DDoS + Web 2.0 == Buckets o’ traffic

Denial of Service attacks are based upon a simple idea: generate the maximum amount of traffic using the minimum amount of work. At one time this was as simple as sending a spoofed ICMP echo packet to a broadcast address or similar shenanigans. Modern DDoS attacks rely upon the unwilling complicity of tens of thousands of end hosts to generate the traffic necessary to render a host unusable, whereby attackers will either build or purchase a botnet to generate a DDoS attack. There are other ways of generating DDoS attacks, however, that use social networking widgets or the complicity of politically active citizens, as pointed out by researchers at ICS and the ShadowServer group.

In a recently posted preprint titled “Antisocial Networks: Turning a Social Network into a Botnet”, several researchers point out the somewhat obvious: widgets on social networks can be used to launch DDoS attacks against web servers by pointing Javascript XMLHttpRequest() calls, the API call behind AJAX technologies, at a targeted webserver. Rather than compromising individual social networking accounts, an apparently innocuous widget could start propagating virally on a social network and launch the described attack at a time determined by a third party server.

[ SEE: Demo Facebook app creates DoS botnet ]

It is also possible that such a widget could directly declare its purpose. During the recent Estonian and Georgian DDoS event, a simple script was circulated that allowed the average citizen to participate in the DDoS attack. While this particular script required only a small amount of technical expertise to execute, one could easily imagine a viral widget that claimed to allow the average user to fight against a political entity using similar techniques.

At that point, why stop at DDoS? Republicans could install widgets that launched click-fraud attacks against Democrats, and Democrats could do the same to Republicans. I would expect an increase in political-oriented DDoS as the barrier to entry for DDoS drops from the moderately technical to the skill level of an average social network user.

[Source: zdnet]