Friday, February 09, 2007

DoS attack on Google using Google tools?

Just noticed a post on the Google Operating System blog that shows how to back up your Blogspot-hosted blog. It boils down to running a query like this:

http://ebersys.blogspot.com/search?max-results=N

which retrieves the N most recent posts from that blog.

But what if the bad guys decide to use that and query a bunch of Blogspot blogs all at the same time? That would be a lot of data coming out of Google's servers. I just tried this one:

http://googlesystem.blogspot.com/search?max-results=2000

and it took quite a while to download.

The fix would be easy: put restrictions on who can run the query, for example require that the Blogspot user is authenticated and only let them run it against their own blog. A hard server-side cap on max-results for everyone else (with paging beyond it) would close the hole for anonymous readers as well, since a per-request ceiling is what actually bounds the bytes one request can pull.

Unless Google doesn't care and can handle that just fine. We'll see.

As a general rule, unless you are Google, don't allow your users to run queries that return all the rows in your tables. It is not a good thing.
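To make that rule concrete, here is an added example (written for this post, not code from the original article or from Google/Blogger) showing the unbounded handler next to a capped one. It assumes a simple posts table in an in-memory SQLite database seeded with constructed rows, an assumed cap of 50 posts per anonymous request and 500 for the authenticated owner, and a hypothetical start parameter for paging; none of those details come from the original post.

```python
import sqlite3
from typing import List, Optional, Tuple

# Assumed per-request ceilings; the real Blogger limits are not stated in the post.
ANON_RESULTS_CAP = 50      # what an unauthenticated reader may fetch per request
OWNER_RESULTS_CAP = 500    # larger page for the authenticated blog owner doing a backup
DEFAULT_RESULTS = 10       # used when max-results is missing or malformed


def build_db(post_count: int = 2000) -> sqlite3.Connection:
    """Constructed demo store: one blog with post_count posts of ~1 KiB each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE posts (id INTEGER PRIMARY KEY, blog TEXT, title TEXT, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO posts (blog, title, body) VALUES (?, ?, ?)",
        [("googlesystem", "Post %d" % i, "x" * 1024) for i in range(post_count)],
    )
    conn.commit()
    return conn


def parse_max_results(raw: Optional[str]) -> int:
    """Parse ?max-results=; non-numeric or non-positive values fall back to the default."""
    if raw is None:
        return DEFAULT_RESULTS
    try:
        n = int(raw)
    except ValueError:
        return DEFAULT_RESULTS
    return n if n > 0 else DEFAULT_RESULTS


def search_unbounded(conn: sqlite3.Connection, blog: str,
                     raw_max: Optional[str]) -> List[Tuple]:
    """Vulnerable handler: the client-chosen number goes straight into LIMIT,
    so ?max-results=2000 streams the whole blog in a single request."""
    limit = parse_max_results(raw_max)
    return conn.execute(
        "SELECT id, title, body FROM posts WHERE blog = ? ORDER BY id DESC LIMIT ?",
        (blog, limit),
    ).fetchall()


def search_capped(conn: sqlite3.Connection, blog: str, raw_max: Optional[str],
                  raw_start: str = "0", *, authenticated_owner: bool = False) -> List[Tuple]:
    """Hardened handler: the requested size is clamped to a server-side cap that
    depends on who is asking, and larger exports are paged with a hypothetical
    start offset instead of one giant response."""
    requested = parse_max_results(raw_max)
    cap = OWNER_RESULTS_CAP if authenticated_owner else ANON_RESULTS_CAP
    limit = min(requested, cap)
    try:
        offset = max(int(raw_start), 0)
    except ValueError:
        offset = 0
    return conn.execute(
        "SELECT id, title, body FROM posts WHERE blog = ? ORDER BY id DESC LIMIT ? OFFSET ?",
        (blog, limit, offset),
    ).fetchall()


def payload_bytes(rows: List[Tuple]) -> int:
    """Rough size of what the server would have to push out for these rows."""
    return sum(len(title) + len(body) for _, title, body in rows)


if __name__ == "__main__":
    db = build_db()
    huge = search_unbounded(db, "googlesystem", "2000")
    small = search_capped(db, "googlesystem", "2000")
    owner_page = search_capped(db, "googlesystem", "2000", "1900", authenticated_owner=True)
    print("unbounded: %d rows, %d bytes" % (len(huge), payload_bytes(huge)))
    print("capped anon: %d rows, %d bytes" % (len(small), payload_bytes(small)))
    print("capped owner page from 1900: %d rows" % len(owner_page))
```

The point of the clamp is that the ceiling lives on the server and is chosen per caller, so an attacker scripting many blogs at once can never make one request cost more than the cap; the owner still gets a full backup, just in pages.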
