top | item 33095403

(no title)

If you expose a web server to the internet today you'll get 10 malicious requests for every 1 legitimate request.

This constant and unrelenting beating at your doors doesn't go away unless you add perimeter protection.

The options here are:

1) Block the IP and cidr ranges that are giving you trouble

2) Silently scan the connection request and block it when things look fishy

3) Provide a challenge in the return response that is difficult for bots to complete

Most of the bot protection on the internet is #2 where you don't notice you've been verified as a human and the site just loads. People hate #3 of completing a challenge, but the other option here is #1 where the site doesn't load at all.

I'd argue that bots are breaking the internet.

discuss

tzs|3 years ago

Cloudflare seems to have a 4th:

4) Provide a challenge in the return response that is impossible for anyone to complete

One way to see this one is to use Selenium to launch your browser. E.g., run this code in Python:

from selenium import webdriver

browser = webdriver.Chrome()

then when the browser launches start using it manually to surf the web [1]. This works great on most sites I've visited this way, including my financial institutions. But if it hits a Cloudflare CAPTCHA it fails. For example try this on fanfiction.net. It hits the browser check page if I try to go to any category or story page. I click the checkbox to tell it I'm real, get the challenge to identify the lions or whatever, do that until it is satisfied I really can identify lions...and then just goes back to the browser check page. As far as I can tell it is just an endless loop of check the box and identify the things at that point.

There are some settings you can do in Selenium to tell it to to somewhat hide from the site that Selenium is involved, which for a while allowed getting past the CAPTCHA but that stopped working after a while.

There's also a project somewhere on Github to make a Selenium Chrome driver specifically designed to not trigger bot detection, which also worked for a while and then stopped.

[1] Why would I want a Selenium-launched browser if I'm going to be using it manually? It's for sites where I want to do some automated things on just some pages. For example one of my financial institutions has a lot of options on their transaction download page, so after I finish manually doing things like checking balances, looking at recent activity, paying bills and want to finish by downloading transactions, I can have the script that launched the browser handle that.

jscholes|3 years ago

Try launching the instance of Chrome with `--disable-web-security` and `--disable-features=IsolateOrigins,site-per-process` options. I use these when launching Chrome via Playwright, and CAPTCHAs seemed to work fine several months ago.

netsectoday|3 years ago

When a selenium worker is attached to a pay-for-solution captcha service the infinite loop of captchas that can be solved but don't provide access would be meant to drain you financially. You uncovered a pretty sweet (dark) pattern implemented by Cloudflare to screw bot owners.

This is just #2 and #3 combined.

It sounds like this is working as intended and also wastes your time with un-passable captchas instead of you spending more time trying to figure out how to get around their bot protection.

Another observation here is that you really shouldn't be hacking some scripts on top of your bank login. The banks know this and they are trying everything possible to dissuade you from doing this.

unknown|3 years ago

[deleted]

ynbl_|3 years ago

i have never had a site hacked and i dont even know or care if its being attacked - just dont litter it with rce vulns. if its being ddosed on the other hand, then use an anti ddos solution but your post is such corpo bullshit that i cant even tell if its talking about defending against ddos or defending against hacks (which you cant defend against, they will get around your filters within 5 minutes of playing around).

nrook|3 years ago

[deleted]

jimhi|3 years ago

I'm not sure you understand what Cloudflare is. They have various protections for websites including ones you do not like.

They don't host attacks. They don't even offer a hosting service for that code to run on really. Those attacks come from botnets, mostly hacked IOT devices and servers across the web.

netsectoday|3 years ago

Cloudflare provides products that protect against malicious requests. They don't help craft those requests, and they don't flood traffic to websites that aren't using their product. It's not a racket.