Karma sites bounce you for a bad referrer, not a BLANK referrer.

For instance if your referrer claimed you came from SAMPLE.COM/thepage.html and there was no link to your site on that page, it bounces you. It's trying to stop referrer spam, a whole 'nother beast.

Bouncing blank referrers is stupid as that bounces type-in traffic and bookmarks which is assinine.

dr Dave said...

Incredibill

Had you bothered to either 1) contact me or 2) read up RK's 50 lines of code, you would have quickly figured out why practically everything your wrote about is inaccurate.

Since you did neither, and because I am unfortunately a tad busy with other stuff at the moment, I'll keep it to your major point: the claim you could "easily" use RK to DDoS a site.

RK does not query a site each time it appears in a referrer. That would be absolutely asinine. It caches results. And as an option, can also start blacklisting IPs that come up with too many failed requests in a row. RK is certainly not a flawless piece of software (the bulk of it was written in a couple hours to bring a solution to my own DoS issues), but it is certainly better than the sort of stupid 5-liner you seem to have in mind when you try to take it down.

Thanks for ranting, play again next time.

IncrediBILL said...

Earth to Dr Dave....

If you noticed I said it would take a BUNCH of your sites to pull it off. Consider the entire group of your sites a "botnet" just waiting for someone to use to make an anonymous strike. Cached or not, if you ask 10,000 websites to access the same page on the same server that's a helluva load on one server.

Easy enough to find out where everyone is that has installed your software as we can just crawl the net with our own domain as the referrer and see how many responses we get from Referrer Karma. Once armed with a list of every site using Referrer Karma, we can spam all the servers, one request per server, and hit some site hard.

Probably nothing to fear as I doubt there is a serious amount of your software installed, but the potential is definitely there as you are unwittingly creating a botnet with the behavior of your software.

dr Dave said...

[sigh]

You obviously haven't got the faintest idea what you are talking about...

I shall therefore recommend you learn a bit more about networking and computing than what you saw in the latest sci-fi flick and stop wasting my time here.

IncrediBILL said...

Dr Dave, I've been writing software over 25 years and several of them on computer security issues.

I did look at your code and unless I'm missing something, each site running your code maintains it's own knowledge base and it's not a shared mindset. Each site uses CURL to download the page from the "referrer".

Therefore, if I tell 1,000 sites running your code that "http://attackmysite.com" is the referrer, all 1,000 sites will go back and hit that site.

Is that correct or not?

Not only that, unless you're blocking proxys, which I didn't see in your code but I didn't look too hard, I can use a very large number of anonymous proxy IPs to launch page requests to websites running your software.

Are you following this so far?

Not science fiction, very doable, quite trivial actually.

If you don't think your code can be used as a botnet to launch an attack against a site, fine, but if and when it ever happens you can't say you weren't warned about the potential risk.

IncrediBILL said...

BTW, while you're in denial over the possible abuse of your script, I forgot to mention it's actually quite a useless script as any kiddie with a basic cloaking script can dump a page of domain names they're spamming whenever your user agent hits their server.

Nice try, but easily defeated, so it would appear your ideas are fainter than mine...