JavaScript challenge for HTTP DDoS mitigation #536
The module can be configured with following syntax:

e.g.

```html
<html>
<body>
<p></p> <p></p>
<h2 align='center'>
<a href="http://tempesta-tech.com">Tempesta FW</a>
is verifying your browser, please wait a little bit...
</h2>
<p></p> <p></p>
<script>
var prefix = "[% STICKY_NAME %]";
var delay_min = [% DELAY_MIN %];
var delay_range = [% DELAY_RANGE %];
if (navigator.cookieEnabled
    && document.cookie.startsWith(prefix))
{
    var ts = "0x" + document.cookie.substr(prefix.length + 1, 16);
    setTimeout(function() {
        location.reload();
    }, delay_min + Number(ts) % delay_range);
} else {
    document.write("<h3 align='center' style='color:red'>"
                   + "Please enable cookies and reload"
                   + " the page</h3>");
}
</script>
</body>
</html>
```

Note that this is a template which must be compiled at system start by

JavaScript challenge module replies to all requests with

Having the script executed, all following requests will have the right cookie value, so with the challenge switched on we should block all following requests having no set cookie. However, the challenge can not be used for all requests, e.g. images - a browser won't execute the JS code if it receives the challenge. Thus, the module sends the redirect only for requests having in

The algorithm for the challenge:
Please add the description of the feature to Configuration and DDoS mitigation Wiki pages.
FYI: cloudflare returns 503 status code when site is in 'under attack' mode and you see JS challenge (and 403 with captcha, as far as I know).
@hroost yes, good comment. I adjusted the configuration requirement to make the response code configurable. I also agree that returning 200 code isn't good if we actually return something other than the requested resource. Thank you!
If a DDoS bot is able to process cookies and do redirects sent by sticky cookie, then JavaScript is useful to challenge a bot. So `http_sticky` module should be extended to `http_challenge` module which should implement JavaScript challenge as well. The module shall do basically the same as sticky cookie, but using JavaScript instead of HTTP redirects: send 200 response with HTML document containing JavaScript code which sets encrypted/hashed Cookie and requests the same URI.
There is a reference implementation by @kyprizel.

There is a good discussion about PhantomJS detection, but all the methods aren't infallible,
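The cookie handling the challenge template relies on, and the server-side decision the issue describes (pass requests that carry the sticky cookie, challenge eligible ones, block the rest), as an added example that is not Tempesta FW's code and not the reference implementation mentioned above. The cookie name `tfw_sticky`, the request shape `{ cookies, challengeEligible }` and the function names are assumptions made for illustration; which requests are eligible for the challenge is left to the caller, since the issue text does not spell that condition out here. Unlike the template's `document.cookie.startsWith(prefix)`, the lookup below finds the sticky cookie at any position in the Cookie string, and it uses `BigInt` so all 16 hex digits of the timestamp take part in the delay computation (`Number("0x" + 16 hex digits)` rounds above 2^53).

```javascript
// Added example (not Tempesta FW's code). Names and request shape are assumptions.

// Locate "<prefix>=<value>" in a document.cookie-style string such as
// "a=1; b=2" and return the value, or null when the cookie is absent.
// The template's startsWith(prefix) check only matches when the sticky
// cookie happens to be listed first; this scans every cookie.
function findStickyCookie(cookieString, prefix) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(prefix + '=')) {
      return trimmed.slice(prefix.length + 1);
    }
  }
  return null;
}

// Reproduce the delay the template computes: delay_min + ts % delay_range,
// where ts is the first 16 hex characters of the cookie value.
// Returns null when the cookie is missing or malformed, i.e. the case in
// which the template shows the "Please enable cookies" message instead.
function challengeDelay(cookieString, prefix, delayMin, delayRange) {
  const value = findStickyCookie(cookieString, prefix);
  if (value === null) return null;
  const hex = value.slice(0, 16);
  if (!/^[0-9a-fA-F]{16}$/.test(hex)) return null;
  // BigInt keeps the full 64-bit value exact before the modulo.
  const ts = BigInt('0x' + hex);
  return delayMin + Number(ts % BigInt(delayRange));
}

// Server-side decision with the challenge switched on.
// req.cookies        - the raw Cookie header value (assumed shape)
// req.challengeEligible - whether a browser would execute the challenge
//                      page for this request (decided by the caller)
// statusCode         - configurable status for the challenge response
//                      (the thread suggests 503 rather than 200)
function classifyRequest(req, prefix, statusCode) {
  if (findStickyCookie(req.cookies, prefix) !== null) {
    return { action: 'pass' };
  }
  if (req.challengeEligible) {
    return { action: 'challenge', status: statusCode };
  }
  // No cookie and the client would not run the script (e.g. an image
  // fetch): the issue says such requests are blocked.
  return { action: 'block' };
}

// Constructed sample inputs (not captured traffic).
const STICKY_NAME = 'tfw_sticky';
const SAMPLE_COOKIES = 'session=abc; tfw_sticky=00000000000003e8deadbeef; theme=dark';
const SAMPLE_NO_COOKIE = 'theme=dark';

console.log(challengeDelay(SAMPLE_COOKIES, STICKY_NAME, 1000, 1000));
console.log(classifyRequest({ cookies: SAMPLE_NO_COOKIE, challengeEligible: true },
                            STICKY_NAME, 503));
```

In the sample the sticky cookie is the second cookie, so the template's `startsWith` check would fall through to the "enable cookies" branch even though the cookie is present; a robust challenge page should parse the Cookie string rather than assume ordering.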