Websites and online services increasingly have to deal with acts of cybercrime such as ‘distributed denial-of-service’ (DDoS) attacks: the site or service is deliberately bombarded with huge numbers of malicious communication requests from different computers and collapses.
"Website owners can protect themselves against such attacks by installing dedicated hardware. Yet, this is typically too expensive and too complex for most of them – which is why they often rely on the services offered by cloud-based security providers. One strategy they commonly use to protect websites includes diverting incoming web traffic via their own infrastructure; an infrastructure that is sufficiently robust to detect and absorb cyberattacks," explains Thomas Vissers (imec - KU Leuven). "However, the success of this strategy heavily depends on how well the website’s original IP address can be shielded. If that IP address can be retrieved, protection mechanisms can easily be bypassed.”
According to Thomas Vissers and Nick Nikiforakis, assistant professor in the Computer Science department of Stony Brook University in New York, this is the Achilles heel of cloud-based security. Hence, they set up the first large-scale research effort in this domain and actively explored vulnerabilities in the popular ‘DNS redirection' strategy that is used by many cloud-based security providers to intercept web traffic. After all, the more robust alternative – BGP redirection – is again too expensive and too complex for most organizations.
Nearly 18,000 websites, protected by five different providers, were subjected to the team’s DNS redirection vulnerability tests. To this end, the researchers built their CLOUDPIERCER tool which automatically tries to retrieve websites’ original IP address based on eight different methods (such as historical data about the web domain and IP address, or the use of unprotected subdomains).
"Previous studies had already described a number of strategies that can be used to retrieve a website’s original IP address. We came up with a number of additional methods, and were the first ones to measure and verify the exact impact of these strategies on a larger scale," says Thomas Vissers. "The results were pretty confronting: in more than 70% of the cases, CLOUDPIERCER was able to effectively retrieve the website’s original IP address, thereby providing the exact info that is needed to launch a successful cyberattack. This clearly shows that the DNS redirection strategy that is commonly used today still has some serious shortcomings.”
The research results have already been shared with the respective cloud-based security providers, so that they can properly respond to the risk that their customers are still running.
But the researchers also want to inform the general public – and more specifically website owners – about the shortcomings of the popular DNS redirection strategy. That is why they make their CLOUDPIERCER tool freely available.
"With CLOUDPIERCER, people can test their own website against the eight methods that we have used in our research. CLOUDPIERCER scans the website, and indicates to which IP detection method it is most vulnerable,” concludes Thomas Vissers.
When websites use DNS redirection as a defense mechanism against cyberattacks, two simple measures can be taken to prevent the original IP address from being retrieved
- On the one hand, the website’s firewall settings can be adjusted – so that only web traffic from the cloud-based security provider is allowed.
- Alternatively, the IP address of the website can be changed once the contract with the cloud-based security provider is initiated.