A great way to shoot yourself in the foot, and not only yourself

I am publishing a brief retelling of the article. I advise you to read its full text in the original language.

Panos Ipeirotis recently received a bill from Amazon for more than $1,170, while the usual amount on his account was about $100.

As it turned out, the outgoing traffic allowance had been exceeded, and the total came to (attention!) 8.8 terabytes.
After checking the logs, Panos found that a bot was responsible:
74.125.156.82 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
74.125.64.83 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)

By his calculations, the traffic ran at 250 gigabytes per hour.
But, as it turned out, this was no ordinary crawler.
Feedfetcher is used to prefetch content that a user has added to Google Reader or to their Google homepage. The content is therefore fetched on the user's behalf, which is why even robots.txt is ignored.
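What "checking the logs" looks like in practice, as an added example that is not part of the original post: a small Python script that parses access-log lines in the common "combined" format, sums the bytes served per hour for Feedfetcher versus everything else, and lists the paths Feedfetcher downloaded more than once (the hourly re-download pattern that turned out to be the cause). The log lines are constructed; only the two IPs and the User-Agent string come from the post, and the per-hour threshold is a parameter you would set from your own baseline.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" access-log format; they are
# not from the original post. The IPs and the User-Agent string are the ones Panos
# quoted; paths, sizes and timestamps are made up.
SAMPLE_LOG = """\
74.125.156.82 - - [10/May/2012:13:01:07 +0000] "GET /thumbs/img001.jpg HTTP/1.1" 200 2097152 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.64.83 - - [10/May/2012:13:01:09 +0000] "GET /thumbs/img002.jpg HTTP/1.1" 200 3145728 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.5 - - [10/May/2012:13:02:11 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
74.125.156.82 - - [10/May/2012:14:01:05 +0000] "GET /thumbs/img001.jpg HTTP/1.1" 200 2097152 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.64.83 - - [10/May/2012:14:01:08 +0000] "GET /thumbs/img002.jpg HTTP/1.1" 200 3145728 "-" "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
"""

FEEDFETCHER_UA = "Feedfetcher-Google"  # substring from the User-Agent quoted in the post

# ip ident user [timestamp] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    sent = m.group("bytes")
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "hour": ts.strftime("%Y-%m-%dT%H"),  # bucket by hour, the unit the post reasons in
        "path": m.group("path"),
        "bytes": 0 if sent == "-" else int(sent),
        "agent": "feedfetcher" if FEEDFETCHER_UA in m.group("ua") else "other",
    }


def bytes_per_agent_hour(log_text):
    """Sum response bytes per (agent class, hour)."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            totals[(rec["agent"], rec["hour"])] += rec["bytes"]
    return dict(totals)


def repeated_feedfetcher_fetches(log_text):
    """Paths Feedfetcher fetched more than once: the 'refresh every hour' signature."""
    counts = Counter(
        rec["path"]
        for rec in map(parse_line, log_text.splitlines())
        if rec and rec["agent"] == "feedfetcher"
    )
    return {path: n for path, n in counts.items() if n > 1}


def flag_heavy_hours(log_text, threshold_bytes):
    """(agent, hour, bytes) tuples whose hourly transfer exceeds threshold_bytes."""
    return sorted(
        (agent, hour, b)
        for (agent, hour), b in bytes_per_agent_hour(log_text).items()
        if b > threshold_bytes
    )


if __name__ == "__main__":
    # 4 MiB is a toy threshold for the constructed sample; use your own baseline.
    for agent, hour, b in flag_heavy_hours(SAMPLE_LOG, 4 * 1024 * 1024):
        print(f"{hour} {agent}: {b / 2**20:.1f} MiB served")
    print("re-downloaded by Feedfetcher:", repeated_feedfetcher_fetches(SAMPLE_LOG))
```

Two things are worth looking at together: the per-hour byte total (Panos saw about 250 GB per hour, which is what drove the bill) and the repeat-fetch list, because a well-behaved crawler with a cache would not pull the same unchanged image again hour after hour. The byte column in combined-format logs is the response body size, so it is exactly the outgoing traffic you are billed for.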

Panos remembered that he had inserted jpg files into a Google Spreadsheet with the =image(url) function, and since that data is private, Google does not store it on its servers and does not even cache it, out of respect for the user's privacy. Instead, it refreshes every thumbnail in the spreadsheet every (!) hour, i.e. it re-downloads all of the images every hour.

If this had been some ordinary domain, Google would have throttled the number of requests, but since it was s3.amazonaws.com, with terabytes (petabytes?) of web content behind it, the search giant saw no reason to hold itself back. The result was something like: "If you put an iron in a fridge, which one wins?"

Panos draws the logical conclusion: this technique could be turned into a "Denial of Bank Account" attack on sites hosted on Amazon. All it takes is:
  1. Collect from the victim's site as many links to media files (jpg, pdf, etc.) as possible
  2. Put the links in an RSS feed or a Google Spreadsheet
  3. Add the feed to Reader, or use the =image() function
  4. Lean back in your chair and watch the Habr effect


The story ended well: even before it was published, Amazon waived the charges for the excess traffic, treating it as accidental rather than intentional.

The lesson of this story: be vigilant with resources like these.

Source: https://habr.com/ru/post/143039/