Hi everyone, this is Andrew from Dropbox.

We do use LibreOffice to render previews of Office documents for viewing in a browser, and have permitted external resource loading to make those previews as accurate as possible. While this could theoretically be used for DDoS, we haven’t seen any such behavior. However, just to be extra cautious we’ve temporarily disabled external resource loading while we explore alternatives.

As one part of your solution, I recommend restricting the machines that can make outbound requests to a certain pool, and then limiting that pool's total bandwidth, throwing an alarm whenever the limit is hit.

It may be that you are big enough that even the limited bandwidth you need for normal operations is enough to take out smaller hosts, so you'd need to measure and monitor to see how well this works.

Hi Andrew, thanks for the explanation.

Could Dropbox perhaps let me disable this feature? I almost never use the web interface so I wouldn't miss it and I prefer that my documents are not opened after being synched.
