CloudPiercer: Bypassing Cloud-based Security Providers (by Thomas Vissers, iMinds-DistriNet-KU Leuven)
The goal of the presentation was to show how CBSPs (Cloud-Based Security Providers) protect web applications and how this protection can be circumvented.
The most common attacks on web applications are DDoS attacks.
There are 2 types of DDoS attacks:
- volumetric attacks – the network bandwidth is exhausted
- application-level attacks – the servers themselves are targeted
How do CBSPs protect the web application?
A CBSP reroutes and filters the customer's traffic through its cloud (see the following picture).
The secrecy of the origin server's IP address is crucial: if it is discovered, the server can be hit directly and the CBSP protection becomes useless.
Vulnerabilities, or how the origin server IP can be found:
- subdomains – administrators can create a specific subdomain, such as origin.example.com, that resolves directly to the origin's IP address; they need it in order to easily connect to the server for non-HTTP services (SSH, FTP)
- DNS records – other DNS records might still reveal your origin, e.g. TXT records or MX records
- SSL certificates – this concerns the HTTPS connection between the CBSP and the origin server. If an attacker is able to scan all IP addresses and retrieve all SSL certificates, he can find the IP addresses of hosts with certificates that are associated with the domain he is trying to expose.
- IP history – some companies continuously track DNS changes, so the IP address used before the CBSP was activated may still be on record
- sensitive files on the (target) web application – error messages and files containing IP information
- outbound connections – force the origin to connect to you
Defenses, or what can I do to protect my origin?
- request a new IP address when activating the CBSP
- block all non-CBSP requests with your firewall
- choose a CBSP that assigns a dedicated IP address to you
- use cloudpiercer.org to scan your website
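The subdomain, DNS-record and firewall points above can be checked on your own zone before an attacker does. The following is an added example (not from the talk or from cloudpiercer.org): it walks a constructed zone file, flags every A/AAAA record that points straight at the origin or outside the CBSP's edge ranges, and flags TXT/MX values that embed the origin IP. The zone, the CBSP range and the origin IP are all assumed sample values.

```python
import ipaddress
import re

# Constructed sample zone as (name, rrtype, value) tuples; not real data.
ZONE = [
    ("example.com", "A", "203.0.113.10"),            # served by the CBSP edge
    ("www.example.com", "CNAME", "example.com"),
    ("origin.example.com", "A", "198.51.100.7"),     # convenience subdomain
    ("example.com", "MX", "10 mail.example.com"),
    ("mail.example.com", "A", "198.51.100.7"),       # mail on the same box
    ("example.com", "TXT", "v=spf1 ip4:198.51.100.7 -all"),
]
# Assumed CBSP edge ranges (placeholder; use the provider's published list).
CBSP_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# The address that must stay secret (assumed).
ORIGIN_IP = ipaddress.ip_address("198.51.100.7")

# Matches dotted IPv4 literals embedded in free-text records such as SPF.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def behind_cbsp(ip, cbsp_ranges):
    """True if the address belongs to one of the CBSP's edge networks."""
    return any(ip in net for net in cbsp_ranges)


def find_origin_leaks(zone, cbsp_ranges, origin_ip):
    """Return (name, rrtype, value, reason) for each record exposing the origin."""
    leaks = []
    for name, rrtype, value in zone:
        if rrtype in ("A", "AAAA"):
            ip = ipaddress.ip_address(value)
            if ip == origin_ip:
                leaks.append((name, rrtype, value, "resolves directly to origin"))
            elif not behind_cbsp(ip, cbsp_ranges):
                # Not the origin, but also not proxied: worth a second look.
                leaks.append((name, rrtype, value, "not routed through CBSP"))
        else:
            # TXT (e.g. SPF) and MX values may carry the address as a literal.
            for literal in IPV4_RE.findall(value):
                if ipaddress.ip_address(literal) == origin_ip:
                    leaks.append((name, rrtype, value, "embeds origin IP"))
    return leaks


if __name__ == "__main__":
    for leak in find_origin_leaks(ZONE, CBSP_RANGES, ORIGIN_IP):
        print("LEAK: %s %s %s (%s)" % leak)
```

Every record the script reports is one the "block all non-CBSP requests" firewall rule cannot help with, since the address is already public; those records have to be removed or moved to a different host.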
If interested, you can read Bypassing Cloud-based Security Providers – DistriNet – KU Leuven
Hackers! Do we shoot or do we hug? (by Edwin van Andel, Zerocopter)
For me, the presentation was a (very) funny plea for ethical hacking.