Understanding Under Attack Mode

Introduction
Under Attack Mode (UAM from now on) is the first shield Cloudflare offers against DDoS and bot attacks. It has been around for nearly a decade, and even after all this time it still holds strong against most attacks.

While it performs well, customers must understand how it works and, most importantly, what its limitations are and how to deal with them.

The technique
It makes sense to start with the big picture of what goes on behind the scenes of the UAM challenge page.

Detecting bots is complicated; things get even more complex when you want to detect bots while staying compatible with all major browsers. Security vendors need a solution that works in every browser, requires minimal user interaction, and is effective against any generic bot.
Through observation, anybody can notice that most bots share the following shortcomings:

  1. They ignore cookies. Why would a bot respect the cookies a web server asks it to store?
  2. They ignore code. Why would a bot put effort into executing your website’s JavaScript?

From those two observations, the industry came up with the idea of challenging visitors to prove they are human.
Before a user can access your site, their browser must solve a challenge by executing a piece of code (typically written in JavaScript). The result of that code is submitted to an endpoint that verifies the legitimacy of the visitor.
If the result is correct, the browser receives a cookie that grants temporary access to the website (or websites) the legitimate client wants to reach; every subsequent request carries that cookie instead of solving a new challenge.

At this point, you might be wondering how a concept this simple can be effective against bots. As with other security products (anti-virus, anti-cheat, obfuscators), the implementation details built on top of the base idea make the difference between a good and a mediocre product.
Any product can detect some bots; you as a customer should be asking yourself:

  • How many more bots does product A detect than product B?
  • Will I lose legitimate traffic by adding a new bot protection solution?
  • How much am I willing to spend to safeguard my project against bots?

Security products are hard to market; the average customer doesn’t understand what happens behind the scenes, so the easiest way to appeal to them is with good-looking words.
Evaluating specific products is out of the scope of this post, but I’d like to give the reader some rational thinking that might help when choosing one.

  1. “Detects 99% of bot attacks.” How can a vendor claim to detect 99% of all bots? How would they know what 100% of the bots look like? Bots are one side of an arms race; it’s impossible to measure effectiveness under all scenarios. What you can measure is how complex the bots you are detecting are.
  2. “Smart protection / AI.” Machine learning is, without a doubt, a step forward towards the next generation of bot detection. It is also expensive to compute in real time, so be cautious of any solution (especially a cheap one) that claims to use intelligent technologies in its filtering.

Expectations and performance
UAM is effective against most attacks; however, as protections evolve, so do the attacks. If that weren’t the case, captchas wouldn’t be needed by now :smile:
It’s important to understand that complex attacks can “bypass” this protection under some scenarios.
Without going into all the details, attackers typically solve a challenge in one of the following ways:

  1. Static parsing. The attacker extracts from the challenge page the information needed to compute a valid answer and obtain a cookie, without running any JavaScript.
  2. JavaScript emulation. The attacker intercepts the delivered challenge and executes it in a JavaScript engine outside a browser to solve it dynamically.
  3. Headless browser. The attacker loads the page in a headless browser, lets it solve the challenge, and dumps the browser’s cookies for reuse.

These approaches affect every vendor that offers bot protection equally; the critical factors are how resilient the vendor’s challenge is against them, how fast the vendor responds when a bypass appears, and how complex the tools needed to bypass the protection are.
In many cases the bots used to launch attacks are not very powerful (compromised routers or other small IoT devices); complex challenges are essentially unsolvable for them.

Assuming the worst, you will have to deal with a situation where UAM alone isn’t enough to mitigate an attack.
Luckily, attackers usually leave inconsistencies while bypassing UAM, and this is where Cloudflare truly shines: you have the tools to mitigate the attack yourself, without having to wait for a third party to update its challenge.
Tips to look into:

  1. Inconsistencies in the client’s behaviour, e.g. the HTTP version changes between the request that solved the challenge and the requests that follow it (a challenge solved from a real browser over HTTP/2, then a flood from a simple HTTP/1.1 client reusing the cookie).
  2. Requests are missing headers that a real browser always sends.
  3. The bots send requests at abnormal rates.
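The three tips above are easiest to act on once you look at traffic per client IP. Below is an added Node.js example (not part of the original post, and not a Cloudflare tool) that applies all three checks to a handful of constructed request records. The field names loosely follow Cloudflare Logpush HTTP request fields (ClientIP, ClientRequestProtocol, EdgeStartTimestamp, SecurityAction); the `headers` map, the 10-second window and the 20-requests ceiling are assumptions for the demo.

```javascript
// Added example, not from the original post: flagging the three inconsistencies
// listed above across per-IP request records. The records are constructed; their
// field names loosely follow Cloudflare Logpush HTTP request fields (ClientIP,
// ClientRequestProtocol, EdgeStartTimestamp, SecurityAction), plus an assumed
// `headers` map that a real pipeline would need to capture itself.
const WINDOW_S = 10;              // sliding window for the rate check (assumption)
const MAX_REQ_PER_WINDOW = 20;    // assumed ceiling for a person browsing
const EXPECTED_HEADERS = ['accept', 'accept-language', 'accept-encoding'];  // browsers send these

function rec(ClientIP, EdgeStartTimestamp, ClientRequestProtocol, SecurityAction, headers) {
  return { ClientIP, EdgeStartTimestamp, ClientRequestProtocol, SecurityAction, headers };
}
const BROWSER_HEADERS = { accept: 'text/html,*/*', 'accept-language': 'en-US', 'accept-encoding': 'gzip, br', 'user-agent': 'Mozilla/5.0' };
const THIN_HEADERS = { accept: '*/*', 'user-agent': 'Mozilla/5.0' };

// Constructed sample traffic: one person and one bot.
function buildSampleLog() {
  const log = [];
  // A person: challenged once, then browses a few pages over HTTP/2.
  log.push(rec('203.0.113.10', 1000, 'HTTP/2', 'challenge', BROWSER_HEADERS));
  for (const t of [1006, 1015, 1031, 1058]) log.push(rec('203.0.113.10', t, 'HTTP/2', 'allow', BROWSER_HEADERS));
  // A bot: solves the challenge through a real browser stack, then replays the
  // clearance cookie from a bare HTTP/1.1 client at machine speed.
  log.push(rec('198.51.100.23', 1000, 'HTTP/2', 'challenge', BROWSER_HEADERS));
  for (let i = 0; i < 60; i++) log.push(rec('198.51.100.23', 1003 + i * 0.1, 'HTTP/1.1', 'allow', THIN_HEADERS));
  return log;
}

// Largest number of requests that fall inside any WINDOW_S-second span.
function peakRequestsPerWindow(timestamps) {
  const ts = [...timestamps].sort((a, b) => a - b);
  let peak = 0;
  for (let start = 0, end = 0; end < ts.length; end++) {
    while (ts[end] - ts[start] > WINDOW_S) start++;
    peak = Math.max(peak, end - start + 1);
  }
  return peak;
}

function analyzeClient(ip, records) {
  const challenged = records.filter(r => r.SecurityAction === 'challenge');
  const cleared = records.filter(r => r.SecurityAction !== 'challenge');
  // Tip 1: did the protocol differ between solving the challenge and what followed?
  const protosBefore = new Set(challenged.map(r => r.ClientRequestProtocol));
  const protosAfter = new Set(cleared.map(r => r.ClientRequestProtocol));
  const protocolChanged = challenged.length > 0 && [...protosAfter].some(p => !protosBefore.has(p));
  // Tip 2: which headers that every browser sends went missing after clearance?
  const missingHeaders = EXPECTED_HEADERS.filter(h => cleared.some(r => !(h in r.headers)));
  // Tip 3: how fast did the client hit the site once it was let through?
  const peak = peakRequestsPerWindow(cleared.map(r => r.EdgeStartTimestamp));
  const reasons = [];
  if (protocolChanged) reasons.push(`protocol ${[...protosBefore]} -> ${[...protosAfter]}`);
  if (missingHeaders.length) reasons.push(`missing ${missingHeaders.join(', ')}`);
  if (peak > MAX_REQ_PER_WINDOW) reasons.push(`${peak} requests in ${WINDOW_S}s`);
  return { ip, protocolChanged, missingHeaders, peakRequestsPerWindow: peak, reasons };
}

// One entry per IP that tripped at least one check. Feed the shared traits of
// these clients into a firewall or rate-limiting rule rather than acting on a
// single signal, so you do not also catch people behind the same NAT.
function findSuspiciousClients(log) {
  const byIp = new Map();
  for (const r of log) {
    if (!byIp.has(r.ClientIP)) byIp.set(r.ClientIP, []);
    byIp.get(r.ClientIP).push(r);
  }
  return [...byIp].map(([ip, recs]) => analyzeClient(ip, recs)).filter(a => a.reasons.length > 0);
}

console.log(findSuspiciousClients(buildSampleLog()));
```

Run against the sample data, only the second IP is reported, with all three reasons: it switched from HTTP/2 to HTTP/1.1 after clearance, dropped Accept-Language and Accept-Encoding, and made 60 requests inside ten seconds. The person browsing over HTTP/2 with a full header set at a few requests per minute trips none of the checks, which is the property you want before turning such findings into a firewall rule.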

I wrote a guide a while ago on using the Cloudflare dashboard and its firewall to mitigate DDoS attacks manually. I recommend checking it out, as the modus operandi for mitigating even attacks of this complexity is similar.

I need help mitigating an attack
Some attacks can be tough to mitigate; both support and the community are prepared to help you. To speed up this process, I suggest that you gather the following information before opening a post or a support ticket:

  1. Unique visitors visiting your site during the attack:
  2. Unique visitors that normally visit your site:
  3. Percent cached:
  4. Firewall Events overview: (Image)
  5. Firewall Top events by source:
  6. Activity log: (Image of at least five random examples with status BLOCK, CHALLENGE or CAPTCHA)
  7. Current Cloudflare plan:
  8. UAM enabled: [y/n]
  9. Custom firewall rules deployed (if any):
