[kemonoparty] DDoS Guard bypass

[ghost]

Just a few notes I have from some testing/reverse engineering, hopefully this helps gallery-dl work a bit better with Kemono.

• __ddg2 appears to be the only cookie that matters. DDoS-Guard will set __ddg1 in the response if it was absent from the request, but will not trigger the check screen if it isn't there.
• __ddg2 cookie can be retrieved from this endpoint; https://check.ddos-guard.net/check.js. An example in Python is shown below;

  
  import requests

def get_ddg_cookies(url): r = requests.get('https://check.ddos-guard.net/check.js', headers = { 'referer': url }) r.raise_for_status() return r.cookies.get_dict()['__ddg2']

k = requests.get('https://kemono.party', cookies = { '__ddg2': get_ddg_cookies('https://kemono.party') }) k.raise_for_status()

- But apparently, `__ddg2` can be set to any random value without any issues? I've tried this, and any text works consistently to get past the check screen with no issues, as long as the cookie is there.
``` python
import requests

requests.get('https://kemono.party', cookies = { '__ddg2': 'mionaganoharaisbestgirl' }).raise_for_status()
print('werks')
requests.get('https://kemono.party').raise_for_status() # ddos-guard will complain

[mikf]

Setting __ddg2 to a random value seems to work, at least for me, so that's what gallery-dl is doing now when that cookie isn't set: https://github.com/mikf/gallery-dl/blob/1f02878351731c207b51a17dc528ef0a47d726bc/gallery_dl/extractor/common.py#L342-L345

Say, is this service reliable enough to actually block real DDoS attacks when its check can be tricked that easily, at least by single, individual users?

[ghost]

Say, is this service reliable enough to actually block real DDoS attacks when its check can be tricked that easily, at least by single, individual users?

Should be. The actual DDoS detection happens on a different layer than the browser check, and has stopped major attacks on the site before. As to why the browser check exists at all then... ¯\_(ツ)_/¯