
Make requests through Google servers +DDoS

Discovered on 10 Aug 2011
Google Security center contact: 10 Aug 2011
Response from the Google Security center: N/A
Published: 29 Aug 2011 (GMT +1)

How does it work?
The vulnerable pages are /_/sharebox/linkpreview/ and gadgets/proxy?
It is possible to request any file type, and G+ will download and show all the content. So, if you parallelize many requests, it is possible to DDoS any site using Google's bandwidth. It is also possible to start the attack without being logged in to G+.

Attack vectors:
The advantage of using Google and making requests through their servers is to be even more anonymous when you attack some site (TOR + this method). The funny thing is that Apache will log Google IPs.
But beware: gadgets/proxy? will send your IP to the Apache log; if you want to attack, you'll need to use /_/sharebox/linkpreview/

SQL injection time-based attacks will also work using this method.
The DDoS attack is just an example; do not start a DDoS for no reason.

Practical examples:
https://plus.google.com/_/sharebox/linkpreview/?c=<SITE>&t=1&_reqid=<RANDOM_NUMBERS>&rt=j
or
https://images2-focus-opensocial.googleusercontent.com/gadgets/proxy?url=<SITE>&container=focus
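
A fetch endpoint of this kind can bound how much traffic it forwards to any one destination. The sketch below is an added example, not code from the original post or from Google: a hypothetical `FetchGuard` that caches by target URL only (so per-request values such as `_reqid` have no effect), limits origin fetches per destination host, and caps the downloaded size. The host name, limits and `fake_fetch` are constructed for illustration.

```python
import time
from urllib.parse import urlsplit

class FetchGuard:
    """Gate in front of a URL-fetching endpoint: cache, per-host budget, size cap."""
    def __init__(self, per_host=5, window=10.0, ttl=300.0, max_bytes=65536):
        self.per_host, self.window = per_host, window
        self.ttl, self.max_bytes = ttl, max_bytes
        self._recent = {}  # target host -> timestamps of recent origin fetches
        self._cache = {}   # normalized target URL -> (expiry, body)

    def handle(self, target, fetch, now=None):
        """Return (status, body); `fetch(url, limit)` performs the real download."""
        now = time.monotonic() if now is None else now
        try:
            parts = urlsplit(target)
            port = parts.port                 # raises ValueError on a malformed port
        except ValueError:
            return "rejected", None
        if parts.scheme not in ("http", "https") or not parts.hostname:
            return "rejected", None
        host = parts.hostname.lower()
        key = (parts.scheme, host, port, parts.path or "/", parts.query)
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            return "cached", hit[1]           # repeat requests never reach the origin
        recent = [t for t in self._recent.get(host, []) if now - t < self.window]
        self._recent[host] = recent
        if len(recent) >= self.per_host:
            return "throttled", None          # budget for this destination is spent
        recent.append(now)
        body = fetch(target, self.max_bytes)[: self.max_bytes]
        self._cache[key] = (now + self.ttl, body)
        return "fetched", body

def simulate(targets, guard=None):
    """Run constructed requests through the guard; count what reaches the origin."""
    guard = guard or FetchGuard()
    origin_hits = []
    def fake_fetch(url, limit):               # stand-in for the real HTTP client
        origin_hits.append(url)
        return b"x" * (limit * 2)             # origin serves more than the cap
    statuses = [guard.handle(t, fake_fetch, now=0.0)[0] for t in targets]
    return len(origin_hits), statuses

if __name__ == "__main__":
    same = ["http://origin.example/big.iso"] * 1000
    varied = [f"http://origin.example/big.iso?n={i}" for i in range(1000)]
    print(simulate(same)[0], simulate(varied)[0])
```

The per-host budget is what handles requests that vary the target's query string to miss the cache; the cache alone only absorbs exact repeats.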


UPDATE 1:  _/sharebox/linkpreview has been fixed on 01 Sep 2011 at 15.20 (GMT +1)… no communication from Google at the moment
UPDATE 2: Reply message from G Security team on 02 Sep 2011 at 00:36 (GMT +1):

Hello

Apologies for missing this one - "mea culpa" for not responding to your
email. 

As you've noticed, we've made a few tweaks to the existing abuse detection
and prevention mechanisms that were already in place. Thanks for your
assistance!

Cheers,
Adam

UPDATE 3: Some lamerz used this kind of attack to increase the bandwidth bill in Amazon cloud (http://www.behind-the-enemy-lines.com/2012/04/google-attack-how-i-self-attacked.html)

Video guide:

In this example I start a thread of 1000 requests and the output bandwidth will result in 91/96Mbps (my house bandwidth is only 6Mbps). This is my server, do not start to DDoS around for no reason!

+DDoS source code download:

http://iht.li/p/tdQt2t

37 replies on “Make requests through Google servers +DDoS”

Since a p.txt file containing the HTML content for the requested site is returned using gadgets/proxy, I was thinking a grease-monkey script to convert the text file to HTML and also request further content from the URL.

Any thoughts on how I can surf using the bug?

Nice find. From my past experience Google and Facebook usually ignore such mails and only respond when it's abused on a large scale.

Out of curiosity, Simone, which application are you using in the second terminal tab?
Anyway, Google does have these "lapses", that is, ignoring vulnerability reports. Let's see whether, after multiple reports and articles like this one and others, they decide to listen and fix it.

I’m trying on my server but I can't get it to work. I'm using Cygwin; when I enter bash script.sh my.server 1000 it says that it started but my server is fine… and the output bandwidth doesn't show any results…

You should try with one request using curl without nohup and redirection to /dev/null and see what curl says.

I downloaded it again, same thing: it says Sending 1000 requests but nothing happens… About the Usage: big file Requests, what do you mean by big file? I only enter the IP address…

how to use it? just run _154785695367_+ddos.sh file?

in source _154785695367_+ddos.sh not be edited?

reply me soon

This is not a course to learn how to use the script.
Just learn some bash scripting and you will understand it!

Great job… I was thinking of something similar to you, but in my case on the web page of the University

/_/sharebox/linkpreview/ does not work any more.

/gadgets/proxy still works, but we can detect the user-agent and block it

I'm super sorry. I entered this page one week ago, and it was down, but I can still see it, because you use one service… could you tell what that service is you use? (some backup uptime web page… or something).
Thanks (and sorry again, as you said in other comments, this is not a school to explain everything, but I think I could really use some service like that, you have).

Your IP has probably been blacklisted for some reason. This is why you see the message.
Anyway the service is “Cloud Flare”.

Regards

Confirmed working. They haven’t fixed it yet. It’s been 8 months.

Anyway, we got a free fast proxy 🙂

Thanks

Dear,

The last attack which you have shown in the video with a loop of ICMP echo requests is outdated and does not work any more on almost all servers, quite literally. Because most servers are now configured to block ICMP requests from a particular IP above the critical limit. So after some requests, your echo request would not be responded to and would be blocked.

And the one which happened incidentally to Mr. Panos has much more probability to work if you find a script to generate the list of all image URLs from a web page or the whole website, because Google in this case acts as a human agent, i.e. acts on behalf of you, so it will not be restricted by the server.

But the challenging thing here is to generate the list of all image urls on the particular site to execute this attack successfully.
