

Using Google to DDoS any website - coffeecodecouch
http://chr13.com/2014/03/10/using-google-to-ddos-any-website/

======
leepowers
Previous discussion:

[https://news.ycombinator.com/item?id=7371176](https://news.ycombinator.com/item?id=7371176)

For sites like Gravatar[1] that generate an image from a given URL:

> In addition to allowing you to use your own image, Gravatar has a number of
> built in options which you can also use as defaults .... Most of these work
> by taking the requested email hash and using it to generate a themed image
> that is unique to that email address.

Not only would such an attack function as a network DDoS, but it could also
cause CPU thrashing as thousands of images are generated simultaneously.

There may also be a danger of an amplification attack using Gravatar (or a
similar site). For instance, from the Gravatar docs:

> If you'd prefer to use your own default image (perhaps your logo, a funny
> face, whatever), then you can easily do so by supplying the URL to an image
> in the d= or default= parameter.

Which will cause a Gravatar server to fetch the image in question.

So - in the Google spreadsheet an attacker could also add an additional
Gravatar line for each image, doubling the number of requesting servers with
little extra effort.

[1]
[https://en.gravatar.com/site/implement/images/](https://en.gravatar.com/site/implement/images/)
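Added example (not from the linked article, from the comment above, or from Gravatar's own code): a minimal model of the pattern the comment describes, an avatar endpoint that fetches a caller-supplied fallback image URL the way Gravatar's d=/default= parameter does. It contrasts a naive service, which fetches the upstream URL once per incoming request and so relays every request an attacker sends it, with a hardened one that only accepts absolute http(s) URLs, deduplicates fetches through a normalised cache key, and caps outbound fetches per upstream host, falling back to a built-in image once the cap is hit. The "upstream" is a stub that only counts fetches, so nothing touches the network. The class names, the limit of 10 fetches per host, the placeholder image bytes and the `victim.example` URLs are all assumptions made for the example.

```python
"""
Model of an avatar endpoint that fetches a caller-supplied default image URL
(cf. Gravatar's d=/default= parameter), naive and hardened variants.
All names, limits and sample data here are constructed for illustration.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


class UpstreamStub:
    """Stand-in for the third-party web server: counts fetches per host only."""

    def __init__(self):
        self.hits = defaultdict(int)

    def fetch(self, url: str) -> bytes:
        self.hits[urlsplit(url).hostname] += 1
        return b"\x89PNG-placeholder"  # constructed placeholder body


class NaiveAvatarService:
    """Fetches whatever URL the caller passed, once per incoming request."""

    def __init__(self, upstream):
        self.upstream = upstream

    def avatar(self, email_hash: str, default_url: str) -> bytes:
        return self.upstream.fetch(default_url)


class HardenedAvatarService:
    """Validates the URL, dedups fetches via a cache, caps outbound fetches per host."""

    def __init__(self, upstream, per_host_limit: int = 10):
        self.upstream = upstream
        self.per_host_limit = per_host_limit  # assumed limit, tune per deployment
        self.cache = {}
        self.outbound = defaultdict(int)
        self.builtin = b"GIF89a-placeholder"  # constructed built-in default image

    @staticmethod
    def normalise(url: str) -> str:
        """Canonical cache key: http(s) only, lower-cased host, sorted query params."""
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            raise ValueError("only absolute http(s) URLs are accepted")
        query = urlencode(sorted(parse_qsl(parts.query, keep_blank_values=True)))
        return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path or "/", query, ""))

    def avatar(self, email_hash: str, default_url: str) -> bytes:
        try:
            key = self.normalise(default_url)
        except ValueError:
            return self.builtin  # never fetch non-http(s) or relative URLs
        if key in self.cache:
            return self.cache[key]  # repeated URL: no second upstream fetch
        host = urlsplit(key).hostname
        if self.outbound[host] >= self.per_host_limit:
            return self.builtin  # cap reached: refuse to amplify against this host
        self.outbound[host] += 1
        body = self.upstream.fetch(key)
        self.cache[key] = body
        return body


def simulate(service_cls, requests, **kwargs):
    """Run a list of (email_hash, default_url) requests; return upstream hits per host."""
    upstream = UpstreamStub()
    service = service_cls(upstream, **kwargs)
    for email_hash, url in requests:
        service.avatar(email_hash, url)
    return dict(upstream.hits)


if __name__ == "__main__":
    # Constructed attack traffic: one distinct image URL per request, all on one host,
    # the shape an attacker gets by adding one Gravatar line per spreadsheet image.
    distinct = [(f"{i:032x}", f"http://victim.example/img{i}.jpg") for i in range(50)]
    print("naive, distinct URLs   :", simulate(NaiveAvatarService, distinct))
    print("hardened, distinct URLs:", simulate(HardenedAvatarService, distinct, per_host_limit=10))
    repeated = [(f"{i:032x}", "http://victim.example/logo.png?b=2&a=1") for i in range(50)]
    print("naive, same URL        :", simulate(NaiveAvatarService, repeated))
    print("hardened, same URL     :", simulate(HardenedAvatarService, repeated))
```

The cache only helps when the same upstream URL is repeated; an attacker who supplies a different image per row defeats it, which is why the per-host outbound cap does the real work in the distinct-URL case. The cap is keyed on the hostname as written, so a service that wants to resist an attacker spreading load across many hostnames of one target would additionally need to key on the resolved address, which this example does not do.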

