CloudPiercer tool discloses DDoS defence providers

Real IP addresses of 70 percent of websites that are defended by DDoS protection providers can be revealed by using a web tool built on recently uncovered flaws.

According to a recent paper, “Maneuvering Around Clouds: Bypassing Cloud-based Security Providers”, real IP addresses of 70 percent of websites that are defended by distributed-denial-of-service (DDoS) protection providers such as CloudFlare, Prolexic and Incapsula can be revealed by using a web tool built on recently uncovered flaws.

Cloud security providers adjust the DNS settings of a domain name to reroute DDoS traffic through their infrastructure and bypass all security mechanisms present in the CBSP's network. Many potential vulnerabilities exist that may expose a CBSP-protected website's inception. Covering up a server's real IP address helps the process by making it more difficult to attack machines hosting a site.

The new work is based by “origin-exposing” attacks that have been worked into the CloudPiercer web-scanning tool. Police intent on investigating hacking sites can use the tool. The team of researchers says cloud-based security is used by nine percent of the world's 10,000 most popular sites.

“Our results show that the problem is severe: 71.5 percent of the 17,877 CBSP-protected websites that we tested, expose their real IP address through at least one of the evaluated vectors. We believe this is really problematic because tens of thousands of sites are currently using CloudFlare and friends thinking that this makes them safe against DDoS attacks,” said Nick Nikiforakis, assistant professor of New York's Stony Brook University, co-author of the paper.