
Websites Fail to Hide Origin IP From DDoS Attackers: Researchers

A team of researchers has developed a tool designed to find the origin IP addresses of websites protected by cloud security providers, and the results of their experiments show that the IPs of more than 70 percent of sites are exposed.


With distributed denial-of-service (DDoS) attacks becoming increasingly problematic, many website owners turn to cloud security providers such as CloudFlare, Incapsula and Prolexic to protect them against such threats. Cloud-based DDoS protection services rely on changing a domain’s DNS settings so that incoming traffic passes through the infrastructure of the service provider, which ensures that only legitimate traffic reaches the server.

For this method to be efficient, it’s important that the protected server’s real IP address remains hidden. If attackers can obtain the real IP, they can simply direct their DDoS attacks at the server and bypass the security provider’s systems.

DDoS protection bypass techniques have been known for years and many of them were detailed in a Black Hat USA presentation back in 2013 by security researcher Allison Nixon.

Researchers from the University of Leuven in Belgium and Stony Brook University in the United States have recently published a paper detailing a total of eight attack vectors that can be used to obtain the origin IP addresses.

Experts have pointed out that attackers might be able to find a website’s origin IP in databases that store historical data about the site, in DNS records, or in the code of the site’s web pages. It’s also possible that some of a website’s subdomains are configured to resolve directly to the origin.

While these methods have been known for quite some time, experts also claim to have identified four novel ways of obtaining the origin IP. These include temporary exposure of the IP when the protection service is paused for maintenance or server migrations, exposure through SSL certificates or sensitive files hosted on the server, and the triggering of outbound connections.

All of these attack vectors have been combined into CloudPiercer, an automated scanning tool that website administrators can use to check if their website’s real IP is exposed.


Researchers used the tool to scan a total of 17,877 websites protected by CloudFlare, Imperva’s Incapsula, DOSarrest, Akamai’s Prolexic, and Sucuri for at least a period of six months. In order to verify if the origin IP obtained by the tool is actually the real IP of the targeted website, experts used intelligent HTML comparison techniques to compare the webpage returned via a request to the domain name and the page obtained via the IP.

The experiment showed that 71.5 percent of protected domains are bypassable using CloudPiercer, with the success rate ranging between roughly 40 and 95 percent for the tested vendors. Subdomains, particularly the “ftp” subdomain, were in most cases responsible for origin IP exposure, experts said in their research paper.
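For administrators who want to check their own zone for the subdomain and DNS-record exposure described above, the following is an added example, not code from CloudPiercer or the researchers' paper. It audits an exported zone file and flags every record that leads to an address outside the protection provider's edge ranges; the zone contents, names and address ranges are constructed sample data.

```python
import ipaddress

# Constructed sample data (documentation address ranges, hypothetical names).
PROVIDER_EDGE_RANGES = ["198.51.100.0/24"]  # assumed: ranges published by the provider
ZONE_EXPORT = """\
example.com.        300 IN A     198.51.100.10
www.example.com.    300 IN A     198.51.100.11
ftp.example.com.    300 IN A     203.0.113.25
mail.example.com.   300 IN A     203.0.113.25
example.com.        300 IN MX    10 mail.example.com.
dev.example.com.    300 IN CNAME ftp.example.com.
"""

def parse_zone(text):
    """Return (name, rtype, target) tuples from 'name ttl IN type rdata' lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip comments, directives and malformed lines
        # The last rdata field is the address or host name (MX: after the preference).
        records.append((fields[0].lower(), fields[3].upper(), fields[-1].lower()))
    return records

def find_exposed(zone_text, edge_ranges):
    """List (name, rtype, address) for records that bypass the provider's edge."""
    nets = [ipaddress.ip_network(r) for r in edge_ranges]
    records = parse_zone(zone_text)
    direct = {}
    for name, rtype, target in records:
        if rtype in ("A", "AAAA"):
            direct.setdefault(name, set()).add(ipaddress.ip_address(target))

    def addresses(name, depth=0):
        """Addresses a name resolves to inside this zone, following CNAMEs."""
        found = set(direct.get(name, ()))
        if depth < 8:  # bound CNAME chains so a loop cannot recurse forever
            for n, rtype, target in records:
                if n == name and rtype == "CNAME":
                    found |= addresses(target, depth + 1)
        return found

    exposed = set()
    for name, rtype, target in records:
        if rtype in ("A", "AAAA"):
            ips = {ipaddress.ip_address(target)}
        elif rtype in ("CNAME", "MX"):
            ips = addresses(target)
        else:
            continue
        for ip in ips:
            if not any(ip in net for net in nets):
                exposed.add((name, rtype, str(ip)))
    return sorted(exposed)
```

In the sample zone, the `ftp` and `mail` hosts, the MX record and the `dev` alias all lead to the same unproxied address, so each is reported.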

Contacted by SecurityWeek, the vendors whose customers have been put to the test don’t seem to be concerned about the results.

John Graham-Cumming, the CTO of CloudFlare, says the methods presented by the researchers have been known for some time. He has pointed out that some website owners rely on CloudFlare’s services for CDN and performance optimization, and CloudPiercer is not a threat for them because they are usually not concerned about DDoS attacks and their origin IP being exposed. On the other hand, Graham-Cumming noted that in the case of customers who rely on CloudFlare for DDoS protection, the company ensures that they are aware of the importance of protecting and changing origin IPs.

David Fernandez of Akamai’s Security Intelligence Response Team has also commented on the report.

“To date, we have been unable to confirm a large number of documented discovery cases using these types of techniques. The security community has been aware of these methods for several years,” Fernandez told SecurityWeek. “A layered security mitigation strategy is necessary for any organization to protect their environment which includes having a properly configured cloud-based DDoS mitigation solution deployed at the edge, origin protection, and hosted DNS.”

Imperva representatives also stated that they inform customers on the importance of protecting the origin IP.

“We commend the researchers for raising awareness of the importance of safeguarding origin IP addresses. As a standard practice, our implementation guidelines recommend that customers change their origin server IP addresses when they onboard with us,” said Marc Gaffan, GM for the Incapsula service at Imperva. “Those customers operating with their own IP ranges can also take advantage of our Infrastructure Protection service, which protects origin IP addresses directly. A version of this service for customers with individual IP addresses, who do not own a full IP range, was announced earlier this year and is currently in Beta, expected to be available by the end of the year. With this range of solutions Imperva Incapsula can protect any type of network or server from direct-to-origin attacks.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
