Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

the js version does something like

  setInterval(function(){
    var i = new Image();
    i.src = target + randId + msg;
    ... // event handling
  }, 0)
so you end up requesting an url every 0 ms the randId is just a simple `Date.now`, the message is an actual message taken from an input in the html. Source code: http://hastebin.com/gasitinafo.js


That's pretty nasty. Surely defense against this kind of thing should be built into browsers although you would need to detect an unending loop causing HTTP requests so run into the halting problem I guess.

If they are tricking people into performing what is potentially a criminal act then they lose the limited amount of respect I did have for them.


My recent version of Firefox defaults to a limit of 15 connections per server. So there is some defense built in.


Yea but as soon as one connection is finished it can just spawn another one so 15 concurrent connections is more than enough to do damage.

Once you start doing thousands of concurrent connections you more likely to kill your router anyway.


The Firefox addon RequestPolicy will protect you from this.


This should be something that is default in the browser, the issue is to stop the less tech savvy user unwittingly perpetrate a DDOS.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: