Kuro5hin.org: technology and culture, from the trenches
Xanga, The Ghetto Botnet (Internet)

By Tod Friendly
Thu Dec 30th, 2004 at 02:24:54 PM EST


Did you notice when Slashdot's search was down for the past few days? (It's back up now.) Turns out that in a stunning case of irony, it had been hammered into submission by thousands of people attempting to use it.

However, unlike CmdrTaco's regimented DDoS attacks, this one is carried out with malicious intent as opposed to mere sociopathic inconsiderateness. It also highlights a potential threat from one of the biggest weblogging services out there.


I've discussed the threat of weblogs before. In my story, I waxed lyrical about the benefits of sequestered weblogging sites such as LiveJournal and Xanga. I advocated them, safe in the belief that they were safely separated from the rest of the Web under a single domain, making any spurious search results from them easy to filter out.

However, there is a new and probably more dangerous threat posed by Xanga which has only been made obvious recently. A person's Xanga weblog can contain arbitrary JavaScript and HTML. In and of itself, this isn't too bad. Even though the blog can do pretty horrendous things to anyone who visits it, it isn't likely to be visited because it won't stand out amongst the five and a half million or so other weblogs hosted at the same site.

However, when this poor security is combined with readily available (and easily written) Xanga spamming scripts to spam links to the insidious weblog to tens or hundreds of thousands of other users, it receives dozens of hits a minute. And if the weblog has an embedded <iframe> or redirect to a database-intensive script on another website -- such as Slashdot -- bad things happen. Slashdot suffered sporadic 503 errors, and anything which depended on its database, including logging in and the generation of the front page, suffered from frequent failures. (That is, until CmdrTaco finally figured out what happened and got rid of search.pl altogether.)
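The traffic pattern just described has a distinctive signature on the target side: a burst of requests to one expensive endpoint, from many different client addresses, all carrying the same foreign Referer (the spammed weblog page whose iframe pulled them in). The following is an added example, not code from the article or from Slashdot, showing how an operator could spot that pattern in ordinary combined-format web-server logs. The hostnames (news.example.org as the site being hit, user123.blog.example.net as the referring page), the /search.pl path and the log lines themselves are constructed for the demonstration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache combined log format:
# ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints known to hit the database hard (assumed names for this example).
EXPENSIVE_PATHS = {"/search.pl"}
# Our own hostnames: a Referer from here is a user navigating normally.
OWN_HOSTS = {"news.example.org"}


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]            # drop the query string
    # "30/Dec/2004:14:05:17 -0500" -> "30/Dec/2004:14:05" (one-minute buckets)
    rec["minute"] = rec["time"].split(" ")[0].rsplit(":", 1)[0]
    rec["referer_host"] = urlparse(rec["referer"]).netloc.lower()
    return rec


def find_referer_floods(lines, threshold=20):
    """Return (minute, referer_host, hits, distinct_ips) for every minute in which a
    single foreign Referer drove at least `threshold` hits to an expensive endpoint."""
    hits = defaultdict(int)
    ips = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] not in EXPENSIVE_PATHS:
            continue
        host = rec["referer_host"]
        if not host or host in OWN_HOSTS:       # no Referer, or our own pages
            continue
        key = (rec["minute"], host)
        hits[key] += 1
        ips[key].add(rec["ip"])
    # Many distinct client IPs behind one foreign Referer is what distinguishes
    # embedded-iframe traffic from a single misbehaving client.
    return sorted(
        (minute, host, n, len(ips[(minute, host)]))
        for (minute, host), n in hits.items() if n >= threshold
    )


def constructed_log():
    """Constructed sample, not real traffic: 25 different client addresses hit the
    search script within one minute, all sent by one weblog page, plus normal requests."""
    lines = []
    for i in range(25):
        lines.append(
            f'10.0.0.{i} - - [30/Dec/2004:14:05:{i:02d} -0500] '
            f'"GET /search.pl?query=foo HTTP/1.1" 200 512 '
            f'"http://user123.blog.example.net/" "Mozilla/4.0"'
        )
    lines.append('10.1.1.1 - - [30/Dec/2004:14:05:30 -0500] "GET /search.pl?query=k5 HTTP/1.1" '
                 '200 900 "http://news.example.org/" "Mozilla/5.0"')
    lines.append('10.1.1.2 - - [30/Dec/2004:14:05:31 -0500] "GET /index.pl HTTP/1.1" '
                 '200 4000 "-" "Mozilla/5.0"')
    lines.append('10.1.1.3 - - [30/Dec/2004:14:06:02 -0500] "GET /search.pl?query=x HTTP/1.1" '
                 '503 0 "http://other.blog.example.net/" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for minute, host, n, distinct in find_referer_floods(constructed_log()):
        print(f"{minute}: {n} hits to expensive paths from Referer {host} ({distinct} client IPs)")
```

The same aggregation can feed a response rule: once a Referer host trips the threshold, the expensive endpoint can answer requests carrying that Referer with a cheap static page instead of running the query, which relieves the database without taking the feature away from everyone else.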

What makes this even more dangerous is that it can be done so quickly and readily. As opposed to scraping together a decent-sized botnet (which can take days or weeks), anyone can whip up a couple of Perl scripts and start hammering away. The only limit is someone's bandwidth, but past Xangadottings have demonstrated that it only takes two or three disgruntled hackers with ordinary broadband connections to take down the databases of all but the hardiest websites.

Xanga seem to be completely unaware of this problem or just can't be bothered to try and fix it, having taken no measures to combat it. (I suspect the latter, since they haven't bothered to follow up on other users' reports.) For instance, despite asking for an email address when signing up, they don't send confirmation to the email address. Nor do they use a captcha in order to signup or post. So the process of signing up and posting comments in others' blogs is very easy to script.

As such, we can't really do much about it but fume now and then. Even trying to use the flooding tactic against Xanga itself would be self-defeating because if Xanga were to go down, it would no longer be bombarded. Quite a dilemma. Maybe I should have been more inclusive in decrying weblogging after all. I find it pretty funny that blogging, which has been described as a tool for perpetuating freedom of speech, can now be used as a tool to suppress others' views.

Good work. Let's keep bringing the power of publishing to the people!


Poll
Xanga: should it go, or should it stay?
o Go. 61%
o Stay. 38%

Votes: 57

Xanga, The Ghetto Botnet | 66 comments (53 topical, 13 editorial, 5 hidden)
Xanga is stupid. (none / 0) (#66)
by Dersatz on Mon Apr 4th, 2005 at 07:58:19 AM EST

I hate it. I used to have a weblog, since closed, and it was spammed with links in the comments. Like this: kuro5hin
owned
ownage
ghetto
camwhore
cam whore
teens
hacked
cyber
cyber sex
g00ns
Ceciliantas pwnage
Halo 2
World of Warcraft
Everquest
blog
Xanga
urban dictionary
urbandictionary
blogger


http://slashdot.org/search.pl (none / 0) (#63)
by J'raxis on Thu Jan 13th, 2005 at 12:47:46 AM EST
http://www.jraxis.com/

It’s been down, up, down again, up again (as it is currently). Did they actually fix the script so it’s less CPU-intensive, or are they just putting it back up again and again only to be re-attacked?

— J’raxis

[ J’raxis·Com | Liberty in Your Lifetime ]

I Am Evil Incarnate (1.50 / 2) (#62)
by n8f8 on Tue Jan 4th, 2005 at 08:24:01 PM EST
(tlowing@nospam.lowing.org) http://www.Lowing.org

Hi, my name is Trevor and I'm a Xangaite and I am hardly repentant. It all started over the holidays when my nephew mentioned his site. Out of curiosity I set up an account (easy setup) and found something entirely surprising...flexibility. You see, for me the presentation of the message is just as important as the message itself. And, much more interesting. I can actually have a little fun designing the layout and dynamic effects. No more static text responses like Slashdot or Kuro5hin. In fact, I have even taken it as a sort of challenge since there is a very limited subset of dynamic output commands, you must use DHTML to rewrite the DOM document after the fact. My god, it's actually fun. Also important, I don't have a thousand buzzing gnats trying to swat down my message with metamoderation like here and Slashdot. I'm not sure how long the fun will last, but I've had more fun with Xanga than I've had in merely posting text on other sites in the entire past year.

An Example of the Xanga Comment (1.00 / 3) (#61)
by scottsb on Mon Jan 3rd, 2005 at 01:26:22 AM EST
http://blog.mytechaid.com/

I have posted a story on my blog about this attack. I noticed the attack myself and came across this article while researching the attack. On my blog, I have a link to an example of one of the spam comments: to Give an Answer: Attack of the Killer Xanga

Hrrrm. More details??? (2.66 / 3) (#51)
by WWWWolf on Fri Dec 31st, 2004 at 02:51:55 PM EST
(wwwwolf@iki.fi) http://www.iki.fi/wwwwolf/

Sorry, I was sort of confused by the article. Great topic, of course, but the author was obviously distracted into writing thinly veiled "blogs suck but at least xanga and lj are on their own domains" and "slashdot sucks, and now, it really sucks" and... well... boring comments like that, instead of telling us more.

So let me get this right: 1) Xanga has an inadequate user verification system, 2) given that, they let anyone post completely unfiltered HTML in comments, and 3) people spam the Xanga sites with comments containing iframes to, say, slashdot search, or other intensive CGI scripts that, when called too often, bring too much load to the server? (It wasn't clear that this problem was comment-spam related; talk of "hackers" made me guess they're actually modifying the page templates. Comment spam is an old trick. Not very l33t at all, if you want my spurious opinion as a non-expert of the hAx0r field. But I suppose some d00dz still get kicks out of them...)

Um... wait, that was a bit more boring. Anyway, maybe the lesson learned here is pretty simple: Allowing external references (images, iframes, whatever) in blog comments is a very risky idea at best and stupid at worst.

But there's also one small problem - comment content validation in itself is tricky to implement and needs more than some processor, too... which, of course, is not an excuse to allow people to use any HTML in the comments.

Okay, this was a boring comment...


-- Weyfour WWWWolf, a lupine technomancer from the cold north...
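The article's point that a Xanga page "can contain arbitrary JavaScript and HTML", and WWWWolf's conclusion above that allowing external references in comments is the risky part, both come down to the same fix on the hosting side: rebuild user-submitted markup from an allowlist instead of trying to blacklist bad tags. The following is an added example, not code from Xanga, Scoop or anyone on this page, of such a sanitizer in Python's standard library. Anything that can fetch a third-party resource (iframe, img, script, object, embed, style, form) is simply not on the list, event-handler attributes are never copied, and links keep their href only for http/https URLs. The tag list and the sample comment are this example's own choices.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Tags a comment may keep (assumed policy for this example). Everything that can
# reference an external resource (img, iframe, script, object, embed, link, style,
# form) is deliberately absent, so it cannot be smuggled in.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "blockquote",
                "ul", "ol", "li", "code", "pre"}
# Tags whose inner content is dropped entirely, not just the tag itself.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed", "noscript"}
VOID_TAGS = {"br"}
SAFE_URL_SCHEMES = {"http", "https"}


class CommentSanitizer(HTMLParser):
    """Allowlist sanitizer: re-emits only known-harmless tags and attributes.
    Unknown tags vanish while their text survives; on* attributes never survive."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []   # allowed tags currently open, for well-formed closing
        self.drop_depth = 0   # > 0 while inside script/iframe/etc. content

    def handle_starttag(self, tag, attrs):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag in DROP_CONTENT_TAGS:
            self.drop_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return                               # tag removed, its text stays
        clean_attrs = ""
        if tag == "a":
            href = (dict(attrs).get("href") or "").strip()
            if urlparse(href).scheme.lower() in SAFE_URL_SCHEMES:
                clean_attrs = f' href="{escape(href, quote=True)}" rel="nofollow"'
        self.out.append(f"<{tag}{clean_attrs}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after it too, so the output stays well-formed.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(escape(data))        # text is always re-escaped

    def result(self):
        while self.open_tags:                    # close anything left dangling
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_comment(html):
    """Return the allowlisted rewrite of an untrusted HTML comment."""
    p = CommentSanitizer()
    p.feed(html)
    p.close()
    return p.result()


# Constructed sample comment (not taken from any real site) exercising each rule.
SAMPLE_COMMENT = (
    '<p>Nice post! <b onclick="alert(1)">Read mine</b></p>'
    '<iframe src="http://example.invalid/search.cgi?q=x" width="1" height="1"></iframe>'
    '<script>window.location="http://example.invalid/"</script>'
    '<img src="http://example.invalid/heavy.cgi">'
    '<a href="javascript:void(0)">bad link</a> '
    '<a href="http://example.org/">good link</a> &lt;3'
)

if __name__ == "__main__":
    print(sanitize_comment(SAMPLE_COMMENT))
```

Rebuilding the output from scratch is what makes this approach hold up: the parser never copies an attribute or tag it did not explicitly decide to keep, so a new browser feature or an odd encoding of an old tag cannot slip past a filter that was only looking for the known-bad cases.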


pretty clever (3.00 / 5) (#31)
by circletimessquare on Thu Dec 30th, 2004 at 03:37:17 AM EST
(at gmail dot com)

i haven't heard of this sort of blog-enabled bot recruiting before for database intensive targets

is it brand spanking new(tm)?

and so i wonder what would happen if someone pointed this at google or cnn or verisign for example

as this article demonstrates well (thanks submitter, very cool story), the effectiveness of the attack on the server is not dictated by bandwidth, but by cpu-intensive page targets

slashdot makes for the perfect first try at this kind of attack since it is the ultimate "i'm an antisocial geek loser look at my l33t ski11z" chest thumping arena

but what next?

if this kind of attack is new, then i can make a prediction: someone will use this clueless blog surfer (no shortage there) bot recruiting method to query a database intensive page on a website that is more than just a "look at me i took down slashdot i live in my parents basement i'm a dork" kind of target, but something much more serious

what kind of cpu-intensive page targets are out there that are important to society or the health of the internet?


He who desires but acts not, breeds pestilence.
- William Blake


-1, get a life (1.06 / 16) (#27)
by b1t r0t on Wed Dec 29th, 2004 at 02:36:26 PM EST
(-@-)

ipfw add 1000 deny ip from 209.66.88.11 to any
ipfw add 1000 deny ip from any to 209.66.88.11

-- Indymedia: the fanfiction.net of journalism.
"inconsiderateness" is not a word. [n/t] (none / 1) (#25)
by sudog on Wed Dec 29th, 2004 at 01:23:47 PM EST



Here's an assignment for ya. (2.80 / 5) (#22)
by i on Wed Dec 29th, 2004 at 10:14:39 AM EST
(i.hamsa<at>gmail<dot>com)

Design a javascript worm that lives in Xanga and destroys other javascript worms. That would be übercool.

and we have a contradiction according to our assumptions and the factor theorem

if your readers also visit sites like that... (1.42 / 7) (#18)
by dimaq on Wed Dec 29th, 2004 at 05:57:50 AM EST
(nobody@dev.null.org)

then you're a brainwashed technoliterati who deserves an untimely death anyway.

so, who tf cares?

IF THIS GETS TO FP (1.00 / 12) (#15)
by After The Gold Rush on Wed Dec 29th, 2004 at 02:45:41 AM EST

this is proof that the GNAA and the GNAA is unstoppable and the GNAA is all that's good in the world and the GNAA will probably have me killed for saying this...

Captcha? (1.42 / 7) (#8)
by Kasreyn on Tue Dec 28th, 2004 at 07:17:45 PM EST
(screw email, AIM me or post a reply) http://www.livejournal.com/users/kasreyn

Please tell me this is some technical jargon, maybe a combo-keypress like Capslock+T+C+H+A, rather than your goofy slang form of "capture". Please.


"You'll run off to Zambuti to live with her in a village of dirt huts, and you will become their great white psycho king." -NoMoreNicksLeft, to Baldrson
Fire with fire (3.00 / 6) (#4)
by mcc on Tue Dec 28th, 2004 at 05:22:00 PM EST
(mcc@charon.sjs.org) http://charon.sjs.org/~mcc

Even trying to use the flooding tactic against Xanga itself would be self-defeating because if Xanga were to go down, it would no longer be bombarded.

However, this does suggest a neatly symmetric way of dealing with the problem: perform the same trick, but instead of hosting it on Xanga, host it on Slashdot.

Slashdot uses IFRAME-based ads. The ads are hosted on ads.osdn.com but Slashdot ad purchasers may insert any html they like into the ad space and are encouraged-- in fact basically required-- to use this space to reference content hosted on third party servers. If one were to place an IFRAME reference to a database-intensive page on Xanga into a Slashdot ad, and possibly set the enclosing IFRAME such that the inner one periodically reloads, it is highly unlikely OSTG would notice anything unusual were happening before the purchased ad impressions were exhausted.

While it is unclear exactly which pricing plan would be the best here, at the very least there is the option by which for $100 you can have your ad display on literally every single non-subscriber pageload on slashdot for a full three hours or until a thousand pageloads are exhausted. This is almost certainly enough to make Xanga unreachable for a noticeable amount of time, and affordable enough that the necessary capital could be easily obtained by a simple "donate here to take down xanga" pledge drive on a small number of sites with high anti-blog sentiment.

More like (3.00 / 10) (#3)
by TheOnlyCoolTim on Tue Dec 28th, 2004 at 05:18:56 PM EST
(bolbro@cooper.thisisfordeletion.edu)

Xanga, the Ghetto.

AZN p|21d3, 12 year olds, and almost universally painful to look at.

Xanga as a whole is probably below furry websites, I think, and only above those forums that SomethingAwful digs up where people discuss in broken English their incestual relations with retarded DragonballZ fans.

Tim
"We are trapped in the belly of this horrible machine, and the machine is bleeding to death."

Slashdot's search (2.42 / 7) (#2)
by Psychopath on Tue Dec 28th, 2004 at 05:03:07 PM EST

Since Slashdot's search sucks anyway I couldn't care less whether it's really down or just unusable as usual.
--
The only antidote to mental suffering is physical pain. -- Karl Marx