OR: Why Your GeoIP-Restrictions Might Soon Become Obsolete
TL;DR: The use of proxy services for DDoS attacks is an effective and cost-efficient tool for sophisticated attackers to circumvent classical rate-based detection/mitigation or GeoIP restrictions.
This is especially true for attacks targeting API endpoints, where the enormous potential for attackers becomes evident.
Intro
Occasionally, we have the pleasure of applying not only our standard testing methods but also more sophisticated DDoS techniques/TTPs associated with the professional sphere, essentially supervised DDoS red teaming.
In this instance, we utilized paid proxy services to test the extent to which various DDoS protection mechanisms could be bypassed to deliver the payload.
And lo and behold… Jackpot.
Approach
We reported on proxies as a valid TTP for advanced attackers last year [1], as it has been observed in the wild (ITW), and wanted to evaluate firsthand the effort and costs involved in using proxies.
There are many free proxy lists available, which we have used in the past, but they are cumbersome to use and not always reliable. This time, as we needed to select geo-regions for the proxy requests, we opted for a paid proxy service of which there are plenty. The following features were crucial for our selection:
- Residential and mobile proxies, selectable by region, with options for rotating or fixed IPs.
- Datacenter proxies with a large IP pool, also with static and rotating IPs.
The pricing structure among major providers is similar: Residential proxies cost approximately $5/GB, datacenter proxies around $1/GB, and mobile proxies $10/GB (YMMV).
We chose a provider with comprehensive documentation of all features, making integration into our Layer-7 generators seamless.
For attacks involving more than 1,000 bots, we routed only parts of the requests through the proxy services (30-50%), allowing each bot to autonomously decide whether to route the next request through the proxy farm. We also slightly throttled proxy requests with a delay.
In our analysis, we observed that the high-volume speakers (unthrottled IoT bots) were reliably detected and blocked, whereas proxy requests went through almost 100% of the time.
Results
Multiple detection and mitigation mechanisms were bypassed and countered, allowing the attack to remain effective for an extended period.
Using Proxies (residential, mobile, & datacenter), we were able to:
- Triple the number of visible IPs participating in the attack from 10,000 to 30,000, significantly complicating the defense’s efforts to repel the attack, as rate-based detection was completely circumvented.
- Conduct a low-and-slow attack on an “expensive” API, which bypassed all defenses and required manual mitigation. Every mitigation attempt was countered with fresh new proxy IPs. Public APIs proved especially challenging to defend because CAPTCHA solutions or behavioral detection methods are ineffective, and rate-based detection is blind when every request comes from a new IP.
- Achieve the same results for browser-based attacks in combination with residential or mobile proxies.
- Completely bypass GeoIP restrictions.
- Completely bypass detection methods based on AS/CIDR.
- As a side effect, disturb mobile users by forcing the target to actually block IPs, which also blocked other users because of CGNAT [6].
The cost for nearly 10 hours of testing was under $100, far below expectations. If you only go for datacenter proxies, it’s even less than $50.
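To make the detection gap concrete from the defender’s side, here is an added example (not code from the original post or from any proxy provider) that runs two checks over a constructed access log: a classic per-IP rate limit, which stays silent when each proxy exit IP sends only one request, and an endpoint-level check that looks at request count and the spread of source IPs per window on an endpoint the operator has marked as expensive. The log lines, the TEST-NET addresses, the endpoint names and all thresholds are assumptions chosen for illustration; the point is that the per-endpoint view fires on the low-and-slow pattern without any per-IP block, which also sidesteps the CGNAT collateral-damage problem mentioned above.

```python
from collections import defaultdict
from datetime import datetime


def build_sample_log():
    """Constructed access-log lines (not from the original post).

    Format per line: <ISO-8601 timestamp> <client IP> <method> <path>
    Minute 10:00 - normal traffic: three regular clients, 5 requests each.
    Minute 10:05 - low-and-slow pattern against an "expensive" endpoint:
                   40 distinct (constructed TEST-NET) IPs, one request each.
    """
    lines = []
    for i in range(15):
        ip = f"192.0.2.{1 + i % 3}"
        lines.append(f"2024-11-05T10:00:{i * 2:02d}Z {ip} GET /api/search")
    for i in range(40):
        ip = f"203.0.113.{i + 1}"  # stands in for a rotating proxy exit IP
        lines.append(f"2024-11-05T10:05:{i:02d}Z {ip} GET /api/report")
    return lines


def parse_line(line):
    """Split one log line into (timestamp, client IP, path)."""
    ts, ip, _method, path = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, path


def per_ip_offenders(records, window_s=60, max_requests=10):
    """Classic per-source rate limit: IPs exceeding max_requests in any window.

    This is the check that a proxy-distributed attack defeats, and lowering
    max_requests hits regular (and CGNAT-shared) clients before the attacker.
    """
    buckets = defaultdict(int)
    for ts, ip, _path in records:
        buckets[(ip, int(ts.timestamp()) // window_s)] += 1
    return sorted({ip for (ip, _w), n in buckets.items() if n > max_requests})


def endpoint_windows(records, window_s=60):
    """Per (path, window start): total requests and number of distinct IPs."""
    counts = defaultdict(int)
    ips = defaultdict(set)
    for ts, ip, path in records:
        key = (path, int(ts.timestamp()) // window_s * window_s)
        counts[key] += 1
        ips[key].add(ip)
    return {k: (counts[k], len(ips[k])) for k in counts}


def flag_low_and_slow(records, expensive_paths, window_s=60,
                      min_requests=20, max_mean_per_ip=2.0):
    """Flag windows where an expensive endpoint gets many requests spread so
    thinly over source IPs that no per-IP limit could ever fire."""
    alerts = []
    profile = endpoint_windows(records, window_s)
    for (path, start), (n_req, n_ips) in sorted(profile.items()):
        if (path in expensive_paths and n_req >= min_requests
                and n_req / n_ips <= max_mean_per_ip):
            alerts.append({"path": path, "window_start": start,
                           "requests": n_req, "distinct_ips": n_ips})
    return alerts


if __name__ == "__main__":
    records = [parse_line(line) for line in build_sample_log()]
    print("per-IP offenders (limit 10/min):", per_ip_offenders(records))
    print("per-IP offenders (limit 4/min): ", per_ip_offenders(records, max_requests=4))
    for alert in flag_low_and_slow(records, {"/api/report"}):
        print("endpoint alert:", alert)
```

With the sample data the per-IP limiter reports nothing at 10 requests/minute and, tightened to 4, reports only the three regular clients; the endpoint-level check reports a single window on /api/report with 40 requests from 40 distinct IPs. A real deployment would feed the alert into a cost-based response on that endpoint (caching, queueing, stricter validation) rather than into IP blocks.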
Threat Level and Threat Actors
Currently, we do not expect paid proxies to be used anytime soon by most botnet/booter-service based attacks; however, it cannot be neglected that in Cloudflare’s Q3 DDoS Report [5] for the 3rd quarter of 2024, over 50% of the attacks were carried out by extortionists and competitors (most probably with the help of professional DDoS actors via DDoS-for-hire services). These two actor groups are quite capable of using proxy technology.
It always depends on the individual threat level whether these types of attacks are to be expected.
Source: Cloudflare’s Q3 DDoS report / Threat Actors
Footnote: Proxy farms as a tool for various cybercrime groups are nothing new and have long been used [2] for credential-stuffing/password spraying attacks [3] or activity obfuscation. In the DDoS domain, attacks using free proxies are integrated into several frameworks [4]. This analysis aimed to evaluate the possibilities and costs of using paid services and assess the damage potential of such services.
Measurements
Our botnet consisted of 10,000 IoT bots, half of which were capable of launching browser-based attacks. Additionally, the IoT bots were equipped with cookie stores and could follow simple redirects.
By routing 50% of our requests through the proxy network, we gained nearly 20,000 additional IPs, though we did not fully utilize the provider’s potential. With additional proxy services, this number could easily be doubled or tripled. For under $500 per day, it would be feasible to simulate a 100k-botnet.
We found a good distribution amongst various ISPs and cities, and the sticky or rotation feature for IPs also worked fine.
A few measurements using 100 bots with a 10-second delay (approximately 10 requests per second in total), with 100% of requests routed through the proxy farm:
- Residential: ~300 IPs (x 3)
- Mobile: ~400 IPs (x 4)
- Datacenter: ~500 IPs (x 5)
Residential Proxies, by ISP (Count, DE Only)
Residential Proxies, by City (DE Only)
Residential Proxies, by ISP (Treemap, DE Only)
Residential Proxies, Requests per IP (DE Only)
Mobile Proxies, by ISP (DE Only)
Mobile Proxies, CGNat at work (DE Only)
Mobile Proxies, by Cities (DE Only)
References
[1] Bypassing Geofencing in Modern DDoS Attacks
[2] Akamai State of the Internet Report 2019
[3] BeyondTrust on Password Spray Attacks
[4] A Collection of DDoS Frameworks
[5] Cloudflare’s Q3/2024 DDoS Report
[6] DDoS – Disrupting Mobile Users via CGNat