I’m publishing a short paraphrase of an article; I encourage you to read its full text in the original language.
Panos Ipeirotis recently received a bill from Amazon for over $1170, whereas his bills normally came to around $100.
As it turned out, the outgoing traffic limit had been exceeded, and the total was (attention) 8.8 terabytes.
After checking the logs, Panos found out that the culprit was a bot:
126.96.36.199 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
188.8.131.52 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
He estimated the traffic at 250 gigabytes per hour.
But as it turned out, this was no ordinary crawler bot.
Feedfetcher pre-loads content that a user has added to Google Reader or to their Google homepage. Accordingly, the content is fetched on behalf of the user, and so it even ignores robots.txt.
Panos remembered inserting jpg files into a Google Spreadsheet with the =image(url) function. Since this data is private, Google doesn’t store it on its servers, not even in a cache, out of respect for the user’s privacy. Instead it refreshes every thumbnail in the sheet every (!) hour, i.e. pulls all the images down again every hour.
Had it been some ordinary domain, Google would have limited the number of requests, but since it was s3.amazonaws.com, with terabytes (petabytes?) of web content behind it, the search giant saw no reason to hold back. It turned out to be something like: "If you put an iron in the refrigerator, which one wins?"
Panos draws the logical conclusion: this technique can be used for a Denial of Bank Account attack on sites hosted on Amazon. For this purpose it is necessary to:
- Collect as many links to media files (jpg, pdf, etc) as possible from the victim’s site
- Place the links in an RSS feed or a Google Spreadsheet
- Add feed to Reader or use =image()
- Sit back in a chair and watch the Habr effect
The story ended well: even before it was published, Amazon wrote off the charges for the excess traffic, treating it as accidental rather than intentional.
The moral of this story: be vigilant with such resources.
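As an added example (not from Panos’s post or the original article), here is the kind of defender-side check that would have caught this early: it turns log lines like the two quoted above into per-hour egress totals by client family, flags the hours that exceed a byte budget, and does the back-of-envelope arithmetic relating the 250 GB/hour rate to the 8.8 TB total. The log layout, IPs and byte counts are constructed, not the real S3 access-log format.

```python
import re
from collections import defaultdict

# Constructed sample log in a simplified "timestamp ip bytes_sent user-agent" layout
# (not the real S3 access-log format): two Feedfetcher clients plus a normal browser.
SAMPLE_LOG = """\
2012-05-01T10:03:11Z 126.96.36.199 52428800 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
2012-05-01T10:03:12Z 188.8.131.52 73400320 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
2012-05-01T10:17:40Z 203.0.113.7 204800 Mozilla/5.0 (Windows NT 6.1) Firefox/12.0
2012-05-01T10:58:02Z 126.96.36.199 94371840 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
2012-05-01T11:02:55Z 188.8.131.52 10485760 Mozilla/5.0 (compatible) Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)
2012-05-01T11:30:00Z 203.0.113.7 512000 Mozilla/5.0 (Windows NT 6.1) Firefox/12.0
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T(\d{2}):\d{2}:\d{2}Z (\S+) (\d+) (.*)$")

# Fetcher families tracked separately; everything else is lumped together as "other".
KNOWN_FETCHERS = ("Feedfetcher-Google",)


def agent_family(user_agent):
    """Map a raw User-Agent string to a coarse family label."""
    for name in KNOWN_FETCHERS:
        if name in user_agent:
            return name
    return "other"


def hourly_egress(log_text):
    """Sum bytes sent per (date, hour, agent family); malformed lines are skipped."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, hour, _ip, nbytes, ua = m.groups()
        totals[(date, hour, agent_family(ua))] += int(nbytes)
    return dict(totals)


def flag_hot_hours(totals, threshold_bytes):
    """Return (date, hour, family, bytes) for buckets above the budget, largest first."""
    hot = [(d, h, a, b) for (d, h, a), b in totals.items() if b > threshold_bytes]
    return sorted(hot, key=lambda t: t[3], reverse=True)


def hours_at_rate(total_bytes, bytes_per_hour):
    """How long a steady egress rate takes to reach a given total (e.g. the bill's 8.8 TB)."""
    return total_bytes / bytes_per_hour
```

A User-Agent is self-declared, so treat the family label as a triage hint and confirm a suspected crawler by its published IP ranges or reverse DNS before acting on it.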