Verisign's 'SiteFinder' finds privacy hullabaloo
Deborah Radcliff, SecurityFocus 2003-09-19

Privacy advocates have joined the chorus of critics of Verisign's "SiteFinder," which on Monday began directing mistyped dot-com and dot-net e-mail and Web addresses to a search site operated by the company and Overture.com, a Pasadena, Calif.-based advertising company that brands itself as a search engine.

Fighting SiteFinder 2003-09-21
bl0rf
a way to make VS change their minds 2003-09-22
L (1 replies)
a way to make VS change their minds - maybe 2003-09-25
Roger
Kind of nice, but you will probably want to generate it in CGI or Javascript so it can change frequently; however make sure it isn't on a page that is the target of a form with method GET, or they will get to log the form contents.

And of course they will still get a listing of everyone who's hitting your page, identifying the source of the requests through the REFERRER value.

It might be more effective to distribute a little app which just generates and sends GETs to bogus domains, using bogus header information, and ignores the results. Do it from behind a proxy which serves a large number of users, and generate REMOTE_ADDR which is plausible for that proxy; that way you help to protect the privacy of all the users of that service. A few thousand guys each sending a few hundred kinda plausible requests a day should be enough to corrupt their database.

Of course with such a lightweight process even a dial-up machine could actually generate close to a hundred thousand requests per hour. It would be an interesting question legally if enough load was generated to slow the performance of sitefinder; are you attacking sitefinder, or are they causing it to themselves by hijacking your traffic? 8^)

Verisign's 'SiteFinder' finds privacy hullabaloo 2003-09-24
Hugo van der Kooij (2 replies)
Not their first sleazy tactic. 2003-09-29
Anonymous







 

Copyright 2007, SecurityFocus