124

Some sites I visit take me to a page that says roughly, "Checking your browser before accessing example.com. DDoS attack protection by CloudFlare".

What exactly about my browser is being checked and how will that help protect against a DDoS attack?

Automatic DDoS protection from CloudFlare

Stevoisiak
  • 1,515
  • 1
  • 11
  • 27
  • Could you add a link to such a site? – Fabio says Reinstate Monica Mar 27 '17 at 11:34
  • 6
    @FabioTurati : No. Many websites with large organizations do this, but usually when you visit the page, you just see their normal page. e.g., if CNN does this, then the URL is simply http://cnn.com (so it's not like this is a special page that does this). I've seen this from big companies and universities. Been a while though, maybe over a year: Maybe Cloudflare learned that my IP address is likely legitimate. – TOOGAM Mar 27 '17 at 12:43

4 Answers4

114

Most Denial-Of-Service (DOS) attacks rely on some asymmetry between the resources involved on attacker side and on target side. In other words, to be successful, a DOS needs an action to require very few resources client-side (so the each clients can send a lot of requests) while involving larger resources server-side (so the server(s) will be unable to handle the load).

Due to this, DDOS attacks (the "Distributed" version of DOS attacks) are obviously not engaged by real humans clicking on links in a browser tab, but by bots sending massive amount of parallel requests to the target. The consequence of this is that the DDOS "client" is not a real browser, but a tool which may more-or-less simulate one.

Cloudflare DDOS protection system is quickly described on their website as follow: "an interstitial page is presented to your site’s visitors for 5 seconds while the checks are completed".

Two things trigger my attention here:

  • The checks: the most obvious way to sort real website users from automatic DDOS bots is to check whether the HTTP client is a real browser or not. This can go through testing the client's behavior against a panel of tests (see the post "bot detection via browser fingerprinting" for instance) and compare the result with the one expected from a genuine instance of the browser the client claims to be (for instance if the client claims to be a Firefox version 52 running on a Windows 10 machine, does it present the same characteristics?).

  • 5 seconds: Executing JavaScript tests and redirecting the visitor could be a very fast and almost transparent operation, so I believe that this "5 seconds" timeout is not there by accident but is meant to revert the computational asymmetry back in favor of the server.

    • The most light version of such principle would simply be to ask the client to wait (sleep) 5 seconds before resubmitting the same request (with a unique identifier stored in a cookie, as described on Cloudflare page). This would force the DDOS client to somehow handle a queue of pending redirections, and would finally make the overall DDOS process less effective.

    • A more brutal alternative would be to request the browser to solve some mathematical challenge which would require a few seconds to be solved on an average home system. In such a case, attackers would have no other choice than spend computational power to solve these challenges if they would like to proceed, but doing so will completely void the asymmetry since all the attacker's resource will be busy in solving challenges instead of sending requests, finally "DOSing" the attacker's system instead of the target's one.

WhiteWinterWolf
  • 19,082
  • 4
  • 58
  • 104
  • 17
    Couple points - a) this only works because cloud flare can absorb the attack. Part of how cloudflare works is by being big, big enough to be bigger than the DDoS attacker. And b) theoretically, because this is a DDoS, the attacker can just get more machines, so that those 5 seconds spent waiting matter less. Of course this costs more, but i gather cloudflare were involved in a different massive attack? – Tim Mar 27 '17 at 00:48
  • 3
    Sometimes DDoS *are* done by humans clicking a link... for example when a big news story happens which directly/indirectly relates to a small website. The sudden increase in (genuine) load on the server can have the same characteristics of a "machine DDoS". – Bakuriu Mar 27 '17 at 06:05
  • 6
    @Bakuriu That's not technically a DDoS. It may have the same effect, but a DDoS usually refers to a malicious attack intended to prevent users from accessing a website. – Micheal Johnson Mar 27 '17 at 07:36
  • @WhiteWinterWolf Your last point about the equation, is this something you just thought of? Or do you have a link/reference where an explanation and real world usage is documented? (If you thought of it: That is an awesome idea :D!) – Wealot Mar 27 '17 at 07:46
  • @Tim: Cloudflare is precisely playing this game, both telling customers they are safe and potential attackers that they would need so many machines to attack them it would not be practical. Their capacity is also in constant raise, the [French version](https://www.cloudflare.com/fr/ddos/) of this page hasn't been updated yet and still mentions an 8 Tbps capacity as 20 times the largest recorded DDOS attack, the English version shows they upgraded to 10 Tbps being now 10 times the [largest DDOS](https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet). – WhiteWinterWolf Mar 27 '17 at 09:55
  • @Wealot: This is not really a new idea, I inspired myself from a DOS issue affecting SSL handshakes caused by the fact that they often require far more computational power on server-side than on client-side (see [this](https://www.ietf.org/mail-archive/web/tls/current/msg07553.html) and [that](https://vincent.bernat.im/en/blog/2011-ssl-dos-mitigation) for instance). There is some research on how to invert or at least balance the scales, for instance by using new algorithms such as Elliptic Curves and ChaCha20. – WhiteWinterWolf Mar 27 '17 at 10:27
  • 10
    @Wealot This is known as a [proof of work system](https://en.wikipedia.org/wiki/Proof-of-work_system). – March Ho Mar 27 '17 at 18:20
  • 3
    @Bakuriu we always called that the slashdot effect ;) – Wayne Werner Mar 27 '17 at 21:12
  • 1
    @MichealJohnson Well, you could post a piece of "fake news" that goes viral and add a link to a target. In this case it *is* a DDoS. The only difference is that instead of hacking a machine to perform the requests for you directly, you hack (i.e. social engineer) real people to make their machines perform those requests. So: slashdot + social engineering === DDoS by humans. – Bakuriu Mar 28 '17 at 17:06
  • 1
    @Bakuriu Yes that is, technically, a DDoS. But a genuine popular article that links to a website hosted on a low-powered server is not a DDoS; it's just an ability for other users to access a website as a result of high load on the server. The difference is the intention. – Micheal Johnson Mar 28 '17 at 19:30
  • A proof of work system in a browser would be woefully inefficient. JavaScript, even with JIT, is incredibly slow compared to optimized assembly, or even C. A low-end laptop could likely compute in seconds what would take dozens of browsers many minutes. – forest Apr 25 '18 at 01:30
  • @forest Inefficiency doesn't stop sites from installing Coinhive's Monero miner and making its use a condition of access. – Damian Yerrick Dec 17 '18 at 17:06
  • @DamianYerrick That's true, and I forgot about WebAssembly too... So I take back that comment. – forest Dec 18 '18 at 01:31
19

Just to add what I know from experience: Cloudflare blocks non-graphical browsers (tested: links, lynx), not on the first page view, but from the second one. These browsers (presumably) don't load images, at least does not show them, and they don't support javascript either.

How do I know? Being stuck with a broken graphical environment & searching the web for answers…

user2394284
  • 289
  • 1
  • 4
3

What does the “browser challenge” do?

A simple mediocre calculation in JavaScript. Then it sets a UID as a cookie in your browser. So the next time you visit the website it checks if the cookie is there and if it’s not expired. If the cookie is not there or it is expired it will ”challenge” you again.

How?

There is a hidden form inside the page and JavaScript, the form gets random “secret” numbers and JavaScript does the math and submits the form to the server.

This is the most mediocre way to mitigate Layer 7 DDoS attacks, because only a real(ish) browser can run JavaScript and do the math. Regular DDoS scripts like eg: slow loris cannot run JavaScript, and since the server does not receive the calculation it just returns 403/503.

schroeder
  • 123,438
  • 55
  • 284
  • 319
Mecanik
  • 155
  • 2
2

That means the owner of the page hired Cloudflare services to protect his/her page against DoS attacks. Is some kind of intermediate page which check the connection and then redirect and show you the final page if the check is passed.

They check the origin (IP) of the connection, the kind of packet, the size of the packet, the number of packets received (rate), the user agent of the browser, etc... is how they meassure if the connection is legitime or not to pass the filter or not.

OscarAkaElvis
  • 5,185
  • 3
  • 17
  • 48