I noticed today that upon my initial visit to the Namecheap.com home page I was prompted with the message:
"We're just verifying you are a real human and not a bot. After a couple of seconds, our site will automatically load and the rest of your visit will be nice and fast. We apologize for the inconvenience."
Further inspection reveals some obfuscated JavaScript along with a base64 encoded .png image.
Anyone familiar with the method being used here and its level of effectiveness?
The obfuscated JavaScript seems to solve a challenge-response riddle that is then submitted back (to Cloudflare) and confirmed to be correct on Cloudflare's proxy servers. The obfuscation is probably there to prevent simple DDoS attack tools from just parsing out the response.
I built something similar to that for a client. When doing DDoS prevention you have to detect malicious clients. In a simple setup you only have the very first request and you have to decide whether to allow or deny it. So all you have are request headers and various metadata (for example GeoIP, etc). It's hard to do that.
What Cloudflare does is to first serve the page you saw if the browser doesn't provide a cookie that Cloudflare sets (delete all cookies and the Cloudflare site appears again). Once a legitimate browser sends the response to the challenge, Cloudflare can set a cookie and then reload the site. During that second request a legitimate browser now sends Cloudflare's cookie. This can be used as a powerful signal when deciding whether or not a request is forwarded to the backend server.
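The cookie flow described in the comment above, sketched server-side as an added example; it is not part of the thread and not Cloudflare's implementation. The function names, the `SECRET` and `TTL` values, the sum `a + b` standing in for the obfuscated JavaScript riddle, and binding the cookie to the client IP are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)  # signing key (assumption: one per deployment)
TTL = 1800                        # clearance cookie lifetime in seconds (assumption)

def _mac(*parts):
    msg = "|".join(str(p) for p in parts).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def _same(tag, expected):
    # Constant-time compare on bytes, so a non-ASCII tag cannot raise TypeError.
    return hmac.compare_digest(str(tag).encode("utf-8", "replace"), expected.encode())

def issue_challenge(client_ip, now=None):
    """Return (a, b, expiry, tag); the challenge page's script must send back a + b."""
    now = int(time.time()) if now is None else now
    a, b = secrets.randbelow(10**6), secrets.randbelow(10**6)
    expiry = now + 60  # short window in which the answer is accepted
    return a, b, expiry, _mac("chal", client_ip, a, b, expiry)

def check_answer(client_ip, a, b, expiry, tag, answer, now=None):
    """Return a signed clearance cookie if the challenge is ours, fresh and solved."""
    now = int(time.time()) if now is None else now
    if not _same(tag, _mac("chal", client_ip, a, b, expiry)):
        return None  # challenge was not issued by us for this client
    if now > expiry or answer != a + b:
        return None  # too late, or wrong answer
    cookie_expiry = now + TTL
    return f"{cookie_expiry}.{_mac('clear', client_ip, cookie_expiry)}"

def gate(client_ip, cookie, now=None):
    """Per-request decision: 'forward' to the backend or serve the 'challenge' page."""
    now = int(time.time()) if now is None else now
    try:
        expiry_s, tag = cookie.split(".", 1)
        expiry = int(expiry_s)
    except (AttributeError, ValueError):
        return "challenge"  # no cookie, or a malformed one
    valid = _same(tag, _mac("clear", client_ip, expiry))
    return "forward" if valid and now <= expiry else "challenge"
```

Because the cookie is an HMAC over the client address and an expiry, the proxy can validate it without keeping per-client state, and deleting the cookie sends the browser back to the challenge page, as the comment observes.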
Type that into the Goog: https://www.google.com/search?q="spinner-2013.gif"&oq="spinn...
Might be a good start.
The GIF itself is almost certainly not malicious. There are probably two things happening here. Firstly, the hosting domain of the GIF scanned could be known to be malicious. And secondly and more generally, Cloudflare is heavily used by the criminal scene, so to play it safe a number of scanners may flag any Cloudflare element as malicious.