A great way to shoot yourself in the foot, and not only your own

I am publishing a recap of the story; I advise you to read the full text in the original language.

Panos Ipeirotis recently received a bill from Amazon for more than $1170, whereas his bills were usually around $100.

As it turned out, the outbound traffic limit had been exceeded, and the traffic amounted to (attention!) 8.8 terabytes.
After checking the logs, Panos found that the culprit was this bot:
74.125.156.82 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
74.125.64.83 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)

By his calculations, the traffic amounted to 250 gigabytes per hour.
But as it turned out, this was no ordinary crawler bot.
AdSense is used to preload content that a user has added to their Google Reader or Google homepage. Accordingly, the content is loaded on behalf of the user, and therefore robots.txt is ignored.
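The check Panos did by hand, as an added example that is not part of the original article: aggregate bytes sent per hour and per user-agent family from access logs and flag hours that exceed a budget. The log format is a constructed, simplified one (IP, ISO timestamp, bytes sent, quoted user agent); the IPs and user-agent string are the ones from the log lines above, the timestamps and byte counts are made up.

```python
"""Aggregate outbound bytes per hour and user-agent family from access logs."""
import re
from collections import defaultdict

# Simplified constructed format: "<ip> <iso-timestamp> <bytes-sent> "<user-agent>""
LINE_RE = re.compile(r'^(\S+) (\S+) (\d+) "([^"]*)"$')

# Constructed sample: two Feedfetcher IPs pulling images, one ordinary browser.
SAMPLE_LOG = """\
74.125.156.82 2012-05-01T10:00:01Z 734003200 "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
74.125.64.83 2012-05-01T10:07:42Z 629145600 "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.7 2012-05-01T10:12:09Z 204800 "Mozilla/5.0 (Windows NT 6.1) Firefox/12.0"
74.125.156.82 2012-05-01T11:00:03Z 838860800 "Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
"""

GB = 1024 ** 3


def bytes_per_hour_by_agent(log_text):
    """Return {(hour, agent_family): bytes_sent}, where hour is 'YYYY-MM-DDTHH'."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than aborting the whole run
        _ip, ts, sent, ua = m.groups()
        hour = ts[:13]
        # Group by the product token the page's log lines identify, everything else is "other".
        family = "Feedfetcher-Google" if "Feedfetcher-Google" in ua else "other"
        totals[(hour, family)] += int(sent)
    return dict(totals)


def flag_heavy_hours(totals, threshold_bytes):
    """Return the (hour, agent_family) keys whose egress exceeds threshold_bytes."""
    return sorted(key for key, sent in totals.items() if sent > threshold_bytes)


if __name__ == "__main__":
    totals = bytes_per_hour_by_agent(SAMPLE_LOG)
    # A 1 GB/hour budget for the sample; Panos's real figure was 250 GB/hour.
    for hour, family in flag_heavy_hours(totals, GB):
        print(f"{hour} {family}: {totals[(hour, family)] / GB:.2f} GB sent")
```

A real S3 server access log carries more fields than this constructed format, so the regex would need adjusting; the aggregation and threshold logic stay the same.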

Panos remembered that he had put jpg files into a Google Spreadsheet using the =image(url) function, and since these spreadsheets are private, Google does not store the images on its servers and does not even cache them, respecting the user's privacy. So every thumbnail in every spreadsheet is refreshed every hour (!), i.e. all the images are downloaded again every hour.

If it were an ordinary domain, Google would limit the number of requests, but since it was s3.amazonaws.com, with terabytes (petabytes?) of web content, the search giant had no reason to restrain itself. It turned out something like: "If you put an iron in the refrigerator, which one will win?"

Panos draws the logical conclusion: this technique could be used for a Denial of Bank Account attack on sites hosted on Amazon. To do this:
  1. Collect as many links to media files (jpg, pdf, etc.) from the victim's site as possible
  2. Post the links in an RSS feed or in a Google Spreadsheet
  3. Add the feed in Reader or use =image()
  4. Lean back in the chair and watch


The story had a happy ending: even before it was published, Amazon waived the charge for the excess traffic, calling it accidental rather than intentional.

The moral of this story: be careful with such resources.
Article based on information from habrahabr.ru
