DDoS defences spiked by CloudPiercer tool - paper

The real IP addresses of some 70 per cent of websites protected by popular distributed denial of service attack protection providers like CloudFlare, Prolexic and Incapsula can be revealed using a simple web tool built on newly uncovered flaws, according to a recent paper.

Sensitive websites admins wishing to protect against attackers are now exposed, according to the researchers, thanks to a tool published as part of research into how cloud-based security providers' efforts to cloak customer IP addresses can be mitigated.

Cloud security providers alter the DNS settings of a domain name to reroute distributed denial of service attack traffic through their infrastructure. Cloaking a server's true IP address helps this process by making it harder to attack machines hosting a site.

The new work that apparently circumvents those defences is underpinned by novel "origin-exposing" attacks which have been worked into the CloudPiercer web scanning tool.

It is described in the paper Manoeuvring Around Clouds: Bypassing Cloud-based Security Providers [PDF] by lead author Thomas Vissers with colleagues Tom Van Goethem, and Wouter Joosen from Belgian institution KU Leuven, plus Nick Nikiforakis of New York's Stony Brook University.

Assistant professor Nikiforakis told Vulture South a "semi-dedicated" attacker could find and launch DDoS attacks against most sites protected by the popular security services.

"Our results show that the problem is severe: 71.5 per cent of the 17,877 CBSP-protected websites that we tested, expose their real IP address through at least one of the evaluated vectors," Nikiforakis says.

"We believe this is really problematic because tens of thousands of sites are currently using CloudFlare and friends thinking that this makes them safe against DoS attacks.

"What we are showing is that, for the majority of websites that use CloudFlare, Incapsula, and similar companies, a semi-dedicated attacker can fully bypass the security services provided by these companies by discovering the true IP address where a victim's servers are located, versus where CloudFlare claims they are located."

The paper details eight so-called origin-exposing vectors, of which four are new. Those relate to temporary DNS exposure, SSL certificates, and sensitive files and outbound connection triggering which combined underpin the CloudPiercer tool.

The authors tested cloud security providers CloudFlare, Incapsula, Sucuri, Prolexic and DOSarrest and said they had been notified of the vulnerabilities prior to publication. Here's a sample of their revelations:

So, in principle, if attackers are able to discover the real IP address of the origin, they can target traffic to the web server directly, thereby circumventing all security mechanisms present in the CBSP's network

… Many different potential vulnerabilities exist that might expose a CBSP-protected website's origin. We refer to these potential vulnerabilities as origin-exposing vectors.

Vulture South has requested comment from the companies concerned.

The boffins note a "silver lining" that the tool could be used by police to investigate hacking sites such as the scuppered LulzSec which use the DDoS protection sites to hide.

The team says cloud-based security like CloudFlare and Incapsula are used by nine percent of the world's 10,000 most popular sites. ®