Table of Contents

1 Overview

2 IUAM: Simple but effective

3 War declarer Win32/DoS.OutFlare.A

4 CloudFlare’s answer

5 Conclusion

1 Overview

As you may know, DDoS (Distributed Denial of Service) attacks make computer or network systems become overloaded, consequently unable to continue providing services or even stop operating. The server is then overburdened with a huge number of connect requests, resulting in users’ failure to access services on websites being under DDoS attacks.

Of course, there are lots of products and services which aim to help network administrators struggle against this kind of attack. CloudFlare is one of them:

“CloudFlare protects and optimizes online websites. If your website belongs to CloudFlare network, all connections to it will be optimized to help users easily surf your site and experience the apps there. Besides, CloudFlare blocks threats, illegal connections to economize on bandwidth and resource.”

Our main character today is Win32/DoS.OutFlare.A, a malware that can successfully bypass anti-DDoS mechanism of CloudFlare.

Before studying this malware’s operation, let’s look over CloudFlare’s anti-DDoS mechanism.

2 IUAM: Simple but effective

CloudFlare’s anti-DDoS mechanism, which is named “I’m Under Attack Mode” (IUAM), is quite simple. When a web server receives the first connecting request from a client, instead of instantly responding with the requested content as usual, it returns the client a challenge page. This page requires the browser on client’s machine to do a small calculation written in JavaScript then send the result back to the server. If the calculation is accurate, web server will return the requested content together with a cookie (cf_clearance) to make sure that future connections from that client will not be checked with challenge page again.


Challenge page

A simple but surprisingly effective mechanism for struggling against attacks on network’s Application layer. Connect requests that are not launched from browsers cannot run JavaScript to do the calculations.


The JavaScript set requires client’s browser to do a simple calculation


The cookie string cf_clearance confirms the client’s using of browser

3 War declarer Win32/DoS.OutFlare.A

Win32/DoS.OutFlare.A operates just like other malwares: automatically enables startup together with Windows, connects to IRC server (domained through tcp/9835 port and accesses #main channel. The malware then lies there, waiting for commands to perform popular DoS behaviors. We can see in the command list a strange string “cf” (whether this strange string has any links with CloudFlare?)


Tracking of this string leads us to a special code to bypass IUAM anti-DDoS mechanism of CloudFlare.

First, the malware sends HTTP GET package to connect to the website. When the challenge page with JavaScript string is sent back, it analyzes the page’s HTML content to find the expression.


The code for finding and doing the calculation

Upon finding out the expression, a function will be called to analyze its syntax and do the calculation.

Next, the malware sends the result package to server.

If successful, web server will return the requested content and the confirming cookie set, which will be saved by the malware.

So, naturally, the malware’s bypass mechanism is as “simple but effective” as the way CloudFlare works out IUAM to struggle against DDoS attacks.

4 CloudFlare’s answer

Win32/DoS.OutFlare.A was first discovered on February 8, 2013. After only 5 days, CloudFlare succeeded in patching the vulnerability and its CEO blogged a writing about the issue and the enhancements.

How CloudFlare respond so quickly?

Basically, CloudFlare does not change its anti-DDoS mechanism which requires client’s browser to do a JavaScript calculation. The change is a new value added to the returned result, which is determined via some functions calculating the length of the JavaScript. Working out this value requires the real running of JavaScript and it’s difficult to analyze the syntax for the calculation.



CloudFlare adds a new calculation string

5 Conclusion

It’s has always been a tense race. During this race, new and strange techniques are continually added. Sometimes a simple technique shows amazing performance, just like the way CloudFlare has done. And we, the users, can benefit more from the systems that are getting more and more upgraded and secured.

Pham Cong Hieu

Malware Researcher

Leave a Reply

Name (required)
Mail (hidden) (required)
Text to Identify

Popup Date Time Portlet

Blogs Aggregator

Recent Posts

Blog Category Portlet


Store Portlet


Vote Baby Portlet