Slashdot Mirror


Cloud DDoS Mitigation Services Can Be Easily Bypassed (softpedia.com)

An anonymous reader writes: A recent research paper shows that most Cloud-Based Security Providers are ineffective in protecting websites from DDoS attacks, mainly because they cannot entirely hide the origin website's IP address from attackers. As five security researchers from Belgium and the U.S. are claiming, there are eight methods through which these mitigation services can be bypassed. The techniques of obtaining a website's origin IP address rely on hackers searching through historical Web traffic databases, in DNS records, subdomains that resolve to the main domain directly, the site's own source code, when the main website triggers outbound connections, via SSL certificates, via sensitive files hosted on the website's server, and during migration or maintenance operations on the mitigation service itself, which leaves the target website temporarily exposed.

9 of 40 comments

  1. have your origin accessible to only your provider by Anonymous Coward · · Score: 3, Interesting

    Akamai sells an add-on for "origin cloaking", called "Site Shield", in which the origin limits access to only a subset of Akamai systems (which then distribute to the rest of Akamai), and drops the rest of the internet. I wonder if that is effective against these attacks?

  2. Paper finds most webmasters don't have a clue by neorush · · Score: 2, Insightful

    Wow, revelations here. I guess the point of the paper is to really show most webmasters don't know what they're doing. All of these things can totally be avoided if you do your job carefully and methodically. e.g. maybe change the IP address of the server after launching your DDoS mitigation service, oh look, now half that list is moot.

    --
    neorush

  3. Easily? by IamTheRealMike · · Score: 4, Insightful

    Let me summarise the key findings of the paper. The headline figure is stunning: over 70% of all sites they tested leaked their origin IP in some way.

    But. It's not quite as simple as that. Virtually all websites that are DDoS protected are using CloudFlare, probably because it's a free service. The vast majority of the times they were able to find the origin IP address, it was due to basic oversights by the website admin, typically, having subdomains that resolve to the origin IP or simply never moving the server after signing up for CloudFlare at all. The most common subdomain that leaked the IP was called "ftp".

    Who the heck actually still runs an FTP server as part of their website, in this day and age? No big websites do, that's for sure.

    And sure enough the paper concludes, not surprisingly, that bigger more important websites are much less likely to leak their origin IPs than smaller ones.

    I think all this paper really says is that CloudFlare have a lot of small non-paying customers who aren't really playing in the big leagues and aren't being attacked by sophisticated attackers ... or possibly aren't being attacked at all .... and as a result are more likely to have made simple errors.

    So when the headline says these protections are "easily" bypassed, all it's really saying is that if someone using a defensive system makes mistakes, they can still be attacked. That's not really news and doesn't tell us anything about the efficiency of these services when the people using them have done their homework.

    1. Re:Easily? by ThatsMyNick · · Score: 4, Insightful

      I think all this paper really says is that CloudFlare have a lot of small non-paying customers who aren't really playing in the big leagues and aren't being attacked by sophisticated attackers ... or possibly aren't being attacked at all .... and as a result are more likely to have made simple errors.

      Or they are using it as a free caching CDN like me, and don't care about the IP being exposed.

    2. Re:Easily? by Khyber · · Score: 2

      "Who the heck actually still runs an FTP server as part of their website, in this day and age? No big websites do that's for sure."

      Every site that provides downloadable drivers for your hardware almost certainly has an FTP mirror.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.

  4. Email Headers by XXeR · · Score: 4, Insightful

    One other detection method not specifically called out is via email headers. Often times automated emails are sent from the same origin IP (not always, of course). Even if the email is routed through an email service before delivery, you can still see the origin in the full header.

  5. Only applies to 'Proxied' Cloud DDOS services by cdogg4ya · · Score: 4, Informative

    This only applies if you are using a proxied service instead of a routed or tunneled service where you can't route around the proxy scrubbers. Most carrier DDOS service offerings allow you to route the traffic either through BGP steering or GRE tunneling such that your traffic must pass through the Cloud DDOS scrubbing center because the 'real' IP is routed that way.

  6. Re:Duh by fisted · · Score: 4, Insightful

    I'm not so sure if hard drives help mitigate DDoS. But hey, feel free to give it a try!

  7. Re:have your origin accessible to only your provid by the+frizz · · Score: 2

    Levels of increasing protection:
    1. Use a CDN and hope no one finds the origin domain or IPs the CDN uses.
      Which as we can see from the article doesn't work due to the many ways they can be leaked.
      E.g., for www.example.com, try origin.www.example.com, ftp.example.com or IPs used in the past for www.example.com.
    2. Have the origin servers only respond to white-listed IPs. That white-list needs to include those of the CDN.
      Still susceptible to a volumetric bandwidth attack. I.e., attacks with enough packets to overwhelm the origin server(s) or the ISP link to those servers.
    3. Change your origin IPs periodically.
      Useless against a volumetric attack if they are just different IPs connected to the same uplink/router. Difficult to keep switching to use a different ISP, and each new provider brings its own problems.
    4. Have origin(s) capable of withstanding a volumetric attack.
      Not cheap. The XOR DDoS botnet has recently produced DDoS attacks up to 150+ Gbps.
    5. Use a BGP redirection service that routes all public internet packets whose destination IP address is the origin's through geographically distributed scrubbing centers.
      Attackers sending traffic through the public internet to your origin are sending them to one of many scrubbing centers. The combined capacity of all these scrubbing centers can cope with volumetric attacks. The scrubbing centers will only forward desirable packets to the real origin using GRE tunneling.

    Akamai's BGP redirection service has some restrictions typical of other services. E.g.,

    • A /24 prefix (Class C subnet) at a minimum. It needs to be registered and belong to the customer, as some ISPs do not allow re-advertising.
    • A BGP (Border Gateway Protocol) and GRE (Generic Routing Encapsulation) capable router.
    • IP address space to terminate GRE tunnels located outside the prefixes you need to defend.
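The first two levels in the list above (finding stray subdomains such as "ftp" or "origin" that point straight at the origin, and having the origin answer only to the CDN's addresses) can be checked against a zone export before an attacker does it for you. The script below is an added illustration, not code from the paper or from any CDN; the CDN prefixes, zone records and origin addresses are constructed placeholders.

```python
import ipaddress

# Constructed placeholder prefixes standing in for the CDN's proxy ranges
# (a real deployment would load the provider's published list).
CDN_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Origin addresses the operator knows the CDN forwards to (constructed).
ORIGIN_IPS = {"192.0.2.55"}

# Constructed A records for a hypothetical zone, as a DNS export would list them.
ZONE_RECORDS = {
    "www.example.com": "203.0.113.10",     # proxied through the CDN
    "ftp.example.com": "192.0.2.55",       # the classic leak: points at the origin
    "origin.example.com": "192.0.2.55",    # same leak via an "origin" host name
    "mail.example.com": "192.0.2.60",      # not the origin, but not proxied either
}


def classify(ip, cdn_prefixes=CDN_PREFIXES, origin_ips=ORIGIN_IPS):
    """Label one A record: proxied, origin-exposed, or merely unproxied."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in cdn_prefixes):
        return "proxied"
    if str(addr) in origin_ips:
        return "origin-exposed"
    return "unproxied"


def audit_zone(records, cdn_prefixes=CDN_PREFIXES, origin_ips=ORIGIN_IPS):
    """Level 1 check: map every host name in the zone to its exposure label."""
    return {name: classify(ip, cdn_prefixes, origin_ips) for name, ip in records.items()}


def exposed_names(records, cdn_prefixes=CDN_PREFIXES, origin_ips=ORIGIN_IPS):
    """Host names that hand out the origin IP directly; these must be moved or removed."""
    labels = audit_zone(records, cdn_prefixes, origin_ips)
    return sorted(name for name, label in labels.items() if label == "origin-exposed")


def origin_should_accept(src_ip, cdn_prefixes=CDN_PREFIXES):
    """Level 2 check: the origin's allow-list decision for one client source address.
    Note this only stops connections; a volumetric flood still fills the uplink."""
    return any(ipaddress.ip_address(src_ip) in net for net in cdn_prefixes)


if __name__ == "__main__":
    for name, label in audit_zone(ZONE_RECORDS).items():
        print(f"{name:22} {label}")
    print("fix first:", exposed_names(ZONE_RECORDS))
```

Running it lists ftp.example.com and origin.example.com as the records to fix first, which matches the pattern IamTheRealMike describes above; replace CDN_PREFIXES and ORIGIN_IPS with your own values before using it on a real zone.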