

How to protect an origin IP address from attackers

Cloud security providers protect enterprises from DDoS attacks, but attackers can still find the origin IP addresses. Expert Rob Shapland explains why that's a significant threat.

The increase in distributed denial-of-service attacks is bringing heightened awareness to larger businesses of the risks of this type of attack and how to address it. DDoS attacks can now be purchased by threat actors on the Dark Web as a service without breaking the bank, and they are used to force websites offline by sending huge amounts of data that overload the underlying servers. Companies that rely on their websites to generate revenue, such as online-gambling companies, can be severely impacted by these attacks.


Many companies are now using cloud-based security providers (CSPs), such as CloudFlare and Incapsula, as a way of mitigating these attacks. Essentially what these DDoS mitigation services provide is a buffer between any potential attacker and the website by relaying all traffic through the CSP's infrastructure. Any requests to the website are actually handled by the CSP; the traffic is analyzed and any malicious traffic is discarded, without it affecting the client's website.

The protection a CSP provides, however, is entirely dependent on the client's ability to keep the real address of its Web servers hidden. If an attacker knows the origin IP address of the server hosting the target website, the server can be targeted directly, bypassing the CSP altogether. Because all website requests go through the CSP, it should be relatively easy to keep the origin IP address from attackers. But there are a number of ways the real address can be inadvertently exposed through mistakes in how the application or the server is configured. For example, the origin IP address of the server can be revealed through websites that track the IP history of domains, or through files on the Web server that reveal the address in the source code.

In a recent paper titled "Maneuvering Around Clouds: Bypassing Cloud-based Security Providers," a group of security researchers delved into what they called "origin-exposing attacks" on websites that are protected by cloud-based DDoS mitigation services. The research team introduced the CloudPiercer tool, which scans for a number of identified methods of exposing the original IP address, and listed the following possible exposure methods in its paper. I've outlined those methods below and added recommendations on how to address them and protect origin IP addresses:

  1. IP history: Some websites track the IP history of websites, and the real address could be exposed by these histories. Enterprises should change their Web server IP address when first implementing a CSP.
  2. Subdomains: These are not covered by the CSP and they can expose the origin IP address. The best way to address this potential vulnerability is to use uniquely named subdomains that cannot be easily guessed by an attacker.
  3. DNS records: These can reveal the real IP address in MX, TXT or AAAA records -- all publicly available. Enterprises must ensure origin IP address information is removed from all DNS records. For example, here's more information on how to change a DNS server's MX record.
  4. Pausing DDoS mitigation services: This can cause a temporary exposure of the origin IP address. If an enterprise must pause the service for a short time, the best course of action is to change the origin IP address after pausing the CSP service.
  5. SSL certificates: Mistakes in SSL certificate configuration can lead to the IP address being exposed. With that in mind, enterprises should allow the CSP to organize the SSL certificate for the domain.
  6. Sensitive files: On occasion, files containing origin IP address information are left on the Web server and can be obtained by potential attackers. Therefore, it's imperative for security teams to check through the source code of all files on the Web server.
  7. Content links: An IP address can be used as a link to content instead of a domain name. So a developer could reveal the real IP address in source code when using the address as a substitute for the actual domain name. Enterprise security teams, therefore, should check through all files and content to make sure the origin IP address hasn't slipped through the cracks.
  8. Outbound connections: Unlike any incoming connections to the Web server, which are routed through the CSP, any outgoing connections from the Web server to another server would expose the real IP address. Prevention of this exposure type is simple: Ensure no one clicks on any links from the Web server itself, which eliminates the possibility of outgoing connections exposing the Web server address.
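Items 3, 6 and 7 above can be checked offline against an export of the zone file and a copy of the Web root, before anything is published. The following script is an added example written for this article; it is not the CloudPiercer tool and is not code from the paper. It assumes you already know your origin address (here a constructed documentation-range address, 203.0.113.10) and have the DNS records as (name, type, value) tuples. It flags A, AAAA and TXT records that contain the origin address or a CIDR range that covers it (for example an SPF ip4: mechanism), flags MX records whose mail host resolves to the origin within the same record set, and reports served files that contain the origin address as a literal, which is the "content links" case. The other exposure methods (IP history, guessable subdomains, pausing the service, certificates and outbound connections) need live lookups and are not covered here.

```python
import ipaddress
import re

# Constructed sample data: the real origin address hidden behind the CSP.
# 203.0.113.10 is from the TEST-NET-3 documentation range, not a real host.
ORIGIN_IPS = {"203.0.113.10"}

# Constructed zone records in (name, type, value) form.
SAMPLE_RECORDS = [
    ("example.test.", "A", "198.51.100.7"),                 # CSP proxy address: fine
    ("example.test.", "MX", "10 mail.example.test."),       # mail host below resolves to the origin
    ("mail.example.test.", "A", "203.0.113.10"),            # origin exposed directly
    ("example.test.", "TXT", '"v=spf1 ip4:203.0.113.0/24 -all"'),  # SPF range covers the origin
    ("example.test.", "AAAA", "2001:db8::1"),               # unrelated IPv6 address: fine
    ("cdn.example.test.", "A", "198.51.100.9"),
]

# Constructed files from the Web root, as filename -> content.
SAMPLE_FILES = {
    "index.html": '<a href="https://example.test/">home</a>',
    "legacy.js": 'fetch("http://203.0.113.10/api/status")',  # literal origin used as a content link
    "config.php": "$db_host = '10.0.0.5';",                   # internal address, not the origin
}

# Matches an IPv4 or IPv6 literal with an optional /prefix, not glued to a
# longer word or dotted name (so "ip4:203.0.113.0/24" still matches).
ADDRESS_RE = re.compile(
    r"(?<![\w.])"
    r"(?:(?:\d{1,3}\.){3}\d{1,3}"
    r"|(?:[0-9a-fA-F]{1,4}:){1,7}[0-9a-fA-F:]+)"
    r"(?:/\d{1,3})?"
)


def _addresses_in(text):
    """Yield (literal, network) for every parseable address or CIDR in text."""
    for literal in ADDRESS_RE.findall(text):
        try:
            yield literal, ipaddress.ip_network(literal, strict=False)
        except ValueError:
            continue  # looked like an address but is not one (e.g. "10:30")


def _origin_hits(text, origin_ips):
    """Return the literals in text that equal or contain an origin address."""
    origins = [ipaddress.ip_address(ip) for ip in origin_ips]
    return [lit for lit, net in _addresses_in(text) if any(o in net for o in origins)]


def find_dns_leaks(records, origin_ips):
    """Return the (name, type, value) records that expose an origin IP."""
    addr_by_name = {}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr_by_name.setdefault(name, []).append(value)
    leaks = []
    for name, rtype, value in records:
        if rtype == "MX":
            # "<priority> <mailhost>": leak if the mail host resolves to the origin
            mailhost = value.split()[-1]
            if _origin_hits(" ".join(addr_by_name.get(mailhost, [])), origin_ips):
                leaks.append((name, rtype, value))
        elif _origin_hits(value, origin_ips):
            leaks.append((name, rtype, value))
    return leaks


def find_file_leaks(files, origin_ips):
    """Return (filename, literal) pairs where a served file embeds an origin IP."""
    return [(fname, lit) for fname, content in files.items()
            for lit in _origin_hits(content, origin_ips)]


if __name__ == "__main__":
    for rec in find_dns_leaks(SAMPLE_RECORDS, ORIGIN_IPS):
        print("DNS leak:", rec)
    for hit in find_file_leaks(SAMPLE_FILES, ORIGIN_IPS):
        print("File leak:", hit)
```

Run against real data, the record list would come from the zone file exported from the DNS provider and the file dictionary from a walk of the deployed Web root; any hit is a record to rewrite or a file to clean before the origin address is considered hidden. Note that an SPF range covering the origin is reported even though the origin itself never appears literally, which is why ranges are checked with containment rather than string matching.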

Overall, the authors of the CloudPiercer tool found that more than 70% of websites using CSPs expose their origin IP address by one or more methods. The effectiveness of the CSP and its DDoS mitigation service is entirely dependent on keeping this address secret, so if your organization is using this service, be sure to confirm the points above have been addressed.

Next Steps

Read more on hybrid DDoS prevention techniques for enterprises

Learn how cloud DDoS mitigation compares to traditional DDoS mitigation

Find out about how new DDoS threats are affecting enterprises
