

Using Facebook Notes to DDoS any website - kapkapkap
http://chr13.com/2014/04/20/using-facebook-notes-to-ddos-any-website/?

======
leepowers
> In the end, the conclusion is that there’s no real way for us to fix
> this that would stop “attacks” against small consumer grade sites
> without also significantly degrading the overall functionality.

Nonsense. Every web crawler should have some form of rate limiting. That's
just good etiquette. I can control the number of requests that the Google
search indexer sends to my site via webmaster tools. I don't see a good reason
why Facebook can't be a good net citizen and do the same.
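
For illustration, per-host pacing is only a few lines in any fetcher. A
minimal sketch in Python (the one-request-per-second budget and the
`fetch` callback are placeholders, not anything Facebook has documented):

    import time
    from urllib.parse import urlparse

    last_fetch = {}     # host -> timestamp of the previous request
    MIN_INTERVAL = 1.0  # assumed budget: at most 1 request/sec per host

    def polite_fetch(url, fetch):
        host = urlparse(url).netloc
        wait = MIN_INTERVAL - (time.time() - last_fetch.get(host, 0.0))
        if wait > 0:
            time.sleep(wait)  # back off instead of hammering the origin
        last_fetch[host] = time.time()
        return fetch(url)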

~~~
Artemis2
Especially since Facebook is not supposed to intelligently crawl
websites, just proxy images. That's an easy one.

~~~
Terr_
Ah, but intelligently for whom?

Benefits to Facebook might outweigh intangibles like "being nice" to the
people and places they are indirectly making money off of.

~~~
dspillett
I think in this instance we've passed the line between "not being nice"
and "being a dick", or in this case being an accessory to a dickish
move.

If the issue is used to DoS a site Zuckerberg cares about, not that I would
encourage such action as it would in itself be a dick move, I'm sure some form
of rate limiting will be implemented in short order...

------
RKoutnik
This is actually the _third_ time this has been submitted [1] (including
once by the actual author of this post). There's an extra `/?` appended
to the URL so HN thinks it's a different link. Not sure why; just adding
the slash and question mark doesn't change the target.

[1]
[https://hn.algolia.com/#!/story/past_month/0/ddos%20facebook](https://hn.algolia.com/#!/story/past_month/0/ddos%20facebook)

~~~
STRiDEX
Next post: using hacker news to DDoS any website.

~~~
egeozcan
Actually it has a name, "The HN Effect" (inspired by "The Digg Effect",
I guess), and it's a real thing, as many web sites go down when they are
featured on the front page.

~~~
wingerlang
Actually it has a name, "Slashdot effect".

[http://en.wikipedia.org/wiki/Slashdot_effect](http://en.wikipedia.org/wiki/Slashdot_effect)

~~~
Argorak
There are so many local variations. In the German-speaking part of the
internet, there is the verb "geheist", after a popular tech news site.

------
lucb1e
Thought Facebook had already fixed it. I tried with an image on my
domain and it only went up to about 660 KB/s.

Then I found a bigger file.

It now maxes out my upload speed (50 Mbps on fiber). The notes have been
deleted but Facebook continues to make HTTP requests for the file. That,
or Apache keeps writing requests to the access log after they finish and
Facebook doesn't close active connections even when it knows the answer
will never be used.

Edit: Found a video (big file) hosted by Facebook. Guess who's under attack
now :D

Edit2: They seem to be fetching at about 1.6-1.9 Gbps, calculating from
how quickly the images seem to 'load' (become blank 1x1 px images) on my
client and how big the actual file is.
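
Back-of-the-envelope, with made-up but plausible numbers (the actual
file size and timing aren't given here):

    # hypothetical: a ~24 MB target file, each <img> turning into a
    # blank 1x1 px placeholder about 0.1 s after the previous one
    file_size_bytes = 24e6
    seconds_per_fetch = 0.1
    print(file_size_bytes * 8 / seconds_per_fetch / 1e9)  # -> 1.92 Gbps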

~~~
Nexxxeh
I wonder: what is the legality of having them DDoS themselves, using
something they've suggested will not impact someone of their scale, and
that they won't fix?

Are you breaching their ToS or AUP? (I'm sure I've "agreed" to it but I
doubt I've ever read it in full.)

~~~
lucb1e
I have no clue and I personally do not really care :P

It's way easier for them to just fix the issue than to sue me, as long
as I don't noticeably disturb their infrastructure (i.e. don't bother
other users).

------
ama729
> In the end, the conclusion is that there’s no real way for us to fix
> this that would stop “attacks” against small consumer grade sites
> without also significantly degrading the overall functionality.

Why not just limit the number of requests per site _and_ per user? I.e.
John Smith can only make X requests (let's say 1000) to www.google.com.

Doesn't seem too hard.
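
A minimal sketch of that check, with an in-memory counter (a real
crawler would want a shared store with expiry, but the idea is the
same):

    from collections import Counter
    from urllib.parse import urlparse

    MAX_FETCHES = 1000        # the "X" above, per user per target site
    fetch_counts = Counter()  # (user_id, host) -> requests made so far

    def may_fetch(user_id, url):
        key = (user_id, urlparse(url).netloc)
        if fetch_counts[key] >= MAX_FETCHES:
            return False      # over quota: refuse to crawl for this user
        fetch_counts[key] += 1
        return True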

~~~
eyeareque
They state that 400-800 Mbit/s == consumer grade sites? Really?

~~~
MichaelGG
Outbound traffic. That's only serving up a few large images a second.
It's entirely IO-bound on network output. Getting a 1 Gbps connection is
not a big deal.

~~~
iancarroll
I don't know what your setup is like but a connection != the requests my
webserver can handle.

~~~
MichaelGG
I know, it was two separate comments. A: it's "just" IO, performing
probably the most heavily optimized IO pattern in the world (serving
static files), and B: buying a 1 Gbps uplink is trivial.

~~~
chr13
>"buying 1Gbps uplink is trivial"

1 Gbps dedicated uplink is not trivial everywhere in the world. You also need
more quota. Facebook easily crawled more than 1 TB of data during an hour. The
more the better may not be best solution here. The higher the uplink, faster
Facebook may crawl. So instead of transfering 1 TB in an hour for a 1 Gbps
uplink, the transfer will be 10 TB if you have 10 Gbps. This will also depend
how much bandwidth they allow their crawler, there must be an upper limit
though.
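
For scale, the raw line-rate arithmetic (note a saturated 1 Gbps link
actually moves about 0.45 TB in an hour, so the round numbers above are
loose):

    # bytes moved in one hour at a sustained line rate
    def terabytes_per_hour(gbps):
        return gbps * 1e9 / 8 * 3600 / 1e12  # bits/s -> bytes/s -> TB/h

    print(terabytes_per_hour(1))   # ~0.45 TB/hour at 1 Gbps
    print(terabytes_per_hour(10))  # ~4.5 TB/hour at 10 Gbps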

------
pygy_
Could one use this to attack Facebook from within its network, bypassing its
DDoS mitigation measures?

~~~
TwoBit
I'll bet that if it could, they'd suddenly start caring more about it.

~~~
arasmussen
I'll bet that could land you in jail.

~~~
spoiler
Wait... This comment thread looks familiar. Did this happen already?

------
eyeareque
I'm surprised they aren't going to give him a bounty for this. I also
assume they realize that most reporters will post their rejected
findings soon after they get denied.

If enough people start using this technique, they will have no choice
but to create a fix for it.

~~~
wisty
It doesn't really hurt Facebook.

~~~
mey
Tying up these servers impacts them and makes people start blocking
them, breaking the service.

------
j0k3r
Same as [http://chr13.com/2014/03/10/using-google-to-ddos-any-website/](http://chr13.com/2014/03/10/using-google-to-ddos-any-website/)

~~~
hazelnut
So if Facebook and Google both have this bug ... or feature ... point
one at the other and boooom goes the internet!

~~~
nsns
But isn't Google constantly "DDoSed" by definition? (I mean,
simultaneously used by almost every computer on Earth.)

------
sargun
Ideally, the webserver should just return HTTP 420 (Enhance Your Calm),
429 (Too Many Requests), or 509 (Bandwidth Limit Exceeded).
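
A toy version of the server side with just the standard library (the
10-requests-per-10-seconds budget is an arbitrary example):

    from http.server import BaseHTTPRequestHandler, HTTPServer
    import time

    hits = []  # timestamps of recent requests (single-process toy)

    class Limited(BaseHTTPRequestHandler):
        def do_GET(self):
            now = time.time()
            hits[:] = [t for t in hits if now - t < 10]  # 10 s window
            if len(hits) >= 10:                          # assumed budget
                self.send_response(429)                  # Too Many Requests
                self.send_header("Retry-After", "10")
                self.end_headers()
                return
            hits.append(now)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"ok\n")

    HTTPServer(("", 8000), Limited).serve_forever()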

~~~
hk__2
Side note: 420 is not a standard HTTP error.

~~~
steveklabnik
While this is true, it's also not a huge problem, exactly:

> HTTP status codes are extensible. HTTP applications are not required
> to understand the meaning of all registered status codes, though such
> understanding is obviously desirable. However, applications MUST
> understand the class of any status code, as indicated by the first
> digit, and treat any unrecognized response as being equivalent to the
> x00 status code of that class, with the exception that an unrecognized
> response MUST NOT be cached. For example, if an unrecognized status
> code of 431 is received by the client, it can safely assume that there
> was something wrong with its request and treat the response as if it
> had received a 400 status code. In such cases, user agents SHOULD
> present to the user the entity returned with the response, since that
> entity is likely to include human-readable information which will
> explain the unusual status.

[http://tools.ietf.org/html/rfc2616#section-6.1.1](http://tools.ietf.org/html/rfc2616#section-6.1.1)

This text was basically unchanged in httpbis:
[http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-26#section-6](http://tools.ietf.org/html/draft-ietf-httpbis-p2-semantics-26#section-6)

------
brador
Now that they've been informed and chosen to do nothing, do they have
some legal liability if it's used in an attack?

------
TOMDM
To the people saying that this won't really hurt Facebook, I beg to
differ. This is a relatively simple DDoS attack to deploy, and if enough
people start utilising it, I can see a fair amount of Facebook's
resources being tied up in these attacks.

It seems they will only fix it when it starts to hurt them.

------
NicoJuicy
This can be fixed easily (I read it quickly, but I suppose this could be
a fix):

Add a boolean to the attachment in the DB, queryDiff.

Add a string (for the MD5 hash).

Calculate the hash on every file fetched with a query parameter. If the
file is requested a second time (with different query parameters), check
whether the file hash is the same. If the file hash is the same, change
the bool queryDiff.

Next time you'd fetch the file, queryDiff is false, so you shouldn't
fetch the new URL and should just reuse the original one (which was
already downloaded).
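
Roughly, in Python (the names follow the comment above; this is a sketch
of the heuristic, not anything Facebook actually runs):

    import hashlib
    from urllib.parse import urlsplit

    seen = {}  # base URL without query string -> {hash, queryDiff, body}

    def fetch_once(url, fetch):
        base = urlsplit(url)._replace(query="").geturl()
        entry = seen.get(base)
        if entry and not entry["queryDiff"]:
            return entry["body"]        # params proven irrelevant: reuse
        body = fetch(url)
        digest = hashlib.md5(body).hexdigest()
        if entry is None:
            seen[base] = {"hash": digest, "queryDiff": True, "body": body}
        elif digest == entry["hash"]:
            entry["queryDiff"] = False  # same bytes, new query string
        return body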

~~~
jrochkind1
There's no way to know whether a difference in a query parameter means a
different image or not; you can't simply reuse a prior URL that is
equivalent but for the query param in place of a new one.

    http://example.org/images?image_id=12121
    http://example.org/images?image_id=7272

~~~
NicoJuicy
If

    http://example.org/images?image_id=12121
    http://example.org/images?image_id=7272

contain the same image, chances are very high that other query parameter
variants will be the same too.

If they are different, chances are very high that other query parameter
variants are also different.

Want to up your chances? Then instead of only 2 requests, raise the bar
to 10 different query parameter checks and add some additional DB values
(like CountFetch:int, sameUntillCurrentFetch:bool).

As soon as sameUntillCurrentFetch = false, you request all images in the
future. If CountFetch = 5 and sameUntillCurrentFetch = true, then
queryDiff = false.

It's kinda weird my answer was downvoted; any better solutions to avoid
the stated problem, then?

------
democracy
This looks like a great free load testing tool! :)

------
benguild
This is one of those “worst case scenarios” when it comes to web
application design...

------
panzi
So giving a 404 for unknown GET parameters should fix this for your own
site? A way for Facebook to detect such a thing would be to hash the
images: when two images have the same hash and their URLs only differ by
some GET parameter, it could remember that it can ignore that parameter.
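
The first half of that is easy to do on your own site; a sketch as a
plain WSGI app (EXPECTED is whatever parameters your route actually
uses, an assumption here):

    from urllib.parse import parse_qs

    EXPECTED = {"image_id", "size"}  # params this hypothetical route accepts

    def app(environ, start_response):
        params = parse_qs(environ.get("QUERY_STRING", ""))
        if set(params) - EXPECTED:   # unknown cache-busting params -> 404
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"not found\n"]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [b"image bytes would go here\n"]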

~~~
LukeB_UK
Not a reliable check. If the first 2 are the same, then this would cause a
false positive as the third, fourth and fifth could all be completely
different.

------
thematt
Interesting. I wonder if being behind CloudFlare would mitigate this?

------
gabemart
I'm really impressed DigitalOcean droplets can sustain ~900 Mbps.

------
thejosh
You can do the same thing with Google Docs...

------
sippeangelo
So now Facebook can DDoS anyone they like, and claim it's out of their
control?

------
EGreg
Just use ETags!
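
From the fetcher's side that would be a conditional request; a sketch
with the `requests` library (the URL is a placeholder, and it only helps
if the origin actually sends ETags):

    import requests

    url = "http://example.org/images?image_id=12121"  # placeholder
    first = requests.get(url)
    etag = first.headers.get("ETag")

    # revalidate instead of re-downloading: a 304 carries no body
    again = requests.get(url, headers={"If-None-Match": etag} if etag else {})
    print(again.status_code)  # 304 if unchanged and the server honours ETags

Though note that each query-string variant is a new URL to the cache, so
ETags alone wouldn't stop the trick described in the article.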

------
MichaelGG
He's using "outbound" traffic as a DoS metric, which is sort of novel. I
guess it looked better than "1000 HTTP requests"?

~~~
chr13
Actually the number of HTTP requests is 180,000+.

~~~
MichaelGG
And an HTTP request requires what, 3 packets inbound? Just saying,
calling it a "DDoS" seems slightly generous.

~~~
chr13
We also have to remember that these requests are shared between 100+
Facebook servers, which is what puts the "distributed" in DDoS.

