Spamming and DDoS attacks have increased by a large margin in the past few years. While there are already a lot of rigid mitigation methods for guarding against lower-layer attacks (such as SYN or ICMP flooding, Smurf attack, DNS amplification, and more), implementation on an application layer can prove to be more troubling. Application layer DDoS mitigation requires the service itself to differentiate between a bot and a human in order to provide services only to legit human users and to curb mass spamming. Attempts at so-called "Turing" tests were implemented to do so, hence the original captchas. However, bot-makers rendered them . useless with text recognition powered by machine learning Google then led the switch to , which is seriously a very bad user experience. Because it makes the test harder for bots, the images are barely categorizable in plenty of cases. Personally, I really hate ReCaptchas, especially when the topic is something like “Choose all the Bridges”. Therefore, I decided to provide an easy alternative with a much better UX: “simply wait for your browser to do the rest for you”. image-based ReCaptcha How it Works PoW Shield provides DDoS protection on the OSI application layer by authenticating traffic using a simple proof-of-work validation process. So basically, the PoW Shield works as a proxy in front of the actual web app/service. It conducts verification and through to the actual server. The proxy is easily installable and is capable of protecting low-security applications. only proxies authorized traffic Here’s what happens behind the scenes when a user browses a PoW Shield-protected web service: The server generates a and sends it along with the PoW Shield page to the client. random hex-encoded “prefix” The browser JavaScript on the client-side then that, when appended with the prefix, can produce a SHA256 hash with the number of leading zero-bits more than the “difficulty” D specified by the server. i.e. SHA256(prefix + nonce)=0…0xxxx (binary, with more than D leading 0s) attempts to brute-force a “nonce” The client-side JavaScript then sends the calculated nonce to the server for verification, if verification passes, the server for the client to pass authentication. generates a cookie The server the now authenticated client traffic to the server. starts proxying Installation and Configuration Simply clone the repository to the server you want PoW to run on, install dependencies, edit configurations, and you’re all set. PoW Shield Github Repository Here’s a detailed walkthrough: npm install cp -n .env.example .env npm run build npm start # 1.clone repo # 2.install dependencies # 3.copy sample configuration # 4.edit .env(we'll cover this later) # 5.build JavaScript files(project is in TypeScript) # 6.start PoW Shield Configuration explanation: : secret key for cookie signatures, use a unique one for security reasons, or anyone can forge your signed cookies SESSION_KEY : toggles WAF functionality on/off (WAF is a work in progress) WAF : toggles PoW functionality on/off (if not temporarily switched off, why use this project at all?) POW : specifies the maximum time a nonce has to be submitted to the server after generation (used to enforce difficulty change and filter out stale nonces) NONCE_VALIDITY : initial difficulty, number of leading 0-bits in a produced hash (0:extremely easy ~ 256:impossible, 13(default): takes about 5 seconds for the browser to calculate) INITIAL_DIFFICULTY : location to proxy authenticated traffic to, IP and URLs are both accepted BACKEND_URL Future Work : additional web application firewall to provide an extra layer of protection WAF : block IPs spamming nonce calculation results automatically IP Blacklisting : alter difficulty base on bandwidth and number of requests Dynamic Difficulty : unit testing for services and library Unit Testing : make it even easier to use Dockerization : sync blacklist and authentication information between multiple instances for deployment on multiple instances behind a load-balancer Multi-Instance Syncing Final Words PoW Shield is currently still a work in progress, feel free to lend me a hand on implementing these features or providing suggestions (features or optimization). (Also published at https://ruisiang.medium.com/pow-shield-application-layer-proof-of-work-ddos-filter-4fed32465509 )

Google

Read My Stories

Too Long; Didn't Read

Let Your Engineers & PMs focus on Product. Apply for $50K Credits!

HackerNoon Mobile

PoW Shield: An Application Layer Proof of Work DDoS Filter

Too Long; Didn't Read

Company Mentioned

@ruisiang

RELATED STORIES