Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!


Hazi’s Bachelor Thesis - STOP Layer 7 attacks now!
New on LowEndTalk? Please Register and read our Community Rules.

All new Registrations are manually reviewed and approved, so a short delay after registration may occur before your account becomes active.

Hazi’s Bachelor Thesis - STOP Layer 7 attacks now!

FlorinMarianFlorinMarian Member, Host Rep

Hello!
Because by migrating the servers to the mini-datacenter at home I did not manage to finish my bachelor's thesis, it will be completed and presented in February 2023.
Although currently the protection does its job very well by automatically validating the browser via Javascript, I am aware that with the appearance of a botnet with an integrated browser, the protection is null.
In this sense, I want to ask you: what kind of puzzle would you like to solve when entering a website for the first time so that it is not very disturbing for you, but is still hard enough to be bypassed by bots?

Thanked by 2fatchan greentea
«134

Comments

  • Can you share your thesis or give us a link?

    Thanked by 1greentea
  • FlorinMarianFlorinMarian Member, Host Rep

    @Hotmarer said:
    Can you share your thesis or give us a link?

    It is not yet public, I will gladly share it when it is ready.

  • NeoonNeoon Community Contributor, Veteran

    Javascript can be rendered without a browser.
    Most of the captchas can be already bypassed by some A.I
    The rest will be outsourced to cheap human labour.

    What is your goal?

  • tentortentor Member, Host Rep

    @Neoon said: Most of the captchas can be already bypassed by some A.I

    I doubt there is any sense in using AI-proof captcha when protecting from DDoS attack - if the attacker needs to use AI they will run out of money very fast

  • FAT32FAT32 Administrator, Deal Compiler Extraordinaire

    Open webcam and perform face recognition + liveness check to prevent from pre-recorded videos / face swap

  • tentortentor Member, Host Rep

    @FAT32 said:
    Open webcam and perform face recognition + liveness check to prevent from pre-recorded videos / face swap

    Know Your Customer Visitor

  • NeoonNeoon Community Contributor, Veteran

    @tentor said:

    @Neoon said: Most of the captchas can be already bypassed by some A.I

    I doubt there is any sense in using AI-proof captcha when protecting from DDoS attack - if the attacker needs to use AI they will run out of money very fast

    As far as I know you can solve these with speech recognition.
    No idea if they use LLM's for that.

    You don't need a lot of bots to come through though.
    If you know any weak points, you hit them with the bots and the server load will do the rest.

  • tentortentor Member, Host Rep

    @Neoon said: As far as I know you can solve these with speech recognition.
    No idea if they use LLM's for that.
    You don't need a lot of bots to come through though.
    If you know any weak points, you hit them with the bots and the server load will do the rest.

    Entire point of DDoS protection is to make the cost for the attacker higher than victims'

    Thanked by 1emgh
  • NeoonNeoon Community Contributor, Veteran

    @tentor said:

    @Neoon said: As far as I know you can solve these with speech recognition.
    No idea if they use LLM's for that.
    You don't need a lot of bots to come through though.
    If you know any weak points, you hit them with the bots and the server load will do the rest.

    Entire point of DDoS protection is to make the cost for the attacker higher than victims'

    Isn't the point to keep your services and systems running?
    You don't wanna seem them down.

  • tentortentor Member, Host Rep
    edited October 2023

    @Neoon said: Isn't the point to keep your services and systems running?

    To be able to keep the target reachable you need to to have sufficient resources for that. To accomplish this, you need to efficiently utilize available resources as well as force challenge that is computationally harder for attacker to solve comparing to verification costs for a victim.

    Thanked by 2fatchan emgh
  • FlorinMarianFlorinMarian Member, Host Rep

    My undergraduate work started last year when I had those attacks with 6.800.000 requests unclassified by CloudFlare in just 8 hours.
    The only information I have left from Miguel (and it's a very precious one), is the following: If the attack has reached your backend, it's already too late. (I'm trying to explain to him that I'm trying to apply limitations at the application level)
    My goal is to create a good enough proxy protection to keep my own applications (and those of clients, why not?) online.
    I know that perfect protection does not exist, but I want to have the best one that I can have according to my budget and knowledge.

  • You mean 2024?

    Thanked by 2FlorinMarian k4zz
  • @FlorinMarian said:
    Hello!
    Because by migrating the servers to the mini-datacenter at home I did not manage to finish my bachelor's thesis, it will be completed and presented in February 2023.

    surely you mean 2024

  • fatchanfatchan Member
    edited October 2023

    @FlorinMarian said: In this sense, I want to ask you: what kind of puzzle would you like to solve when entering a website for the first time so that it is not very disturbing for you, but is still hard enough to be bypassed by bots?

    You should try a proof of work challenge. It provides low friction for real users while increasing cost significantly for attackers. Visitors have to perform a computation to solve a probabilistic algorithm. On average it will take a certain amount of CPU time depending on the configured difficulty and can't be sped up or bypassed by paying for cheap labor or using AI.

    I am developing a product for this and somebody had posted it on LET previously, here. If you are interested, contact me.

    Here is an example of it enabled (on a low difficulty): https://ptchan.org/int/

    Of course, in a full L7 ddos mitigation system, it should be used in combination with CAPTCHA and other methods to increase effectiveness.

    @tentor said: To accomplish this, you need to efficiently utilize available resources as well as force challenge that is computationally harder for attacker to solve comparing to verification costs for a victim.

    🎯

  • tentortentor Member, Host Rep
    edited October 2023

    @FlorinMarian said: My undergraduate work started last year when I had those attacks with 6.800.000 requests unclassified by CloudFlare in just 8 hours.

    Isn't it about 236 rps? Looks pretty low bandwidth, however it is sufficient for bloated applications like WHMCS to fall down

  • FlorinMarianFlorinMarian Member, Host Rep

    Thanks for the idea, but the computational one is not in my area of interest and Google Recaptcha would do a lot of validations that would weaken the motivation to create your own solution (I don't know how it is in other countries, but in Romania at the Faculty of CS you have to prove that your solution is different from the existing ones and better from certain points of view).
    Then, as personal feedback, I used OpenLiteSpeed with Recaptcha but it's useless, I had the site down quite often :)

  • FlorinMarianFlorinMarian Member, Host Rep

    @tentor said:

    @FlorinMarian said: My undergraduate work started last year when I had those attacks with 6.800.000 requests unclassified by CloudFlare in just 8 hours.

    Isn't it about 236 rps? Looks pretty low bandwidth, however it is sufficient for bloated applications like WHMCS to fall down

    There were much more, 6.8M requests reached the backend because cloudflare did not find any malicious activity in them.
    Of course, many other requests were blocked, but the error rate was much too high.

  • tentortentor Member, Host Rep

    @FlorinMarian said: Google Recaptcha would do a lot of validations that would weaken the motivation to create your own solution

    ... or to visit your website after finding hundreds of thousands of traffic lights :)

    I find hCaptcha better than recaptcha from that perspective - their challenge is a bit harder, but two steps is enough in most cases.

  • tentortentor Member, Host Rep

    @FlorinMarian said:
    There were much more, 6.8M requests reached the backend because cloudflare did not find any malicious activity in them.
    Of course, many other requests were blocked, but the error rate was much too high.

    Well I meant that hundreds of rps passed to a backend is not that much, because the issue in an extremely weak backend (i.e. poorly written application). AFAIK WHMCS does not have any caching at all, thus even unauthenticated requests to a billing root causing high load...

    Protecting such applications is a nightmare.

  • @FlorinMarian said: Thanks for the idea, but the computational one is not in my area of interest and Google Recaptcha would do a lot of validations that would weaken the motivation to create your own solution

    FYI, recaptcha, hcaptcha, cloudflare likely utilize proof of work as part of their validation. Math is math and that won't change so don't discount it completely 🙂. It's one part of multi-faceted approach which still includes CAPTCHA, ratelimits, etc.

  • A skilled attacker doesn't need volume to cause DoS, most web apps have application code that can be attacked without much volume -- if any.

    It does help that mose DDoSers are just skids trying to become famous.

  • ValVal Member

    @FAT32 said:
    Open webcam and perform face recognition + liveness check to prevent from pre-recorded videos / face swap

    Live push-ups.

  • risharderisharde Patron Provider, Veteran

    @FAT32 said:
    Open webcam and perform face recognition + liveness check to prevent from pre-recorded videos / face swap

    What????????????

  • FlorinMarianFlorinMarian Member, Host Rep

    @FAT32 said:
    Open webcam and perform face recognition + liveness check to prevent from pre-recorded videos / face swap

    This works well with @Calin ’s customers who are free to host porn on their VPSs.
    Maybe in 2024 we’ll have a partnership for this.

  • @FlorinMarian said: This works well with @Calin ’s customers who are free to host porn on their VPSs.

    Maybe in 2024 we’ll have a partnership for this.

    For Romanian equivalent of 'van down by the river' your hosting sure has a lot of rules. :/

  • host_chost_c Member, Patron Provider, BF Ambassador
    edited October 2023

    @FlorinMarian said: My goal is to create a good enough proxy protection to keep my own applications (and those of clients, why not?) online.

    You mean, your webpage for hazi.ro?

    Edit:

    Or Web Services in general?

  • @FlorinMarian said: In this sense, I want to ask you: what kind of puzzle would you like to solve when entering a website for the first time so that it is not very disturbing for you, but is still hard enough to be bypassed by bots?

    Perhaps something like archive.ph? It analyzes the user based on their IP and headers and assigns a risk score. Based on that, it either shows you a captcha screen or not.

  • FlorinMarianFlorinMarian Member, Host Rep

    @host_c said:

    @FlorinMarian said: My goal is to create a good enough proxy protection to keep my own applications (and those of clients, why not?) online.

    You mean, your webpage for hazi.ro?

    Edit:

    Or Web Services in general?

    The proxy will be available for anyone who would like to use it, they will have an API where they will configure their endpoints, like with CF.

    @sillycat said:

    @FlorinMarian said: In this sense, I want to ask you: what kind of puzzle would you like to solve when entering a website for the first time so that it is not very disturbing for you, but is still hard enough to be bypassed by bots?

    Perhaps something like archive.ph? It analyzes the user based on their IP and headers and assigns a risk score. Based on that, it either shows you a captcha screen or not.

    Yes, but the hard part for me is to create a puzzle which replaces captcha being more efficient and still not very unpleasant for end users.

  • DooDoo Member

    The easiest way is to set a unique cookie based on visitors' browser UA, IP and other factors, and to verify it, just like what path.net is doing now.

  • @FlorinMarian said: Yes, but the hard part for me is to create a puzzle which replaces captcha being more efficient and still not very unpleasant for end users.

    Hmmm, maybe something like BasedFlare or Kiwiflare? It requires the client to complete a proof-of-work task to verify that they are a real user.

    It works pretty well for the Kiwifarms in terms of handling L7 DDoS attacks and it also requires 0 user interaction.

Sign In or Register to comment.