Web Forms and Untraceable DDoS Attacks

Chapter in: Network Security

Abstract

We analyze a Web vulnerability that allows an attacker to perform an email-based attack on selected victims, using standard scripts and agents. What differentiates the attack we describe from other, already known forms of distributed denial of service (DDoS) attacks is that an attacker does not need to infiltrate the network in any manner – as is normally required to launch a DDoS attack. Thus, we see this type of attack as a poor man’s DDoS. Not only is the attack easy to mount, but it is also almost impossible to trace back to the perpetrator. Along with descriptions of our attack, we demonstrate its destructive potential with (limited and contained) experimental results. We illustrate the potential impact of our attack by describing how an attacker can disable an email account by flooding its inbox; block competition during on-line auctions; harm competitors with an on-line presence; disrupt phone service to a given victim; disconnect mobile corporate leaders from their networks; and disrupt electronic elections. Finally, we propose a set of countermeasures that are light-weight, do not require modifications to the infrastructure, and can be deployed in a gradual manner.

Notes

  1. We wanted to preserve the ethical behavior of the agent used in our experiments; an actual attacker could use any search engine since the robot exclusion standard is not enforceable.

  2. Earthlink has announced a beta version of such a system as of this writing.

Author information

Corresponding author: Markus Jakobsson

Copyright information

© 2010 Springer Science+Business Media, LLC

About this chapter

Cite this chapter

Jakobsson, M., Menczer, F. (2010). Web Forms and Untraceable DDoS Attacks. In: Huang, SH., MacCallum, D., Du, DZ. (eds) Network Security. Springer, Boston, MA. https://doi.org/10.1007/978-0-387-73821-5_4

  • DOI: https://doi.org/10.1007/978-0-387-73821-5_4

  • Publisher Name: Springer, Boston, MA

  • Print ISBN: 978-0-387-73820-8

  • Online ISBN: 978-0-387-73821-5
