CloudFlare can’t stop DDoS attacks?

Most of the time I see this happen because someone mistakenly thinks we are a DDoS service & mentions it on board. When it comes to an attack, unfortunately, people rush to find a quick fix to the problem.

There are some things that we do that can help with smaller attacks & there are some things in the threat control panel you can do as well. But a monster attack will most certainly cause us to go direct to a site.

I have been seeing more and more people start to recommend CloudFlare for the prevention of DDoS attacks. Why is this?

The nature of the service alone allows traffic to be spread across various POPs, which can help isolate a DDoS attack pretty well. This alone doesn’t do much to help with larger attacks (for that, you’ll need other mitigation methods), but I can see CloudFlare being useful for smaller attacks.

CloudFlare doesn’t work well on high-end DDoS attacks but works fine when script kiddies attempt to take your website(s) offline.

Most script kiddies have a tool which they refer to as a “Booter”. A Booter, in logical terms, is a program which sends a command to multiple hacked servers. These hacked servers use their connection to attack your website’s IP address.

When your site is behind CloudFlare, the hacked servers attack CloudFlare, instead of your website. CloudFlare isn’t really made for DDoS protection, BUT it is able to filter these small attacks much better than your average web host.

When it comes to protection from DDoS attacks, well, I suppose in a way it can work, but it surely is not going to prevent such an enormous attack on their networks by any means.

Will the Cloudflare business plan stop a DDoS attack?

If the hacker knows your website’s IP address, nothing will stop them.

Cloud-Based DDoS Protection Is Easily Bypassed!

Some cloud-based services that provide monthly denial of service protection for their clients may be easily bypassed by a hacker determined to disrupt a specific website, according to a penetration tester that has found a way to easily exploit a common configuration weakness in the way many services are set up.

The cloud-based DDoS protection bypass can be used against services that require DNS-based DDoS mitigation to reroute and scrub traffic of unwanted packets, said Allison Nixon, a penetration tester and incident response handler at Bloomfield, Conn.-based managed security service provider Integralis. At the Black Hat security conference Wednesday, Nixon provided details about the configuration weakness and released a tool to automate the process of exploiting the flawed setup. Black Hat is owned and operated by UBM, CRN’s parent.

“Bypassing these services is extremely easy; at this point I can bypass DDoS protection in almost every situation,” Nixon said.

Bypass Cloudflare DDoS protection

First of all, let me explain how user integrity check works and why it is a problem for HTTP based (layer 7) attacks.

Basically, it checks for two different factors: Cookies validation and Javascript validation.

Now for the methods explanation:

*Bots – Using bots with regular browser requests will bypass the validation due to the simple fact that they can run the javascript code without an issue (and storing the cookies of course). Therefore, using this type of flood with a botnet on a booter would actually bypass cloudflare and hit the backend.

*Smart requests – This is the more interesting script and is extremely rare. The script basically processes the Javascript code on the server side without directly running it. This would require calculating the math and afterwards storing the cookies. Now of course it would be much more complicated and of course slower than a regular GET flood, but it would hit the backend. This type of method is not yet established in public booters or stressers, but I would guess that it soon will be.

Malware evolving to defeat anti-DDoS services like CloudFlare?

Could distributed denial of service (DDoS) malware be evolving to defeat anti-DDoS security measures like CloudFlare? We do not usually see a lot of innovative denial-of-service malware in our day-to-day work. What we do see usually boils down to the basic flooding techniques: TCP SYN, UDP and ping floods, and sometimes HTTP-oriented floods.

Of course, many products and services are available to webmasters who want to defend against such DDoS attacks. CloudFlare is one of them. When we analyzed a new piece of malicious software that looked suspiciously like yet another DoS tool, we did not expect to find anything particularly interesting. However, it turns out that the malware dubbed Win32/DoS.OutFlare.A implements a technique we have not seen before: a routine intended specifically to defeat the very popular CloudFlare anti-DoS service.

Win32/DoS.OutFlare.A modus operandi

On execution, the malware will attempt to create a mutex with the string “Globalsad_day”. If it succeeds, it will copy itself to %APPDATA%, add a registry entry to start itself at boot, and relaunch itself. The new process will then launch iexplore.exe in suspended mode and inject its payload into it. The payload is obfuscated with API call redirection. The call flow is also obfuscated, in the sense that every major function is called within a CreateThread call.

Win32/DoS.OutFlare.A DoS Cloudflare-savvy malware

Before even connecting to its C&C, OutFlare will perform three upload speed tests, using a public service from www.speakeasy.net, and store the results in memory.

Once completed, the bot will connect to an IRC server on the domain 7.[redacted].lt (7.nnn.nnn.nnn at time of analysis) on port tcp/9835 and join the channel #main.

At this stage, the bot will sit idle in the channel, waiting for a specific command. Most of these commands are related to various DoS techniques. The one labelled ‘cf’ is particularly interesting.

Win32/DoS.OutFlare.A bot methods

DoS techniques

The ‘cf’ command consists of a special routine made specifically to bypass the CloudFlare client-side DoS detection mechanism. To fully understand the bypass mechanism, a little knowledge about how CloudFlare works is required.
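The behaviours listed in the analysis above (the “Globalsad_day” mutex, the copy to %APPDATA%, the boot-time registry entry, iexplore.exe launched suspended, the upload speed tests against www.speakeasy.net, and the IRC connection on tcp/9835 joining #main) are exactly the kind of host and network telemetry a defender can correlate. The following is an added example, not part of the original post or of any ESET tooling: a small Python correlator that scans a constructed, simplified line-oriented telemetry format (the `type=`/`key=value` layout, the sample host names and the `7.cnc-placeholder.lt` domain standing in for the redacted C&C domain are all constructed for this example) and lists the hosts that show the OutFlare pattern.

```python
import re
from collections import defaultdict

# Indicators come from the analysis of Win32/DoS.OutFlare.A above. The log
# format, host names and the C&C placeholder domain are constructed for this
# example and do not correspond to any real product's telemetry.
MUTEX_NAME = "Globalsad_day"
CNC_PORT = 9835
IRC_CHANNEL = "#main"
SPEEDTEST_HOST = "www.speakeasy.net"

# Constructed sample: one infected workstation (WS01) and one host running an
# ordinary IRC client (WS02) that must not be flagged.
SAMPLE_EVENTS = """\
2013-02-08T10:00:01 host=WS01 type=mutex name=Globalsad_day pid=4120 image=C:\\Users\\bob\\Downloads\\invoice.exe
2013-02-08T10:00:02 host=WS01 type=file_write path=C:\\Users\\bob\\AppData\\Roaming\\invoice.exe pid=4120
2013-02-08T10:00:02 host=WS01 type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=invoice pid=4120
2013-02-08T10:00:03 host=WS01 type=process_create image="C:\\Program Files\\Internet Explorer\\iexplore.exe" flags=SUSPENDED parent=4121
2013-02-08T10:00:05 host=WS01 type=net_connect dst=www.speakeasy.net:80 proto=tcp pid=4130
2013-02-08T10:00:09 host=WS01 type=net_connect dst=7.cnc-placeholder.lt:9835 proto=tcp pid=4130
2013-02-08T10:00:10 host=WS01 type=net_payload pid=4130 data="JOIN #main"
2013-02-08T10:05:00 host=WS02 type=net_connect dst=irc.example.org:6667 proto=tcp pid=900
"""

# key=value pairs; a value may be double-quoted when it contains spaces
TOKEN = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Turn 'timestamp host=X type=Y k=v ...' into a dict of strings."""
    ts, _, rest = line.strip().partition(" ")
    event = {"ts": ts}
    for key, val in TOKEN.findall(rest):
        event[key] = val.strip('"')
    return event


def indicators_for(event):
    """Yield the names of OutFlare-style behaviours a single event matches."""
    t = event.get("type")
    if t == "mutex" and event.get("name") == MUTEX_NAME:
        yield "outflare_mutex"
    elif t == "file_write" and "\\AppData\\Roaming\\" in event.get("path", ""):
        yield "copy_to_appdata"
    elif t == "registry" and event.get("key", "").endswith("\\Run"):
        yield "run_key_persistence"
    elif (t == "process_create"
          and event.get("image", "").lower().endswith("iexplore.exe")
          and "SUSPENDED" in event.get("flags", "")):
        yield "iexplore_suspended_launch"
    elif t == "net_connect":
        host, _, port = event.get("dst", "").rpartition(":")
        if host == SPEEDTEST_HOST:
            yield "speedtest_to_speakeasy"
        if port == str(CNC_PORT) and event.get("proto") == "tcp":
            yield "irc_port_9835"
    elif t == "net_payload" and f"JOIN {IRC_CHANNEL}" in event.get("data", ""):
        yield "irc_join_main"


def scan(log_text):
    """Return {host: sorted indicator names} for hosts worth investigating.

    The mutex name is specific enough to alert on alone; the other behaviours
    are individually common (IRC clients, speed tests, Run keys), so at least
    three of them must coincide on one host before it is reported."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        for name in indicators_for(ev):
            hits[ev.get("host", "?")].add(name)
    return {h: sorted(s) for h, s in hits.items()
            if "outflare_mutex" in s or len(s) >= 3}


if __name__ == "__main__":
    for host, names in scan(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(names))
```

In real telemetry the mutex and the C&C port are the most specific signals, while the %APPDATA% copy, the Run key and the suspended iexplore.exe launch are shared with a great deal of other commodity malware; that is why the threshold logic treats them as supporting evidence rather than as alerts on their own.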

CloudFlare – how does it work?

CloudFlare is a very popular service that adds speed, reliability and some level of protection to websites. Taken from their website:

CloudFlare protects and accelerates any website online. Once your website is a part of the CloudFlare community, its web traffic is routed through our intelligent global network. We automatically optimize the delivery of your web pages so your visitors get the fastest page load times and best performance. We also block threats and limit abusive bots and crawlers from wasting your bandwidth and server resources.

One of the techniques used to protect CloudFlare’s clients is to validate that the requests are coming from a legitimate browser. They implemented a simple but clever way to do this by forcing the client to evaluate Javascript in order to solve a mathematical challenge on the CloudFlare infrastructure. The client’s request will make it to the real webserver only if the correct answer is provided.

Here is an example. On its initial visit to a CloudFlare-protected website, the client’s browser is presented with a special Challenge web page.
CloudFlare challenge page

This page contains a special hidden POST form to be used in order to submit the answer to the challenge.

Right below this form is a small Javascript snippet that computes a simple math operation and performs a POST on the previous form.
CloudFlare solver script

Normal web browsers will interpret the Javascript and produce an HTTP POST request similar to this one, which contains the response to the challenge.

CloudFlare DDoS challenge-response

If the answer is correct, the CloudFlare infrastructure will reply to the POST with a clearance cookie. Presenting this cookie along with any further HTTP requests will bypass the challenge and allow the request to reach the real webserver directly.

CloudFlare clearance cookie
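The challenge page, the hidden POST form and the clearance cookie described above form a small protocol, and the interesting design questions are on the server side: how to issue a challenge without keeping per-client state, how to reject tampered or replayed challenges, and how to keep one solved challenge from turning into a cookie that every bot can reuse. The following is an added example written for this page, not CloudFlare's code and not the malware's; the field names (`a`, `op`, `b`, `ts`, `token`), the HMAC construction, the lifetimes and the binding of the cookie to the client address are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Added example: a server-side model of "solve some arithmetic, get a
# clearance cookie". Field names, the HMAC construction and the lifetimes are
# assumptions for illustration, not CloudFlare's actual implementation.

CHALLENGE_TTL = 60      # seconds a challenge may remain unanswered
CLEARANCE_TTL = 3600    # seconds a clearance cookie stays valid
OPS = {"+": lambda a, b: a + b, "-": lambda a, b: a - b, "*": lambda a, b: a * b}


def _sign(secret: bytes, *parts: str) -> str:
    """HMAC-SHA256 over label-separated parts. The leading label ("chal" or
    "clr") keeps a challenge token from being presented as a cookie."""
    return hmac.new(secret, "|".join(parts).encode(), hashlib.sha256).hexdigest()


def issue_challenge(secret: bytes, client_ip: str, now: Optional[int] = None) -> dict:
    """Build the hidden-form fields for the challenge page.

    The token binds operands, client address and issue time, so the server
    keeps no per-client state and the client cannot substitute an easier
    problem or hand the challenge to another address."""
    ts = int(now if now is not None else time.time())
    a = secrets.randbelow(900) + 100
    b = secrets.randbelow(90) + 10
    op = secrets.choice(list(OPS))
    token = _sign(secret, "chal", str(a), op, str(b), client_ip, str(ts))
    return {"a": a, "op": op, "b": b, "ts": ts, "token": token}


def verify_answer(secret: bytes, fields: dict, answer: int,
                  client_ip: str, now: Optional[int] = None) -> Optional[str]:
    """Validate a POSTed answer; return a clearance cookie, or None on failure."""
    ts_now = int(now if now is not None else time.time())
    try:
        a, op, b = int(fields["a"]), str(fields["op"]), int(fields["b"])
        ts, token = int(fields["ts"]), str(fields["token"])
    except (KeyError, ValueError, TypeError):
        return None
    if op not in OPS or ts > ts_now or ts_now - ts > CHALLENGE_TTL:
        return None                      # unknown operator, or stale/future challenge
    expected = _sign(secret, "chal", str(a), op, str(b), client_ip, str(ts))
    if not hmac.compare_digest(expected, token):
        return None                      # tampered fields, or another client's challenge
    if OPS[op](a, b) != answer:
        return None                      # wrong arithmetic
    expiry = ts_now + CLEARANCE_TTL
    return f"{expiry}.{_sign(secret, 'clr', client_ip, str(expiry))}"


def verify_clearance(secret: bytes, cookie: str, client_ip: str,
                     now: Optional[int] = None) -> bool:
    """True only for an unexpired cookie that was issued to this client address."""
    ts_now = int(now if now is not None else time.time())
    expiry, _, mac = cookie.partition(".")
    if not expiry.isdigit() or int(expiry) < ts_now:
        return False
    return hmac.compare_digest(_sign(secret, "clr", client_ip, expiry), mac)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    fields = issue_challenge(key, "203.0.113.5")
    cookie = verify_answer(key, fields, OPS[fields["op"]](fields["a"], fields["b"]), "203.0.113.5")
    print("cleared for 203.0.113.5:", verify_clearance(key, cookie, "203.0.113.5"))
    print("same cookie from 198.51.100.9:", verify_clearance(key, cookie, "198.51.100.9"))
```

The point worth taking from this model is what the challenge does and does not prove. A client that parses the page and evaluates the arithmetic itself, as the malware analysed here does, still earns a cookie; the arithmetic only demonstrates that the client executed the logic. What the signed, address-bound, time-limited cookie buys is that one solved challenge cannot be shared across a botnet or kept indefinitely, which is why the remaining defences have to be per-cookie and per-address rate limits on the traffic that follows rather than the challenge alone.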

Bypassing the Javascript test

Of course, this looks like a trivial job for a typical web browser, but not for a dumb DoS script. That is where Win32/DoS.OutFlare.A is innovative: it implements functionality to parse the challenge parameters, then compute and send the expression in order to obtain the clearance cookie that is necessary to perform an effective DoS against the real web server.

Parsing the CloudFlare challenge (extracting the challenge operation).

Computing the CloudFlare challenge (computing the challenge).

Conclusion

The administrators at the domain being abused by this malware have been contacted (2013-02-08) regarding what seems to be a rogue subdomain registered without their knowledge. We have also spoken with CloudFlare. The company indicated that defensive measures were already in place to defeat this type of attack and of course they are continually enhancing the techniques used to thwart DDoS attacks on their customers.

Given the popularity of CloudFlare and similar services, it makes sense for the DoS malware out there to evolve techniques–such as we have seen in our analysis of Win32/DoS.OutFlare.A–to help them perform their nefarious operations more efficiently. However, services like CloudFlare are also evolving. Improvements to the technology are rolled out all the time.

While the code we see in Win32/DoS.OutFlare.A suggests that we might be at the beginning of an arms race between anti-DDoS services and commodity DoS malware, continued cooperation between security vendors and researchers will hopefully keep blunting the effectiveness of this particular type of malware.

CloudFlare’s very interesting take on these developments can be found on the CloudFlare blog, in a post by CEO Matthew Prince.
