back to article DDoS defences spiked by CloudPiercer tool - paper

The real IP addresses of some 70 per cent of websites protected by popular distributed denial of service attack protection providers like CloudFlare, Prolexic and Incapsula can be revealed using a simple web tool built on newly uncovered flaws, according to a recent paper. Sensitive websites admins wishing to protect against …

DDoS FTL

DDoS attacks are probably the most difficult threat to mitigate, full stop. Although hiding origin server's IP address(es) seems like a reasonable counter measure, the vulnerability appears to be inherent in the mechanism rather than a dodgy line of code. My money is on that the fix is going to be quite difficult to implement.

1
0
Silver badge

Re: DDoS FTL

The irony is they're really easy to *prevent* by good procedure on the part of the carriers and exchanges - but there's significant moral hazard preventing any of them doing anything about it.

0
0
Silver badge

Re: DDoS FTL

Just in case anybody gets the wrong end of the stick - the moral hazard is they make more money if you're getting DDoSed because you're using more traffic - it doesn't hurt them in any way - and it's easy for them to fix by only pushing traffic that is coming from IPs that actually belong to their customers or contractually requiring BCP38 and similar and punishing customers who flout the ingrained insecurities for gain.

The problem tends to be confined to what you'd politely describe as "non-western" datacenters but most of the traffic is pushed by companies with major US/European operations.

0
0

A problem solved with a simple firewall rule?

Since the majority of origin sites are hosted in the cloud anyway these days, incoming bandwidth is unlikely to be a problem. A simple firewall rule allowing access only from the Cloudfare or whatever entry point servers should solve any issues.

I would have thought most competent sysadmins would have put that in place at the time they switched over to Cloudflare/whatever anyway.

1
0

Re: A problem solved with a simple firewall rule?

The firewall will only drop the packets when they hit, so pipe saturation is the point rather than the processing of such traffic. Getting your egress point hammered by taffic that exceeds your bandwidth capacity isn't pleasant.

3
0

Yet another example of 'researchers' who don't have real jobs publishing information that will damage those that do have real jobs.

And yes, 'security through obscurity' is a valid concept, some 'baddies' may know it but now everyone does!

1
6
Anonymous Coward

wait 'til you read the comment below

see above.

0
1
Anonymous Coward

not quite accurate

"Cloud security providers alter the DNS settings of a domain name to reroute distributed denial of service attack traffic through their infrastructure"

At least for the Incapsula service you have to make your own DNS changes. And as you can guess, this means all traffic for those DNS names passes through their infrastructure.

One way to find out who Incapsula's clients are is to examine the certificate you get. All of their clients' domains are listed in the subjectAltName field.

0
0

Perhaps when we all go to IPV6, if it ever happens, and IPV4 is turned off, everyone will get their own permanent IP address. Perhaps largely killing the anonymity required for ddos?

0
0
Silver badge

IP address spoofing works for IPv6 too.

0
0

I read the PDF paper and looked at the terms of service on their cloudpiercer.org site. In my opinion, they forgot something important. They should state in these terms that their service does not welcome, nor will it protect, any domain owner whose domain promotes criminal activity. CloudFlare, for example, is full of such domains -- domains that recruit for ISIS, domains that sell stolen credit-card information, and domains that accept payment for launching denial-of-service attacks. They gave my site crimeflare.com a footnote in that PDF, so they are already aware of this situation.

0
0
Silver badge

Criminal where? Lots of countries, lots of laws. Nice idea in theory; but it'd get messy real quick if you tried to actually implement it.

0
0

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2018