This attack involves hacking one or more 'neutral' (preferably popular) websites, so that visitors automatically involuntarily download the so-called shortcut icon (known to some as a 'favicon') from the target of the attack. The attack may be harder to detect than including resources from the target using iframes or other methods.

The attack should work because most popular browsers always try to download a shortcut icon for any website, especially when the server has indicated it does not exist due to stupid caching techniques. By actively redirecting those requests to a DDoS target, the visitors effectively spam the target with HTTP requests, while they often wouldn't notice it. Generally, this would result in at least one request per unique user and at most one request per pageview.


Option 1: HTTP

Hack the HTTP server running the website and trick it to redirect any request to /favicon.ico to, where is the target's server, and /foo is preferably expensive to share and unrenderable as graphics.

Option 2: HTML

Hack the server and ensure that any HTML page includes a link tag like <link rel="shortcut icon" href="">.


As said, most graphical browsers download shortcut icons by default, most users don't change that default and some browsers don't even have an option to change it. If not specified in the HTML header, browsers will still try to download a shortcut icon from the default location /favicon.ico. Browsers may refuse to retrieve shortcut icons from different domains, and should refuse to do so when using HTTPS.

The efficiency of the attack may be increased by invalidating the client-side cache as much as possible; this can be done by various techniques, ranging from temporary redirects to constantly changing URLs for the shortcut icon.


  • Access logs of the HTTP server may reveal the redirects in case of the HTTP method, or the lack of requests in case of the HTML method.
  • There may be an increase in bandwidth usage with the HTML method, as all client-side caches are invalid as the header of the HTML files are changed. In some systems, this can be adverted by changing the timestamps of the changed files, but it would also slow down the attack.
  • There may be a higher server load, as the server-side cache is invalidated after the changes made.
  • Version control software may reveal any changes made by the attacker.
  • Some users may notice that the shortcut icon changes. The attack will be less obvious if the shortcut icon merely disappears.

Requirements / The Catch

Low-level administrative access to one or more web servers hosting popular websites is required.

Log in or register to write something here or to contact authors.