A team of researchers has developed a tool designed to find the origin IP addresses of websites protected by cloud security providers, and the results of their experiments show that the IPs of more than 70 percent of sites are exposed.
With distributed denial-of-service (DDoS) attacks becoming increasingly problematic, many website owners turn to cloud security providers such as CloudFlare, Incapsula and Prolexic to protect them against such threats. Cloud-based DDoS protection services rely on changing a domain’s DNS settings so that incoming traffic passes through the infrastructure of the service provider, which filters it and ensures that only legitimate traffic reaches the server.
For this method to be efficient, it’s important that the protected server’s real IP address remains hidden. If attackers can obtain the real IP, they can simply direct their DDoS attacks at the server and bypass the security provider’s systems.
DDoS protection bypass techniques have been known for years and many of them were detailed in a Black Hat USA presentation back in 2013 by security researcher Allison Nixon.
Researchers from the University of Leuven in Belgium and Stony Brook University in the United States have recently published a paper detailing a total of eight attack vectors that can be used to obtain the origin IP addresses.
Experts have pointed out that attackers might be able to find a website’s origin IP in databases that store historical data about the site, in DNS records, or in the code of the site’s web pages. It’s also possible that some of a website’s subdomains are configured to resolve directly to the origin.
While these methods have been known for quite some time, the researchers also claim to have identified four novel ways of obtaining the origin IP: temporary exposure of the IP while the protection service is paused for maintenance or server migrations, SSL certificates, sensitive files hosted on the server, and triggering outbound connections from the server.
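One of the exposure vectors above, subdomains that resolve directly to the origin, is something an administrator can audit from their own DNS zone. The following Python is an added example, not part of the article or of CloudPiercer: it takes a set of DNS answers and a list of the protection provider's announced network ranges and flags every record whose address lies outside those ranges, separating records that reveal the known origin address from other directly reachable hosts. The provider ranges, the domain, and all addresses are constructed placeholders (documentation and test networks); a real audit would substitute the provider's published list and the zone's actual records.

```python
import ipaddress

# Constructed placeholder ranges standing in for the edge network of a
# cloud DDoS-protection provider; real providers publish their own lists,
# and the audit is only as good as that list is current.
PROVIDER_RANGES = [ipaddress.ip_network(c) for c in ("198.51.100.0/24", "203.0.113.0/24")]

# Constructed sample DNS answers for a fictional protected domain. The apex
# and www records point at the provider; two service subdomains do not.
SAMPLE_RECORDS = {
    "example.test":      ["198.51.100.10", "198.51.100.11"],
    "www.example.test":  ["203.0.113.7"],
    "ftp.example.test":  ["192.0.2.44"],   # resolves straight to the origin host
    "mail.example.test": ["192.0.2.80"],   # a separate, legitimately direct host
}

# The origin address the administrator knows must never appear in public DNS
# (constructed value).
ORIGIN_IPS = {"192.0.2.44"}


def is_behind_provider(ip, ranges=PROVIDER_RANGES):
    """True if the address falls inside one of the provider's announced networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def find_exposed_records(records, ranges=PROVIDER_RANGES):
    """Map each name to the subset of its addresses that bypass the provider."""
    exposed = {}
    for name, ips in records.items():
        outside = [ip for ip in ips if not is_behind_provider(ip, ranges)]
        if outside:
            exposed[name] = outside
    return exposed


def classify_exposure(records, origin_ips, ranges=PROVIDER_RANGES):
    """Split bypassing records into those revealing the origin and other direct hosts.

    A record that reveals the origin defeats the protection outright; a record
    pointing at some other direct host (mail, for instance) is worth reviewing
    but is not itself an origin leak.
    """
    report = {"reveals_origin": [], "other_direct": []}
    for name, ips in find_exposed_records(records, ranges).items():
        if any(ip in origin_ips for ip in ips):
            report["reveals_origin"].append(name)
        else:
            report["other_direct"].append(name)
    return report


if __name__ == "__main__":
    for bucket, names in classify_exposure(SAMPLE_RECORDS, ORIGIN_IPS).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Run against the constructed data, the report lists `ftp.example.test` as revealing the origin and `mail.example.test` as a direct host that merely needs review. The same check belongs in whatever process changes the zone, so a new record pointing at the origin is caught before it is published rather than found later by a scanner.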
All of these attack vectors have been combined into CloudPiercer, an automated scanning tool that website administrators can use to check if their website’s real IP is exposed.
Researchers used the tool to scan a total of 17,877 websites protected by CloudFlare, Imperva’s Incapsula, DOSarrest, Akamai’s Prolexic, and Sucuri over a period of at least six months. To verify whether the origin IP obtained by the tool is actually the real IP of the targeted website, the experts used intelligent HTML comparison techniques to compare the web page returned by a request to the domain name with the page obtained via the IP.
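The verification step matters because an address found in old DNS data or a certificate may no longer host the site at all. As an added illustration, not the paper's or CloudPiercer's code, the Python below is a simplified stand-in for that HTML comparison: it reduces each page to its visible text so that scripts, nonces, markup and whitespace do not count, then scores the two texts with `difflib.SequenceMatcher`. The three sample pages are constructed, as is the 0.9 threshold; an administrator confirming their own exposure would feed it the page fetched through the protected domain and the page fetched directly from the candidate address.

```python
import re
from difflib import SequenceMatcher

# Constructed sample pages. PAGE_VIA_DOMAIN is what the protected domain
# serves; PAGE_VIA_IP is the same site fetched directly from a candidate
# address (different nonce, whitespace and request counter); DEFAULT_PAGE is
# what an unrelated host on that address might return instead.
PAGE_VIA_DOMAIN = """<html><head><title>Acme Widgets</title>
<script>var nonce = "a1b2c3";</script></head>
<body><h1>Welcome to Acme Widgets</h1>
<p>Industrial fasteners since 1950.</p>
<footer>Request id 0001</footer></body></html>"""

PAGE_VIA_IP = """<html>
  <head><title>Acme Widgets</title>
  <script>var nonce = "z9y8x7";</script></head>
  <body>
    <h1>Welcome   to Acme Widgets</h1>
    <p>Industrial fasteners since 1950.</p>
    <footer>Request id 0002</footer>
  </body>
</html>"""

DEFAULT_PAGE = """<html><head><title>Web server default page</title></head>
<body><h1>It works!</h1><p>This is the default welcome page used to test the
correct operation of the web server after installation.</p></body></html>"""


def visible_text(html):
    """Reduce a page to its visible text so scripts, nonces and layout do not count."""
    html = re.sub(r"<(script|style)\b.*?</\1>", " ", html, flags=re.S | re.I)
    html = re.sub(r"<!--.*?-->", " ", html, flags=re.S)
    html = re.sub(r"<[^>]+>", " ", html)
    return re.sub(r"\s+", " ", html).strip().lower()


def similarity(html_a, html_b):
    """Ratio in [0, 1] between the visible texts of two pages (1.0 = identical)."""
    return SequenceMatcher(None, visible_text(html_a), visible_text(html_b)).ratio()


def serves_same_site(html_via_domain, html_via_ip, threshold=0.9):
    """Decide whether the candidate address is serving the protected site."""
    return similarity(html_via_domain, html_via_ip) >= threshold


if __name__ == "__main__":
    print("same site via IP:", serves_same_site(PAGE_VIA_DOMAIN, PAGE_VIA_IP))
    print("default page via IP:", serves_same_site(PAGE_VIA_DOMAIN, DEFAULT_PAGE))
```

Comparing visible text rather than raw HTML is what keeps per-request nonces and reformatting from producing false negatives; the trade-off is that two unrelated sites built from the same template can score higher than expected, which is why the threshold is a tunable parameter rather than a constant.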
The experiment showed that 71.5 percent of protected domains are bypassable using CloudPiercer, with the success rate ranging between roughly 40 and 95 percent across the tested vendors. Subdomains, particularly the “ftp” subdomain, were in most cases responsible for origin IP exposure, the experts said in their research paper.
Contacted by SecurityWeek, the vendors whose customers have been put to the test don’t seem to be concerned about the results.
John Graham-Cumming, the CTO of CloudFlare, says the methods presented by the researchers have been known for some time. He has pointed out that some website owners rely on CloudFlare’s services for CDN and performance optimization, and CloudPiercer is not a threat to them because they are usually not concerned about DDoS attacks or their origin IP being exposed. On the other hand, Graham-Cumming noted that in the case of customers who rely on CloudFlare for DDoS protection, the company ensures that they are aware of the importance of protecting and changing origin IPs.
David Fernandez of Akamai’s Security Intelligence Response Team has also commented on the report.
“To date, we have been unable to confirm a large number of documented discovery cases using these types of techniques. The security community has been aware of these methods for several years,” Fernandez told SecurityWeek. “A layered security mitigation strategy is necessary for any organization to protect their environment which includes having a properly configured cloud-based DDoS mitigation solution deployed at the edge, origin protection, and hosted DNS.”
Imperva representatives also stated that they inform customers on the importance of protecting the origin IP.
“We commend the researchers for raising awareness of the importance of safeguarding origin IP addresses. As a standard practice, our implementation guidelines recommend that customers change their origin server IP addresses when they onboard with us,” said Marc Gaffan, GM for the Incapsula service at Imperva. “Those customers operating with their own IP ranges can also take advantage of our Infrastructure Protection service, which protects origin IP addresses directly. A version of this service for customers with individual IP addresses, who do not own a full IP range, was announced earlier this year and is currently in Beta, expected to be available by the end of the year. With this range of solutions Imperva Incapsula can protect any type of network or server from direct-to-origin attacks.”