Infinite loop as a way for DoS attack

An infinite loop is a sequence of instructions in a computer program that loops endlessly, either because the loop has no terminating condition, has one that can never be met, or has one that causes the loop to start over. For example,

while(true){
    //do nothing here
}

or

for(;;);

There are a few situations where this is desired behavior, for example when you want to freeze the attacker's machine in order to prevent JSON hijacking. On the other hand, most of the time an infinite loop is not desired behavior and will simply consume all allowed system resources: a kind of DoS attack against your own machine's resources.

A similar effect (an infinite loop) could be achieved not with language operators, but with services. Yeah, what about services? Can we loop them infinitely? I bet we can, and here is one example.

As you may know it is possible to connect your Twitter and Facebook accounts so that your Tweets will automatically post to your Facebook wall.

[Screenshot: twitter-settings]

Please note that I have a page on Facebook named “Infinite loop page”, which is a regular Facebook page.

In this attack we will also use the IFTTT service, whose name stands for “If This Then That”. It provides ways to connect different services. For example, you can use IFTTT to post a message on your Facebook page and have it forwarded to your Twitter account. Are you still with me? So the loop we’d like to create is Twitter -> Facebook -> IFTTT -> Twitter.

Here is how I configured the IFTTT recipe:

[Screenshot: ifttt]

In order to demonstrate the attack timing, the recipe appends the post date-time to the end of the message each time it goes through IFTTT.

[Screenshot: ifttt-action]

Now let’s tweet something short and see what happens:

[Screenshot: tweets]

As you can see, my single tweet leads to 4 consecutive tweets, and it stops there only because it reached the 140-character limit on Twitter. Also, a new tweet appears every 15 minutes.

Now imagine what would happen if the tweet message did not grow after each cycle. Correct, it would run infinitely. In addition, I can tweet tens, hundreds or even thousands of messages, so the rate would be several tweets per second. And what if I create tens or hundreds of such accounts? And what if I create tens of such IFTTT recipes that run with different time shifts?

I have to admit that it should be easy to detect such a DoS attack and disable the compromised accounts, but the beauty of the attack is that an attacker doesn’t waste any of his own resources (after the accounts are registered and linked); he just needs to run the cycle with as many tweets as he can. Also, I have to admit that IFTTT doesn’t have enough resources to spam such giants properly, so this is not an actual DoS attack, but just a conceptual bug in the service.
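To make the cycle above and the detection point concrete, here is an added example (not code from this post, IFTTT, Twitter or Facebook): a simulation of the Twitter -> Facebook -> IFTTT -> Twitter loop that stops only at the 140-character limit, next to a bridge step that breaks the loop by fingerprinting each message with the appended date-time stripped, so the growing text cannot disguise a repost. The stamp format and seed text are constructed assumptions.

```python
import hashlib
import re

TWEET_LIMIT = 140  # Twitter's per-tweet limit when this post was written
# Constructed stand-in for the date-time IFTTT appends on every pass (assumption)
STAMP = " 07/31/2012 12:00"
# Matches one or more trailing stamps, so repeated passes normalise to the same text
_STAMP_RE = re.compile(r"(\s\d{2}/\d{2}/\d{4} \d{2}:\d{2})+$")


def simulate_loop(seed, grow=True, max_cycles=1000):
    """Twitter -> Facebook -> IFTTT -> Twitter with no loop protection.
    grow=True appends STAMP each pass, so Twitter eventually rejects the text;
    grow=False circulates the same text until max_cycles, i.e. it never stops.
    Returns the tweets Twitter accepted, seed included."""
    tweets, msg = [seed], seed
    for _ in range(max_cycles):
        msg = msg + STAMP if grow else msg
        if len(msg) > TWEET_LIMIT:
            break  # the only brake in the original setup
        tweets.append(msg)
    return tweets


def fingerprint(msg):
    """Hash the message with trailing stamps removed: every copy of one post
    maps to a single fingerprint even though the visible text differs."""
    canonical = _STAMP_RE.sub("", msg).strip().lower()
    return hashlib.sha256(canonical.encode()).hexdigest()


class GuardedBridge:
    """Cross-posting step (IFTTT's role above) that refuses to forward a
    message whose fingerprint it has already forwarded once."""
    def __init__(self):
        self.forwarded = set()

    def forward(self, msg):
        fp = fingerprint(msg)
        if fp in self.forwarded:
            return None  # echo of our own earlier post: break the cycle
        self.forwarded.add(fp)
        return msg + STAMP


def simulate_guarded(seed, max_cycles=1000):
    """Same cycle with GuardedBridge in the IFTTT position."""
    bridge, tweets, msg = GuardedBridge(), [seed], seed
    for _ in range(max_cycles):
        msg = bridge.forward(msg)
        if msg is None or len(msg) > TWEET_LIMIT:
            break
        tweets.append(msg)
    return tweets
```

With an 18-character seed the unguarded loop yields the seed plus 7 reposts before the 140-character limit stops it, while the guarded bridge forwards the seed exactly once.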

We could probably involve other services in this loop and make them waste their resources for us, but I didn’t have time to try it out.

You can check the test accounts working on Twitter and the Facebook page.

UPDATE 7/31/2012: Looks like the “infinite loop” stops after 130 tweets for some reason. I guess one of the services has spam detection or a posts-per-minute limitation.