"Evil" D0z.me URL Shortener Facilitates DDoS Attacks

Conceptual hacker Ben Schmidt has combined his interest in the recent spate of DDoS attacks surrounding the WikiLeaks dump with what he holds to be the public’s increasing over-reliance on URL shorteners to create D0z.me. D0z.me is a “proof-of-concept” URL shortener that attacks a server while re-routing links.

In theory, potential attackers could visit d0z.me and submit a link they wanted to share as well as the URL of a server they wanted to attack. When users click on the link, they are redirected to the requested site with the addition of an invisible iframe that unleashes a LOIC-like JavaScript DoS that runs while the user is browsing. The malevolent script runs for as long as the user keeps browsing from that page and is even more potent when run from an HTML5 browser.

Attackers interested in scaling attacks would then share the link with as many people as possible, with the objective of either creating content that becomes popular (tricking users into sharing the link) or having people voluntarily involve themselves in the distributed attack by clicking on the link.

Schmidt makes it clear that his tool is just an illustration of how easy it could be to orchestrate something like this and get people to attack. He also includes a message for people who have a nasty sense of irony and are pondering using the tool to DoS his own site: “Let’s just save each other the time and hassle and say that you win, theoretical attacker. Congratulations.”
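
A defender-side check for the pattern described above, as an added example that is not part of the original article or Schmidt's code: it classifies what a short link returns, treating a plain HTTP redirect as expected and flagging an HTML page that combines a hidden iframe with script. The article does not say how d0z.me serves its page, so the response shape, the hiding heuristics, and the sample responses below are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Inline-style patterns that hide an element (heuristic, not exhaustive).
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0(\.0+)?\s*(;|$)"
    r"|(?<![\w-])(width|height)\s*:\s*0(px)?\s*(;|$)", re.I)

class FrameAudit(HTMLParser):
    """Collects iframes and counts script tags in a page served by a shortener."""
    def __init__(self):
        super().__init__()
        self.hidden_frames, self.visible_frames, self.scripts = [], [], 0

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self.scripts += 1
        if tag != "iframe":
            return
        zero = a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px")
        hidden = zero or "hidden" in a or HIDDEN_STYLE.search(a.get("style", ""))
        (self.hidden_frames if hidden else self.visible_frames).append(a.get("src", ""))

def audit_short_link(status, headers, body=""):
    """Classify a short-link response as 'redirect', 'suspicious' or 'page'."""
    if 300 <= status < 400 and headers.get("Location"):
        return {"verdict": "redirect", "target": headers["Location"], "hidden": []}
    audit = FrameAudit()
    audit.feed(body)
    # A hidden frame plus script on a "shortener" page deserves a closer look.
    verdict = "suspicious" if audit.hidden_frames and audit.scripts else "page"
    return {"verdict": verdict, "target": None, "hidden": audit.hidden_frames}

# Constructed sample responses (not captured from any real service).
CLEAN = (301, {"Location": "https://example.org/article"}, "")
FRAMED = (200, {"Content-Type": "text/html"}, """<html><body>
<iframe src="https://example.org/article" width="100%" height="100%"></iframe>
<iframe src="https://placeholder.invalid/" style="width:0;height:0;border:0"></iframe>
<script>/* script body omitted in this constructed sample */</script>
</body></html>""")
PLAIN = (200, {"Content-Type": "text/html"}, "<html><body><p>hello</p></body></html>")

if __name__ == "__main__":
    for name, resp in (("clean", CLEAN), ("framed", FRAMED), ("plain", PLAIN)):
        print(name, audit_short_link(*resp))
```

A link scanner or mail gateway would fetch the short link without following redirects and pass the status, headers and body to `audit_short_link`; a "suspicious" verdict is a triage signal, not proof of an attack.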