Using Spreadsheets as a DDoS weapon

I saw an article the other day where somebody had used Google Docs incorrectly and he’d racked up a tremendous bill for himself because of the way he set up the hyperlinks. It got me thinking about the potential for hackers to really abuse this flaw in spreadsheets and hyperlinks to take web properties offline and cause financial pain.

So, the idea Anonymous or, say, an aggressive competitor could use against a target could be this:

  1. Webcrawl the victim/target/competitor’s web site and get all of the URL links from their site.
  2. Add every single link into Google Docs with =image(“url”) in cells.
  3. Google Docs (we haven’t tested other “office” type of applications) refresh the data every hour.
  4. Imagine if a CDN was in play, this could exponentially raise the cost of using the CDN. We call this FDoS, short for Financial Denial of Service.
  5. Open up 100 Google accounts and repeat the process over and over, until the site crashes from pure traffic load from Google or other hosted provider.

So, now the second scenario is using a pure non-hosted spreadsheet as the second weapon. You can use embedded code inside of a spreadsheet as explained here. This means, that you could set up queries from the site, to do heavy database searches, over and over and over and over. So the attack would look like this:

  1. Create an .iqy file to go along with the spreadsheet so that it knows how to access the web code: WEB 1 Month=[“Month”,”Enter month (1-12).”] .
  2. Repeat the queries over and over and over, finding the heaviest searches possible.
  3. Distribute the excel spreadsheet everywhere, the more queries used, the heavier the abuse of the server.
  4. If that spreadsheet were to get spammed all over the place with some social engineering like “Private Financials for Obama.xls” and hit a few million e-mail boxes, the implications could be very serious. Even preview functions from Yahoo or other online mail systems could cause Yahoo or others to potentially load all of the links.

I see this threat being a really menacing problem for the following likely vicims:

  • Governments / Politicians: This technique could be used for websites asking for updates or financial contributions
  • Social Media Companies: Could be deluged with erroneous data
  • Military: Could this be used during times of conflict to ‘hide” a true attack by flooding the environment with garbage first?
  • Gaming Sites
  • And Plenty More

Now, how about the purveyors of the data? Doesn’t this also adversely affect companies who offer these services such as the following:

  • Google Docs
  • Dropbox
  • Snapfish
  • Microsoft Office Live
  • DocStock
  • And Many Others

As you can see, with a little creativity, there could be other exploits developed, possibly using document files, PDF files, etc. The possibilities are very wide open on how to use common every day formats of information exchange and hosting solutions to become weapons for DDoS. By using DefensePro from Radware, you’ll be able to mitigate these kinds of attacks and defend your networks from these types of situations.

David Hobbs

As Director of Security Solutions, David Hobbs is responsible for developing, managing, and increasing the company’s security practice in APAC. Before joining Radware, David was at one of the leading Breach Investigation Firms in the US. David has worked in the Security and Engineering arena for over 20 years and during this time has helped various government agencies and world governments in various cyber security issues across all sectors.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program


An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Security Research Center