61

I was browsing a website, and stumbled across a sample scheme for password-protecting web pages. The owner of the website specifically had a page that invited people to attempt to hack it.

I wanted to give it a try, so I wrote up a quick python script a few hours ago to try brute-forcing the password. (Which, in retrospect, was a stupid idea).

I left the script running for a few hours, but came back to find that my script was running haywire and the website was returning '509 Bandwidth limit exceeded' errors on all its pages. ([EDIT]: I also checked via 3G on my phone, and using a school computer, so I know it's not limited to just my IP address)

This is not something I had intended to do, and feel really, really bad about it.

Should I send an email apologizing and offering to pay reparations? Or am I just unnecessarily worried, and should let this blow over?

(I'm also not sure where on Stack Exchange to ask this question, but I think it might fit here).

[UPDATE]:
I sent an email apologizing -- once the site owner responds, I'll update this post.

[UPDATE]: Well, it's been several days now. The website is still down and the owner hasn't responded yet. I originally wanted to wait for a response first before accepting an answer, but it might be a while, so I'll pick an answer.

Michael0x2a
  • 18
    If the site owner invited people to hack his site, but did not harden it (at least somewhat) against DDoS, he is partially at fault here, too. The best-case scenario, without a doubt, is that you and he both learned something, which would make this whole incident into a positive :) – Chris Allen Lane Apr 03 '12 at 19:22

4 Answers

61

First off, let me say this: I respect the ethics of anyone who would ask this kind of question (rather than just closing their eyes, walking away, and forgetting the whole thing). My compliments to you.

Ultimately, this is a matter of personal ethics, so it is hard to give advice. You need to do what you feel is right.

That said, your suggestion to try contacting the site owner seems reasonable to me. I suspect that any harm done will be minor or that the cost will be minor. Normally, the cost of bandwidth is pretty modest, in monetary terms. But the site owner might appreciate hearing that his/her site is unreachable, and appreciate the apology. But it's up to you, and what feels right to you.

D.W.
  • Unfortunately, it may be legally perilous to not walk away in such cases. Georgia's SB 315 is a nasty, and not single, example of clueless lawmakers making it dangerous and expensive to admit even innocent involvement. – dig Apr 03 '18 at 16:05
39

Disclaimer: I'm not an IT guru nor a security expert.

First, I agree with @D.W. that it can't hurt to contact the site owner and explain what happened. (For all you know, the 509 responses may be totally unrelated to your haywire script.)

Second, in the future, it's a simple matter to include your email address or other contact info in the User-Agent field. Not only does it give the sysadmin at the other end a way to reach you if something has gone haywire, but the presence of your contact information itself is a sign that you're not trying to be malicious.

Just my $0.02.

fearless_fool
    +1 for pointing out that 509 might be unrelated. The website owner invited people to try to hack it. It could have been somebody else, or a combination of different people trying to hack the site, that led to this. Or it might be a custom message, as pointed out by @schroeder – Yoav Aner Apr 02 '12 at 08:17
  • 3
    As a developer, I'd say it's even money. If you find yourself DDoS'ed, it is wise to intentionally return a 509 error to limit the damage, and certainly for such a "challenge" website that's a reasonable precaution. – MSalters Apr 02 '12 at 12:07
  • 3
    +1 for the idea of including contact information in your user agent header. I never thought about doing that before, but I really like the idea. – Chris Allen Lane Apr 03 '12 at 19:13
16

If the owner invited people to hack the site, then he accepts such things as DoS. It is possible that he configured the server to limit brute-force attempts by instituting rate-limiting. If he did, then you did not exceed the limit for his pipe, just the limit he gave you.

Either way, no need to write an apology.

schroeder
  • I just checked using a different computer (with a different IP address, and such) and it seems like the 509 error is global. I still feel really guilty, though. Would it do any harm/make me liable if I wrote an apology anyway? – Michael0x2a Apr 02 '12 at 01:03
  • 12
    I don't agree with this answer. It is one thing to give people permission to try to hack your site. However, usually it is understood that denial-of-service attacks are not in scope and are not cool. – D.W. Apr 02 '12 at 01:07
  • 10
    The first thing someone is going to do is to brute-force the password, just as the OP did. The website owner, if providing an open invitation like that, has got to have rate-limiting in place or fail2ban to tone things down. – schroeder Apr 02 '12 at 02:08
  • I agree with D.W.: DDoS != hacking ... one requires script kiddy skills, the other requires actual hacker skills. – 0xC0000022L Apr 03 '12 at 20:12
  • 2
    My point is that by opening up the floodgates, the owner has to accept getting wet. If there is a request not to DoS, then fine, be more targeted in the hacking attempts. But, still, from the owner's perspective, he has to put protections in place in the case of someone doing something just like the OP did. From that perspective, there is no need to be overly apologetic. Stop the attack, modify, keep going, but don't feel the need to email an apology. – schroeder Apr 03 '12 at 20:29
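The rate-limiting that schroeder's comments say a "hack me" site must have, as an added illustration written for this page (not code from the site in question or from fail2ban): a per-source-IP sliding-window limiter that bans only the client exceeding its quota, so a runaway brute-force script hits the limit it was given rather than the whole pipe. Thresholds, IP addresses and the replayed traffic are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed thresholds (assumptions, not from the page): how many login
# attempts one client may make per sliding window before a temporary ban.
WINDOW_SECONDS, MAX_ATTEMPTS, BAN_SECONDS = 60, 20, 600

class LoginRateLimiter:
    """Per-source-IP sliding-window limiter in the spirit of fail2ban rules.
    A client exceeding MAX_ATTEMPTS within WINDOW_SECONDS is rejected and banned
    for BAN_SECONDS; everyone else keeps being served, so a brute-force script
    only hits the limit it was given, not the site's whole pipe."""

    def __init__(self, window=WINDOW_SECONDS, max_attempts=MAX_ATTEMPTS, ban=BAN_SECONDS):
        self.window, self.max_attempts, self.ban = window, max_attempts, ban
        self.attempts = defaultdict(deque)  # ip -> timestamps of recent attempts
        self.banned_until = {}              # ip -> time at which the ban expires

    def check(self, ip, now):
        """Return (allowed, http_status) for one login attempt from ip at time now.
        429 Too Many Requests is the standard rejection code; the site in the
        question answered with 509 instead."""
        if self.banned_until.get(ip, 0) > now:
            return False, 429               # still banned: reject without counting
        q = self.attempts[ip]
        while q and now - q[0] >= self.window:
            q.popleft()                     # forget attempts outside the window
        q.append(now)
        if len(q) > self.max_attempts:
            self.banned_until[ip] = now + self.ban
            q.clear()
            return False, 429
        return True, 200

def replay(limiter, requests):
    """Feed (timestamp, ip) pairs through the limiter in time order and return
    per-IP counts of allowed and rejected attempts."""
    summary = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for now, ip in sorted(requests):
        allowed, _ = limiter.check(ip, now)
        summary[ip]["allowed" if allowed else "rejected"] += 1
    return dict(summary)

# Constructed traffic: a script hammering the login form from 203.0.113.5 at
# 10 requests/s for 30 s, while an ordinary visitor at 198.51.100.7 tries twice.
BRUTE = [(i / 10, "203.0.113.5") for i in range(300)]
NORMAL = [(5.0, "198.51.100.7"), (12.0, "198.51.100.7")]

if __name__ == "__main__":
    print(replay(LoginRateLimiter(), BRUTE + NORMAL))
```

The replay shows the script getting 20 attempts through and 280 rejections while the ordinary visitor is never affected; a site-wide 509 on every page, as in the question, is what a global bandwidth cap produces instead.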
2

Unless it was a severely poorly configured web site, you likely did not DoS anything.

You likely DoSed yourself.

http://bwmod.sourceforge.net/

bwmod is an Apache module for controlling how many resources a given virtual host can have and a user can request.

This module should be able to limit access to certain areas of the website and to limit malicious users.

Unless you confirmed for another source IP address that the site was inaccessible, then there is nothing to worry about. You could email them and say you are sorry for triggering their bandwidth limiting system.

Given the invite to hack the system, it is likely that this limiter is also part of the hacking challenge. Hack them without triggering the limiter.

jrwren