Captcha-solving Botnet


Due to the nature of my website, I’m used to getting DDOS’ed on a daily basis at this point and Cloudflare is doing a pretty good job blocking them with auto ddos detection and custom firewall rules when configured properly.

However, today I received a very interesting attack, so I figured I should share it here.

Normally, none of the malicious traffic ever gets to the origin server due to strict WAF configuration and “always on” CAPTCHA & Managed Challenge rules.
Challenge passage is 30 minutes, and security level is set to high.

But according to nginx logs, there was around 10 million requests made in just around 60 seconds. With randomized path parameters & a specific “referrer” header. Before you might say, I have proper iptables configuration to drop non-cloudflare packets. Also I clearly see the traffic bump on Cloudflare graph as well.

When I filtered them by CF-Connecting-IP, I was left with around 15-20 IPs from various hosting companies. All of the attacker IPs are clear, with 0% threat score in databases.

The interesting part is, each IP made one request at the beginning:

After around 10 seconds, all of them, simultaneously started spamming GETs to a specific file on the server, but due to the attacker adding its own random path after the URI, it returned 404 to all of them.
Each IP made around 500k-1mil requests before cloudflare kicked in with auto DDoS alert.

Also, they seem to be adding their own “Referrer” header during DDoS requests. And the value of this header contains the URL of the page that captcha was solved on. (See first line).

I mitigated this issue by adding ratelimit rules, but still an interesting one. They bypassed enforced captcha.

Are they emulating real browsers and once cloudflare hands them the valid captcha passage cookie, they start flooding? Beacuse the favicon request (see second line) makes me think it’s a legit browser (at the beginning at least). Or are they just slightly advanced python scripts?

Would like to hear your opinions

1 Like

Not sure how they achieved that, but it is notable. Captchas aren’t perfect at the end of the day. I know that there are some services out there that you can pay an amount of money for it to bypass different types of captchas. I think the pricing is around $1-$3 for 1,000 captcha bypasses.

You could try to reverse engineer one of the services or get some site analytics tool to records the users moments on the site. Of course, you’ll only be able to see what happens like mouse movements after the captcha is solved.

Yeah but the thing is, normally Cloudflare expects these requests to originate from real browsers since it is a captcha that’s supposed to be solved on a browser.

Once captcha is solved, future requests must include a certain cookie in the requests (called “cf_clearance”) so cloudflare knows that it indeed solved the initial captcha. Now the main question is, why does cloudflare not know that a legit browser instance will never make 10k requests/second? They could have easily invalidated the “cf_clearance” cookie to force the browser to re-take the captcha, or even get blocked.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.