Previous discussion:

https://news.ycombinator.com/item?id=7371176

For sites like Gravatar[1] that generate an image from a given URL:

> In addition to allowing you to use your own image, Gravatar has a number of built in options which you can also use as defaults .... Most of these work by taking the requested email hash and using it to generate a themed image that is unique to that email address.

Not only would such an attack function as a network DDoS, but it could also cause CPU thrashing as thousands of images are generated simultaneously.

There may also be a danger of an amplification attack using Gravatar (or a similar site). For instance, from the Gravatar docs:

> If you'd prefer to use your own default image (perhaps your logo, a funny face, whatever), then you can easily do so by supplying the URL to an image in the d= or default= parameter.

Which will cause a Gravatar server to fetch the image in question.

So - in the Google spreadsheet an attacker could also add an additional Gravatar line for each image, doubling the number of requesting servers with little extra effort.

[1] https://en.gravatar.com/site/implement/images/