HTTraP

This scripting and programming project started about seven years ago when we started thinking about web defense. The concept grew much larger because we came to realize that all services offered over the internet - DNS, FTP, SSH - are, by their nature, on the defensive. The service sits there running with a port open, and attackers can simply apply scripted attacks, or (rarely these days) manual techniques, to try to penetrate the host system.

The idea behind HTTraP was similar to a honeypot in that it tried to analyze the activity, but only for a couple of tries before it stored the activity in a database and then blocked the IP. The idea was a web presence that would give the user strict usage rules; once 404 or 50x errors are thrown, the IP address, geo-location, error number, and reason (the injected URL) would be stored and analyzed, and the user/IP address would be blocked after a couple of offenses. There is no reason for any random visitor to a website to type in “?wp-login.php” unless it is a related party, and even in that event, that login page would be bookmarked. That particular example would be blocked immediately.

After storing this activity, which happens quite a bit in even a single day, and analyzing common attempts, one can create a set of rules for the most common attempts and immediately block the perpetrator. While reading this, the more intuitive reader is probably thinking about how to DDoS such a site or circumvent the blocking, or forming an argument that this would reduce server performance.
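As an added illustration of the store-then-block loop described above (not HTTraP's own code, which is private), the Python below replays a few constructed Apache/NGINX combined-format log lines, stores each 404/50x offense per IP, blocks an IP after a couple of offenses, and blocks immediately on a rule such as the post's wp-login.php example. The log format, the two-offense limit and the sample addresses are assumptions; geo-location lookup and the database layer are left out.

```python
import re
from collections import defaultdict

# Apache/NGINX combined log format prefix; the trailing fields are not needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
# Paths no ordinary visitor types in: blocked on first sight (the post's wp-login.php example).
IMMEDIATE_RULES = [re.compile(r"wp-login\.php", re.I)]
OFFENSE_LIMIT = 2  # "a couple of offenses" of 404/50x before the IP is blocked

# Constructed sample lines (RFC 5737 documentation addresses); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2020:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Mar/2020:10:00:02 +0000] "GET /about HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Mar/2020:10:00:03 +0000] "GET /probe-1 HTTP/1.1" 404 0 "-" "curl/7.68"',
    '198.51.100.7 - - [10/Mar/2020:10:00:04 +0000] "GET /probe-2 HTTP/1.1" 404 0 "-" "curl/7.68"',
    '198.51.100.7 - - [10/Mar/2020:10:00:05 +0000] "GET /probe-3 HTTP/1.1" 404 0 "-" "curl/7.68"',
    '192.0.2.9 - - [10/Mar/2020:10:00:06 +0000] "GET /?wp-login.php HTTP/1.1" 404 0 "-" "python-requests/2.22"',
    '203.0.113.5 - - [10/Mar/2020:10:00:07 +0000] "GET /old-page HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (ip, path, status) for a parsable line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))

def analyze(lines, offense_limit=OFFENSE_LIMIT):
    """Replay log lines in order. Returns (offenses, blocked): offenses maps ip ->
    stored (status, path, reason) records; blocked maps ip -> why it was blocked."""
    offenses = defaultdict(list)
    blocked = {}
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        if ip in blocked:
            continue  # already blocked at the firewall; nothing further to record
        if any(rule.search(path) for rule in IMMEDIATE_RULES):
            offenses[ip].append((status, path, "rule"))
            blocked[ip] = "rule"
        elif status == 404 or 500 <= status <= 599:
            offenses[ip].append((status, path, "error"))
            if len(offenses[ip]) >= offense_limit:
                blocked[ip] = "threshold"
    return offenses, blocked
```

In a deployment the `blocked` map would feed a firewall or web-server deny list, and `offenses` would be the table one mines for new immediate-block rules.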

After refining the rules through database analysis, the latter point was actually tested on Apache, which has middling performance; the tool turned out to be an advantage and a tactical asset when loads became heavy. On NGINX and Lighttpd, the performance gains are immediate once the rules are established. The reason is simple: the back end is automatically blocking the indiscriminate scanning traffic, while the web server is actually serving up pages to legitimate visitors to the site.

For the first two points - DDoS and control circumvention - we need to point out that these sit at a different stage of the kill chain. Most scripted website scanning and injection attempts are at the reconnaissance level, where an attacker is looking for a target in general, or is just trying to find out more about a particular site. At that point it is important to raise the bar and be hardened. As for DDoS: if a web server is going to get attacked anyway, a simple script running in the background is not going to bring the whole thing down, especially if the attacker does not know it is running in the first place. HTTraP is a hardening solution and an active defense system - it learns and blocks according to behavior.

The incarnation of HTTraP currently in development is a larger project that ties in adaptive technology and seeks to be deployed across a wider spectrum of services in order to produce broader, more accurate blocking. The HTTraP GitHub project page is currently private but will open to the public some time in the second quarter of 2020. Stay tuned! In the meantime, if you would like to talk to us about hardening your infrastructure, please contact us.