Fedora Linux Support Community & Resources Center

  #1  
Old 17th November 2006, 04:01 AM
schwim
Ok, it's not as altruistic as "Folding @ Home",

but hear me out. I have a plan!

One of my community sites is getting slammed by zombies and bots spamming the referrers. We're talking 1,000's of hits by each IP (and on average, there's 1-200 at a time) every hour, and instead of spamming referrers, they're becoming a low grade DoS attack. I'm using .htaccess to block the majority of them, but as they get stopped, they modify the URL's to get around the blocks people create daily. Also it burns up the server resources doing this. It's easy to block viagra-is-cheap-at-my-store.info, so they've begun hijacking college blogs, and posting their ads on .edu servers, with URL's that don't contain the keywords (mycollegeiscool.edu/dissertation/document/10004389/abc123). Luckily, I can block .edu on this site without much impact to the traffic, but they'll change to something else that I can't block so easily.

So here's why I've told you all of this:

All of the domains are registered under bogus information. I've checked about 20 of them now, and all of them are registered to different aliases, but they all point to the same server, located in Ft. Lauderdale, in the land of God's waiting room.

So, why hasn't someone come up with a client that will take the current list of servers that are housing the sites that spam of all forms point to, and simply allow the user to utilize their idle time sending bogus requests to these servers, doing in effect the very same thing they're doing to sites like mine, as well as millions of others?

Now, we could get into all kinds of philosophical debates concerning this, and I'd rather talk about the feasibility of the idea, but I know you guys, so I'll warm you up.

1) It's not illegal to connect to a website. That's why they can't do anything to people that flood your logs with referrer spam. You can't get in trouble for it, so the legal issue is moot.

2) If you're going to tell me that it's not fair to the carriers to use their B/W for something like this, I will tell you that it is the lesser of two evils. They're using more B/W if allowed to go unchecked, they're causing loss of income, they are turning the web into a worldwide filing cabinet of **** you don't want to see and they're ugly.

3) Sure, they'll move networks, and set up shop again. People will also continue smoking crack while having sex with their relatives and shooting their neighbors. It doesn't mean we should just sit back and allow it to go unchecked. The harder it is to do, the less people there are that want to do it.

Ok, with that out of the way, here's what not to do: It can't have a central repository (website) in which services are provided, updated or data transferred. I think it would have to be more like a torrent system that would allow the network to shift keeping any one IP from becoming a target. You all probably remember the spam service that got DoS'ed out of business because one of the spammers wanted his mail off the block list? The dude went through 3 months of crap before he finally gave up. If you have a static location, there is absolutely no way to make yourself bullet proof. But what if it was a floating IP? How in the hell are you going to stop it? Run the client through blind proxies and have a party!

Your thoughts gents. This will be filed under "Cool things that will never go farther than this forum", but I'm curious to see what ideas come from it.

thanks,
json
__________________
I read the f'ing manual, and it told me to ask you guys...

performing amazing acts of mediocrity since 1974.
-------------------------------------------------------------------
FC 7(32 bit)/Gnome
AMD Athlon 64 3400+
Nvidia 6800 GT
1 Gig ram
  #2  
Old 17th November 2006, 04:41 AM
nick.stumpos
So you want to organize a manual DoS by willing people on their servers, I'm in. I actually used to have a script back when I was a little hooligan that did this to anyone who portscanned me, but I am much more calm now.
__________________
As always
Love, Life, Loyalty, Wisdom, Knowledge, And Understanding
FC6: Common Questions answered
  #3  
Old 17th November 2006, 04:42 AM
Dies
Well I have a great connection that I will probably never max out so I would be more than happy to donate idle bandwidth to such an effort, I pay enough for it so I really would like to use it up. So get cracking on that client, lol.
  #4  
Old 17th November 2006, 04:53 AM
scotta3234
Dude... I read something like this a while back on the forum. It was something like Artists against spammers. Basically you report the site as being "bogus" and then they attack its bandwidth so much where it simply gets shut down. I thought it was pretty cool. Can't seem to find it now though. I think it had to do with fake banks... I'll search some more.
  #5  
Old 17th November 2006, 05:14 AM
Coolerthanyou
lol man people are lame.

I remember this one "art" site I used to visit. It had no D0S protection and it went under at the whim of any given lameoid. I sent the admin guy an email but he ignored me. Ultimately the site was pulled down anyways, but lamers suck. Lame little weasels thinking they're of more worth than ass crust because they can paste code and piddle their time away procuring someone else's vulnerability-exploiting code. Ugh. die.
__________________
Beware of he who would deny you access to information, for in his heart, he dreams himself your master.

Last edited by Coolerthanyou; 17th November 2006 at 05:18 AM.
  #6  
Old 18th November 2006, 04:30 AM
Invader02
@scotta

It was this


BTW as for the script...

Code:
#/bin/sh

until logout; do wget -O /dev/null http://www.qualitycodec.com/download/qualitycodec.1421.exe; done
just change that URL to whatever site you're going to attack.


Also, yeah, there's been a lot of bots lately, one of my other forums gets them every few days and they're starting to post more and more.
  #7  
Old 18th November 2006, 04:52 AM
schwim
Hi there guys, and thanks for the thoughts and links.

The problem is that web servers, by their very design are vulnerable. They exist to serve a web page on request. Simply requesting X amount of pages in a given time is enough to cripple a server. Flood attacks can span hundreds of IP's, so no system can sort the legitimate from bogus. Lock it down? Well, now you're no longer a web server. Throttle the processes? Well now you piss all of your legitimate visitors off.

So, you're already vulnerable by simply having one. The upside to this is that the guys hitting your server are almost always after one thing, that being money. He doesn't intend to tank your server, he just wants to use it to increase his ranking. So be thankful for that. The downside to this is that you're burning up precious resources. Use filters, .htaccess, anything you want, you're still using the resources. In some cases the filtering of a request can be more resource intensive than if you just gave them the page.

Which is what caused me to think of what I posted about last night. Again, it won't solve the problem. The ONLY thing that will solve the problem is getting the dip****s that buy products through spam to quit it. This will only cause them more trouble, which will weed out some of the weaker spammers, which lessens the load. Locking your car doors helps, using an alarm helps more. Removing the engine helps a lot. It's the same theory.

I will be the first to admit that it's not incredibly effective. However, I will also be the first to state that an incredibly effective method does not exist, and at least this one is of little impact on the people participating. That seems to make it more effective than many, in itself.

thanks,
json
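
Added example, not part of the thread and not any poster's code: the referrer-spam pattern described in posts #1 and #7 (thousands of hits per IP per hour, referrer URLs that no longer contain blockable keywords) can be picked out of the access log offline by behaviour instead of by keyword. It assumes Apache "combined" log format; the thresholds, host names and log lines are constructed for the illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format: client, identity, user, [time], "request",
# status, size, "referer", "user agent".
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                  r'\d{3} \S+ "(?P<ref>[^"]*)" "[^"]*"')

def referrer_host(ref):
    """Lower-cased host of a Referer value, or '' for '-' or malformed input."""
    try:
        return (urlsplit(ref).hostname or "").lower()
    except ValueError:
        return ""

def analyse(lines, own_host, max_hits_per_hour=1000, min_ips_per_referrer=3):
    """Return (client IPs over the hourly limit, external referrer hosts
    cited by at least min_ips_per_referrer distinct clients)."""
    hits = Counter()            # (ip, "dd/Mon/yyyy:hh") -> request count
    ref_ips = defaultdict(set)  # external referrer host -> clients citing it
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue            # skip lines that are not in combined format
        hits[(m["ip"], m["ts"][:14])] += 1
        host = referrer_host(m["ref"])
        if host and host != own_host:
            ref_ips[host].add(m["ip"])
    noisy = sorted({ip for (ip, _), n in hits.items() if n > max_hits_per_hour})
    refs = sorted(h for h, ips in ref_ips.items()
                  if len(ips) >= min_ips_per_referrer)
    return noisy, refs

def sample_log():
    """Constructed log lines: three automated clients and two normal visitors."""
    fmt = '{} - - [17/Nov/2006:04:{:02d}:{:02d} +0000] "GET / HTTP/1.1" 200 512 "{}" "-"'
    spam = "http://blog.campus.example/dissertation/document/10004389/abc123"
    lines = [fmt.format(ip, n // 60 % 60, n % 60, spam)
             for ip in ("192.0.2.10", "192.0.2.11", "192.0.2.12")
             for n in range(1200)]
    lines += [fmt.format("198.51.100.7", 5, n, "http://community.example/forum")
              for n in range(5)]
    lines.append(fmt.format("203.0.113.9", 9, 0, "http://search.example/?q=fedora"))
    return lines

if __name__ == "__main__":
    print(analyse(sample_log(), own_host="community.example"))
```

Running the analysis on rotated logs keeps the cost off the request path, and the two short lists it returns replace a growing set of per-keyword rules.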