Cloud-Based DDoS Protection Is Easily Bypassed, Says Researcher
Some cloud-based services that provide monthly denial of service protection for their clients may be easily bypassed by a hacker determined to disrupt a specific website, according to a penetration tester who has found a way to easily exploit a common configuration weakness in the way many such services are set up.

The cloud-based DDoS protection bypass can be used against services that require DNS-based DDoS mitigation to reroute and scrub traffic of unwanted packets, said Allison Nixon, a penetration tester and incident response handler at Bloomfield, Conn.-based managed security service provider Integralis. At the Black Hat security conference Wednesday, Nixon provided details about the configuration weakness and released a tool to automate the process of exploiting the flawed setup. Black Hat is owned and operated by UBM, CRN's parent.

"Bypassing these services is extremely easy; at this point I can bypass DDoS protection in almost every situation," Nixon said.

[Related: 5 Reasons DDoS Attacks Are Gaining Strength]

Nixon's tool can unmask a protected website in minutes. The method will not work on cloud-based services that support Border Gateway Protocol (BGP) routing or firms that install a physical anti-DDoS appliance in line with the network, Nixon said.

"If your service is an easy, convenient setup and only requires you to change DNS records, then you've got a problem," Nixon said. "If you switch to any BGP-based or inline filtering, it's all going through the filter anyway and you don't have to play hide and seek with your infrastructure."

A surge in denial of service attacks carried out by activist groups against the financial industry and other businesses has prompted many firms to consider either installing an appliance in the data center or relying on a cloud-based service for defense, to reduce the risk that systems could be disrupted. DDoS attacks have become a growing problem because automated tools have improved and botnets of computers can be easily rented, putting the attack in the hands of less sophisticated attackers, security experts say.

Bypassing cloud-based DDoS protection is simple and requires no tools, but the tool created by Nixon automates the process. It locates DDoS-protected websites and unmasks them, making them susceptible to DDoS. The tool was initially developed to unmask criminal websites. The technique relies on uncovering the origin IP address of the target site.

The manual technique to carry out the attack relies on unmasking the website by trying to make outbound connections to get a site component to divulge its public IP address. Sites with more functionality are easier to unmask than sites with fewer features, Nixon said. For example, application-specific features, such as being able to upload an avatar on a forum, could reveal the origin IP address. Some hackers have sent fake DMCA requests to service providers -- an illegal practice -- in an effort to get the provider to divulge the origin IP of a customer site.

Nixon urged companies to find out how DDoS protection is being applied in their organization to determine if they are susceptible to the attack technique. Businesses that use cloud-based DDoS services that rely on DNS routing cannot fix the issue with a patch. Manual workarounds can help mitigate the issue, but they also can create complexity problems that cause more harm than good, Nixon said.

"If you have to stick with a DNS-based service you can change the configuration to make it less likely for the origin IP to be found," Nixon said. "You need to implement non-standard configurations, which can backfire on you. You also need to find and plug all sources of IP leakage."
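As an added illustration of the "find and plug all sources of IP leakage" advice above (this is example code written for this page, not Nixon's tool or anything from the article), the script below reads an origin server's access log and flags requests that did not arrive through the scrubbing provider's networks; any such hit means the origin IP is already known to someone and the server is reachable directly, bypassing the DNS-based protection. The provider ranges and the log lines are constructed placeholders.

```python
import ipaddress
import re
from typing import Dict

# Constructed placeholder ranges standing in for the scrubbing provider's
# published egress networks; a real deployment would load the vendor's list.
SCRUBBER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample access-log lines in combined-log format. The first two
# came through the scrubber; the last two hit the origin directly.
SAMPLE_LOG = """\
203.0.113.17 - - [01/Aug/2013:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Aug/2013:10:00:02 +0000] "GET /forum HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [01/Aug/2013:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/7.30"
192.0.2.44 - - [01/Aug/2013:10:00:04 +0000] "GET /login HTTP/1.1" 200 512 "-" "curl/7.30"
"""

# Client IP, timestamp and request line of a combined-log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def via_scrubber(ip: str) -> bool:
    """True if the client address belongs to one of the scrubbing networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SCRUBBER_NETS)


def find_direct_hits(log_text: str) -> Dict[str, int]:
    """Return {source_ip: request_count} for requests that reached the origin
    without passing through the scrubbing network, i.e. evidence that the
    origin IP has leaked and the DNS-based protection is being bypassed."""
    direct: Dict[str, int] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ip = m.group("ip")
        if not via_scrubber(ip):
            direct[ip] = direct.get(ip, 0) + 1
    return direct


if __name__ == "__main__":
    for ip, n in find_direct_hits(SAMPLE_LOG).items():
        print(f"direct-to-origin traffic from {ip}: {n} request(s); origin IP is exposed")
```

The same allowlist belongs in the origin's firewall, so that traffic not sourced from the scrubbing ranges is dropped rather than merely logged; the log check then confirms the rule is actually in place.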

Firms that sell cloud-based DDoS protection as part of a monthly service package have acknowledged the issue. Matthew Prince, founder and CEO of CloudFlare, which provides cloud-based DDoS protection services to its customers, said his firm offers support for BGP routing, which shields customers that use it from the attack technique. The firm can also use a configuration that further masks the origin IP address, making it difficult for an attacker to uncover it.

PUBLISHED AUG. 1, 2013