A great way to shoot yourself in the foot or not only yourself

Publish a recap of the state. I advise you to read the full text in the original language.

Panos Ipeirotis recently received a bill from Amazon for more than $1170, while usually the amount in his accounts were approximately $100.





As it turned out, the limit was exceeded outbound traffic, and made it (the attention) 8.8 terabytes.
After checking the logs, Panos found that the culprit was the bot:
74.125.156.82 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
74.125.64.83 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)

According to his calculations, the traffic amounted to 250 gigabytes per hour.
But as it turned out this was no ordinary bot-crawler.
AdSense is used to preload a content that a user Dobley to your Google Reader or your Google homepage. Accordingly — loaded content on behalf of the user, and therefore, even is ignored robots.txt

Panos remembered that I had put jpg files in the Google Spreadsheet team =image(url), and as these are private, google does not store them on servers and not even cache — respecting the privacy of the user. Updating every thumbnail in each table (!) hour, i.e. deflating all images every hour.

If it were a normal domain, google would limit the number of requests, but since it was s3.amazonaws.com with terabytes (petabytes?) web content, the search giant had no reason to limit yourself. It turned out something like: "If the iron be put in the refrigerator, which one will win?"

Panos makes the logical conclusion: this technique can be applied for Denial of Bank Account attack on sites hosted on amazon. To do this:
    the
  1. From the site of the victim to collect as many references to media files (jpg, pdf, etc)
    2. the
  2. Post links in the rss feed or in google spreadsheet
    3. the
  3. to Add a feed in Reader or use the =image()
    4. the
  4. Lean back in the chair, watching garraffello


The story ended successfully — even before its publication, Amazon wrote off the charge for exceeded traffic, describing it as accidental and not intentional.

The conclusion of this story: be careful with these resources.
Article based on information from habrahabr.ru

Comments

Post a Comment

Popular posts from this blog

Powershell and Cyrillic in the console (updated)

Image
In the development process is very often necessary to run a powershell script from a console application. What could be easier? the #test.ps1 & $PSScriptRoot\ConsoleApp.exe Examine the behavior of console applications when running them from the command line, using PowerShell and using PowerShell ISE: execution Result In PowerShell ISE, there is a problem with encoding, as the ISE expects the output to the encoding 1251. Use Google and find two problem solving: c use [Console]::OutputEncoding and through the powershell pipeline. Let's use the first solution: test2.ps1 $ErrorActionPreference = "Stop" function RunConsole($scriptBlock) { $encoding = [Console]::OutputEncoding [Console]::OutputEncoding = [System.Text.Encoding]::GetEncoding("cp866") try { &$scriptBlock } finally { [Console]::OutputEncoding = $encoding } } RunConsole { & $PSScriptRoot\ConsoleApp1.exe } execution Result At the command prompt, all is well, bu
Read more

Active/Passive PostgreSQL Cluster, using Pacemaker, Corosync

Image
Description This article describes an example of configuring Active/Passive PostgreSQL cluster, using Pacemaker, Corosync. As the disk subsystem is considered the drive from the system data storage (CSV). Similar to the Windows Failover Cluster from Microsoft. Technical details: OS Version — CentOS 7.1 Version package pacemaker — 1.1.13-10 Package version pcs — 0.9.143 PostgreSQL — 9.4.6 As servers(2pcs) — iron server 2*12 CPU/ memory 94GB As a CSV(Cluster Shared Volume) — an array of class Mid-Range Hitachi RAID 1+0 Preparation of cluster nodes Rule /etc/hosts on both hosts and make the visibility of hosts to each other by short names, for example: the [root@node1 ~]# cat /etc/hosts 127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 10.1.66.23 node1.local.lan node1 10.1.66.24 node2.local.lan node2 Also make exchange between servers using SSH keys and
Read more

Automatic deployment ElasticBeanstalk using Bitbucket Pipelines

Image
bitbucket is a service ( Bitbucket Pipelines), which among other things allows extremely simple to automate the deployment of applications in the Amazon cloud, in particular using ElasticBeanstallk. To whom interesting, I ask under kat. the Prerequirements You should already be created ElasticBeanstalk application and deployed environments (in order to do this, refer to the official AWS documentation for, so, for example, unfolds Django ). Since the service is still undergoing testing, you need to request access to it here . the project setup Let's say we have two branches, master and we want to deplot on production environment and development — development environment. Create in the root of the project file bitbucket-pipelines.yml with the following content: the image: python:2.7.11 pipelines: branches: master: - step: script: - apt-get update # to install required zip - apt-get install -y zip # required for packaging up the application - pip install b
Read more