Some sites I visit take me to a page that says roughly, "Checking your browser before accessing example.com. DDoS attack protection by CloudFlare".
What exactly about my browser is being checked and how will that help protect against a DDoS attack?
Most Denial-Of-Service (DOS) attacks rely on some asymmetry between the resources involved on the attacker side and on the target side. In other words, to be successful, a DOS needs an action to require very few resources client-side (so that each client can send a lot of requests) while involving larger resources server-side (so the server(s) will be unable to handle the load).
Because of this, DDOS attacks (the "Distributed" version of DOS attacks) are obviously not carried out by real humans clicking on links in a browser tab, but by bots sending massive amounts of parallel requests to the target. The consequence of this is that the DDOS "client" is not a real browser, but a tool which may more or less simulate one.
Cloudflare's DDOS protection system is quickly described on their website as follows: "an interstitial page is presented to your site's visitors for 5 seconds while the checks are completed".
Two things draw my attention here:
The checks: the most obvious way to sort real website users from automatic DDOS bots is to check whether the HTTP client is a real browser or not. This can be done by testing the client's behavior against a panel of tests (see the post "bot detection via browser fingerprinting" for instance) and comparing the result with the one expected from a genuine instance of the browser the client claims to be (for instance, if the client claims to be Firefox version 52 running on a Windows 10 machine, does it present the same characteristics?).
5 seconds: Executing JavaScript tests and redirecting the visitor could be a very fast and almost transparent operation, so I believe that this "5 seconds" timeout is not there by accident but is meant to shift the computational asymmetry back in favor of the server.
The lightest version of such a principle would simply be to ask the client to wait (sleep) 5 seconds before resubmitting the same request (with a unique identifier stored in a cookie, as described on Cloudflare's page). This would force the DDOS client to somehow handle a queue of pending redirections, and would ultimately make the overall DDOS process less effective.
A more brutal alternative would be to request that the browser solve some mathematical challenge which would take a few seconds to solve on an average home system. In such a case, attackers would have no other choice than to spend computational power solving these challenges if they wanted to proceed, but doing so would completely void the asymmetry, since all the attacker's resources would be busy solving challenges instead of sending requests, finally "DOSing" the attacker's system instead of the target's.
Just to add what I know from experience: Cloudflare blocks non-graphical browsers (tested: links, lynx), not on the first page view, but from the second one on. These browsers (presumably) don't load images, or at least don't show them, and they don't support JavaScript either.
How do I know? Being stuck with a broken graphical environment & searching the web for answers…
What does the “browser challenge” do?
A simple, mediocre calculation in JavaScript. Then it sets a UID as a cookie in your browser. So the next time you visit the website it checks if the cookie is there and if it's not expired. If the cookie is not there or it is expired, it will "challenge" you again.
How?
There is a hidden form inside the page along with JavaScript; the form gets random "secret" numbers, and the JavaScript does the math and submits the form to the server.
This is the most mediocre way to mitigate Layer 7 DDoS attacks, because only a real(ish) browser can run JavaScript and do the math. Regular DDoS scripts like, e.g., Slowloris cannot run JavaScript, and since the server does not receive the calculation it just returns 403/503.
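The mechanism described in this answer (a random "secret" from the server, a calculation the client must perform, and a UID cookie that lets later requests skip the check), combined with the "make the client spend a few seconds of computation" idea from the first answer, as an added example. This is not Cloudflare's code and not from any of the answers; the hash-puzzle, the HMAC-signed challenge and cookie format, the server key and the lifetimes are all my own assumptions.

```python
import hashlib, hmac, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # hypothetical; a real deployment loads it from config
CHALLENGE_TTL, CLEARANCE_TTL = 60, 3600  # assumed lifetimes in seconds

def leading_zero_bits(digest):
    """Leading zero bits of a 256-bit digest (the puzzle's 'score')."""
    return 256 - int.from_bytes(digest, "big").bit_length()

def _tag(*fields):
    """HMAC over the fields so the client cannot alter a challenge or cookie."""
    return hmac.new(SERVER_KEY, "|".join(map(str, fields)).encode(), hashlib.sha256).hexdigest()

def _work(nonce, counter):
    return hashlib.sha256(f"{nonce}|{counter}".encode()).digest()

def issue_challenge(bits=16):
    """Server: the random 'secret' for the hidden form plus a difficulty, both signed."""
    nonce, expires = secrets.token_hex(8), int(time.time()) + CHALLENGE_TTL
    return {"nonce": nonce, "expires": expires, "bits": bits, "tag": _tag(nonce, expires, bits)}

def solve_challenge(ch):
    """Client: brute-force a counter until the hash has `bits` leading zeros.
    Expected cost is about 2**bits hashes per request; raising `bits` is what
    makes the client spend the 'few seconds' the first answer describes."""
    counter = 0
    while leading_zero_bits(_work(ch["nonce"], counter)) < ch["bits"]:
        counter += 1
    return counter

def verify_and_issue_clearance(ch, counter, now=None):
    """Server: validate the submitted answer; return a signed clearance cookie or None."""
    now = int(time.time() if now is None else now)
    if not hmac.compare_digest(_tag(ch["nonce"], ch["expires"], ch["bits"]), ch["tag"]):
        return None  # challenge fields tampered with (e.g. difficulty lowered)
    if now > ch["expires"]:
        return None  # stale challenge: make the client fetch a new one
    if leading_zero_bits(_work(ch["nonce"], counter)) < ch["bits"]:
        return None  # wrong answer: no work was done
    uid, exp = secrets.token_hex(16), now + CLEARANCE_TTL  # the UID the cookie carries
    return f"{uid}.{exp}.{_tag(uid, exp)}"

def clearance_valid(cookie, now=None):
    """Server: skip the challenge only for a genuine, unexpired clearance cookie."""
    now = int(time.time() if now is None else now)
    try:
        uid, exp, sig = cookie.split(".")
    except ValueError:
        return False
    return hmac.compare_digest(_tag(uid, exp), sig) and now <= int(exp)
```

A request without a valid cookie is answered with `issue_challenge()`; the browser posts `solve_challenge()`'s result back, and only `verify_and_issue_clearance()` hands out the cookie that `clearance_valid()` later accepts.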
That means the owner of the page hired Cloudflare's services to protect his/her page against DoS attacks. It is some kind of intermediate page which checks the connection and then redirects and shows you the final page if the check is passed.
They check the origin (IP) of the connection, the kind of packet, the size of the packet, the number of packets received (rate), the user agent of the browser, etc. This is how they measure whether the connection is legitimate or not, and whether it passes the filter.