Today's commercial DDoS mitigation technologies employ many different techniques for identifying DDoS traffic and blocking these threats. Common techniques range from basic malformed-traffic checks, to traffic profiling and rate limiting, to traffic source verification and so on, with captive redirection utilizing JavaScript- or CAPTCHA-based authentication being the most effective by far. However, in our research weaknesses were found in each and every such technique.
We rolled all our exploits into a PoC attack tool, giving it near-perfect DDoS mitigation bypass capability against all existing commercial DDoS mitigation solutions. The ramification is huge because, for the vast majority of web sites, these mitigation solutions stand as their last line of defense; having this last line breached can expose these web sites' backends to devastating damage.
We have extensively surveyed the entire range of DDoS mitigation technologies available on the market today, uncovering the countermeasure techniques they employ, how they work, and how to defeat each of them. Essentially, bypass is achieved by emulating the characteristics of legitimate traffic. Afterwards, our attack tool is introduced to demonstrate how all these exploits can be brought together to execute a "combo attack" that bypasses all layers of protection in order to gain access to the backend.
To coincide with the publication of this talk, our highly effective attack tool will be made freely available. The effectiveness of this tool is illustrated via testing results against specific DDoS mitigation products and popular web sites known to be protected by specific technologies. To conclude our research, a next-gen mitigation technique is also proposed as a countermeasure against our attack methodology.