Re: Anti HTTP DOS for haproxy

[Lazy]

Thank's for sharing this !

You are right lua in 1.6 will be, a better fit to handle this scenario.
For now I will add some features to my current solution but I will
give LUA a try.



Regards,
Muchal



2015-06-26 11:17 GMT+02:00 Willy Tarreau w...@1wt.eu:
 Hi Michal,

 On Fri, Jun 26, 2015 at 01:39:57AM +0200, Lazy wrote:
 Hi All,

 Some time ago I created a small patch for haproxy 1.5 which is acting
 in a simmilar way to cloud anti dos CAPTHA pages
 (https://github.com/lazy404/haproxy/compare/ddos)

 The idea is that when the site is attacked by bots sending http requests,
 haproxy sends them a webpage with some javascript which is setting a cookie
 with a product of some simple calculations.

 Usually simple ddos bot's aren't capable of passing this kind of
 defences. Magic number
 depends on bot ip address so adding a static cookie header won't do.

 That's interesting, thanks for sharing this. I may have some elements to
 place here because I've been doing such things for about 10 years to help
 various web sites with varying degrees of success.

 What I've seen all the time is that such mechanisms are efficient enough
 to stop basic scripts which randomly spot your site. If the attacker
 targets your protected site, then he switches to other tools, or modifies
 the tools he uses. In your case this means that he will probably send the
 pre-computed cookie all the time, or just grep for the few fields
 he needs in the response to break your computation. Don't get me wrong,
 what you have done *will* be efficient against blind attacks, there's
 no doubt about it, as I've been doing it with some success for years, it's
 just that it doesn't last long. If you're getting attacked for one hour or
 more, you'll see that the attack changes a number of times and that your
 defence will break.

 The second point is that many attacks target specific products. The
 simple fact that your mechanism would get merged would weaken it even
 further. That's one of the reasons for having integrated Lua in 1.6,
 it will allow everyone to build their own defence without being exposed
 to well-known weaknesses. It's just like changing the lock on your door
 when you realize that all the appartments in the building use the same
 type of locks. If a guy comes in with a locksmith, he will open all doors
 but will not want to waste his precious time on yours just because it's
 different.

 The third point is that you'll notice a very high number of DDoS attacks
 come from infected browsers who easily pass through all these protections.

 At Haproxy Tech, we have built a module which does similar things and
 we purposely don't merge it so that it remains unexposed. In short, it
 does more or less the same, but with some extra complexity for the
 attacker :
   - it randomly scrambles the javascript code with fake code and uses
 random methods to compute the requested values in JS using constants,
 functions, etc... in order to prevent extraction using simple parsers.
 For example value 10 can also be expressed sqrt(4) / e(0) xor 12.
 That's just to give an idea of course ;

   - it employs methods I will not develop here to prevent pre-computation
 of the challenges ;

   - it ensures using various methods that it's running in a real browser and
 not a smart script ;

   - it makes use of cryptographic signatures with user-defined keys to
 ensure that the cookie was not forged ;

   - it does its best to prevent the attacking browser from sharing the cookie
 with other nodes from the same botnet.

   - it automatically rate-limits the attackers from the browser to ensure we
 don't move the stress to the rest of the infrastructure.

 Despite all this we've seen it defeated once (that's not much) by a huge
 swarm of infected browsers, so we have added human detection to it in order
 to also protect against these (I will not expand here either). We're quite
 proud of it and our customers seem very happy with it now.

 As any such tools, disclosing more about it could weaken it and reduce
 some of our customers' protection level so you can easily understand that
 I won't go into further details.

 What I want you to understand with this is that I'd strongly encourage you
 to port your work to Lua code using 1.6 and possibly to make it easily
 configurable so that anyone can pick your code, adapt it to their needs
 and avoids being exposed by not adopting a well-known behaviour.

 That way your mechanism could be usable in mainline without requiring
 patching, and could remain strong for everyone at the same time (and
 flexible, which is absolutely needed in such circumstances).

 Best regards,
 Willy

Anti HTTP DOS for haproxy

[Lazy]

Hi All,

Some time ago I created a small patch for haproxy 1.5 which is acting
in a simmilar way to cloud anti dos CAPTHA pages
(https://github.com/lazy404/haproxy/compare/ddos)

The idea is that when the site is attacked by bots sending http requests,
haproxy sends them a webpage with some javascript which is setting a cookie
with a product of some simple calculations.

Usually simple ddos bot's aren't capable of passing this kind of
defences. Magic number
depends on bot ip address so adding a static cookie header won't do.

On the next request if the cookie value is correct (it's based on
client ip and some random secret)
client will be whitelisted. If the number is wrong for a number of
times the client get's
banned and it's connections are getting rejected (an external script
can pick up those
addresses and add them to an external firewall or iptables).

The code is based auth.

From my lab tests and some short real word attacks it works good
enough for me, I know that the
cookie_auth name is misleading, and number generation might be
vulnerable to secret leakage,
there are no docs, and the code is not up to haproxy standards in many places.

I plan on adding some features to it I might as well try to clean the
code, add documentation, rename
if this kind of feature might be welcomed in haproxy.

Regards,
Michal

Stick tables

[Lazy]

Hi,

I'm implementing something similar to cloud flare IUAM
(javascript based client verification engaging under layer7 ddos attack)

Is it normal that http table exp counter gets updated even if src
address is whitelisted sc1_get_gpc0(backend)  0 ?

Is it possible to force expire an entry using an acl ?

Is it possible to define multiple stick tables storing gpc0 in a
single frontend,
now it's using one from the frontend and one from the backend but how
to define sc2 without adding another backend ?

config follows

backend backend
stick-table type ip size 1m expire 10m store gpc0

tcp-request content track-sc1 src if !whitelist

acl flag_fail sc0_inc_gpc0(http) ge 0
acl flag_ok sc1_inc_gpc0(backend) ge 0
acl rm_black src_clr_gpc0(http) ge 0

acl whitelist sc1_get_gpc0(backend) gt 0

acl blacklist_candidate sc0_get_gpc0(http) gt 0

#send chalanges if session rate  500
acl normal_rate be_sess_rate lt 500

#checks if chalange response is correct
acl cauth_ok cookie_auth

#add to whitelist if chalange response is correct
http-request allow if whitelist or cauth_ok flag_ok rm_black

#send javascript chalange
http-request cookie_auth if !auth_ok !normal_rate flag_fail
http-request cookie_auth if !auth_ok blacklist_candidate flag_fail

frontend http
bind 0.0.0.0:8080

stick-table type ip size 1m expire 20m store gpc0

acl flag_fail sc0_inc_gpc0(http) ge 0

acl blacklist sc0_get_gpc0(http) gt 500
acl whitelist sc1_get_gpc0(backend) gt 0

tcp-request connection track-sc0 src if ! whitelist

tcp-request connection reject if blacklist flag_fail

Thanks,
Michal Grzedzicki