Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It is C&C -- it instructs their site visitors to DOS a specific site.


By this logic, all malicious JavaScript (obvious example is cryptominers I guess, assuming no JS sandbox escape) is C&C, yeah? As it "instructs site visitors" to do something harmful locally?


A C&C controls a botnet, where is the botnet?


The browsers of their site visitors.


If you need to be on the site it’s not a botnet and there is no C&C server coordinating the attack. It‘s just the JS on the site that makes the attack.


> If you need to be on the site it’s not a botnet

Why? I did not visit the site to participate in a DoS attack; yet my machine was coaxed into participating against my will. Whether this is happening in JS or a drive-by download or a browser 0-day is irrelevant.


You did participate in archive.today’s DDoS without visiting the site?

How if it‘s JS code in the site?


Does this mean that the Great Cannon of China is not a botnet because it stops working when you close your browser?


Does the Great Cannon of China coordinate the attacks?

Does archive.today?

Hijacking a software like the browser is something completely different to a simple JS on a website.


>Does the Great Cannon of China coordinate the attacks?

Yes.

>Does archive.today?

Yes.


How does archive.today coordinate the attack?


By telling visitor browsers to DoS the site.


That’s not really coordinating.

It’s just a website with a simple request loop, not C&C server tells when the attacks have to happen.

This doesn’t make your browser a bot

  setInterval(function() {
            fetch("https://gyrovague.com/?s=" + Math.random().toString(36).substring(2, 3 + Math.random() * 8), {
                referrerPolicy: "no-referrer",
                mode: "no-cors"
            });
        }, 300);




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: