Use JavaScript scripts to defend against DDOS attacks

Source: Internet
Author: User


Next, I continued to use JavaScript scripts to defend against DDOS attacks.
Vs v2
The previous tricks are purely entertaining and cannot last long.
But they were simple and fun, and that seems to be the pleasure of confrontation. I never imagined that script "black technology" could be used for network defense.
As a result, we had to fight for a while.
Upgrading frequently was not easy, so I switched to a more complex script with a large number of algorithm libraries packaged in. The sheer density of the code alone can scare off people with trypophobia.
In addition, some self-check functions are hidden to interfere with script analysis and cracking.
At this time, it is extremely difficult to port the script logic.
This forces attackers to use another method...
Vs v3
Why do we need to crack the script and understand the details? Let the attacker run the script directly!
This was what I had worried about. After this upgrade, the attacker simply pops up the web page, and it looks just like a normal user...
A black-box attack! Encryption and obfuscation are useless against it. All you can do is look for flaws, so I started collecting black magic that distinguishes a "real web page" from an "embedded web page".
For example, some attackers pop the web page up off-screen for concealment, so checking the page's screenLeft and screenTop can identify it.
For example, the size of an embedded web page is locked, while a pop-up page may be resizable, so you can try to change the size by one or two pixels.
.....
So size and coordinates alone kept things busy for a while.
In fact, most attackers do not pay attention to details. Therefore, there are still many flaws.
However, what should be done after a flaw is discovered? Should the front end simply stop right there? Of course not. That would be too obvious.
Even when a client is identified, the request is still sent and the client can still be added to the whitelist. However, the request is quietly marked to indicate a suspicious user, and the resulting whitelist entry is valid for a much shorter time than normal.
In this way, the attacker's test results are delayed and the time needed for cracking increases.
In addition, the firewall policy was upgraded and a "blacklist" mechanism was added. An IP address on the blacklist cannot be whitelisted.
Once a user's suspicion value accumulates to a certain level, the user is blacklisted directly.
As the number of installed firewalls increases, the blacklist is shared to avoid repeated analysis.
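The whitelist and blacklist policy described above, sketched as an added example (not the author's firewall code). The class name `AuthPolicy`, the TTL values, the threshold and the numeric suspicion weight are all assumptions made for illustration.

```javascript
// Added example: every constant below is a constructed value, not from the article.
const NORMAL_TTL_MS = 60 * 60 * 1000;  // assumed whitelist lifetime for unmarked clients
const SUSPECT_TTL_MS = 5 * 60 * 1000;  // assumed, much shorter lifetime for marked clients
const BLACKLIST_SCORE = 10;            // assumed accumulated-suspicion threshold

class AuthPolicy {
  constructor() {
    this.whitelist = new Map();  // ip -> expiry timestamp (ms)
    this.suspicion = new Map();  // ip -> accumulated suspicion value
    this.blacklist = new Set();
  }

  // One authorization request. suspicionDelta is the quiet mark sent by the
  // page script (0 = nothing odd seen); now is the current time in ms.
  authorize(ip, suspicionDelta, now) {
    if (this.blacklist.has(ip)) return { allowed: false, reason: 'blacklisted' };
    let score = this.suspicion.get(ip) || 0;
    if (suspicionDelta > 0) {
      score += suspicionDelta;
      this.suspicion.set(ip, score);
      if (score >= BLACKLIST_SCORE) {
        this.blacklist.add(ip);
        this.whitelist.delete(ip);
        return { allowed: false, reason: 'blacklisted' };
      }
    }
    // A marked client is still whitelisted, so it gets no immediate feedback;
    // its entry simply expires sooner.
    const expires = now + (score > 0 ? SUSPECT_TTL_MS : NORMAL_TTL_MS);
    this.whitelist.set(ip, expires);
    return { allowed: true, expires };
  }

  isWhitelisted(ip, now) {
    if (this.blacklist.has(ip)) return false;  // blacklisted IPs can never be white
    const expires = this.whitelist.get(ip);
    return expires !== undefined && expires > now;
  }

  // Merge a blacklist shared by another firewall, avoiding repeated analysis.
  importBlacklist(ips) {
    for (const ip of ips) {
      this.blacklist.add(ip);
      this.whitelist.delete(ip);
    }
  }
}
```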
Vs v4
Front-end secrets are discovered sooner or later.
Finally, the attacker also adopted "embedded web pages"! The previous black magic became ineffective...
However, there are still some flaws.
Many attackers hide the program's interface, and this causes some rendering differences.
For example, Flash has this mechanism: when the interface is invisible, the frame rate is reduced to 2 fps to save resources.
For example, complex JS animation effects normally do not run smoothly. However, when the interface is hidden, they run without any pressure.
.....
Of course, these can only be used for reference and are not necessarily correct.
At the same time, the firewall policy was also adjusted: interception is enabled only when the machine is under heavy pressure. This minimizes the chance of users being accidentally hurt by "black technology".
In this way, another year went by in patching things up.
Vs v5
Since the popularity of Chrome browser, it has aroused people's enthusiasm for front-end research. At the same time, script debugging has become easier.
In order not to lose the final advantage, we decided to "do the opposite": part of the script's logic was replaced with VBScript, forcing it to stay on IE.
At the same time, some features were implemented in Flash.
The entire process can only be completed through interaction among JS, VBS, Flash, and iframes, which greatly increases the debugging complexity.
Vs v6
In the fight against embarrassment, I even tried some other strategies. For example, a dialog box is displayed:
The following is a code snippet:
alert('Restore to XXX ')
Execution continues only after you click OK, so some counterfeit clients got stuck here.
Of course, the attacker quickly responded by blocking the dialog box.
How do we know this? Because the time each dialog box stays open is recorded:
The following is a code snippet:
var t = Date.now();   // timestamp just before the dialog opens
alert(...);           // blocks until the dialog is dismissed
t = Date.now() - t;   // how long the dialog stayed open, in ms
However, the measured time was actually 0 ms!!!
  

In the end
Vs v7
After a while, the attacker found out the rule and stopped blocking the dialog box directly.
Instead, when it first pops up, they may wait several seconds and then send the Enter key to close it... Anything I can think of, others can think of too.
Later, I tried popping up two, three, or a random number of dialog boxes, while the other side might click only one. Of course, this was just a temporary and rather funny solution.
...
Finally, the system dialog box could no longer be used. Instead, a dialog is drawn in HTML, and it can only be closed by clicking.
In fact, I had thought about this long before but never dared to implement it: because it is only an embedded web page, not clicking it does not affect the use of the program, and users who do not notice it may miss it.
The system dialog box does not have this problem. Because it will block the message of the entire program, no other operations can be performed without clicking it.
So that users would not miss it, this time we made an extremely eye-catching floating layer with sound and flashing effects.
With the move back to HTML, the advantage in the confrontation increased greatly.
Attackers can simulate mouse clicks, but a click alone is far from enough: the mouse cannot appear on the close button out of nowhere; it has to move onto it first.
Therefore, events such as move, over, and out are also counted. It is extremely suspicious if the number is very small.
Of course, there are still many similar behavior analysis methods. Along with the unique ideas, we will update them one after another until the end.
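The two behavior checks from v6 and v7, the dialog pause time and the count of move, over, and out events before the close click, written out as an added example (not the author's script). The thresholds, weights, function names and the `{ type, target }` event records are assumptions for illustration.

```javascript
// Added example: thresholds and weights are constructed, not from the article.
const MIN_DIALOG_MS = 50;      // assumed floor for a human dismissing a dialog
const MIN_POINTER_EVENTS = 5;  // assumed fewest move/over/out events on a real approach

// Measures how long a blocking dialog stayed open. show and clock are injected
// (hypothetical parameters) so the logic also runs outside a browser; in a page
// they would be () => alert(msg) and Date.now.
function timeDialog(show, clock) {
  const start = clock();
  show();
  return clock() - start;
}

// A dialog dismissed in about 0 ms was suppressed by the host program.
function scoreDialogPause(ms) {
  return ms < MIN_DIALOG_MS ? 3 : 0;
}

// events: records in arrival order, each { type, target }; target 'close' is
// the HTML dialog's close button. Returns a suspicion value and the reasons.
function scoreCloseClick(events) {
  const counts = { mousemove: 0, mouseover: 0, mouseout: 0 };
  let entered = false;
  let clicked = false;
  let clickWithoutEnter = false;
  for (const e of events) {
    if (Object.prototype.hasOwnProperty.call(counts, e.type)) counts[e.type] += 1;
    if (e.type === 'mouseover' && e.target === 'close') entered = true;
    if (e.type === 'mouseout' && e.target === 'close') entered = false;
    if (e.type === 'click' && e.target === 'close') {
      clicked = true;
      if (!entered) clickWithoutEnter = true;
    }
  }
  const reasons = [];
  let suspicion = 0;
  if (!clicked) return { suspicion, reasons };  // dialog still open, nothing to judge
  const pointerEvents = counts.mousemove + counts.mouseover + counts.mouseout;
  if (pointerEvents < MIN_POINTER_EVENTS) {
    suspicion += 2;
    reasons.push('few pointer events before click');
  }
  if (clickWithoutEnter) {
    suspicion += 3;
    reasons.push('click without entering the button');
  }
  return { suspicion, reasons };
}
```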
Other confrontation
Of course, not all attacks start with scripts.
There are still many simple, brute-force attacks. In particular, the "Authorization server" naturally becomes everyone's target.
Use traditional load balancing? Simple, but not concealed. Attackers only need to track the domain name to enumerate the IP addresses.
For concealment, the IP list is written into a script, and the program loads that script. The script is encrypted and obfuscated.
In this way, attackers are led back into the "front-end black magic" trap!
Of course, we can still observe it during the runtime, but it is a little troublesome.
At the same time, some policies are also optimized in the structure.
For example, an "Authorization Service" is also opened on the game server.
In normal times, when interception is not enabled, clients can go directly through this "Green Channel"; only when that access fails do they go through the "Authorization server" as a relay.



In this way, the dependency on the "Authorization server" is greatly reduced!
Of course, there is also a drawback: the logic of the Authorization Service is exposed. Therefore, some modules of the firewall were also packed (shelled).
End
As front-end technologies become increasingly mature, their advantages are far inferior to those in the past. In addition, black technologies and other work have gradually been updated.
By the time I finished university, updates had been completely abandoned.
Although there are many interesting things, this is the longest and most Scientific Section. No, there is no high technology, unless "thinking" is the same.
The vast majority of the time is spent on "thinking", and the process of "code" is very small.
Of course, I also thought about some other types of "JavaScript firewalls", such as "Cross-Site firewalls" and "Traffic hijacking firewalls". Later, I turned them into reality and used them in my work.
Playing with security defense through front-end scripts began at that moment and has continued to this day.
 

 

 
