Mitigation

Deflect protects your website from a multitude of cyber attacks, including distributed denial of service (DDoS), brute-force attacks against your login password, connection hijacking and many others. To achieve this level of protection we employ several methods. They are briefly described here and in more detail in the ‘For Administrators’ section.

  • Distributed infrastructure
  • Banjax authentication
  • Challenger
  • Captcha
  • Baskerville

Distributed infrastructure

Deflect is built on decentralization, with rented infrastructure in dozens of datacenters around the world. This approach offers flexibility and avoids central points of failure. Over the years we have worked with many providers and select among them by hardware specifications and network access, as well as their internal operating policies. We are keen to reduce the carbon footprint of our infrastructure and are continuously looking for datacenters powered by sustainable energy sources.

Because this infrastructure is rented and changes over time, we provision all machines with filesystem-level encryption, so that data at rest is not exposed to the hosting provider or to whoever receives the hardware after we release it.

Provider          HQ country   Datacenter(s)                                                  Datacenter country
Gorilla           USA          Ogden, Utah                                                    USA
Hetzner           Germany      FSN1-DC1; FSN1-DC2; FSN1-DC3; FSN1-DC6; FSN1-DC7; FSN1-DC10;   Germany
                               FSN1-DC11; FSN1-DC12; FSN1-DC13; NBG1-DC1
One Provider      Canada       Baltimore; Montreal                                            USA, Canada
OVH               France       Beauharnois; Roubaix                                           Canada, France
Linode            UK                                                                          UK
Limestone
NOCIX
SeFlow
Secured Servers
Veeble
SiteValley

Banjax authentication

When your website is behind Deflect, pages are served from our caching servers. This means that a page may be several minutes old and may not reflect the very latest updates. This is not ideal when you are editing the website and need to see changes immediately. Deflect therefore provides a special way to authenticate yourself to the system and access your website without caching. We call this Banjax authentication. After you have created the password in the Dashboard, the login page of your website (e.g. /wp-admin, /login, /administrator, etc.) will appear like this:

Banjax Authentication

Only those in possession of the authentication password will be able to proceed. This has the useful side effect of protecting your website's administrative login from password brute-force attacks: an attacker never reaches your login form unless they first pass the Banjax prompt.

Challenger

When a DDoS attack is not automatically mitigated by Deflect rules and begins to have a negative impact on your server, you can enable the Challenger filter. It helps Deflect distinguish real website readers (who are using a web browser) from automated bots. Challenger does this by serving everyone who requests access to the website a mathematical challenge in JavaScript. The browser solves the challenge and sends back its reply; a bot that does not execute JavaScript cannot do this. When a challenge has been solved, Deflect returns a cookie to the reader's browser, and no further challenges are required from this reader for the next 24 hours.

_images/deflect_challenge.gif
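
As an added illustration of the two gates described above (Banjax authentication on the login paths, and the Challenger cookie for everyone else), here is edge-side logic written in Python. It is not Deflect's or Banjax's own code. The cookie format (kind|ip|expiry|HMAC), the edge secret, the editor password, the cookie names, the one-hour editor cookie lifetime and the use of a SHA-256 proof-of-work as the "mathematical challenge" are all assumptions made for this example; the browser-side solver is written in Python here, whereas in production it is the JavaScript served by Challenger.

```python
"""Edge-side gate modelled on Banjax authentication and the Challenger filter.

Added example, not Banjax's or Deflect's own code. The cookie format, secret,
password, cookie names, lifetimes and the SHA-256 proof-of-work used as the
"mathematical challenge" are hypothetical choices made for illustration.
"""
import hashlib
import hmac
import secrets

EDGE_SECRET = b"constructed-edge-secret-not-for-production"  # hypothetical
PROTECTED_PATHS = ("/wp-admin", "/login", "/administrator")   # paths from the page
ADMIN_PASSWORD = "correct horse battery staple"               # constructed
CHALLENGE_TTL = 24 * 3600     # page: no further challenge for 24 hours
AUTH_TTL = 3600               # hypothetical lifetime of the editor cookie
DIFFICULTY_BITS = 16          # hypothetical: leading zero bits the solution needs


def _sign(payload):
    return hmac.new(EDGE_SECRET, payload.encode(), hashlib.sha256).hexdigest()


def make_cookie(kind, client_ip, now, ttl):
    """Cookie = kind|ip|expiry|HMAC. Binding to the IP stops simple replay elsewhere."""
    payload = "%s|%s|%d" % (kind, client_ip, int(now) + ttl)
    return payload + "|" + _sign(payload)


def cookie_valid(cookie, kind, client_ip, now):
    try:
        c_kind, c_ip, c_exp, tag = cookie.split("|")
    except ValueError:
        return False
    payload = "%s|%s|%s" % (c_kind, c_ip, c_exp)
    if not hmac.compare_digest(tag, _sign(payload)):   # constant-time compare
        return False
    return c_kind == kind and c_ip == client_ip and now < int(c_exp)


# --- Challenger: the edge issues a challenge, the browser burns CPU, the edge verifies ---

def issue_challenge(client_ip, now):
    """The challenge carries its own HMAC, so the edge keeps no per-client state."""
    payload = "%s|%d|%s" % (client_ip, int(now), secrets.token_hex(8))
    return payload + "|" + _sign(payload)


def _meets_difficulty(challenge, nonce):
    digest = hashlib.sha256(("%s%d" % (challenge, nonce)).encode()).digest()
    return int.from_bytes(digest, "big") >> (256 - DIFFICULTY_BITS) == 0


def solve_challenge(challenge):
    """What the browser's JavaScript does: find a nonce such that
    SHA-256(challenge || nonce) starts with DIFFICULTY_BITS zero bits."""
    nonce = 0
    while not _meets_difficulty(challenge, nonce):
        nonce += 1
    return nonce


def verify_solution(challenge, nonce, client_ip, now, max_age=300):
    """Cheap for the edge: one HMAC and one hash, however long the client spent."""
    try:
        c_ip, issued, rand, tag = challenge.split("|")
    except ValueError:
        return False
    if not hmac.compare_digest(tag, _sign("%s|%s|%s" % (c_ip, issued, rand))):
        return False
    if c_ip != client_ip or now - int(issued) > max_age:   # stale or borrowed challenge
        return False
    return _meets_difficulty(challenge, nonce)


def accept_solution(challenge, nonce, client_ip, now):
    """Endpoint the browser posts its nonce to: returns the 24-hour cookie or None."""
    if not verify_solution(challenge, nonce, client_ip, now):
        return None
    return make_cookie("challenge", client_ip, now, CHALLENGE_TTL)


# --- The edge decision for one request -------------------------------------------

def handle_request(path, client_ip, cookies, now, challenger_on, password=None):
    """Returns what the edge does: serve from cache, go to origin uncached, or gate."""
    # 1. Banjax authentication: protected paths need the editor cookie (or the password).
    if any(path.startswith(p) for p in PROTECTED_PATHS):
        if cookie_valid(cookies.get("deflect_auth", ""), "auth", client_ip, now):
            return {"action": "origin", "cache": False}          # bypass the cache
        if password is not None and hmac.compare_digest(password, ADMIN_PASSWORD):
            return {"action": "set_cookie",
                    "deflect_auth": make_cookie("auth", client_ip, now, AUTH_TTL)}
        return {"action": "auth_page"}                          # the Banjax prompt
    # 2. Challenger: when enabled, every other reader must hold a solved-challenge cookie.
    if challenger_on and not cookie_valid(cookies.get("deflect_challenge", ""),
                                          "challenge", client_ip, now):
        return {"action": "challenge", "challenge": issue_challenge(client_ip, now)}
    return {"action": "cache", "cache": True}
```

Two design points worth noting. The challenge is itself signed and time-limited, so the edge keeps no per-client state and verification costs it one HMAC and one hash no matter how much work the client did. Binding both cookies to the client IP blocks straightforward replay from another address, but it also re-challenges readers whose address changes (mobile networks, carrier NAT); a production deployment has to weigh that trade-off.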

Information for website readers

In order to successfully receive and process a challenge, your browser will need to have JavaScript enabled. If you are using a JavaScript blocker such as NoScript, you will see an error message telling you that JavaScript is blocked and should be enabled:

NoScript blocking JavaScript on the Black Lives Matter website

Information for Deflect clients

Challenger is a strong measure of defense. It blocks not only malicious traffic but also every legitimate client that cannot execute JavaScript, which means website crawlers may no longer be able to access your website. Use Challenger as a last resort. We have whitelisted the following crawlers and IPv4 address ranges to make sure websites behind Challenger can still be indexed:

# Google crawler

# PayPal IPN servers

# Facebook

# Testing

Website or crawler banned?

If the Challenger filter blocks your service or crawler, we can whitelist your IP address. Please submit a ticket to the Deflect team and provide the following information:

  • Name of your organization and a brief description of work
  • Link or IP address / ranges

If your request is legitimate we will add your service or crawler to the whitelist.

Banjax Challenger Code

Here’s a link to the code served by Challenger. It should only take a second or two for your computer or smartphone to solve the challenge.

For more information about BotnetDBP, Banjax, early-stage filtering, and the challenging and banning of bots, see this page.

Baskerville

Baskerville is a complete pipeline implementing the theory behind BotnetDBP. It takes incoming web logs as input, either from a Kafka topic, from a locally saved raw log file, or from log files stored in an Elasticsearch instance. It processes these logs in batches, forming request sets by grouping them by requested host and requesting IP. It then extracts features for each request set and predicts whether it is malicious or benign using a model that was trained offline on previously observed and labelled data. Baskerville additionally cross-references each IP with MISP to determine whether it is already known to be malicious. Finally, it saves all the data and results to a Postgres database, and it publishes metrics on its processing (number of logs processed, percentage predicted malicious, percentage predicted benign, processing speed, and so on) that can be consumed by Prometheus and visualised in a Grafana dashboard.
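
To make the batch step concrete, here is an added Python example of the grouping, feature extraction, prediction and cross-referencing stages described above. It is not Baskerville's own code: the log lines, the log format and regex, the feature set, the hand-set scoring rule that stands in for the offline-trained model, and the small set that stands in for a MISP lookup are all constructed for this illustration.

```python
"""Batch processing in the style of the Baskerville pipeline described above.

Added example, not Baskerville's own code. Log lines, feature set, the scoring
rule standing in for the offline-trained model and the set standing in for the
MISP cross-reference are all constructed for illustration.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log lines (host, client IP, timestamp, request line, status).
# 203.0.113.7 browses like a person; 198.51.100.2 hammers a login page at
# machine speed; 192.0.2.9 looks harmless but is on the "known bad" list.
RAW_LOGS = """\
example.org 203.0.113.7 [01/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200
example.org 203.0.113.7 [01/Jan/2021:10:00:04 +0000] "GET /about HTTP/1.1" 200
example.org 203.0.113.7 [01/Jan/2021:10:00:31 +0000] "GET /news/1 HTTP/1.1" 200
example.org 198.51.100.2 [01/Jan/2021:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 403
example.org 198.51.100.2 [01/Jan/2021:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 403
example.org 198.51.100.2 [01/Jan/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403
example.org 198.51.100.2 [01/Jan/2021:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 403
example.org 198.51.100.2 [01/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403
example.org 198.51.100.2 [01/Jan/2021:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 403
other.example 192.0.2.9 [01/Jan/2021:10:00:00 +0000] "GET / HTTP/1.1" 200
other.example 192.0.2.9 [01/Jan/2021:10:00:00 +0000] "GET /a HTTP/1.1" 404
other.example 192.0.2.9 [01/Jan/2021:10:00:00 +0000] "GET /b HTTP/1.1" 404
"""

LOG_RE = re.compile(r'^(?P<host>\S+) (?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')

KNOWN_BAD = {"192.0.2.9"}   # constructed stand-in for the MISP cross-reference


def parse_logs(raw):
    records = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue            # malformed line: skip it rather than fail the batch
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
        d["status"] = int(d["status"])
        records.append(d)
    return records


def build_request_sets(records):
    """Group by (requested host, requesting IP); each group is one request set."""
    sets = defaultdict(list)
    for r in records:
        sets[(r["host"], r["ip"])].append(r)
    return sets


def extract_features(reqs):
    reqs = sorted(reqs, key=lambda r: r["ts"])
    gaps = [b["ts"] - a["ts"] for a, b in zip(reqs, reqs[1:])]
    return {
        "request_count": len(reqs),
        "unique_path_ratio": len({r["path"] for r in reqs}) / len(reqs),
        "mean_interval": statistics.mean(gaps) if gaps else 0.0,
        "error_rate": sum(r["status"] >= 400 for r in reqs) / len(reqs),
        "post_ratio": sum(r["method"] == "POST" for r in reqs) / len(reqs),
    }


def predict(features):
    """Hand-set score standing in for the offline-trained model (constructed)."""
    score = 0.0
    if features["request_count"] >= 5 and features["mean_interval"] < 1.0:
        score += 0.5                       # sustained machine-speed requests
    score += 0.3 * features["error_rate"]  # mostly rejected requests
    score += 0.2 * features["post_ratio"] * (1 - features["unique_path_ratio"])
    return "malicious" if score >= 0.5 else "benign"


def process_batch(raw):
    """One batch: parse, group, featurise, predict, cross-reference, report metrics."""
    records = parse_logs(raw)
    results = []
    for (host, ip), reqs in build_request_sets(records).items():
        feats = extract_features(reqs)
        results.append({"host": host, "ip": ip, "features": feats,
                        "prediction": predict(feats), "in_misp": ip in KNOWN_BAD})
    n = len(results)
    mal = sum(r["prediction"] == "malicious" for r in results)
    metrics = {"logs_processed": len(records), "request_sets": n,
               "pct_malicious": 100.0 * mal / n if n else 0.0,
               "pct_benign": 100.0 * (n - mal) / n if n else 0.0}
    return results, metrics
```

Note that the MISP result is reported alongside the prediction rather than folded into it: 192.0.2.9 scores benign on behaviour alone but is flagged by the cross-reference, which is exactly the case where the two sources of evidence complement each other. The metrics dictionary corresponds to what the pipeline exposes for Prometheus; a real deployment would also record processing speed.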

As well as an engine that consumes and processes web logs, a set of offline analysis tools has been developed for use in conjunction with Baskerville. These tools may be accessed directly, or via two Jupyter notebooks, which walk the user through the machine learning tools and the investigation tools, respectively. The machine learning notebook comprises tools for training, evaluating, and updating the model used in the Baskerville engine. The investigations notebook comprises tools for processing, analysing, and visualising past attacks, for reporting purposes.

A brief overview of the current state of the Baskerville project is here, and the full in-depth documentation is available here.

Baskerville Schematic