favicon.ico

The longest (and weakest) distributed denial-of-service attack ever

The average web server administrator has noticed (if he reads his logs) many attempts to download a file called favicon.ico. Nonexistent files are occasionally requested because of outdated links on other web sites, or because a user made a typing error while entering an address by hand. This is not one of those cases. These favicon.ico requests are always identical (unlike typing mistakes, which are by nature somewhat randomized), and there is no erroneous external web page that could be corrected to make them stop. These requests aren't even intentionally sent by the user whose client is responsible for them.

The attempts to download favicon.ico are rationalized as follows: there is a compelling need to associate web sites with little pictures. (And I mean tiny pictures. So tiny that they can't convey any information. So tiny they can only be perceived as a blur of at most 2 distinguishable colors.) A web server administrator therefore has a duty to create a little picture and put it in a file called favicon.ico, which will then be downloaded by everyone with an interest in the web site. (If this doesn't sound stupid to you, stop reading now; you're beyond hope.)

The dimwit who came up with that idea (after a head injury, I presume) implemented it and distributed the code as part of an "upgrade" to existing software, without any discussion. The people affected by it had no vote in the matter. The users, who might have said "My privacy will be affected by a client feature that (without my knowledge) effectively notifies server administrators of my level of interest in specific sites", were never consulted. The server administrators, whose error logs were about to be clogged with senseless requests for nonexistent files, obscuring real problems that deserve attention, were not invited to debate the issue.

This horrific misfeature was inflicted on us unilaterally by the maker of the world's most abundant web client. Eventually, the other bloatware authors, being spineless and suffering from incurable me-too-ism, faithfully mimicked it.

To review, these are the facts about the favicon.ico-requesting code:

  1. Nobody installed it on purpose. Most people who have it don't know they have it.
  2. It generates network traffic without the user's knowledge.
  3. This traffic is unsolicited by the destination server.
  4. A particular destination server receives the same unsolicited traffic from many sources.
  5. Being generally useless, this traffic eats resources that could be better spent on something else (almost anything else).

Those are the features that define a distributed denial-of-service agent.

I would prefer that visitors to this web site not attack it. In pursuit of that goal, I will occasionally deny access, for a short period after the bogus request, to those who attempt to download favicon.ico. Those banished will be able to access this explanatory page and no others. If you are one of the unlucky ones, I suggest you use the next 15 or 30 minutes to find a web client that does not attempt to download things behind your back.
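The policy above, as an added example that is not the page author's own code: a per-request decision function that a front-end proxy or application could call, plus a replay over access-log lines so an administrator can see which clients would have been banned and for how long. The explanatory page path (/favicon.html), the 15-minute ban length, the Common Log Format parsing and the log lines themselves are assumptions constructed for this example.

```python
"""Temporary ban for clients that request /favicon.ico (added example).

Not the page's own code. Assumptions: the explanatory page lives at
/favicon.html, a ban lasts 15 minutes, and the access log is in Common Log
Format. Everything is keyed on the client address the server saw.
"""
import re
from datetime import datetime, timedelta

EXPLANATION_PATH = "/favicon.html"   # assumed location of the explanatory page
BAN_SECONDS = 15 * 60                # the page says 15 or 30 minutes

ALLOW = "allow"
DENY_BANNED = "deny (banned)"
BAN_AND_DENY = "ban+deny"


class FaviconBanList:
    """Remembers, per client address, when its ban expires."""

    def __init__(self, ban_seconds=BAN_SECONDS, explanation_path=EXPLANATION_PATH):
        self.ban_seconds = ban_seconds
        self.explanation_path = explanation_path
        self._banned_until = {}          # client address -> expiry datetime

    def is_banned(self, client, now):
        until = self._banned_until.get(client)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[client]   # ban expired; forget the client
            return False
        return True

    def decide(self, client, path, now):
        """Return what to do with one request from `client` for `path` at `now`."""
        bare = path.split("?", 1)[0]         # a browser asks for the bare file name
        if bare == "/favicon.ico":
            # Start (or restart) the ban and refuse the request itself.
            self._banned_until[client] = now + timedelta(seconds=self.ban_seconds)
            return BAN_AND_DENY
        if self.is_banned(client, now):
            # A banished client may read the explanation and nothing else.
            return ALLOW if bare == self.explanation_path else DENY_BANNED
        return ALLOW


# Common Log Format: host ident user [time] "method path proto" status bytes
_CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')


def parse_log_line(line):
    """Return (client, timestamp, path) for a CLF line, or None if unparseable."""
    m = _CLF.match(line)
    if not m:
        return None
    client, when, _method, path, _status, _size = m.groups()
    return client, datetime.strptime(when, "%d/%b/%Y:%H:%M:%S %z"), path


def replay(lines, ban_list=None):
    """Run the policy over log lines; return [(client, path, decision), ...]."""
    ban_list = ban_list or FaviconBanList()
    out = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue                     # skip garbage lines rather than crash
        client, when, path = parsed
        out.append((client, path, ban_list.decide(client, path, when)))
    return out


# Constructed sample log: one client fetches the front page, its browser then
# asks for favicon.ico behind the user's back, the user tries another page,
# reads the explanation, and comes back after the ban has lapsed.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2000:13:55:36 -0700] "GET / HTTP/1.0" 200 2326',
    '203.0.113.7 - - [10/Oct/2000:13:55:37 -0700] "GET /favicon.ico HTTP/1.0" 404 209',
    '203.0.113.7 - - [10/Oct/2000:13:55:38 -0700] "GET /page.html HTTP/1.0" 200 1024',
    '203.0.113.7 - - [10/Oct/2000:13:55:39 -0700] "GET /favicon.html HTTP/1.0" 200 3101',
    '198.51.100.9 - - [10/Oct/2000:13:56:00 -0700] "GET /page.html HTTP/1.0" 200 1024',
    '203.0.113.7 - - [10/Oct/2000:14:11:00 -0700] "GET /page.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, path, decision in replay(LOG_LINES):
        print(f"{client:14} {path:16} {decision}")
```

Banning by client address is the simplest thing a server can do, but it is also what makes the penalty blunt: every user behind the same NAT or proxy shares the address, so one browser's favicon.ico request banishes all of them, and a client that retries favicon.ico while banned restarts the clock each time. The replay over old logs is the cheap way to gauge how many visitors a given ban length would actually lock out before switching the policy on.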