Feeds

How to automate a DoS attack using the Post Office

Alt-revenge FAQ

  • alert
  • submit to reddit

5 things you didn’t know about cloud backup

Fancy taking revenge on someone you don't like by deluging someone with junk mail?

A little bit of knowledge can go a long way. Thanks to the increased readiness of companies to send out brochures and magazines to anyone who bothers to register online, the US Postal Service can become the agent of denial of service attacks.

This much is well known, but a recent paper by security researchers Simon Byers, Aviel Rubin and Dave Kormann demonstrates how to automate this attack.

If you type the following search string into Google -- "request catalogue name address city state zip" -- you'll get links to over thousands of Web forms where you can type in your information and receive a catalogue in the mail.

It'd be a tedious business to fill out many forms.

But anyone with a modest amount of programming skills, and a target's snail mail address, can automate the attack and deluge their victims with junk mail.

Last December, self-styled "spam king" Alan Ralsky let slip his snail-mail address. Internet activists seized on this information to deluge him with unwanted snail mail.

Within weeks he was getting hundreds of pounds of junk mail per day and was unable to find his real mail amongst the deluge.

A pleasantly ironic attack, made all the more satisfying by Ralsky's outraged reaction.

That attack took the collective effort of many thousands but automating the attack leaves us all vulnerable.

Noted security and encryption guru Bruce Schneier believes there is no easy defence against the attack.

"Companies want to make it easy for someone to request a catalogue. If the attacker used an anonymous connection to launch his attack -open wireless networks would be a good choice - I don't see how he would ever get caught," Schneier observes.

"Even worse, it could take years for the victim to get his name off all of the mailing lists," he adds.

Individual catalogue companies can protect themselves by blocking automated signups (inserting a step that a person can easily do, but a machine can't). But it only takes a limited percentage to omit this check for the attack to work.

Schneier isn't convinced this will happen.

"The attack works in aggregate; each individual catalogue mailer only participates to a small degree. There would have to be a lot of fraud for it to be worth the money for a single catalogue mailer to install the countermeasure," he writes.

Schneier concludes that as old physical process is moved onto the Internet such attacks are likely to become more prevalent.

Which isn't nice. ®

External Links

Defending against an Internet-based Attack on the Physical World

Related stories

Spammer gets junk mailed
Email more popular than letters

Secure remote control for conventional and virtual desktops

More from The Register

next story
Ice cream headache as black hat hacks sack Dairy Queen
I scream, you scream, we all scream 'DATA BREACH'!
Goog says patch⁵⁰ your Chrome
64-bit browser loads cat vids FIFTEEN PERCENT faster!
JLaw, Kate Upton exposed in celeb nude pics hack
100 women victimised as Apple iCloud accounts reportedly popped
NIST to sysadmins: clean up your SSH mess
Too many keys, too badly managed
Scratched PC-dispatch patch patched, hatched in batch rematch
Windows security update fixed after triggering blue screens (and screams) of death
Researchers camouflage haxxor traps with fake application traffic
Honeypots sweetened to resemble actual workloads, complete with 'secure' logins
Attack flogged through shiny-clicky social media buttons
66,000 users popped by malicious Flash fudging add-on
New Snowden leak: How NSA shared 850-billion-plus metadata records
'Federated search' spaffed info all over Five Eyes chums
Three quarters of South Korea popped in online gaming raids
Records used to plunder game items, sold off to low lifes
Oz fed police in PDF redaction SNAFU
Give us your metadata, we'll publish your data
prev story

Whitepapers

Endpoint data privacy in the cloud is easier than you think
Innovations in encryption and storage resolve issues of data privacy and key requirements for companies to look for in a solution.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Advanced data protection for your virtualized environments
Find a natural fit for optimizing protection for the often resource-constrained data protection process found in virtual environments.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.