Deflect Labs

From Deflect Public wiki
Jump to: navigation, search

Deflect Labs is Deflect's project that leverages and enriches the large amount of data available to the Deflect DDoS mitigation system to:

  • provide sophisticated intelligence about the nature of DDoS attacks;
  • profile attacks and create a taxonomy of attacks;
  • inform efforts to mitigate, prevent and discuss attacks;
  • develop visualization tools for data analytics to profile botnet activity history, DDoS attack metrics and forensics.


Deflect Labs publishes regular reports on the most interesting cases we observe:

Deflect Labs' goal is to raise the costs for launching DDoS attacks by keeping the Internet Freedom community informed about new and incoming cyber-threats and by exposing adversary methods and identities, thus discouraging future attacks.

Deflect provides an excellent resource to study the characteristics and nature of DDoS and other attacks on civil society websites. The network can be seen a honeypot of sorts for collecting attack data, since a large number of Deflect-protected sites are subject to frequent DDoS attack. The Deflect Labs project aims to use this information to strip away some of the impunity currently enjoyed by botnet operators and their benefactors, so as to raise the costs for launching attacks against our clients and civil society in general. While complete revelation of the identity of attackers is an impossible technical challenge for us to undertake, Deflect Labs allows for better attribution of attacks to specific hosts, botnets and causes. We believe this research may help attack victims or third parties form opinions about the provenance, or perhaps even the objectives, of attacks.

If your site is protected by Deflect and you would like to work with us on researching attacks you have experienced, please contact us via the support form in Deflect Dashboard.

Deflect Labs tests and defines the limits of attribution in the current and evolving landscape of DDoS attacks.

At the core, the Deflect network is capable of logging information about any and all aspects of the web traffic sent to origin web servers (this includes traffic over SSL). This means that (unless the client running a Deflected website requests us not to keep logs) for each visitor accessing the Deflect network it is possible to record or otherwise ascertain:

  • Site accessed
  • Browser user agent
  • Deflect server queried
  • Time of request
  • Response code to the request
  • Cache status of the request

The key elements of Deflect Labs are:

  • Deflect itself, by its nature a rich target for DDoS attacks.
  • BotnetDBP - a set of tools to actively and accurately differentiate between legitimate and malicious requests in order to further reduce the load on the Deflect network.
  • BotHound and Grey Memory - Bothound detects and classifies the attacks using the anomaly-detection and machine-learning tool Grey Memory.
  • Sniffles and Edgemanage provide an unfiltered view of inbound traffic, and give an unmistakable indicator of which site is targeted.
  • Opsdash - ElasticSearch cluster where the majority of collected data is stored and queried.

Deflect Labs Components---digraph.png

We use these tools to gather, store and analyze information for attack diagnostics and user-facing statistics, as well as to study series of attacks and historical behaviours. What we can observe when analyzing bots through Deflect Labs' components and open third-party resources includes:

  • The geographic location of the bot (GeoIP databases lookups): This information can be used to inform decisions as to whether the bot is part of a malware-based botnet or a voluntary botnet using tools such as LOIC or other packaged denial of service tools that are used in participatory DDoS attacks. Bots proximity will be noted and can be used to indicate whether a high number of attackers are clustered geographically.
  • Whether the visitor has used the site regularly: Hits on the aggregation system will be used to indicate whether the IP address has been seen before
  • How much traffic a particular user has incurred
  • Whether the user's profile has changed drastically since last visit: learn2ban profiles visitor activity and uses machine-learning techniques to determine whether a user is behaving in a malicious non-human manner.
  • Whether the user's profile matches that of a known bot type or bot cluster (Ban filter rules): Some malware toolkits use very obvious patterns of attack or identify themselves in an obvious manner. This information makes classification of attackers easy.
  • Whether the host has been seen as part of a botnet in the past