[opensource-dev] Malicious payloads in third-party, viewers: is the policy worth anything?
Michael Daniel
m.a.daniel at iup.edu
Sun Aug 22 01:36:59 PDT 2010
Since I am a student on summer break until next week, I have way too
much time on my hands, and I like numbers (famous last words) so I did
some analysis of modular systems attack on iheartanime.com.
I think the amount of data involved has been understated in many
discussions I've seen so far, so I'll show my work, but long story
short: 4.2 terabytes of data transfer are involved with this attack
(2.1 tb up and 2.1 tb down).
I used the screen cap from the following URL to find exactly what was
downloaded every time somebody logged in with the emerald viewer during
this attack:
http://alphavilleherald.com/images/2010/08/modular-bing.jpg
I used Google Chrome's inspect element feature to find the sizes of the
files downloaded (right click, inspect element - resources - size).
This is what I came up with:
http://iheartanime.com/griffblog.php?article=omnomnomnomnom 163.20k (times 20 loads is 3264k)
http://iheartanime.com/images/emerald-explore-sounds.png 50.03k
http://iheartanime.com/images/emerald-windows-disclosure.png 55.09kb
http://iheartanime.com/images/emerald-mac-disclosure.png 66.90kb
http://iheartanime.com/images/emerald-linux-disclosure.png 67.32kb
http://iheartanime.com/images/imgsearch-v0.0.2.png 152.37k
http://iheartanime.com/images/FRIENDLY%20GREETINGS.jpg 77.32k
http://iheartanime.com/images/inertia-test.jpg 113.51k
http://iheartanime.com/images/inertia-login.jpg 25.78k
http://iheartanime.com/images/inuyertia.jpg 153.68k
http://iheartanime.com/images/neillife.jpg 102.22k
http://iheartanime.com/images/background-v2.png 130.64k
http://iheartanime.com/images/background.png 77.40k
Total size: 4336.26kb, or 4.33626mb per emerald login.
According to the alphaville herald article, "Gazov told the Herald he
saw 16,541,673 page hits referred by the Emerald login pages over three
days". I'm sure he has the server logs to back him up, so let's see what
happens if we take him at his word (which I would do, as he seems pretty
honest to me).
link:
http://alphavilleherald.com/2010/08/emerald-viewer-login-screen-sneak-ddos-attack.html
I count 32 page hits per login, so we divide 16541673 by 32 to get the
number of emerald logins during the attack.
16541673 hits / 32 page loads = 516927.28125 logins from emerald
Since it's not an even number, Hazim's numbers must be off a bit. That
is no surprise, since his server was under such strain. Let's round it
up to 516928 logins from emerald during the attack.
510678 logins during the attack * 4.33626mb requested per login =
2214432.58428mb requested from iheartanime.com
I used an online calculator at the following link to translate that into
terabytes:
http://www.matisse.net/bitcalc/
It works out to 2.11184748104095 Terabytes of bandwidth stolen from
Hazim in 3 days!
As we all know, this bandwidth was not just stolen from Hazim. It was
also stolen from Emerald users, so if we multiply that by two we get a
grand total of 4.22369496154786 terabytes stolen in three days. To make
this more concrete, that's over 4.2 tb of transfer. If you'll pardon
the archaic reference, the library of congress, if compressed, could fit
into 4.2 tb almost two times. That's a lot of data.
Citation for LOC measurement: http://bit.ly/9TRWUX
The crazy part is that modular systems shows absolutely no remorse at
all for stealing Hazim's bandwidth. Most hosts give unlimited
bandwidth, but some do not. If, for example, his hosting was at
nextpoint.net, their hosting plans all come with 2000gb of transfer, so
he would have gone over by 162.53182058594gb. They charge $4.50 per gb
for overage, so that would have worked out to $731.39 in damages to
Hazim, not counting his regular traffic. Aren't there laws against this
kind of thing?
Nextpoint.net reference:
http://www.nexpoint.net/support/policies/billing.cfm
Video of the emerald team talking about how ridiculous it would be to
apologize to Hazim, among other things:
http://www.youtube.com/watch?v=rwmVj9u7C3U
Somebody in the video (I'm assuming the person is Arabella Steadham)
said, "I'm not going to apologize to Hazim, I mean, why would I?," as
others agree that they could care less about him. They also said that
their users take their account names and passwords too seriously.
I don't see how the third party directory can retain any respectability
at all if they don't remove Emerald. I'd be happy if each and every
member of Modular Systems was banned from SL, but I know there are
politics involved, so that probably won't happen.
Anyway, I'm sorry if I distracted this list from more important things
going on with snowstorm. Given the discussion going on in this thread,
I thought some people on this list might find these numbers
interesting. I can't wait to see what you guys come up with for
snowstorm at the end of the first sprint.
Cheers!
~Bubblesort Triskaidekaphobia
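Added example, not part of the original post and not code from Modular Systems, Emerald or the site in question: a small Python script that recomputes the per-login payload from the resource list in the post and turns a hit count into an aggregate transfer estimate, then shows the measurement a site operator would actually make, summing bytes served per Referer host from the access log so that one external page driving most of the traffic stands out. The resource sizes are the ones listed in the post (treated as KiB); the log lines, hostnames and byte counts in the second half are constructed samples.

```python
"""Estimate the cost of hotlinked resources pulled by a third-party login page.

Two views of the same problem:
  1. Forward estimate from a known resource list and a total hit count.
  2. Measurement from the server's own access log, aggregated by Referer host.
"""
import re
from urllib.parse import urlparse

# (path, size in KiB, loads per login) as listed in the post.  The first
# entry is the page itself, which the post counts as loading 20 times.
RESOURCES = [
    ("/griffblog.php?article=omnomnomnomnom", 163.20, 20),
    ("/images/emerald-explore-sounds.png", 50.03, 1),
    ("/images/emerald-windows-disclosure.png", 55.09, 1),
    ("/images/emerald-mac-disclosure.png", 66.90, 1),
    ("/images/emerald-linux-disclosure.png", 67.32, 1),
    ("/images/imgsearch-v0.0.2.png", 152.37, 1),
    ("/images/FRIENDLY%20GREETINGS.jpg", 77.32, 1),
    ("/images/inertia-test.jpg", 113.51, 1),
    ("/images/inertia-login.jpg", 25.78, 1),
    ("/images/inuyertia.jpg", 153.68, 1),
    ("/images/neillife.jpg", 102.22, 1),
    ("/images/background-v2.png", 130.64, 1),
    ("/images/background.png", 77.40, 1),
]


def per_login_kb(resources):
    """KiB fetched by one login, counting repeated loads of the same resource."""
    return round(sum(kb * loads for _, kb, loads in resources), 2)


def page_loads_per_login(resources):
    """Number of log entries one login generates (what a hit counter sees)."""
    return sum(loads for _, _, loads in resources)


def estimate_transfer(resources, total_hits, both_directions=True):
    """Turn a raw hit count into logins and total transfer.

    both_directions doubles the figure because every byte the server sends
    is also a byte the viewer's user downloads.  Both decimal TB and binary
    TiB are returned, since the two differ by about 10% at this scale.
    """
    logins = total_hits / page_loads_per_login(resources)
    kib = logins * per_login_kb(resources)
    if both_directions:
        kib *= 2
    total_bytes = kib * 1024
    return {
        "logins": logins,
        "bytes": total_bytes,
        "tb_decimal": total_bytes / 1e12,
        "tib_binary": total_bytes / 1024 ** 4,
    }


# Apache/nginx "combined" log format: client, ident, user, [time], "request",
# status, bytes ("-" when nothing was sent, e.g. a 304), "referer", "agent".
_LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def bytes_by_referer(log_lines):
    """Sum response bytes per Referer host.  Lines that do not parse are skipped."""
    totals = {}
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        ref = m["referer"]
        host = urlparse(ref).netloc if ref != "-" else "(none)"
        totals[host] = totals.get(host, 0) + sent
    return totals


def dominant_referer(totals):
    """Return (host, bytes, share_of_total) for the host that drew the most bytes."""
    grand = sum(totals.values())
    host, sent = max(totals.items(), key=lambda kv: kv[1])
    return host, sent, (sent / grand if grand else 0.0)


# Constructed sample log lines; hosts and byte counts are invented.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Aug/2010:10:00:01 -0700] "GET /images/background.png HTTP/1.1" 200 79258 "http://login.example.invalid/viewer" "Mozilla/5.0"',
    '203.0.113.6 - - [20/Aug/2010:10:00:02 -0700] "GET /images/background.png HTTP/1.1" 200 79258 "http://login.example.invalid/viewer" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Aug/2010:10:00:03 -0700] "GET /griffblog.php?article=omnomnomnomnom HTTP/1.1" 200 167117 "-" "Mozilla/5.0"',
    '192.0.2.17 - - [20/Aug/2010:10:00:04 -0700] "GET /images/background.png HTTP/1.1" 304 - "http://login.example.invalid/viewer" "Mozilla/5.0"',
    "this line is not in combined format and is ignored",
]

if __name__ == "__main__":
    print("per login:", per_login_kb(RESOURCES), "KiB over",
          page_loads_per_login(RESOURCES), "page loads")
    print(estimate_transfer(RESOURCES, total_hits=16541673))
    print(bytes_by_referer(SAMPLE_LOG))
    print(dominant_referer(bytes_by_referer(SAMPLE_LOG)))
```

On a real log the interesting output is the referer table: a login page that is not yours appearing at the top of it, with a byte share far above any page you host, is the signal that somebody else's software is embedding your resources, and the per-referer byte total is the figure to put in front of a hosting provider or a lawyer rather than a hit count.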