Discovered on 10 Aug 2011
Google Security center contact: 10 Aug 2011
Response from the Google Security center: N/A
Published: 29 Aug 2011 (GMT +1)
How does it work?
The vulnerable pages are "/_/sharebox/linkpreview/" and "gadgets/proxy?".
It is possible to request any file type, and G+ will download and show all the content. So, if you parallelize many requests, it is possible to DDoS any site with Google bandwidth. It is also possible to start the attack without being logged in to G+.
The advantage of using Google and making requests through their servers is being even more anonymous when you attack some site (TOR + this method); the funny thing is that Apache will log Google IPs.
But beware: gadgets/proxy? will send your IP to the Apache log, so if you want to attack, you'll need to use /_/sharebox/linkpreview/
The SQL injection time attack will also work using this method.
The DDoS attack is just an example; do not start a DDoS for no reason.
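One way a link-preview or proxy endpoint like the two above can avoid acting as a bandwidth amplifier, shown as an added example (not code from this post or from Google, whose actual fix is not described here): cache each fetched URL and cap origin fetches per destination host. The class name, the limits and the victim.example host are assumptions made for the illustration.

```python
import time
from collections import defaultdict, deque
from urllib.parse import urlsplit

class PreviewFetchGuard:
    """Hypothetical guard deciding whether a preview service may hit the origin."""

    def __init__(self, cache_ttl=300.0, host_limit=5, host_window=60.0,
                 clock=time.monotonic):
        self.cache_ttl = cache_ttl      # seconds a fetched preview is reused
        self.host_limit = host_limit    # origin fetches allowed per host per window
        self.host_window = host_window  # window length in seconds
        self.clock = clock
        self._cache = {}                      # url -> (expiry, preview)
        self._host_hits = defaultdict(deque)  # host -> times of origin fetches

    def get_preview(self, url, fetch):
        """Return (status, preview); fetch(url) runs only if an origin hit is allowed."""
        now = self.clock()
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme not in ("http", "https") or not host:
            return "rejected", None
        cached = self._cache.get(url)
        if cached and cached[0] > now:
            return "cached", cached[1]        # repeated URL: origin sees nothing
        hits = self._host_hits[host]
        while hits and now - hits[0] >= self.host_window:
            hits.popleft()                    # forget fetches outside the window
        if len(hits) >= self.host_limit:
            return "throttled", None          # budget is per host, so changing the
        hits.append(now)                      # query string does not bypass it
        preview = fetch(url)
        self._cache[url] = (now + self.cache_ttl, preview)
        return "fetched", preview

def simulate(n_requests, distinct_urls):
    """Constructed burst of preview requests aimed at one host, 10 ms apart."""
    t = [0.0]
    origin_hits = []
    guard = PreviewFetchGuard(clock=lambda: t[0])
    statuses = defaultdict(int)
    for i in range(n_requests):
        url = f"http://victim.example/big.iso?x={i % distinct_urls}"
        status, _ = guard.get_preview(
            url, lambda u: origin_hits.append(u) or "preview")
        statuses[status] += 1
        t[0] += 0.01
    return len(origin_hits), dict(statuses)
```

A real fetcher would also cap the number of bytes downloaded per URL, since the endpoints described above fetch the whole file.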
UPDATE 1: _/sharebox/linkpreview was fixed on 01 Sep 2011 at 15.20 (GMT +1). No communication from Google at the moment.
UPDATE 2: Reply message from G Security team on 02 Sep 2011 at 00:36 (GMT +1):
Hello

Apologies for missing this one - "mea culpa" for not responding to your email. As you've noticed, we've made a few tweaks to the existing abuse detection and prevention mechanisms that were already in place. Thanks for your assistance!

Cheers,
Adam
UPDATE 3: Some lamerz used this kind of attack to increase the bandwidth bill in the Amazon cloud (http://www.behind-the-enemy-lines.com/2012/04/google-attack-how-i-self-attacked.html)
In this example I start a thread of 1000 requests and the output bandwidth will result in 91/96Mbps (my house bandwidth is only 6Mbps). This is my server, do not start to DDoS around for no reason!