Ask HN: "Creative" ways to handle abusive http traffic?
I run a pretty popular site that is constantly experiencing some form of abusive traffic- most notably attackers running password dumps against our login endpoint (sometimes from 10k+ ipv4 addresses among several subnets and ASNs). We've mostly mitigated this with rate limiting, captcha and other forms of "suspicious login" detection. But I've been recently pondering ways to waste their time or resources to make password dumping less appealing.
The most recent attack could be accurately and precisely detected, and I noticed the abusive traffic would follow 301 redirects, so I decided to redirect all requests back to their own IP addresses.
I don't think it really slowed them down, but got me thinking of otherwise to stop/slow them down:
* 301 redirect them to a "honeypot" server that holds onto sockets for as long as possible and/or causes the client to waste time/cpu cycles (perhaps, constantly asking the client to renegotiate TLS)
* 301 redirect to https://nsa.gov so they might get on someone's radar with the time and resources to stop them
* Redirect them to a non http protocol, like geo:, potentially blocking the abusive client with a dialog "Want to open this with <Maps Application>?" (Some attacks originate from Android devices- I'm not sure how deeply the custom protocol hooks are registered and if that would even work)
I know abusive web traffic is pretty widespread and was curious how others dealt with it other than standard captcha, rate limiting and iptables rules
142 comments
[ 3.7 ms ] story [ 192 ms ] threadBut if you can ID them easily then iptables rules might be the most effective use of your time, especially if you can use fail2ban, which makes the whole process very easy.
The TLS thing is interesting, but if some of this traffic is coming from compromised devices it would probably be less harmful for the owner of the device if you didn't make them burn a ton of CPU cycles.
It's fairly easy to create fake, but checksum compliant credit cards.
1. https://en.wikipedia.org/wiki/Tarpit_(networking)
https://home.nuug.no/~peter/pf/en/bruteforce.html
Require your clients to perform some amount of computation to do a request.
Something like this: https://www.npmjs.com/package/work-token
* native code can almost certainly run faster than javascript code, even if you're using webassembly. in my experience js cryptominers operate at around half the speed compared to their native counterpart on the same machine
* the attacker can leverage GPUs to compute solutions hundreds of times faster than what your users can
* users have to wait 30 seconds before they can login. you can generate the key while the user's filling in the form to shave off a few perceived seconds, but that will result in a sluggish login form
* users with slow CPUs (ie. anything slower than what's in a c5.large) will take even longer to generate a solution. this is especially problematic for people on smartphones
* users might think that your site's high CPU usage is because you're running a cryptominer on your site!
What if you write it in Electron though?
If your attacker isn't even paying for the resources they use, such as from botnets or borrowed, then your attack value has gone out of the window. If the indivdual attack is free to the attacker, then you're left with time. PoW guarantees a time value. If a single PoW is too cheap, then ask for more values.
https://github.com/tinspin/rupy/blob/master/src/se/rupy/http...
It's secure and solves this problem too.
So it solves this problem AND it's secure! No brainer.
But you can keep using HTTPS if you want.
Someone who wishes just to abuse your API with no intention to actually log in will just flood you with reams of requests to obtain new work tokens without executing any of them.
So you're back to regular rate limiting, etc.
I do share your desire though to try to direct the traffic towards some entity that could be better equipped at cutting it off at its source. It's automated traffic for the most part, so perhaps a clever automated solution could be effective at stirring a bigger or more well-equipped entity to cut if off. Past attempts at FBI reports and such have not amounted to anything for us.
https://en.wikipedia.org/wiki/Blue_Frog
It didn't work out so well.
[1] http://labrea.sourceforge.net/labrea-info.html
As a 10 year redditor, that really frustrates me, since I can't go back and see my early posts any more.
I'd much rather they let you get your own history out and then make it impossible to get said history for anyone else (unless that person chooses to allow it).
https://www.reddit.com/r/announcements/comments/8m2yr4/were_...
To the first part: I would characterize certain scraping, usually behind an authentication wall, as malicious--though admittedly that's not the right word. An example would be scraping Facebook profiles to build a marketing list.
So, by 'non malicious,' i mostly mean 'publicly available data'
But I didn't try anything fancy. In retrospective, I probably should have turned on my VPN and see what happened.
That way you can easily control the fake success rate, and you make sure that if the attacker realises they are being tricked, they can't just retry successful logins to double check, since they get the same result every time.
OP mentioned the attack is easily identified so legitimate traffic gets served correctly bad traffic gets "logged in" to the poisoned honeypot. 301 after login perhaps
It will hopefully waste their time and discourage them from trying to find other ways.
- not on company time, this is not crucial to the business
- try to collect as much information on the attackers (are they really "hackers"?) as possible, the info they send you, how they react to your challenges ... and share it with us!
Thanks and have fun!
https://news.ycombinator.com/item?id=14707674
ie) perl -e "print '0' for (1..1000000000)" | gzip > zipbomb.gz
This will create a ~ 1MB file that will expand into something 1000 times its size.
?
0) Return massive amounts of data.
1) Return empty on requests that go over a requests/second ratio (use memcache)
2) Return fake success pages. [This is super mean]
3) Return dictionary printouts. [Destroys pattern matching]
Some attacks claim to originate from Android devices.
If you want to try to crash the client, you can try gzipping a large amount of null bytes and reply with that. It should compress about 1000 to 1.
Someone else suggested faking a successful login a small percentage of the time, which is a nice trick.
Note that by doing this stuff you could very well provoke a DDoS. Just block the traffic.
CFAA is a tractor beam they can use against anyone they don't like.
I work cyber security (well, mostly application security these days and not so much networking/telecomms) and I've also been involved with a small spat as a contractor a few years back. Basically, I had broken a collection source for the FBI by fixing and securing a resource for a certain department for a certain state, and maybe hypothetically it had to do with a very sunshiney state and maybe hypothetically it was a department that involved wheeled objects.
The firm I worked for was contacted by an investigator, which, lemme tell you, when an FBI agent appears at your work and asks your boss what sort of assignment you're working on, have no illusion that he's not about to cover for you in any way. Not that I did anything wrong. So anyways, the investigator asked me why I made all these WAN changes and about what packet filtering I had added/removed/reconfigured, all this technical domain knowledge and be really had a good idea of what I was actually doing. So I was comfortable. Eventually he left, basically saying we may be contacted further or potentially if the "investigation" became more serious, be made to appear in court.
Well the following week, a different guy comes in, and basically sealed me in our little coffee room and interrogated me. I was cooperative as I could be because I thought he was well informed like the other guy and generally had an understanding with my work, but he was a complete asshole.
It ended up that (thank God) all my paperwork was in order and my contract was pretty intensively detailed about what work I was going to be doing, I hired an attorney and he took good care of me. Never made it to court, but I ended up owing the lawyer a couple grand (funny how THEY always get paid) and yeah. Luckily I didn't go to federal prison, and my gratitude pushed me to greener pastures and better states.
TL;DR, your judgment has gotten you this far, so trust yourself, but I've poked the government before and I almost went to federal prison. Ymmv
What did he do?
"oh! I see, you want to stop the government from looking up drivers' social security numbers..."
"no, but that data doesn't need to be in the same table that the civilian website queries from, just in case."
"just in case what? Just in case I don't catch you stealing civilian's personal information? Just in case I don't catch your ass performing treason in my goddamn system?!"
"no no no, I'm just saying that information should be divided according to where it is expected to be used from, that way if there was ever to be an incident, the more sensitive information is farther away from where the attack surface is"
" so you've thought this through, tell me: how are you gonna do it? When I'm not looking, you empty out a government database and sell it to someone. Who? How? When?? Are you gonna make me sit here all day before you tell me?"
That type of shit.
Because if not, you're not out of the woods.
I hired the attorney too. I thought (and he thought) it wasn't ever going to make it to court. I moved on to a different job in a different state. Years later, surprise surprise.
NEVER say anything but the word "lawyer" to a law enforcement official. FBI agents make a policy of not recording interrogations (euphemistically referred to as "interviews") with anything but their own notes. Every word you thought he was trying to put in your mouth, he did, successfully, and when and if it makes it into court, it's your word against his, and nobody will believe you.
I realized later how badly I fucked up that second interview because you're right, I shouldnt have said anything. It's embarrassing but I was more or less "good fed, bad fed"'d.
I've not had any major incidents of this nature since then, but rest assured, I know what to do now.
Were you a contractor too, or a state employee? How bad did it end up?
The bad part is that the agent's notes can be used to convict not only you, but other innocent parties as well. That happened with me- I've never talked to an FBI agent in my life, but after being woken up half-naked with 17+ FBI agents storming the house and pointing M4 assault rifles at her head, trapped in a fenced backyard, my wife did talk to them, no Miranda warning (2011).
Naturally, half the things in the notes were literally impossible for her to have said. The agent himself didn't even memorialize them in a 302 until 2 days after the whole-house search and seizure. That was good enough for the judge to call it consensual and admissible.
For more details, mattchannon dot org.
https://www.youtube.com/watch?v=d-7o9xYp7eE
What to do:
https://www.youtube.com/watch?v=b8S4isIxo2w
It's simple really:
https://lawcomic.net/guide/?p=2897
https://en.wikipedia.org/wiki/Billion_laughs_attack
Also, see if they crash with invalid responses. You can serve a malformed document or something like that.
Question is, would this approach get their attention? Seems unlikely, but maybe some users would wonder why their computer was sluggish, and run a virus scan, do a system update, or take other steps to check for malware.
Let's be clear, I'm not claiming it would work for sure. I said "maybe." Point is, the computer being a desktop should not lead to shutting the idea down.
Eating CPU though should do the trick.
1. just redirect them to their OWN IP .
2. Just welcome them with a WebJelPool Note : WebJelpool will have infinite ( random ) list of Links with no factual result .. these links will only open a new Pool of random & infinite list of URL .. & so on . bot / person will be in a mess with no facts .