
It's funny that Mastercard can't defend against an attack that my home router is capable of defending against. (A big limit on connections per /24 per minute should solve this problem. So will using a smart webserver or frontend proxy that doesn't care how many idle connections there are. Then all you have to worry about is bandwidth saturation rather than your servers crashing.)

But the lesson here is, when you visit a web page, a line in a log that identifies you is generated. Generate too many of these lines, and, one line of Perl later, the cops are going to be asking you some questions. Don't participate in a DDoS attack unless you're absolutely sure that nobody is logging your traffic. And that is something that's impossible to be sure of these days.
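The per-/24, per-minute counting described in the comment above, as an added example that is not part of the original thread: it groups access-log lines by source /24 and minute and reports the groups over a limit. The common-log-format input, the limit value and the function names are assumptions, and the sample lines are constructed using documentation address ranges.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed sample lines in common log format (RFC 5737 documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:14:03:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.6 - - [01/Jan/2024:14:03:02 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:14:03:02 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:14:03:40 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:14:03:59 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:14:04:00 +0000] "GET / HTTP/1.1" 200 512',
    '198.51.100.20 - - [01/Jan/2024:14:03:10 +0000] "GET / HTTP/1.1" 200 512',
    'garbage line that does not parse',
]

# Client address is the first field; the timestamp sits in square brackets.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


def bucket(line):
    """Return (/24 network, UTC minute) for one log line, or None if unusable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    if ip.version != 4:
        return None  # the /24 grouping only makes sense for IPv4
    net = ipaddress.ip_network(f"{ip}/24", strict=False)
    minute = ts.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M")
    return str(net), minute


def over_limit(lines, limit):
    """Map (network, minute) -> request count for every group above `limit`."""
    counts = Counter(b for b in map(bucket, lines) if b is not None)
    return {key: n for key, n in counts.items() if n > limit}


if __name__ == "__main__":
    for (net, minute), n in over_limit(SAMPLE_LOG, limit=4).items():
        print(f"{minute} {net} {n} requests")
```

Counting by /24 rather than by single address catches a source that rotates through neighbouring addresses, at the cost of also grouping unrelated clients behind the same network.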

It seems like it would be trivial to get someone's door busted down by running LOIC aggressively on their computer. I wonder--at what point can the FBI's enthusiastic enforcement be directed, in some sense, as a weapon?

Edit: I've watched Anonymous (insert typical disclaimer about the membership of a heterogeneous group of net users) attack more than one of my boxes. DDOSes have traditionally been the regime of surreptitious botnets, not voluntary ones. I'll bet you some unsuspecting soccer mom (or someone who pisses off Anon) gets nabbed at some point.

The FBI is just sending a message.

They cherry-picked a few IP addresses, set surveillance on them, and then chose those few which belonged to people who were active on forums revealing that they were in fact probably guilty and didn't just have a trojan or little brother.

If the FBI intended to comprehensively prosecute every offender, your point would be a genuine hindrance. However, they only need a few to deter the behaviour and they know this.

Thousands of people participated in these protests, and a handful are going to be made examples of. It's not at all unlike a flesh-and-blood protest.

You can get people to participate in DDoS attacks with a malicious website though.

Just use some JS to create image elements, script tags, iframes etc all with sources pointing at the target, should be able to do a few hundred a second at least.

Even trivial to get people to participate without using javascript. Just pop in a hidden iframe with a million <img> tags in the source.

As things move on, I don't think individuals who happen to fire off a few hundred requests at a website should be investigated/prosecuted/etc. Website owners just need to get better at protecting their systems.

I guarantee the FBI did further surveillance before sending the raids.

They didn't just pick a random IP and then send a team.

They picked the IP, sniffed their traffic, monitored their internet behaviour, read their forum posts, and then finally selected them to be an example.

By performing surveillance like this you can be 99% sure who is a real voluntary participant and who is just a stooge. A voluntary participant will talk about it on forums for example, brag on IRC, etc etc. These will be the ones selected by the FBI for dramatic home visits.

> A voluntary participant will talk about it on forums for example, brag on IRC, etc etc.

So it's like assassination, then: all you have to do to get away clean is to execute only on others' commands, making no plans of your own, and not discussing, bragging, or asking questions. Historically, this leads quickly to a two-level military structure: officers to point, and enlisted men to shoot.

The only question is whether any sort of hierarchy is possible within a completely decentralized system of mutually non-trusting agents, who are nonetheless driven by either status or belonging. That sounds like it should have a mathematical answer...

Well, if they're snooping your net traffic, then you don't have to say anything on those forums or sites, simply hitting them on port 80 more than a handful of times is probably sufficient. They're trying to differentiate "guy who got botted" from "guy who's doing this manually", and even visiting those sites is probably differentiation enough to establish the probable cause or reasonable suspicion they need for a search warrant.

> Just pop in a hidden iframe with a million <img> tags in the source.

Mostly agree, but thought it worth pointing out that no browser will respond to this by parallelizing the million requests - most browsers don't ever open more than a dozen or so concurrent connections to one site. So this wouldn't do as much as you might think, unless you could get lots of users to stay on your page for a long time.

True, although you can probably find all subdomains for the target, or if you're lucky find someone who has set up a DNS wildcard, then you'll be able to have a bit more fun and run lots of the requests concurrently.

Maybe my 'few hundred a second' was a bit off, idk

There is a JavaScript version of the tool (LOIC), so presumably it's effective enough to be useful.

How about Flash? I'm pretty sure you can have as many open connections as you want that way.

Not only that, in Flash you can write a for {} loop that will bombard the target with requests, as long as the movie is running. The ultimate example would be compromising YouTube's SWF player, and using it as a DDOS bot.

Come on, quite a few home routers can't even handle an aggressive BitTorrent client. Yes, DDoS can be defended against, and the fact that the LOIC is pretty primitive helps, but it's not that trivial.
