Hazi’s Bachelor Thesis - STOP Layer 7 attacks now!
FlorinMarian
Member, Host Rep
in Help
Hello!
Because by migrating the servers to the mini-datacenter at home I did not manage to finish my bachelor's thesis, it will be completed and presented in February 2023.
Although currently the protection does its job very well by automatically validating the browser via Javascript, I am aware that with the appearance of a botnet with an integrated browser, the protection is null.
In this sense, I want to ask you: what kind of puzzle would you like to solve when entering a website for the first time so that it is not very disturbing for you, but is still hard enough to be bypassed by bots?
Comments
Can you share your thesis or give us a link?
It is not yet public, I will gladly share it when it is ready.
Javascript can be rendered without a browser.
Most of the captchas can be already bypassed by some A.I
The rest will be outsourced to cheap human labour.
What is your goal?
I doubt there is any sense in using AI-proof captcha when protecting from DDoS attack - if the attacker needs to use AI they will run out of money very fast
Open webcam and perform face recognition + liveness check to prevent from pre-recorded videos / face swap
Know Your Customer Visitor
As far as I know you can solve these with speech recognition.
No idea if they use LLM's for that.
You don't need a lot of bots to come through though.
If you know any weak points, you hit them with the bots and the server load will do the rest.
Entire point of DDoS protection is to make the cost for the attacker higher than victims'
Isn't the point to keep your services and systems running?
You don't wanna see them down.
To be able to keep the target reachable you need to have sufficient resources for that. To accomplish this, you need to efficiently utilize available resources as well as force a challenge that is computationally harder for the attacker to solve compared to the verification costs for the victim.
My undergraduate work started last year when I had those attacks with 6.800.000 requests unclassified by CloudFlare in just 8 hours.
The only information I have left from Miguel (and it's a very precious one), is the following: If the attack has reached your backend, it's already too late. (I'm trying to explain to him that I'm trying to apply limitations at the application level)
My goal is to create a good enough proxy protection to keep my own applications (and those of clients, why not?) online.
I know that perfect protection does not exist, but I want to have the best one that I can have according to my budget and knowledge.
You mean 2024?
surely you mean 2024
You should try a proof of work challenge. It provides low friction for real users while increasing cost significantly for attackers. Visitors have to perform a computation to solve a probabilistic algorithm. On average it will take a certain amount of CPU time depending on the configured difficulty and can't be sped up or bypassed by paying for cheap labor or using AI.
I am developing a product for this and somebody had posted it on LET previously, here. If you are interested, contact me.
Here is an example of it enabled (on a low difficulty): https://ptchan.org/int/
Of course, in a full L7 ddos mitigation system, it should be used in combination with CAPTCHA and other methods to increase effectiveness.
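The asymmetry described in the two posts above (the challenge costs the visitor a tunable amount of CPU time, while the server verifies it with a single hash) is the core of a hashcash-style proof-of-work gate. The sketch below is an added illustration and is not code from the thread or from the product mentioned by the poster; the secret, IP addresses and difficulty are constructed values, and the "client" side stands in for what the browser's JavaScript would compute.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server secret for this example only; a real deployment loads it from config.
SERVER_SECRET = b"example-server-secret-not-for-production"


def issue_challenge(client_ip: str, difficulty_bits: int, ttl_seconds: int = 120, now=None) -> dict:
    """Server side: hand out a challenge the visitor must solve before reaching the backend.

    The nonce, expiry and difficulty are authenticated with an HMAC, so the server keeps
    no per-visitor state and a client cannot quietly lower the difficulty it was given."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)
    expires = now + ttl_seconds
    msg = f"{client_ip}|{nonce}|{expires}|{difficulty_bits}".encode()
    tag = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    return {"nonce": nonce, "expires": expires, "bits": difficulty_bits, "tag": tag}


def _leading_zero_bits(digest: bytes) -> int:
    """Count leading zero bits of a digest (the usual hashcash difficulty measure)."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()
        break
    return count


def solve_challenge(challenge: dict, client_ip: str) -> int:
    """Client side: brute-force a counter until sha256(ip|nonce|counter) has enough
    leading zero bits. Expected cost is about 2**bits hashes and cannot be delegated
    cheaply, because every new visitor (or bot) gets a fresh nonce."""
    counter = 0
    while True:
        digest = hashlib.sha256(f"{client_ip}|{challenge['nonce']}|{counter}".encode()).digest()
        if _leading_zero_bits(digest) >= challenge["bits"]:
            return counter
        counter += 1


def verify_solution(challenge: dict, client_ip: str, counter: int, now=None) -> bool:
    """Server side: one HMAC plus one SHA-256, whatever the difficulty was."""
    now = int(time.time()) if now is None else now
    msg = f"{client_ip}|{challenge['nonce']}|{challenge['expires']}|{challenge['bits']}".encode()
    expected = hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, challenge["tag"]):
        return False  # challenge fields were tampered with (e.g. difficulty lowered)
    if now > challenge["expires"]:
        return False  # stale; bounds how far ahead solutions can be precomputed
    digest = hashlib.sha256(f"{client_ip}|{challenge['nonce']}|{counter}".encode()).digest()
    return _leading_zero_bits(digest) >= challenge["bits"]


if __name__ == "__main__":
    ip = "203.0.113.7"  # constructed client address
    ch = issue_challenge(ip, difficulty_bits=16)
    start = time.perf_counter()
    answer = solve_challenge(ch, ip)
    print(f"solved in {time.perf_counter() - start:.2f}s, counter={answer}")
    print("verified:", verify_solution(ch, ip, answer))
```

In production the server should also remember accepted nonces until they expire so one solution cannot be replayed, and raise `difficulty_bits` under load, which is exactly the knob that makes a flood more expensive for the attacker than for the server verifying it.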
🎯
Isn't it about 236 rps? Looks pretty low bandwidth, however it is sufficient for bloated applications like WHMCS to fall down
Thanks for the idea, but the computational one is not in my area of interest and Google Recaptcha would do a lot of validations that would weaken the motivation to create your own solution (I don't know how it is in other countries, but in Romania at the Faculty of CS you have to prove that your solution is different from the existing ones and better from certain points of view).
Then, as personal feedback, I used OpenLiteSpeed with Recaptcha but it's useless, I had the site down quite often
There were much more, 6.8M requests reached the backend because cloudflare did not find any malicious activity in them.
Of course, many other requests were blocked, but the error rate was much too high.
... or to visit your website after finding hundreds of thousands of traffic lights
I find hCaptcha better than recaptcha from that perspective - their challenge is a bit harder, but two steps is enough in most cases.
Well I meant that hundreds of rps passed to a backend is not that much, because the issue is an extremely weak backend (i.e. a poorly written application). AFAIK WHMCS does not have any caching at all, thus even unauthenticated requests to a billing root cause high load...
Protecting such applications is a nightmare.
FYI, recaptcha, hcaptcha, cloudflare likely utilize proof of work as part of their validation. Math is math and that won't change so don't discount it completely 🙂. It's one part of multi-faceted approach which still includes CAPTCHA, ratelimits, etc.
A skilled attacker doesn't need volume to cause DoS, most web apps have application code that can be attacked without much volume -- if any.
It does help that most DDoSers are just skids trying to become famous.
Live push-ups.
What????????????
This works well with @Calin ’s customers who are free to host porn on their VPSs.
Maybe in 2024 we’ll have a partnership for this.
For Romanian equivalent of 'van down by the river' your hosting sure has a lot of rules.
You mean, your webpage for hazi.ro?
Edit:
Or Web Services in general?
Perhaps something like archive.ph? It analyzes the user based on their IP and headers and assigns a risk score. Based on that, it either shows you a captcha screen or not.
The proxy will be available for anyone who would like to use it, they will have an API where they will configure their endpoints, like with CF.
Yes, but the hard part for me is to create a puzzle that replaces CAPTCHA while being more efficient and still not very unpleasant for end users.
The easiest way is to set a unique cookie based on visitors' browser UA, IP and other factors, and to verify it, just like what path.net is doing now.
Hmmm, maybe something like BasedFlare or Kiwiflare? It requires the client to complete a proof-of-work task to verify that they are a real user.
It works pretty well for the Kiwifarms in terms of handling L7 DDoS attacks and it also requires 0 user interaction.