Some interesting paper I stumbled upon while doing some research. Thought I would share it in here since some may not be aware or heard about the "origin-exposing" attacks that could be used to circumvent cloud-based security.
Abstract:
Quote:The paper details eight so-called origin-exposing vectors, of which four are new. Those relate to temporary DNS exposure, SSL certificates, and sensitive files and outbound connection triggering which combined underpin the CloudPiercer tool.
The authors tested cloud security providers CloudFlare, Incapsula, Sucuri, Prolexic and DOSarrest and said they had been notified of the vulnerabilities prior to publication.
Unfortunately, I do not have time to read the white paper right now, but I watched a Black Hat USA video awhile back that discussed exposing origin addresses in CloudFlare. Check it out:
Nice share man! I've read a bit on similar topics but I was unaware of this paper. Will give it a in-depth read next week. Origin-exposing vectors for cloud systems are all very interesting. Imo the main reason why I didn't use cloudflare for GreySec was because of our father forum "Hacksociety" whom only relied on cloudflare for ddos protection.
That was a bad experience, whereas downtime became a daily occurance. Never again :/ But yeah I guess I can see the point in using cloudflare in on conjunction with other systems like HF does. Good for inspecting browser. But I'd rather avoid it after becoming more well-read on the risks for anonymity with cloudflare, like depending on JS and having a big proportion centralized under Cloudflare (See: Cloudbleed).
A few steps to protect yourself from this attack:
* Set your firewall to only allow packets from Cloudflare IPs (or whatever reverse proxy you use). All other traffic should be DROPPED or REJECTED.
* Where possible (Cloudflare offers this as TLS Authenticated Origin Pulls!) use SSL Client Key Verification. This verifies the traffic is coming from the proxy server. (I.e. if someone hijacked the IP Block for your DDoS Protection Service, they couldn't send spoofed traffic from it).
* NEVER-EVER-EVER have your IP Address leaked in DNS. The one second it changes, some IP History Service, somewhere, will see the change and record it for all time. Once it's leaked the only thing you can do is change it.
* If you need to send email, send using a relay server that doesn't expose the origin in headers.
* Use Full-Strict SSL (this more-so prevents MITM attacks but it's worth mentioning).
