Problem solve Get help with specific problems with your technologies, process and projects.

How to protect an origin IP address from attackers

Cloud security providers protect enterprises from DDoS attacks, but attackers can still find the origin IP addresses. Expert Rob Shapland explains why that's a significant threat.

The increase in distributed denial-of-service attacks is bringing heightened awareness to larger businesses of...

the risks of this type of attack and how to address it. DDoS attacks can now be purchased by threat actors on the Dark Web as a service without breaking the bank, and they are used to force websites offline by sending huge amounts of data that overload the underlying servers. Companies that rely on their websites to generate revenue, such as online-gambling companies, can be severely impacted by these attacks.

The origin IP address of the server can be revealed through websites that track the IP history of domains or through files on the web server that reveal the address in the source code.

Many companies are now using cloud-based security providers (CSPs), such as CloudFlare and Incapsula, as a way of mitigating these attacks. Essentially what these DDoS mitigation services provide is a buffer between any potential attacker and the website by relaying all traffic through the CSP's infrastructure. Any requests to the website are actually handled by the CSP; the traffic is analyzed and any malicious traffic is discarded, without it affecting the client's website.

However, the integrity of using CSPs is entirely dependent on the ability of the client to keep the real address of their Web servers hidden. However, if the attacker knows the origin IP address of the server that is hosting the target website, then it can be targeted directly. Because all website requests go through the CSP, it should be relatively easy to protect the origin IP address from attackers. But there are a number of ways the real address can be inadvertently exposed through mistakes in how the application or the server is configured. For example, the origin IP address of the server can be revealed through websites that track the IP history of domains or through files on the Web server that reveal the address in the source code.

In a recent paper titled "Maneuvering Around Clouds: Bypassing Cloud-based Security Providers," a group of security researchers recently delved into what they called "origin-exposing attacks" on websites that are protected by cloud-based DDoS mitigation services. The research team introduced the CloudPiercer tool, which scans for a number of different identified methods of exposing the original IP address, and listed the following possible exposure methods in its paper. I've outlined those methods below and added recommendations on how to address them and protect origin IP addresses:

  1. IP history: Some websites track the IP history of websites, and the real address could be exposed by these histories. Enterprises should change their Web server IP address when first implementing a CSP.
  2. Subdomains: These are not covered by the CSP and they can expose the origin IP address. The best way to address this potential vulnerability is to use uniquely named subdomains that cannot be easily guessed by an attacker.
  3. DNS records: These can reveal the real IP address in MX, TXT or AAAA records -- all publicly available. Enterprises must ensure origin IP address information is removed from all DNS records. For example, here's more information on how to change a DNS server's MX record.
  4. Pausing DDoS mitigation services: This can cause a temporary exposure of the origin IP address. If an enterprise must pause the service for a short time, the best course of action is to change the origin IP address after pausing the CSP service.
  5. SSL certificates: Mistakes in SSL certificate configuration can lead to the IP address being exposed. With that in mind, enterprises should allow the CSP to organize the SSL certificate for the domain.
  6. Sensitive files: On occasion, files containing origin IP address information are left on the Web server and can be obtained by potential attackers. Therefore, it's imperative for security teams to check through the source code of all files on the Web server.
  7. Content links: An IP address can be used as a link to content instead of a domain name. So a developer could reveal the real IP address in source code when using the address as a substitute for the actual domain name. Enterprise security teams, therefore, should check through all files and content to make sure the origin IP address hasn't slipped through the cracks.
  8. Outbound connections: Unlike any incoming connections to the Web server, which are routed through the CSP, any outgoing connections from the Web server to another server would expose the real IP address. Prevention of this exposure type is simple: Ensure no one clicks on any links from the Web server itself, which eliminates the possibility of outgoing connections exposing the Web server address.

Overall, the authors of the CloudPiercer tool found that more than 70% of websites using CSPs expose their origin IP address by one or more methods. The effectiveness of the CSP and its DDoS mitigation service is entirely dependent on keeping this address secret, so if your organization is using this service, be sure to confirm the points above have been addressed.

Next Steps

Read more on hybrid DDoS prevention techniques for enterprises

Learn how cloud DDoS mitigation compares to traditional DDoS mitigation

Find out about how new DDoS threats are affecting enterprises

This was last published in March 2016

Dig Deeper on Cloud Network Security Trends and Tactics

PRO+

Content

Find more PRO+ content and other member only offers, here.

Join the conversation

5 comments

Send me notifications when other members comment.

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Please create a username to comment.

How does your organization prevent IP addresses from being exposed to attackers?
Cancel
There are two standard mechanisms to route traffic through DDoS mitigation services.  One as you show here is DNS which isn't always 100% foolproof but the other is BGP redirect.  With BGP, the origin IP is in use -- traffic is just forced through the DDoS mitigation service before it can get there.  Admittedly, BGP is not available to anyone (you typically need access to a /24 address space that you are responsible for announcing).  
Cancel
You mean, BGP redirect can protect origin WWW servers from DDoS?
Cancel
Just might have to look into that.

Cancel
You can now use the new Incapsula IP Protection service that completly eliminates targeted origin attacks
Cancel

-ADS BY GOOGLE

SearchSecurity

SearchCloudComputing

SearchAWS

SearchCloudApplications

SearchServerVirtualization

SearchVMware

ComputerWeekly.com

  • CIO Trends #6: Nordics

    In this e-guide, read how the High North and Baltic Sea collaboration is about to undergo a serious and redefining makeover to ...

  • CIO Trends #6: Middle East

    In this e-guide we look at the role of information technology as the Arabian Gulf commits billions of dollars to building more ...

  • CIO Trends #6: Benelux

    In this e-guide, read about the Netherlands' coalition government's four year plan which includes the term 'cyber' no fewer than ...

Close