Denial of Service is an attack favored by hacktivists as a form of protest, and also used by criminal hackers to disguise hack and grab raids. Its purpose is to overwhelm a website with ‘illegitimate’ requests in order to deny access by legitimate requests. Basic DDoS mitigation consequently seeks to filter out bad packets and allow only the good packets to reach the server. While it can be done to a certain extent by firewall rules, this is not very effective against large scale attacks such as those that have and still are being targeted against the US banks.
Third-party DDoS mitigation services sit between the internet and the target and seek to recognize and block DDoS attacks while allowing normal service. One such service is CloudFlare. It was used, for example, by WikiLeaks following last summer’s DDoS attack.
Now ESET has discovered a new DDoS tool that includes code specifically designed to circumvent CloudFlare defenses. “It turns out,” blogged Alexis Dorais-Joncas, a Canada-based ESET malware researcher yesterday, “that the malware dubbed Win32/DoS.OutFlare.A implements a technique we have not seen before: a routine intended specifically to defeat the very popular CloudFlare anti-DoS service.”
One of the methods used by CloudFlare to ensure that a request is coming from a legitimate browser – and is therefore more likely to be a legitimate request – is to force that browser to perform a simple javaScript computation. A successful response leads to CloudFlare adding a cookie to the browser which will then allow that IP address through the blockade without further hindrance.
“Of course, this looks like a trivial job for a typical web browser,” notes ESET, “but not for a dumb DoS script.” But the malware it calls OutFlare includes a routine to recognize the challenge and deliver the correct response; thus gaining free passage. This doesn’t mean that CloudFlare is broken – it isn’t. ESET reported its concerns to the company, and was told “that defensive measures were already in place to defeat this type of attack and of course they are continually enhancing the techniques used to thwart DDoS attacks on their customers.”
What it does mean, however, is that “the code we see in Win32/DoS.OutFlare.A suggests that we might be at the beginning of an arms race between anti-DDoS services and commodity DoS malware.”