How to protect a website from an attacker spamming SMS requests?

You could call it a "DDoS" on the website. Registration requires confirming a phone number. So: the attacker endlessly requests SMS. Our balance on the SMS gateways runs out. The requests come from different IPs and user-agents.
How to defend against such an attack? How are other sites protected?
April 3rd 20 at 18:45
8 answers
April 3rd 20 at 18:47
Solution
1. After the e-mail is confirmed, put EVERY SMS request through a new captcha challenge.
2. Interval between SMS requests: 5, 10, 15, 30, 60 minutes, and then lock the account.

DDoS protection and security of the web server
A simple and free replacement for CloudFlare against most types of attacks: here.

Ask the user to send a message to our virtual number with the code that was displayed. This is the main method of fighting it.
That is fighting against your own conversion, which you spent your own effort and money on. Competitors will say: "THANK you!"
DAMN it! I'd rather do authorization/verification through social-network accounts, connected through the same Google!
Than lose potential clients that I am paying for!

PS: -------------
I want to open my own DDoS protection service
TO ALL: if someone is willing to help the author of the question - Welcome!
Protection against DDoS with reCAPTCHA v2?
How to make a web application (website, database) fail-safe without BGP?
Your own DDoS protection service?
How does DDoS protection work?
Of course))))
In the same REGISTRATION. A new user. The user comes to the registration page. Enters a username, password and phone number there. A code is sent to him to confirm ownership of the number. - Dimitri_Leffler commented on April 3rd 20 at 18:50
@Dimitri_Leffler, what a way to not answer a specific question. Once again: is the SMS sent after the e-mail confirmation? - raymond_Rodriguez commented on April 3rd 20 at 18:53
@Dimitri_Leffler, I didn't understand.
A captcha for every SMS request, checking the e-mail via a link, and a timeout between SMS sends, is that it? - lonny commented on April 3rd 20 at 18:56
@lonny, funny, isn't it? Understand: it's enough to register not 1 account but thousands. It's enough to pay 160 rubles for us to lose 2,500 rubles. Captcha, Google and the rest go for 16 cents.
There are now plenty of sites selling auto-registered mailboxes at 100 pieces per 1 ruble. And there are APIs for them to parse the mail and look for the confirmation links, etc. I see no reason to torment the user with checking mail, etc. - Dimitri_Leffler commented on April 3rd 20 at 18:59
@Dimitri_Leffler,
Not enough to register 1 account, but thousands
Timeout: the nickname is locked for the time the SMS is being sent, or the nickname is released.

Captcha, Google and the rest go for 16 cents.
I still see no reason to torment the user with checking mail, etc.
What prevents you from making your own captcha and adding mail validation? - lonny commented on April 3rd 20 at 19:02
@lonny, nicknames can be changed. This system is no good. Everything can be changed: different e-mails, logins, passwords, IPs, user agents, etc.
Your own captcha won't help either, it will go for 16 cents or 5 cents. There is no point in torturing the user. Moreover, as said above, auto-registered mailboxes are sold in packs of 100 per ruble. - Dimitri_Leffler commented on April 3rd 20 at 19:05
@Dimitri_Leffler, OK. Can I see a log file with statistics of the DDoS requests? - lonny commented on April 3rd 20 at 19:08
@lonny, there are no logs. What specifically are you interested in? - Dimitri_Leffler commented on April 3rd 20 at 19:11
@Dimitri_Leffler, apart from filtering by IP (+country/region and/or analysing the behaviour of the requests from those IPs to weed out the suspicious ones), I have no more options.
Perhaps you can tell me what it should be and how it would look? - lonny commented on April 3rd 20 at 19:14
@Vince, yes.
I want to make a service better than CloudFlare - Dimitri_Leffler commented on April 3rd 20 at 19:17
@Dimitri_Leffler, I'm all FOR it.
The main thing is that it be at least no worse than CF. - lonny commented on April 3rd 20 at 19:20
April 3rd 20 at 18:49
Solution
Unfortunately, the people sitting on this forum do not have the experience to answer even questions of average difficulty, let alone hard ones.
The solution to this problem (fighting the attacker) came down to quite simple measures.
1) Put reCAPTCHA v2 everywhere for unregistered users, so that the user cannot even fart without passing the captcha.
2) Ask the user to send a message to our virtual number with the code that was displayed. This is the main method of fighting it. Especially since SMS is now pennies for the user. It's 2k20, almost everyone is on unlimited plans.
3) Put everything behind CloudFlare. A paid plan, $20. Set firewall rules to allow entry only from the desired countries (to cut off foreign botnets), block Tor (CloudFlare actually has that option). And of course turn on CloudFlare's WAF. Turn on Under Attack mode so the bots are eliminated immediately. Of course, keeping this mode on is not desirable, but with about 95% probability it will stop a noob attack and most DDoSers.
4) While behind CloudFlare, don't expose your real IP, so it can't be DDoSed directly. If the website was not originally behind CloudFlare and you put it there later, they will hit the old IP. So change the IP, and better yet the hosting provider and data center. Because if you are a serious business, they can take down entire uplinks and data centers.
5) CloudFlare is CloudFlare, but a DDoS is a DDoS. They can sniff out the IP and hit it. So buy a server or hosting from a proper host in a large DC (preferably in Europe). Good examples: OVH, Voxility, etc.
Summary: by following these rules you will be shielded from many attacks and will sleep soundly. But if they really want to take you down, you will need capital to spend on buying protection from a number of protection providers and balancing between them.
I still see no reason to torment the user with checking mail, etc.

2) Ask the user to send a message to our virtual number with the code that was displayed. This is the main method of fighting it. Especially since SMS is now pennies for the user. It's 2k20, almost everyone is on unlimited plans.

You don't want to torment them, but let them pay money (even a penny).
You know about the scams that ask "send an SMS with the code and win an iPhone"? How will you tell yourself apart from them? Where is the guarantee that I will receive it and that 20K rubles won't be deducted from me?
That's the people who found "the answer" to your question and called it the solution. - alexandro_Wi commented on April 3rd 20 at 18:52
@alexandro_Wi, exactly, such clever people offering a solution to the problem, I note. Although this solution is good, unlike the solutions from the forum cripples who can't even understand the problem and offer all sorts of games, oblivious to the fact that it's 2k20 outside, and none of them seem to be even aware of the existence of ways to change IP and user-agent.
None of our visitors will send an SMS to our number without knowing whether there will be any charge. - Dimitri_Leffler commented on April 3rd 20 at 18:55
@Dimitri_Leffler, send him an SMS to the number and let him enter the code from the text message? As many services do.
In response you can send an arithmetic operation where the operation is drawn; you would have to parse and recognize the image.
I don't do that, if anything.
Another option is to find an expert and pay him for a consultation, then ask.
Toster is good, but I haven't come here with "not complicated" problems. - alexandro_Wi commented on April 3rd 20 at 18:58
@Dimitri_Leffler, as a normal user I would leave your site immediately after being asked to send an SMS to some number.

>just so smart that offer a solution to the problem - I note
>can't understand the problem and offer every game
not suggesting games; suggesting normal things you can implement at your level without additional costs.

well, in a strange way, you don't want to inconvenience the user with a check through mail, but forcing him to send an SMS is normal.
if you want to verify the user cheaply, use the new/less common sign-in services: Apple, Sberbank, etc. - Luna_Rat commented on April 3rd 20 at 19:01
@Luna_Rat, I only need a phone, nothing more.
Sending an SMS is not that difficult. - Dimitri_Leffler commented on April 3rd 20 at 19:04
@Dimitri_Leffler, once again, giving your phone number to an obscure website is not a good idea.
if e-mail spam can still be filtered, then annoying calls, SMS spam, subscriptions to paid services, the contact database going to scammers: none of that is very desirable for a phone number

in your opinion, why haven't all sites moved to registration by phone number, and instead use clumsy e-mail? - Luna_Rat commented on April 3rd 20 at 19:07
@Dimitri_Leffler,
1. Listen to what others say about your approach of sending SMS.

2. And if you think that by changing the IP/user agent/etc. you can escape from a behavioural filter configured and trained on the site's historical log of normal users, that will be your last mistake on that site.

Just work through the whole process and you'll understand...
(or calmly ask the question without rudeness...) - lonny commented on April 3rd 20 at 19:10
@lonny, what behavioural filter, and how can it be done? - Dimitri_Leffler commented on April 3rd 20 at 19:13
@Dimitri_Leffler, read here: the task is to identify user trails from the logs. - lonny commented on April 3rd 20 at 19:16
@lonny, and if there are no such trails? And the person immediately lands on the registration page? - Dimitri_Leffler commented on April 3rd 20 at 19:19
@Dimitri_Leffler, the trail is not only dumb clicking on links, but the HTTP protocol + all browser events (request referer(s), the load sequence, mouse movement, etc.) and all of the client's network activity. Especially the intervals between these events! - lonny commented on April 3rd 20 at 19:22
@lonny, is it impossible to simulate?
this data is sent via JS. And you can dig into the scripts and see how this "trail" is collected, generate random input within the range of a real user's "trails" and send it to the server. - Dimitri_Leffler commented on April 3rd 20 at 19:25
@Dimitri_Leffler, it is possible to generate it 1-to-1 if you know this trail.
And its clients: no one will know them except the owner of the service.
Any deviation from the behaviour of the general mass of normal users of the service is immediately detected. - lonny commented on April 3rd 20 at 19:28
@lonny, I didn't understand. Is this trail collected on the client side? If so, it must be sent to the server for the data to be processed. If this data is sent to the server, that means it can simply be copied from the trails of ordinary users, or at least taken from one's own, or randomly generated.

For example: the number of pixels the cursor travelled. Take it and send the server the value of a real user. Or, as you say, the interval at which the data is sent. Just wait a few seconds and then send the request to the server again, or adjust our trail.
If the bot sends the following data: ['time to send data': '0.001 s', 'cursor movements': '0'], what prevents us from modifying the data to ['time to send data': '10.401 s', 'cursor movements': '53']? - Dimitri_Leffler commented on April 3rd 20 at 19:31
@Dimitri_Leffler, the trail is collected from the client and from the server.
The combination of all activity and inactivity data: this is the trail.
If this data is sent to the server, that means it can simply be copied from the trails of ordinary users, or at least taken from one's own, or randomly generated.
It is impossible to forge common behaviour. That is the whole point of such trails.
Each user has a behavioural imprint. Whether it fits into the norm or not is decided by the behavioural-conformity weight of the filter (relative to the total trails/behaviours).

Two factors that prevent one from becoming a "hedgehog":
1. The unavailability of real trails.
2. The inability to change one's usual behaviour.
One mistake: suspicion; two: ban. - lonny commented on April 3rd 20 at 19:34
@lonny, so this trail is a combination of behavioural factors? Right? So why not fake the combination of these factors and send a false trail?
The unavailability of real trails? Are you kidding me? The client sends his behavioural factors to the server, and this is a vulnerability, because the client can send anything, no matter whether it's an encrypted set of behavioural factors or simply each factor transferred separately in a POST request. - Dimitri_Leffler commented on April 3rd 20 at 19:37
@Dimitri_Leffler, send? He can send anything, but the trail is the behaviour of the majority.
The probability that he guesses ("fits into all the turns of the trail") is close to 0.
Otherwise it is not a malicious visitor.

I repeat:
The trail is collected from the client and from the server.
The combination of all activity and inactivity data: this is the trail.
and I add:
The client's behaviour is data only for that client.
The trail system is the set of all regular users who do not forge anything on the client side and use the site/service as its developer designed. - lonny commented on April 3rd 20 at 19:40
@lonny, and if he understands how normal people behave, extracts the data that is sent to the server and understands how it is formed, he can send random behaviour to the server that fits within the range of normal behaviour. - Dimitri_Leffler commented on April 3rd 20 at 19:43
@Dimitri_Leffler, yes, bloody well no one extracts the normal: the trail is stored on the server (all of its weights).
Want to try forging it on the front end (there it's even easier than a behavioural filter! the whole protection is on the client!): welcome. - lonny commented on April 3rd 20 at 19:46
@lonny, I still don't understand why it can't be circumvented.
You either don't understand what you're saying, or don't want to explain.
Better give a couple of links to articles. - Dimitri_Leffler commented on April 3rd 20 at 19:49
@Dimitri_Leffler, it is naive to believe that the only bots you get are "stray" ones dumbly brute-forcing typical vulnerabilities. From this it follows that the attacker will not sit at the computer and register like a normal person, will not analyse what goes to the server, and certainly will not copy the data with a small amount of added "noise".
In a similar way, and not particularly successfully, Google protects itself from fake registrations on Android: the Chinese simply build farms of thousands of $30 smartphones. In general, this solution is complex, requires constant attention, and is worthless at both small and large scale.

If your website is not being broken deliberately, something unpretentious but home-made is enough, plus a visible-to-the-user imitation of a captcha model (fake bots find the captcha, fill it in and, more importantly, get back an "all is well"). On a small single forum spammers show up once every six months, even though the protection there is student-grade, ten seconds' worth. - Gust.Murray59 commented on April 3rd 20 at 19:52
@Dimitri_Leffler, if it's deliberate manual spam, this behaviour will fall under a behavioural pattern that is tracked from the 2nd attempt.
Normal behaviour: that is the trail, simply.
And then there is very similar and repetitive behaviour: this is an autopilot script, or passing along a trail where everything is accurate to the second.

Using three segments of a behavioural filter (normal, no trail, autopilot), spam registrations can be identified simply and very accurately.

@Gust.Murray59, you are absolutely and badly mistaken: I did not propose that.
But thanks for the suggestive comments that helped form a clarification for @Dimitri_Leffler.

In regard to this:
In general, this solution is complex, requires constant attention, and is worthless at both small and large scale.
I would like explanations and specifics. It does not require attention, as it is an automatic filter.
But why my solution is difficult and worthless I do not understand; explain how you came to this conclusion? - lonny commented on April 3rd 20 at 19:55
@lonny, for your solution to work at all you need a reference data set of "normal users" plus test "spam" data. Of course, you need an algorithm for comparing trails. Then you need to periodically check whether the filter is cutting off registrations of normal users, for example because someone wrote about you in Australia and your model disagrees. This requires clustering the blocks: you won't find 30 Australians among thousands of bots by hand. You need a viewer for the recorded trails to make sure that people can behave like this, then you need to add them to the normal trails and create the accounts if there is a chance the user will return.
If you had hundreds of registrations per minute, again you need to understand whether it's successful advertising, students promised $5 per account, or someone wrote a Selenium script.
Students will behave normally, but not identically.

Difficult? At least a couple of orders of magnitude more complex than captchas and puzzles, if you write it from scratch.
Requires attention? Yes, without it an indefinitely large percentage of normal users will be cut off.
For protection against targeted attacks: weak.

Maybe you described something else? - Gust.Murray59 commented on April 3rd 20 at 19:58
@Gust.Murray59, the essence you describe is absolutely true. But here we have a discrepancy in understanding the implementation.
How I imagine it:
1. To accumulate the trail, you need to take the lion's share of the longest activity (full metrics) of all registered users.
2. To weed out machines, you need to take the anti-metric of point 1.
3. To identify new behaviour, you need to look for specific behaviour that does not fall under any of the preceding points. Then highlight it in the admin panel with the flag "suspicious", and the system continues with a more detailed analysis: if the frequency of transition requests is exceeded relative to the general mass, mark the new behaviour as negative, etc., for each of the metric criteria.

I.e. manual monitoring is kept to the bare minimum: whatever failed the auto filter (on all counts).
But one problem: he still writes letters to tech support. - lonny commented on April 3rd 20 at 20:01
@lonny, can you point me to articles or books on this topic? - Dimitri_Leffler commented on April 3rd 20 at 20:04
@Dimitri_Leffler, Google it. - lonny commented on April 3rd 20 at 20:07
@lonny, I found nothing about any user trails, etc. - Dimitri_Leffler commented on April 3rd 20 at 20:10
@Dimitri_Leffler, then it is up to you: try to understand, or just believe my experience. - lonny commented on April 3rd 20 at 20:13
@Dimitri_Leffler, it really is so. And not only in the progressive West. In one of the projects I worked on, which I can't point a finger at because of an NDA, the front end sends the backend in real time all the information about the user it can collect and all his actions; the backend feeds the stream of these events into Spark for operational analysis and interaction with the user in the current session, and stores it in a repository for background analysis by a neural network and further training. There the neural network very accurately distinguishes one user from another by behaviour alone, and every day makes more and more useful predictions about users. - lizzie11 commented on April 3rd 20 at 20:16
@lizzie11, I hope that at least your comments will help the author of the question change his faith in AI... :) - lonny commented on April 3rd 20 at 20:19
@lonny, I doubt it. I've been watching this user's questions and comments; everything is very bad. - lizzie11 commented on April 3rd 20 at 20:22
@lizzie11, then tell me: what purpose does it serve? I have already speculated, but I know for sure that this is not PR for a service and not a desire to understand the field more deeply. - lonny commented on April 3rd 20 at 20:25
@lonny, I think the person lives in illusions of his own competence and asks questions that seem reasonable to him, expecting certain answers, and is unhappy with the discrepancy between his own expectations and the answers he gets. - lizzie11 commented on April 3rd 20 at 20:28
@lizzie11, glad I'm not the only one of that opinion)
Most likely we are not wrong. - lonny commented on April 3rd 20 at 20:31
@Vince, @lizzie11, so what do you recommend doing, if you are so clever?
You give a superficial answer without links to examples, etc., and wonder why I'm pushing back. Maybe because you don't show any advantages of your solutions? - Dimitri_Leffler commented on April 3rd 20 at 20:34
@Dimitri_Leffler, I'm sorry, but I don't have time to prepare material personally for you (write a post or find material worthy of your attention). - lonny commented on April 3rd 20 at 20:37
@Dimitri_Leffler, I suggest reading books on networking and the design of information systems, building up experience, and not taking on the solution of problems you are not even able to understand. - lizzie11 commented on April 3rd 20 at 20:40
@lizzie11, I understood everything, reading a book. I'll learn the Zen of networking. - Dimitri_Leffler commented on April 3rd 20 at 20:43
@lonny, forgive me, for the first time - Dimitri_Leffler commented on April 3rd 20 at 20:46
@Dimitri_Leffler, what prevented you from educating yourself earlier? - lonny commented on April 3rd 20 at 20:49
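The "send an SMS to our number" flow from the answer above (the user texts a displayed code to the site's virtual number instead of the site paying to text him), written out as an added example. This is not code from the thread or from any poster; the storage layout, the ten-minute lifetime, the six-character code alphabet, the E.164 sender check and the shape of the gateway's inbound webhook (sender number, message body) are all assumptions for illustration.

```python
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

CODE_TTL = 10 * 60                                 # assumed: a shown code lives ten minutes
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I look-alikes to mistype


@dataclass
class Pending:
    code: str
    created: float
    used: bool = False
    phone: Optional[str] = None   # filled in once the inbound SMS arrives


class ReverseSmsVerifier:
    """Registration is confirmed by an SMS the *user* sends, so an attacker who
    hammers the registration page costs us nothing on the SMS gateway."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.clock = clock
        self.by_code: Dict[str, Pending] = {}
        self.by_session: Dict[str, Pending] = {}

    def issue(self, session_id: str) -> str:
        """Create the code the registration page shows for this session."""
        old = self.by_session.pop(session_id, None)   # one live code per session
        if old is not None:
            self.by_code.pop(old.code, None)
        while True:
            code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(6))
            if code not in self.by_code:               # avoid handing out a duplicate
                break
        pending = Pending(code=code, created=self.clock())
        self.by_code[code] = pending
        self.by_session[session_id] = pending
        return code

    def inbound(self, sender: str, text: str) -> bool:
        """Webhook handler for the gateway: (sender number, message body).

        Accepts only an unexpired, unused code; the sender number reported by
        the gateway then becomes the verified phone for that session."""
        match = re.fullmatch(r"\s*([A-Z2-9]{6})\s*", text.upper())
        if match is None:
            return False
        pending = self.by_code.get(match.group(1))
        if pending is None or pending.used or self.clock() - pending.created > CODE_TTL:
            return False
        if re.fullmatch(r"\+[1-9][0-9]{6,14}", sender) is None:   # E.164 sanity check
            return False
        pending.used = True            # single use: a replayed SMS is rejected
        pending.phone = sender
        return True

    def status(self, session_id: str) -> Optional[str]:
        """Polled by the registration page: the verified phone, or None so far."""
        pending = self.by_session.get(session_id)
        if pending is None or not pending.used:
            return None
        return pending.phone
```

The page that shows the code should also state that the destination is an ordinary, non-premium number, since the thread's objection to this scheme is that users cannot tell it apart from "send an SMS and win an iPhone" scams. Note that the sender number is whatever the gateway reports, so the scheme is only as trustworthy as the gateway's sender handling.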
April 3rd 20 at 18:51
Solution
Set a limit of no more than 1 message per minute per IP. Moreover, the limits should grow: more messages, bigger limit, growing in multiples: 1/2/5 and so on.
The most optimal option is to use a captcha.
Start with Google's, because it analyses many behavioural factors; getting around it is not so easy, but nevertheless realistic.
Second step: introduce a captcha that will be hard to get around.
If you know the inner kitchen of the captcha-bypass services, you come to the conclusion that you need to invent a captcha that is not common and that only you have.
The first thing that comes to mind:

1. the task for the user is given not as text but as a picture (but you can start with text).
2. If it is text or an image, make it hard to extract from the HTML. For example, if it is a picture, one shouldn't be able to just grab the link to the image to hand it to a captcha-solving service.
-
If it is text, put some hidden blocks in the output and show the user only what is needed. Random hidden blocks each time.
Yes, this can be worked around by checking display: none on each of the elements in the parent block. But it still has to be worked around.
--
3. To perform some action on the site, the user will have to do something. Of course, add variation. For example: move some blocks so that the numbers follow each other, i.e. are in ascending order. Give the text not bare but with spaces/letters placed next to it. Yes, getting the number will take more than a real one, but it's extra effort for the attacker. And if you take the number from a block, then it is much more difficult. For example: there are 3 blocks on the page. Task: press the FIRST digit of the first, third and fifth block. Separate the digits with spaces/commas. In parts of the text replace some letters with English ones, so that it looks readable and not jumbled; this would complicate parsing significantly. Send the captcha token and the answer to the database; when the form is submitted, the token is compared and the answer checked.

Where to dig, I think you understand. Just don't overdo it: users are not bots, they don't need to be annoyed yet again.
Another option: move away from SMS and start verifying the user by mail, if appropriate/feasible, and use SMS as an additional function for verifying the user.
Just make a generator of NP-complete problems for different captchas.
So that it's impossible to create an anti-captcha for it) - lonny commented on April 3rd 20 at 18:54
A huge like! - oswald commented on April 3rd 20 at 18:57
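Two of the answers describe the same kind of gate from different sides: the first answer's escalating per-account interval (5, 10, 15, 30, 60 minutes, then lock the account) with a fresh captcha on every SMS request, and the answer above's per-IP limit of 1 message per minute that grows 1/2/5. The added example below, which is not code from any poster, combines them in one decision function and adds a site-wide hourly cap as a circuit breaker, since the question's actual loss is the gateway balance. The cap value, the ladder sizes in seconds and the return codes are assumptions; the clock is injected so the behaviour is testable. Keying on IP alone is weak because, as the question says, the attacker rotates IPs and user-agents, which is why the per-account and budget layers matter.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Per-account ladder from the first answer: 5, 10, 15, 30, 60 minutes, then lock.
ACCOUNT_COOLDOWNS = [300, 600, 900, 1800, 3600]
# Per-IP ladder from the answer above: 1 minute, then 2, then 5 (stays at 5).
IP_COOLDOWNS = [60, 120, 300]
# Assumed site-wide circuit breaker: SMS per rolling hour before requests are refused.
DEFAULT_HOURLY_CAP = 500


@dataclass
class _Track:
    count: int = 0             # SMS already sent under this key
    next_allowed: float = 0.0  # Unix time before which this key is refused
    locked: bool = False


@dataclass
class SmsGate:
    clock: Callable[[], float]            # injected so tests are deterministic
    hourly_cap: int = DEFAULT_HOURLY_CAP
    accounts: Dict[str, _Track] = field(default_factory=dict)
    ips: Dict[str, _Track] = field(default_factory=dict)
    sent_times: List[float] = field(default_factory=list)

    def request(self, account: str, ip: str, captcha_ok: bool) -> str:
        """Decide one "send me a code" request.

        Returns "send" when the SMS may go out now; otherwise the refusal
        reason, checked in order from cheapest to most expensive.
        """
        now = self.clock()
        # Every request needs a fresh captcha solve, not just the first one.
        if not captcha_ok:
            return "captcha"
        acct = self.accounts.setdefault(account, _Track())
        if acct.locked:
            return "locked"
        if now < acct.next_allowed:
            return "account_cooldown"
        if acct.count >= len(ACCOUNT_COOLDOWNS):
            acct.locked = True          # ladder exhausted: lock instead of sending
            return "locked"
        src = self.ips.setdefault(ip, _Track())
        if now < src.next_allowed:
            return "ip_cooldown"
        # Rolling one-hour window of everything the site sent, regardless of key.
        self.sent_times = [t for t in self.sent_times if now - t < 3600]
        if len(self.sent_times) >= self.hourly_cap:
            return "budget"
        # Approved: record the send and schedule the next allowed time per key.
        self.sent_times.append(now)
        acct.count += 1
        acct.next_allowed = now + ACCOUNT_COOLDOWNS[acct.count - 1]
        src.count += 1
        src.next_allowed = now + IP_COOLDOWNS[min(src.count, len(IP_COOLDOWNS)) - 1]
        return "send"
```

The checks that cost nothing (captcha flag, lock, cooldowns) run before the one that touches shared state, and the budget check refuses the request rather than sending and charging. In production the per-key state would live in a shared store such as Redis with TTLs instead of process-local dicts.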
April 3rd 20 at 18:53
The simplest way is to connect CloudFlare and enable aggressive mode.
CF checks whether the user is a bot.
Could be. As an option. - Dimitri_Leffler commented on April 3rd 20 at 18:56
April 3rd 20 at 18:55
Enough options have already been offered, but
as an option, make a call to the user's phone number (of course the pool of caller numbers should be sufficient),
hang up after a few seconds and ask the user to enter the last four digits of the caller's number.

Of course, a captcha and an increasing delay between calls
April 3rd 20 at 18:57
Is there a captcha?
There is. It is bypassed for 16 cents, and we lose 2.5 rubles - Dimitri_Leffler commented on April 3rd 20 at 19:00
April 3rd 20 at 18:59
And are the numbers all real? When sending an SMS, does your gateway check that they exist?
Well, as an option, change the strategy from "we will send you an SMS" to "send an SMS to our number", and then we register you.
This idea has already been invented. 2 days ago. Sending an SMS to us. So far it's the only way of dealing with these bastards - Dimitri_Leffler commented on April 3rd 20 at 19:02
April 3rd 20 at 19:01
And can we approach it from the other side?
Add two-factor authentication? And maybe drop SMS altogether.
The second factor is what? The author's is SMS confirmation. - Marcelo.McDermo commented on April 3rd 20 at 19:04
@Marcelo.McDermo, I hadn't quite finished writing.

Using Google Authenticator. - angelina.Goyette55 commented on April 3rd 20 at 19:07
@angelina.Goyette55, this is about unique accounts, not about protecting login. - lonny commented on April 3rd 20 at 19:10
@angelina.Goyette55, I once took it, then after half a year I had to disconnect it, since the second factor is tied to the system time, and with a time difference of 15 seconds or more the authentication fails. The user will not be able to synchronize his time with the system time on the server and loses access to his account. Moreover, if the server is in another country in another time zone. Switching the clock to winter/summer time on the server dumps all users. - Marcelo.McDermo commented on April 3rd 20 at 19:13
@Marcelo.McDermo, an interesting case. I will keep it in mind. - angelina.Goyette55 commented on April 3rd 20 at 19:16
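The authenticator-app option and the clock-drift failure described in the comments above, as an added example (not code from the thread): RFC 6238 TOTP verification with a drift window, which is the standard way deployments absorb client clock skew. TOTP counts 30-second steps of Unix time, so the server's time zone and its winter/summer clock switch do not enter into the computation; only real clock skew does, and a window of one step either side tolerates up to 30 seconds of it. Returning the matched step lets the caller store it and refuse a replay of the same code, which RFC 6238 requires. The secret and the expected codes are the RFC 4226/6238 SHA-1 test vectors, embedded inline; the function names are this example's own.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30    # seconds per time step, the Google Authenticator default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP over the number of whole steps since the Unix epoch.
    Unix time is zone-independent, so server and client time zones are irrelevant."""
    return hotp(secret, int(unix_time) // step)


def verify_totp(secret: bytes, code: str, unix_time: float,
                window: int = 1, step: int = STEP, last_used: int = -1) -> Optional[int]:
    """Accept `code` for the current step and up to `window` steps either side.

    Returns the matched step counter (persist it as `last_used` to block replay
    of the same code) or None. All candidates are compared with
    hmac.compare_digest rather than ==, so a wrong code does not leak by timing.
    """
    counter = int(unix_time) // step
    matched = None
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if hmac.compare_digest(hotp(secret, candidate), code) and candidate > last_used:
            matched = candidate
    return matched


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the secret as base32 (the otpauth:// URI);
    apps usually drop the '=' padding, so restore it before decoding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


# RFC 6238 Appendix B SHA-1 test secret: the ASCII bytes of "12345678901234567890".
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59))                        # 287082 per the RFC table
    print(verify_totp(RFC_SECRET, "287082", 59 + 30))  # one step late: still accepted
```

A larger window buys tolerance for worse drift at the cost of more valid codes per instant (2·window+1 of them), so keep it small and fix the server clock with NTP rather than widening it; the client side is the user's phone, which mobile networks keep synchronized.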

Tags: DDoS protection, Web Development