Using Spreadsheets as a DDoS weapon


I saw an article the other day where somebody had used Google Docs incorrectly and he’d racked up a tremendous bill for himself because of the way he set up the hyperlinks. It got me thinking about the potential for hackers to really abuse this flaw in spreadsheets and hyperlinks to take web properties offline and cause financial pain.

So, the idea Anonymous or, say, an aggressive competitor could use against a target could be this:

  1. Webcrawl the victim/target/competitor’s web site and get all of the URL links from their site.
  2. Add every single link into Google Docs with =image(“url”) in cells.
  3. Google Docs (we haven’t tested other “office” type of applications) refresh the data every hour.
  4. Imagine if a CDN was in play, this could exponentially raise the cost of using the CDN. We call this FDoS, short for Financial Denial of Service.
  5. Open up 100 Google accounts and repeat the process over and over, until the site crashes from pure traffic load from Google or other hosted provider.

So, now the second scenario is using a pure non-hosted spreadsheet as the second weapon. You can use embedded code inside of a spreadsheet as explained here. This means, that you could set up queries from the site, to do heavy database searches, over and over and over and over. So the attack would look like this:

  1. Create an .iqy file to go along with the spreadsheet so that it knows how to access the web code: WEB 1 Month=[“Month”,”Enter month (1-12).”] .
  2. Repeat the queries over and over and over, finding the heaviest searches possible.
  3. Distribute the excel spreadsheet everywhere, the more queries used, the heavier the abuse of the server.
  4. If that spreadsheet were to get spammed all over the place with some social engineering like “Private Financials for Obama.xls” and hit a few million e-mail boxes, the implications could be very serious. Even preview functions from Yahoo or other online mail systems could cause Yahoo or others to potentially load all of the links.

I see this threat being a really menacing problem for the following likely vicims:

  • Governments / Politicians: This technique could be used for websites asking for updates or financial contributions
  • Social Media Companies: Could be deluged with erroneous data
  • Military: Could this be used during times of conflict to ‘hide” a true attack by flooding the environment with garbage first?
  • Gaming Sites
  • And Plenty More

Now, how about the purveyors of the data? Doesn’t this also adversely affect companies who offer these services such as the following:

  • Google Docs
  • Dropbox
  • Snapfish
  • Microsoft Office Live
  • DocStock
  • And Many Others

As you can see, with a little creativity, there could be other exploits developed, possibly using document files, PDF files, etc. The possibilities are very wide open on how to use common every day formats of information exchange and hosting solutions to become weapons for DDoS. By using DefensePro from Radware, you’ll be able to mitigate these kinds of attacks and defend your networks from these types of situations.


  1. […] 第一起攻击案例解释了博主如何不小心攻击了自己,结果收到了巨款流量账单。另一篇文章《利用Spreadsheet作为DDoS武器》描述了另一个类似攻击,但指出攻击者必须先抓取整个网站并用多个帐户将链接保存在spreadsheet中。 […]

  2. […] 第一起攻击案例解释了博主如何不小心攻击了自己,结果收到了巨款流量账单。另一篇文章《利用Spreadsheet作为DDoS武器》描述了另一个类似攻击,但指出攻击者必须先抓取整个网站并用多个帐户将链接保存在spreadsheet中。 […]

  3. […] 第一起攻击案例解释了博主如何不小心攻击了自己,结果收到了巨款流量账单。另一篇文章《利用Spreadsheet作为DDoS武器》描述了另一个类似攻击,但指出攻击者必须先抓取整个网站并用多个帐户将链接保存在spreadsheet中。 […]


Please enter your comment!
Please enter your name here