Web Challenges Procedure for DDoS Mitigation

Learn the steps for identifying and mitigating Distributed Denial of Service (DDoS) attacks with a focus on web challenges in this procedural guide.

Written by I. Solomon

Updated at February 19th, 2025


Table of Contents

  • Procedure
  • Conclusion

Web challenges (web-based verification methods) distinguish human users in real browsers from automated clients. They are particularly effective against layer 7 DDoS attacks, which flood an application with large numbers of HTTP requests. The common types of web challenges are:

  • JavaScript: The server returns a small script that the client must execute before the original request is served. Scripted flood tools and simple bots that do not run JavaScript fail the check; headless browsers that do execute JavaScript can pass it, so this challenge raises the cost of an attack rather than ruling out automation entirely.
  • CAPTCHA: Requires the user to solve a visual puzzle or identify elements, designed to be easy for humans and hard for bots. It is the strongest of the three but also the most intrusive: it degrades user experience and produces more false positives, because some legitimate users fail or abandon the puzzle.
  • Cookie Validation: After a client passes a challenge, the server sets a cookie (typically signed and time-limited) and admits subsequent requests only if that cookie validates. This confirms the session's integrity, avoids re-challenging the same session on every request, and rejects clients that discard or forge cookies.

Red Button Best Practice:

  • Apply web challenges at every endpoint that can be configured to support them, layering more than one method where possible (for example a JavaScript challenge backed by cookie validation, with CAPTCHA as an escalation), and verify that no legitimate traffic is inadvertently blocked.
  • Considerations:
    • Apply web challenges to publicly exposed endpoints, where unauthenticated flood traffic arrives, to reduce the DDoS attack surface.
    • Do not place challenges on endpoints that expect legitimate non-browser clients, such as APIs; those clients cannot execute JavaScript or solve a CAPTCHA, so every request would be a false positive.
    • Use CAPTCHA sparingly because of its impact on user experience, particularly for groups such as the elderly and users with accessibility needs.

Rate-based vs. Permanent Web Challenges:

  • Leading WAF vendors offer rate-based challenges that are triggered only when the request rate from a source exceeds a configured threshold. Against the typical high-volume flood this is adequate protection, and it leaves normal-rate users unchallenged.
  • Permanent (always-on) challenges may be necessary for 'under the radar' attacks, in which each of a large number of sources sends requests at a rate too low to cross any per-source threshold, so that only the aggregate volume is abnormal.

Procedure

1. Risk Assessment:

  • Perform a comprehensive evaluation to identify vulnerabilities and likely DDoS attack vectors. Map every endpoint and assess risk before and after user login separately, since pre-login endpoints are reachable by any attacker while post-login endpoints are already behind authentication.

2. Web Challenges Lab:

  • Red Button maps all relevant endpoints and determines, by testing, which of them can support each type of web challenge without breaking legitimate functionality.

3. Select Web Challenge Methods:

  • Choose methods based on security needs and user experience.

4. Permanent vs. Rate-based Decision:

  • Decide per endpoint whether a permanent or a rate-based challenge is required. For rate-based challenges, use vendor features that activate the challenge when traffic from a source exceeds a configured threshold, so that protection scales with traffic patterns while normal-rate users pass unchallenged.

5. API Traffic Handling:

  • Bypass challenges for known legitimate bot traffic at API endpoints to maintain service functionality.

6. Set Challenge Parameters:

  • Define how often a client is challenged (how long a passed challenge remains valid before it must be repeated) and what constitutes successful verification, for example a valid challenge cookie presented on subsequent requests.

7. Whitelist Trusted Sources:

  • Exempt trusted IPs (partners, monitoring, and your own testing sources) and known crawlers from challenges so they are not blocked. Verify crawlers by reverse DNS or the operator's published IP ranges rather than by User-Agent alone, since the User-Agent header is trivially spoofed and attackers routinely imitate search-engine bots.

8. Monitoring and Analysis:

  • Monitor performance and impact, analyzing logs to tweak settings for better protection and user experience.

9. Testing and Optimization:

  • Rigorously test to confirm that challenges effectively counter DDoS while allowing legitimate traffic. Optimize settings to balance security with usability.

 

Conclusion

Implementing web challenges as part of your DDoS mitigation strategy requires careful planning, ongoing monitoring, and regular adjustments based on real-world performance and user feedback. This procedure helps maintain robust security without compromising user experience.

