Most of the time I see this happen because someone mistakenly thinks we are a DDoS service & mentions it on board. When it comes to an attack, unfortunately, people rush to find a quick fix to the problem.
There are some things that we do that can help with smaller attacks & there are some things in the threat control panel you can do as well. But a monster attack will most certainly cause us to go direct to a site.
I have been seeing more and more people recommend CloudFlare for the prevention of DDoS attacks. Why is this?
The nature of the service alone allows traffic to be spread across various POPs, which can help isolate a DDoS attack pretty well. This alone doesn’t do much to help with larger attacks (for that, you’ll need other mitigation methods), but I can see CloudFlare being useful for smaller attacks.
CloudFlare doesn’t work well on high-end DDoS attacks but works fine when script kiddies attempt to take your website(s) offline.
Most script kiddies have a tool which they refer to as a “Booter”. A Booter, in logical terms, is a program which sends a command to multiple hacked servers. These hacked servers use their connection to attack your website’s IP Address.
When your site is behind CloudFlare, the hacked servers attack CloudFlare, instead of your website. CloudFlare isn’t really made for DDoS protection, BUT it is able to filter these small attacks much better than your average web host.
When it comes to protection from DDoS attacks, well, I suppose in a way it can work, but it surely is not going to prevent such an enormous attack on their networks by any means.
Will the CloudFlare business plan stop DDoS attacks?
If a hacker knows your website's IP address, nothing will stop them.
Cloud-Based DDoS Protection Is Easily Bypassed!
Some cloud-based services that provide monthly denial-of-service protection for their clients may be easily bypassed by a hacker determined to disrupt a specific website, according to a penetration tester who has found a way to easily exploit a common configuration weakness in the way many services are set up.
The cloud-based DDoS protection bypass can be used against services that require DNS-based DDoS mitigation to reroute and scrub traffic of unwanted packets, said Allison Nixon, a penetration tester and incident response handler at Bloomfield, Conn.-based managed security service provider Integralis. At the Black Hat security conference Wednesday, Nixon provided details about the configuration weakness and released a tool to automate the process of exploiting the flawed setup. Black Hat is owned and operated by UBM, CRN’s parent.
“Bypassing these services is extremely easy; at this point I can bypass DDoS protection in almost every situation,” Nixon said.
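The configuration weakness behind this kind of bypass is an origin server that still answers requests which never passed through the DNS-rerouted scrubbing network, so the protection only holds if the origin refuses direct traffic. As an added example (not from the article and not Nixon's tool), here is an origin-side filter in Python that serves a request only when it arrives from one of the mitigation provider's proxy ranges, and only then trusts the forwarded client address; the proxy ranges and the header name are constructed placeholders, not a real provider's values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder ranges standing in for the mitigation
# provider's published proxy networks (assumption: NOT real provider
# ranges; load the provider's current list in production).
TRUSTED_PROXY_NETS = [ipaddress.ip_network(n) for n in (
    "198.51.100.0/24", "203.0.113.0/24", "2001:db8:beef::/48")]

# Header in which the proxy forwards the visitor's address
# (assumption: the exact name depends on the provider).
CLIENT_IP_HEADER = "X-Forwarded-Client-IP"

@dataclass
class Decision:
    allowed: bool
    client_ip: Optional[str]
    reason: str

def is_trusted_proxy(src_ip: str) -> bool:
    """True when the TCP peer is one of the scrubbing proxies."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)

def evaluate(src_ip: str, headers: dict) -> Decision:
    """Decide whether the origin should serve a request.

    src_ip is the TCP peer address; headers holds the request headers.
    The forwarded-client header is consulted only after the peer has
    been verified, because any direct client can set that header."""
    if not is_trusted_proxy(src_ip):
        # The request reached the origin without passing the scrubbing
        # layer: this is the direct-to-origin bypass described above.
        return Decision(False, None, f"direct-to-origin request from {src_ip}")
    raw = headers.get(CLIENT_IP_HEADER)
    if raw is None:
        return Decision(False, None, "proxy did not forward a client address")
    try:
        client = ipaddress.ip_address(raw.strip())
    except ValueError:
        return Decision(False, None, "malformed forwarded client address")
    return Decision(True, str(client), "request arrived via a trusted proxy")
```

Logging every denied direct-to-origin request is also the cheapest signal that someone has discovered the origin address.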
Bypass Cloudflare DDoS protection
First of all, let me explain how the user integrity check works and why it is a problem for HTTP-based (layer 7) attacks.
Now for the methods explanation:
Malware evolving to defeat anti-DDoS services like CloudFlare?
Could distributed denial of service (DDoS) malware be evolving to defeat anti-DDoS security measures like CloudFlare? We do not usually see a lot of innovative denial-of-service malware in our day-to-day work. What we do see usually boils down to the basic flooding techniques: TCP SYN, UDP and ping floods, and sometimes HTTP-oriented floods.
Of course, many products and services are available to webmasters who want to defend against such DDoS attacks. CloudFlare is one of them. When we analyzed a new piece of malicious software that looked suspiciously like yet another DoS tool, we did not expect to find anything particularly interesting. However, it turns out that the malware dubbed Win32/DoS.OutFlare.A implements a technique we have not seen before: a routine intended specifically to defeat the very popular CloudFlare anti-DoS service.
Win32/DoS.OutFlare.A modus operandi
On execution, the malware will attempt to create a mutex with the string “Globalsad_day”. If it succeeds, it will copy itself to %APPDATA%, add a registry entry to start itself at boot, and relaunch itself. The new process will then launch iexplore.exe in suspended mode and inject its payload into it. The payload is obfuscated with API call redirection. The call flow is also obfuscated, in the sense that every major function is called within a CreateThread call.
Before even connecting to its C&C, OutFlare will perform three upload speed tests, using a public service from www.speakeasy.net, and store the results in memory.
Once completed, the bot will connect to an IRC server on the domain 7.[redacted].lt (7.nnn.nnn.nnn at time of analysis) on port tcp/9835 and join the channel #main.
At this stage, the bot will sit idle in the channel, waiting for a specific command. Most of these commands are related to various DoS techniques. The one labelled ‘cf’ is particularly interesting.
This consists of a special routine made specifically to bypass the CloudFlare client-side DoS detection mechanism. To fully understand the bypass mechanism, a little knowledge about how CloudFlare works is required.
CloudFlare – how does it work?
CloudFlare is a very popular service that adds speed, reliability and some level of protection to websites. Taken from their website:
CloudFlare protects and accelerates any website online. Once your website is a part of the CloudFlare community, its web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources.
Here is an example. On its initial visit to a CloudFlare-protected website, the client’s browser is presented with a special Challenge web page.
This page contains a special hidden POST form to be used in order to submit the answer to the challenge.
If the answer is correct, the CloudFlare infrastructure will reply to the POST with a clearance cookie. Presenting this cookie along with any further HTTP requests will bypass the challenge and allow the request to reach the real webserver directly.
Of course, this looks like a trivial job for a typical web browser, but not for a dumb DoS script. And that’s where Win32/DoS.OutFlare.A is innovative: it implements functionality to parse the challenge parameters, then computes and sends the expression in order to obtain the clearance cookie, which is necessary to perform an effective DoS against the real web server.
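To make the challenge-and-clearance flow above concrete from the operator's side, here is an added Python sketch (not CloudFlare's implementation, whose internals are not on this page) that issues an arithmetic challenge, mints an HMAC-signed clearance cookie bound to the client address with a short expiry, verifies it on later requests, and counts clearances per address so a bot that keeps re-solving the challenge at DoS rate can be flagged. The cookie format, the TTL and the thresholds are assumptions.

```python
import hashlib, hmac, random, secrets, time

SECRET = secrets.token_bytes(32)   # per-deployment signing key (constructed here)
CLEARANCE_TTL = 300                # seconds a clearance cookie stays valid
OPS = {"+": lambda x, y: x + y, "-": lambda x, y: x - y, "*": lambda x, y: x * y}

def make_challenge(rng=random):
    """Issue an arithmetic challenge like the one described above.
    Returns the expression shown to the client and the expected answer."""
    a, b, op = rng.randint(10, 99), rng.randint(10, 99), rng.choice("+-*")
    return f"{a} {op} {b}", OPS[op](a, b)

def _sign(payload):
    return hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()

def issue_clearance(client_ip, answer, expected, now=None):
    """Mint a clearance cookie only for a correct answer. Binding it to
    the visitor address and an expiry limits what a harvested cookie
    is worth to an automated solver."""
    if answer != expected:
        return None
    exp = int((time.time() if now is None else now) + CLEARANCE_TTL)
    payload = f"{client_ip}|{exp}"
    return f"{payload}|{_sign(payload)}"

def verify_clearance(cookie, client_ip, now=None):
    """Let a request through to the origin only if the cookie's
    signature, expiry and IP binding all check out."""
    try:
        ip, exp_str, sig = cookie.split("|")
        exp = int(exp_str)
    except (ValueError, AttributeError):
        return False
    if not hmac.compare_digest(sig, _sign(f"{ip}|{exp}")):
        return False
    current = time.time() if now is None else now
    return ip == client_ip and current < exp

class ClearanceMonitor:
    """Count clearances per address in a sliding window. A browser solves
    the challenge once and reuses its cookie; a DoS tool that keeps
    re-solving it stands out and can be rate limited."""
    def __init__(self, limit=5, window=60):
        self.limit, self.window, self.events = limit, window, {}

    def record(self, client_ip, now):
        """Record a clearance; True means the address exceeded the limit."""
        recent = [t for t in self.events.get(client_ip, []) if now - t < self.window]
        recent.append(now)
        self.events[client_ip] = recent
        return len(recent) > self.limit
```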
Figure: Extracting the challenge operation.
Figure: Computing the challenge.
The administrators at the domain being abused by this malware have been contacted (2013-02-08) regarding what seems to be a rogue subdomain registered without their knowledge. We have also spoken with CloudFlare. The company indicated that defensive measures were already in place to defeat this type of attack and of course they are continually enhancing the techniques used to thwart DDoS attacks on their customers.
Given the popularity of CloudFlare and similar services, it makes sense for the DoS malware out there to evolve techniques, such as the one we have seen in our analysis of Win32/DoS.OutFlare.A, to help it perform its nefarious operations more efficiently. However, services like CloudFlare are also evolving. Improvements to the technology are rolled out all the time.
While the code we see in Win32/DoS.OutFlare.A suggests that we might be at the beginning of an arms race between anti-DDoS services and commodity DoS malware, continued cooperation between security vendors and researchers will hopefully keep blunting the effectiveness of this particular type of malware.
CloudFlare’s very interesting take on these developments can be found on the CloudFlare blog, in a post by CEO Matthew Prince.