The cloud-based DDoS protection bypass can be used against services that require DNS-based DDoS mitigation to reroute and scrub traffic of unwanted packets, said Allison Nixon, a penetration tester and incident response handler at Bloomfield, Conn.-based managed security service provider Integralis. At the Black Hat security conference Wednesday, Nixon provided details about the configuration weakness and released a tool to automate the process of exploiting the flawed setup. Black Hat is owned and operated by UBM, CRN's parent.
"Bypassing these services is extremely easy; at this point I can bypass DDoS protection in almost every situation," Nixon said.
Nixon's tool can unmask a protected website in minutes. The method will not work on cloud-based services that support Border Gateway Protocol (BGP) routing or firms that install a physical anti-DDoS appliance in line with the network, Nixon said.
"If your service is an easy, convenient setup and only requires you to change DNS records, then you've got a problem," Nixon said. "If you switch to any BGP-based or inline filtering, it's all going through the filter anyway and you don't have to play hide and seek with your infrastructure."
A surge in denial-of-service attacks carried out by activist groups against the financial industry and other businesses has prompted many firms to consider either installing an appliance in the data center to reduce the risk of disruption or relying on a cloud-based service for defense. DDoS attacks have become a growing problem because automated tools have improved and botnets can be rented cheaply, putting the attack within reach of less sophisticated attackers, security experts say.
Bypassing cloud-based DDoS protection is simple and requires no tools, but the tool created by Nixon automates the process. It locates DDoS-protected websites and unmasks them, making them susceptible to DDoS. The tool was initially developed to unmask criminal websites. The technique relies on uncovering the origin IP address of the target site, the address the protection service is supposed to hide.
The manual technique relies on coaxing a component of the site into making an outbound connection, which divulges the origin's public IP address. Sites with more functionality are easier to unmask than sites with fewer features, Nixon said. For example, application-specific features, such as being able to upload an avatar on a forum, could reveal the origin IP address. Some hackers have sent fake DMCA requests to service providers -- an illegal practice -- in an effort to get the provider to divulge the origin IP of a customer site.
Nixon urged companies to find out how DDoS protection is being applied in their organization to determine if they are susceptible to the attack technique. Businesses that use cloud-based DDoS services that rely on DNS routing cannot fix the issue with a patch. Manual workarounds can help mitigate the issue, but they also can create complexity problems that cause more harm than good, Nixon said.
"If you have to stick with a DNS-based service you can change the configuration to make it less likely for the origin IP to be found," Nixon said. "You need to implement non-standard configurations, which can backfire on you. You also need to find and plug all sources of IP leakage."
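As an added example (not Nixon's tool or anything from the article), this is the kind of self-audit a defender can run against their own zone and origin: flag DNS records that resolve around the scrubbing provider, and encode the origin-side allowlist so that a leaked address alone does not let traffic skip the filter. The provider ranges, origin addresses and zone records are constructed values.

```python
import ipaddress

# Constructed example data (assumptions, not any provider's real ranges or a real zone):
# the scrubbing provider's published address ranges, and the origin server's own addresses.
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:100::/48")]
ORIGIN_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.10", "2001:db8:1::10")}

# Constructed zone: (record name, type, value). Only address records are audited.
ZONE = [
    ("www.example.com", "A", "198.51.100.7"),        # fronted by the provider: fine
    ("www.example.com", "AAAA", "2001:db8:100::7"),  # fronted by the provider: fine
    ("ftp.example.com", "A", "203.0.113.10"),        # legacy name resolving straight to the origin
    ("dev.example.com", "A", "203.0.113.22"),        # host in the zone that the provider never fronts
    ("example.com", "MX", "mail.example.com"),       # not an address record; resolve it before auditing
]

def in_provider_ranges(addr: str) -> bool:
    """True when addr lies inside one of the provider's scrubbing ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROVIDER_RANGES)

def audit_zone(records, origin_ips=ORIGIN_IPS) -> list:
    """Flag address records that defeat DNS-based protection.

    Returns (name, type, value, reason) tuples. Two cases are reported: a record
    that resolves directly to an origin address, and an A/AAAA record whose target
    is outside the provider's ranges entirely (a host reachable without passing
    through the scrubbing service; review whether that is intended)."""
    findings = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue
        ip = ipaddress.ip_address(value)
        if ip in origin_ips:
            findings.append((name, rtype, value, "resolves directly to origin"))
        elif not in_provider_ranges(value):
            findings.append((name, rtype, value, "not routed through provider"))
    return findings

def origin_should_accept(src: str) -> bool:
    """Origin-side allowlist decision: accept a connection only if its source is
    inside the provider's ranges, so a leaked origin address alone does not let
    traffic bypass the scrubbing layer. A real deployment enforces this in the
    host or network firewall; this function is only the decision logic."""
    return in_provider_ranges(src)

if __name__ == "__main__":
    for finding in audit_zone(ZONE):
        print("LEAK:", *finding)
    print("accept 198.51.100.7 ->", origin_should_accept("198.51.100.7"))
    print("accept 203.0.113.5  ->", origin_should_accept("203.0.113.5"))
```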
Firms that sell cloud-based DDoS protection as part of a monthly service package have acknowledged the issue. Matthew Prince, founder and CEO of CloudFlare, which provides cloud-based DDoS protection services to its customers, said his firm offers support for BGP routing, which shields customers who use it from the attack technique. The firm also can use a configuration that further masks the origin IP address, making it difficult for an attacker to uncover it.
PUBLISHED AUG. 1, 2013