An attacker can use Google to launch a denial-of-service (DoS) attack against a site with minimal effort. Just ask Panos Ipeirotis, a computer scientist working at New York University.
Ipeirotis said he found out about the attack the hard way, when he saw that Amazon Web Services was charging him ten times the usual amount because of large volumes of outgoing traffic.
“Initially I was afraid that a script that I set up to back up my photos from my local network to S3 caused that bandwidth. But then I realized that I am running this backup-to-S3 script for a few months now, and in any case all the traffic that is incoming to S3 is free. This is a matter of outgoing traffic,” he said.
After analyzing his traffic logs, he determined that 250 gigabytes of traffic were being sent out every hour to Google’s Feedfetcher, the mechanism that lets the search engine retrieve RSS or Atom feeds when users add them to Reader or the main page.
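A site owner can spot this kind of egress from ordinary access logs before the bill arrives. The script below is an added example, not code from the article or from Ipeirotis; it parses a few constructed combined-format log lines, sums bytes served per hour to clients whose user agent contains "Feedfetcher" (the exact user-agent string is an assumption), and flags hours that exceed a byte budget.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format. The
# Feedfetcher user-agent string is an assumption modelled on Google's
# historical "Feedfetcher-Google" identifier, not taken from the article.
SAMPLE_LOG = """\
203.0.113.10 - - [13/Apr/2012:10:01:02 +0000] "GET /photos/img001.jpg HTTP/1.1" 200 52428800 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.11 - - [13/Apr/2012:10:04:30 +0000] "GET /photos/img002.jpg HTTP/1.1" 200 73400320 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.7 - - [13/Apr/2012:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.12 - - [13/Apr/2012:11:02:10 +0000] "GET /photos/img001.jpg HTTP/1.1" 200 52428800 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return (hour_bucket, user_agent, bytes_sent), or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    except ValueError:
        return None
    hour = when.strftime("%Y-%m-%dT%H")          # e.g. 2012-04-13T10
    sent = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return hour, m.group("ua"), sent


def egress_by_hour(log_text, ua_marker="Feedfetcher"):
    """Sum bytes served per hour to clients whose user agent contains ua_marker."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and ua_marker in parsed[1]:
            totals[parsed[0]] += parsed[2]
    return dict(totals)


def flag_hours(totals, limit_bytes):
    """Hours whose egress to the marked client exceeds limit_bytes, sorted."""
    return sorted(h for h, b in totals.items() if b > limit_bytes)


if __name__ == "__main__":
    hourly = egress_by_hour(SAMPLE_LOG)
    for hour in flag_hours(hourly, 100 * 1024 * 1024):   # 100 MiB budget
        print(f"{hour}: {hourly[hour]} bytes served to Feedfetcher")
```

In production the same aggregation would run over the real log stream (or S3 server access logs, whose fields differ) with a budget derived from normal hourly egress.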
“All the URLs for these images [from the S3 bucket] were also stored in a Google Spreadsheet, and I used the =image(url) command to display a thumbnail of the image in a spreadsheet cell,” Ipeirotis said.
“So, all this bandwidth waste was triggered by my own stupidity. I asked Google to download all the images to create the thumbnails in Google Spreadsheet. Talking about shooting myself in the foot. I launched the Google crawler myself.”
So why did this happen in the first place?
It seems that Google does not keep a copy of the fetched content on its own servers, so Feedfetcher retrieves it afresh each time it is needed, generating large amounts of traffic.
This led Ipeirotis to realize that the feature can be turned into a damaging attack against a site: an attacker only needs to gather the URLs of several large files from the target and put them in a spreadsheet or a feed.
Once that feed is loaded into a Google service, or the URLs are placed in a spreadsheet using the image(url) command, the DoS attack begins.