Websites Fail to Hide Origin IP From DDoS Attackers: Researchers

A team of researchers has developed a tool designed to find the origin IP addresses of websites protected by cloud security providers, and the results of their experiments show that the IPs of more than 70 percent of sites are exposed.

With distributed denial-of-service (DDoS) attacks becoming increasingly problematic, many website owners turn to cloud security providers such as CloudFlare, Incapsula and Prolexic to protect them against such threats. Cloud-based DDoS protection services rely on changing a domain’s DNS settings so that incoming traffic passes through the infrastructure of the service provider, which ensures that only legitimate traffic reaches the server.

For this method to be efficient, it’s important that the protected server’s real IP address remains hidden. If attackers can obtain the real IP, they can simply direct their DDoS attacks at the server and bypass the security provider’s systems.

DDoS protection bypass techniques have been known for years and many of them were detailed in a Black Hat USA presentation back in 2013 by security researcher Allison Nixon.

Researchers from the University of Leuven in Belgium and Stony Brook University in the United States have recently published a paper detailing a total of eight attack vectors that can be used to obtain the origin IP addresses.

Experts have pointed out that attackers might be able to find a website’s origin IP in databases that store historical data about the site, in DNS records, or in the code of the site’s web pages. It’s also possible that some of a website’s subdomains are configured to resolve directly to the origin.

While these methods have been known for quite some time, experts also claim to have identified four novel ways of obtaining the origin IP. These include temporary exposure of the IP when the protection service is paused for maintenance or server migrations, through SSL certificates, sensitive files hosted on the server, and by triggering outbound connections.

All of these attack vectors have been combined into CloudPiercer, an automated scanning tool that website administrators can use to check if their website’s real IP is exposed.

Researchers used the tool to scan a total of 17,877 websites protected by CloudFlare, Imperva’s Incapsula, DOSarrest, Akamai’s Prolexic, and Sucuri over a period of at least six months. In order to verify whether the origin IP obtained by the tool is actually the real IP of the targeted website, the experts used intelligent HTML comparison techniques to compare the web page returned by a request to the domain name with the page obtained via the IP.

The experiment showed that 71.5 percent of protected domains are bypassable using CloudPiercer, with the success rate ranging between roughly 40 and 95 percent for the tested vendors. Subdomains, particularly the “ftp” subdomain, were in most cases responsible for origin IP exposure, the experts said in their research paper.
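The two checks described above, an audit of DNS records for subdomains that resolve outside the protection provider's proxy ranges and the HTML-similarity step used to confirm a candidate origin, as an added example that is not the researchers' CloudPiercer code. It assumes the provider's proxy ranges are known as CIDRs and works on a constructed in-memory zone snapshot, so it runs offline; the CIDRs and hostnames are placeholders, not any vendor's real ranges.

```python
"""Audit a zone for origin-IP exposure behind a cloud DDoS-protection proxy.

Added example, not CloudPiercer. Assumptions: provider proxy ranges are given
as CIDRs; DNS data is a constructed dict (no network); a candidate origin is
confirmed by comparing the HTML served via the domain with the HTML served
via the IP, mirroring the verification step described in the article.
"""
import ipaddress
import re
from difflib import SequenceMatcher

# Placeholder proxy ranges (documentation prefixes, not a real vendor's CIDRs).
PROTECTED_RANGES = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed zone snapshot: apex and www are proxied, but "ftp" and "mail"
# point straight at the origin, the exposure the paper found most often.
SAMPLE_RECORDS = {
    "example.com": ["203.0.113.10"],
    "www.example.com": ["203.0.113.10"],
    "ftp.example.com": ["192.0.2.44"],
    "mail.example.com": ["192.0.2.44"],
    "cdn.example.com": ["198.51.100.7"],
}


def is_protected(ip):
    """True if the address lies inside one of the provider's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROTECTED_RANGES)


def find_exposed(records):
    """Return {hostname: [ips]} for every record that bypasses the proxy."""
    return {host: [ip for ip in ips if not is_protected(ip)]
            for host, ips in records.items()
            if any(not is_protected(ip) for ip in ips)}


def _normalize_html(html):
    """Drop scripts, styles, tags and whitespace so dynamic markup does not skew the ratio."""
    html = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", html, flags=re.S | re.I)
    text = re.sub(r"<[^>]+>", " ", html)
    return " ".join(text.split()).lower()


def same_site(page_via_domain, page_via_ip, threshold=0.8):
    """Confirm a candidate origin by text similarity of the two responses."""
    a, b = _normalize_html(page_via_domain), _normalize_html(page_via_ip)
    return SequenceMatcher(None, a, b).ratio() >= threshold
```

Any hostname reported by `find_exposed` is a record an administrator should move behind the proxy or re-home to a new origin address, which is the remediation the vendors quoted below recommend.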

Contacted by SecurityWeek, the vendors whose customers have been put to the test don’t seem to be concerned about the results.

John Graham-Cumming, the CTO of CloudFlare, says the methods presented by the researchers have been known for some time. He has pointed out that some website owners rely on CloudFlare’s services for CDN and performance optimization, and CloudPiercer is not a threat for them because they are usually not concerned about DDoS attacks and their origin IP being exposed. On the other hand, Graham-Cumming noted that in the case of customers who rely on CloudFlare for DDoS protection, the company ensures that they are aware of the importance of protecting and changing origin IPs.

David Fernandez of Akamai’s Security Intelligence Response Team has also commented on the report.

“To date, we have been unable to confirm a large number of documented discovery cases using these types of techniques. The security community has been aware of these methods for several years,” Fernandez told SecurityWeek. “A layered security mitigation strategy is necessary for any organization to protect their environment which includes having a properly configured cloud-based DDoS mitigation solution deployed at the edge, origin protection, and hosted DNS.”

Imperva representatives also stated that they inform customers on the importance of protecting the origin IP.

“We commend the researchers for raising awareness of the importance of safeguarding origin IP addresses. As a standard practice, our implementation guidelines recommend that customers change their origin server IP addresses when they onboard with us,” said Marc Gaffan, GM for the Incapsula service at Imperva. “Those customers operating with their own IP ranges can also take advantage of our Infrastructure Protection service, which protects origin IP addresses directly. A version of this service for customers with individual IP addresses, who do not own a full IP range, was announced earlier this year and is currently in Beta, expected to be available by the end of the year. With this range of solutions Imperva Incapsula can protect any type of network or server from direct-to-origin attacks.”

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
