Researchers claim websites fail to hide origin IP from DDoS attackers

Most of the Cloud-Based Security Providers (CBSP) are not effective in keeping the websites safe from DDoS attacks shows recent research paper. The main reason is that they are not able to completely hide the origin website's IP address from attackers.

In order to place itself between the attackers and the target website, most cloud-based security solutions work by changing a website's DNS settings.

However, the problem is that if the attackers know the website's origin IP, then this kind of DDoS mitigation can be easily bypassed. The mitigation service can be bypassed in this case by being able to send the DDoS traffic directly to the IP.

There are eight methods through which these mitigations services can be bypassed, claim five security researchers from the US and Belgium.

While four of them were extensively spoken about after Allison Nixon and Christopher Camejo presented them (PDF) at the Black Hat USA 2013 security conference, four new methods were also discovered by the researchers.

The four older methods of getting a website's origin IP address depend on hackers searching in DNS records, through historical Web traffic databases, subdomains that settle to the main domain directly, and the site's own source code.

The researchers further also discovered that the origin IP can be found out during the temporary exposure of the IP when the protection service is paused for maintenance or server migrations, through SSL certificates, sensitive files hosted on the server, and by triggering outbound connections.

After scanning 17,877 websites for six months, the researchers found out during their studies that 71.5% of the sites disclosed the origin IP address mostly through the FTP subdomain.

The researchers put together CloudPiercer, a tool that compares a version of the website obtained from the real IP address, with one obtained through the cloud mitigation service, to aid the webmasters recognize issues with their own websites.

"Complete mitigation of origin exposure is hard, as administrators are required to fully understand the potential risks and comprehensively address all vulnerabilities in order to fully  prevent  an  attacker  from  circumventing the CBSP," say the researchers. "However, a tool similar to CloudPiercer could be deployed by CBSPs to proactively scan their client's domains for exposed origins, creating awareness and helping administrators fix specific vulnerabilities."

The entire Maneuvering Around Clouds: Bypassing Cloud-based Security Providers report is available for download. Provided below is a sample of the CloudPiercer report.