WordPress Trivia, Part 2

Oh, crap, I did it again.

WordPress core will send headers that prevent caching by browsers and RFC-compliant reverse proxies (like Ledge) when a user is logged in, or an error (such as 404) is returned. These headers are defined in wp-includes/functions.php:

Nothing crazy. But what’s so special about January 11, 1984? Beats me, I wasn’t alive then. But we have the Internet (and copious amounts of free time while I’m stuck on a graveyard rotation)!
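As an added illustration (not WordPress's own code) of what those headers mean to a cache: the function below applies the RFC 7234 rules a compliant reverse proxy uses to decide whether a response may be stored, and runs them over two constructed responses, one modelled on the no-cache set described above (with its 11 Jan 1984 Expires date) and one plain public page view.

```python
# Added example, not WordPress's own code: decide whether an RFC 7234 shared
# cache (a reverse proxy) may store and reuse a response, run on constructed
# responses modelled on the no-cache header set the post describes.
from email.utils import parsedate_to_datetime
# Constructed: what a logged-in WordPress page view sends to the proxy.
LOGGED_IN_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 01 May 2014 12:00:00 GMT
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
"""

# Constructed: an anonymous page view that only sets a public TTL.
ANON_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 01 May 2014 12:00:00 GMT
Cache-Control: public, max-age=300
"""

def parse_headers(raw):
    """Map lowercased header names to values; the status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def cache_control_directives(value):
    """Turn 'no-cache, max-age=0' into {'no-cache': None, 'max-age': '0'}."""
    out = {}
    for token in value.split(","):
        key, _, val = token.strip().lower().partition("=")
        if key:
            out[key] = val.strip().strip('"') or None
    return out

def proxy_may_cache(raw):
    """Return (storable, reason): may a shared cache reuse this response?"""
    h = parse_headers(raw)
    cc = cache_control_directives(h.get("cache-control", ""))
    for directive in ("no-store", "private", "no-cache"):
        if directive in cc:  # each forbids serving from cache without revalidation
            return False, "Cache-Control: " + directive
    if cc.get("max-age") == "0" or cc.get("s-maxage") == "0":
        return False, "zero freshness lifetime"
    if "expires" in h and "max-age" not in cc and "s-maxage" not in cc:
        try:  # an Expires no later than Date is already stale: the 1984 trick
            stale = parsedate_to_datetime(h["expires"]) <= parsedate_to_datetime(h["date"])
        except (KeyError, TypeError, ValueError):
            stale = True  # RFC 7234 treats an unparseable Expires as already expired
        if stale:
            return False, "Expires is not in the future"
    return True, "cacheable"
```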


Bypassing CloudFlare’s Layer 7 DDoS Protection

Volumetric layer 7 (HTTP) DDoS typically overwhelms the target by inundating it with a large number of (pseudo-)legitimate HTTP requests, the end goal being resource starvation (typically CPU cycles or available bandwidth, e.g. NIC saturation). Because layer 7 attacks require a full three-way handshake, spoofing source information is impossible (though using a proxy is a viable alternative; remember the XMLRPC issues earlier this year?); as such, the ability to control a large number of attacking machines becomes critical as the size of the target increases. Of course, other forms of HTTP DoS exist outside of volumetric resource starvation (such as Slowloris), but I wanted to take a look at common methods of defending against resource starvation attacks via HTTP (and of circumventing those defenses). This will also serve to demonstrate the weakness of deploying WAFs that rely exclusively on signature-based matching.
