Seranok
Joined: 12 Dec 2009
Total Posts: 11083
03 Aug 2012 08:27 PM
> httpGet would allow someone to DDoS ROBLOX.com using our own game servers
In what alternate universe? Doesn't the author realize that sending HTTP GET requests from clients/servers has always been possible and is quite frequently used? Example:
Decal.Texture = "http://www.roblox.com/"
Congratulations, you have just sent a GET request to the ROBLOX server! Does this mean you can DDoS the site? No!
Flickerdo
Joined: 08 Oct 2010
Total Posts: 5011
03 Aug 2012 08:28 PM
*facedesk*
You're a genius, Seranok.
Flickerdo
Joined: 08 Oct 2010
Total Posts: 5011
03 Aug 2012 08:31 PM
*rejected*
Anyways, my mind is a special thing; the voices in my head told me why this is valuable knowledge.
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
03 Aug 2012 08:32 PM
Note: The URL I have provided should have been "http://www.roblox.com/asset" because of the URL filters. But my argument does not change.
03 Aug 2012 08:38 PM
It's funny how only 2 users have replied to this with no information at all on how to respond to what Ser wants in return.
03 Aug 2012 08:47 PM
I can't believe this. I just spent ten minutes typing and the filter blocked it and said it broke the rules, but there was not a single word in it violating the rules. I am mad.
1234321
Joined: 07 Nov 2007
Total Posts: 257
03 Aug 2012 08:47 PM
I'm pretty sure flick only read the "httpGet would allow someone to DDoS ROBLOX.com using our own game servers" part.
Flickerdo
Joined: 08 Oct 2010
Total Posts: 5011
03 Aug 2012 09:08 PM
fangirl squeallllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllllll
03 Aug 2012 09:11 PM
while true do wait(0.3) a = coroutine.create(function() while true do wait(0.3) decal.Texture = "assetid" end) a.resume() end end
simple takedown is simple
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
06 Aug 2012 08:51 PM
Does anyone have any legitimate counterarguments to this? I'm not sure if all HttpGets rely on the ContentProvider's threadpool, but in any case I don't think it would be possible to DDoS this site using the game servers.
mew903
Joined: 03 Aug 2008
Total Posts: 22071
06 Aug 2012 08:53 PM
Multiple HttpPost calls might slow the site down a bit.
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
06 Aug 2012 08:59 PM
@mew903
All we need is game::HttpGet.
06 Aug 2012 09:00 PM
HttpPost is locked?
Although, Seranok is right - things that use asset IDs actually don't cache, meaning....
for i = 1, e do e = e++ -- possible in Lua? ehh you get the point decal.TextureId = "http://roblox.com/asset/id?=" .. i end
There you go. A working DDoSer.
I hope I don't get sued for this.
06 Aug 2012 09:01 PM
@Seranok
RBXPri modifies Studio so your command bar gets level 7 access (StarterScript level), so there's your game:HttpGet() and game:HttpPost()
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
06 Aug 2012 09:02 PM
> There you go. A working DDoSer.
Just because you can send GET requests doesn't mean you can DDoS a site...
06 Aug 2012 09:04 PM
"Just because you can send GET requests doesn't mean you can DDoS a site..."
Actually, it does. That's basically what a DDoSer does. It sends instructions to its clients (most likely gotten through malware, running a server so it can accept instructions) and the clients basically while true do packet sending filled with useless headers and data.
06 Aug 2012 09:06 PM
The point of a DDoS is to fill up the server's allocated buffer size, so any more packets will not have space to be put in, effectively crashing/rendering the service unusable for everyone else.
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
06 Aug 2012 09:06 PM
No, I'm saying that it's not sufficient ammo to take down a site. You need a lot more than that. Even if I put that Script into every one of my Catalog Heaven servers the effect on the site wouldn't be noticeable.
06 Aug 2012 09:11 PM
"No, I'm saying that it's not sufficient ammo to take down a site. You need a lot more than that. Even if I put that Script into every one of my Catalog Heaven servers the effect on the site wouldn't be noticeable."
Well, of course - for a site as big as ROBLOX, anyways. But say you kept that script going forever - which, by the way, it already does - the more servers that are running, the more packets the server is receiving... Now, think on an even bigger scale. You have the script running on 40-60 servers, now...make an autoupdating model. Say that hundreds of people take it (which, considering you're famous, is very likely) - now, include that script with the model.
You now effectively have about 60 - 300 servers (even more if a famous place includes it) sending packet requests to the site PLUS the regular traffic it gets from its users.
Even that may not cause a total shutdown, but it would certainly make 503 errors less rare and slow down the site to a near standstill.
06 Aug 2012 09:44 PM
@techboy6601
Even 300 servers would probably not have much of an impact. You know, ROBLOX has a very complex infrastructure and it's not like you'd be able to slow down Amazon's servers so easily.
mew903
Joined: 03 Aug 2008
Total Posts: 22071
06 Aug 2012 09:49 PM
I remember I made a little HTTP flooder using POST requests. It could take down a site w/o flood protection in a matter of seconds.
Seranok
Joined: 12 Dec 2009
Total Posts: 11083
06 Aug 2012 09:50 PM
It couldn't be any page. It would have to be a page that took a lot of server-side resources to render each time. And it couldn't be cached by the server.
The closest thing to that is the image creator URL that ROBLOX had up a while ago. They let you make huge images (like literally in the gigabytes) because they didn't check to make sure the images were a certain size. But they recently patched it.
07 Aug 2012 01:05 AM
Since we're talking about HttpGet here...
It has access to offsite sites, too. So you have 300 servers sending massive packet spam to a (potentially not as powerful as ROBLOX's) server, which could in effect bring it down.
Shedletsky was right, he just used the wrong wording. While it can't be used to DDoS a major site like ROBLOX, it can in fact render smaller sites useless. But the IPs in the logs will be ROBLOX's, and they will no doubt get sued if it is a medium sized corporation.
Basically that sentence translates into this: "We're blocking offsite access so people can't do illegal things using our game servers which will essentially make some people out there think we're out to get them"
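The thread's two technical points are that a request loop from game servers only hurts an endpoint that is expensive and uncacheable, and that such traffic arrives from a small set of server IPs that show up in the target's logs. That is the textbook case for per-source rate limiting, shown here as an added example that is not code from the thread or from ROBLOX; the traffic stream, the 10 s window and the limit of 20 requests per source are constructed values.

```python
"""Per-source sliding-window rate limiting against a looping request flood.

Added example, not from the forum thread. The request stream is constructed:
three "game server" sources issuing a request every 0.3 s (the wait(0.3) loop
quoted in the thread) and fifty ordinary users browsing at a normal pace.
All timestamps are integer milliseconds so the arithmetic is exact.
"""
from collections import defaultdict, deque

WINDOW_MS = 10_000   # sliding window length (assumed policy value)
LIMIT = 20           # max requests per source inside one window (assumed)


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source in any `window_ms` span."""

    def __init__(self, window_ms=WINDOW_MS, limit=LIMIT):
        self.window_ms = window_ms
        self.limit = limit
        self.hits = defaultdict(deque)  # source -> timestamps still in window

    def allow(self, source, now_ms):
        q = self.hits[source]
        while q and now_ms - q[0] >= self.window_ms:  # drop expired hits
            q.popleft()
        if len(q) >= self.limit:
            return False                               # over budget: reject
        q.append(now_ms)
        return True


def build_requests():
    """Constructed traffic as sorted (timestamp_ms, source, kind) tuples."""
    reqs = []
    for s in range(3):                       # looping game servers, 100 req each
        reqs += [(300 * i, f"gameserver-{s}", "game_server") for i in range(100)]
    for u in range(50):                      # ordinary users, 5 req each
        reqs += [(100 * u + 2000 * k, f"user-{u}", "user") for k in range(5)]
    return sorted(reqs)


def run(limiter=None):
    """Feed the stream through the limiter; return allowed/blocked counts per kind."""
    limiter = limiter or SlidingWindowLimiter()
    stats = {"game_server": {"allowed": 0, "blocked": 0},
             "user": {"allowed": 0, "blocked": 0}}
    for ts, src, kind in build_requests():
        stats[kind]["allowed" if limiter.allow(src, ts) else "blocked"] += 1
    return stats


if __name__ == "__main__":
    print(run())
```

Each looping source gets through only during the first window and again after each full window expires, so its 100 requests are cut to 60 while every ordinary user's request is served.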