Panos Ipeirotis, a computer scientists working at New York University, learned the hard way that Google can be used to launch successful denial-of-service (DOS) attacks against sites with minimal effort.
On his personal blog Ipeirotis explained that it all started when he saw that Amazon Web Services was charging him with ten times the usual amount because of large amounts of outgoing traffic.
“Initially I was afraid that a script that I setup to backup my photos from my local network to S3 caused that bandwidth. But then I realized that I am running this backup-to-S3 script for a few months now, and in any case all the traffic that is incoming to S3 is free. This is a matter of outgoing traffic,” he explained.
After analyzing traffic logs he was able to determine that every hour a total of 250 gigabytes of traffic was sent out because of Google’s Feedfetcher, the mechanism that allows the search engine to grab RSS or Atom feeds when users add them to Reader or the main page.
“All the URLs for these images [from the S3 bucket] were also stored in a Google Spreadsheet, and I used the =image(url) command to display a thumbnail of the image in a spreadsheet cell,” Ipeirotis wrote.
“So, all this bandwidth waste was triggered by my own stupidity. I asked Google to download all the images to create the thumbnails in Google Spreadsheet. Talking about shooting myself in the foot. I launched the Google crawler myself.”
So why did this happen in the first place?
It seems that Google doesn’t want to store the information on its own servers so it uses Feedfetcher to retrieve it every time, thus generating large amounts of traffic.
This enabled the expert to find out how a Google feature can be easily used to launch dangerous attacks against a site simply by gathering several big URLs from the target and putting them in a spreadsheet or a feed.
If the feed is placed into a Google service or a spreadsheet and the image(url) command is used, a DOS attacks is initiated.