Researchers have released details of a tool that allows users to discover origin servers. Researchers call it Cloudpiercer, which uses a number of techniques to locate origin servers' IP addresses.
The Cloudpiercer tool bundles several previously known methods with some stated new ones to simplify the reconnaissance against targets. It's a reconnaissance tool, not an attack tool. A potential attacker may use similar methods to search for a customer's datacenter IP addresses or netblock(s) but will have to use other services or technologies to perform an actual DDoS or web application attack.
Akamai's Security Intelligence Research Team (SIRT) has analyzed the methods used by the tool and offers the following observations.
Cloudpiercer requires verification of ownership of a site for it to be tested. This limits the ability to use the tool in malicious ways. However, the methods of discovery described in the paper are not difficult for an adversary to recreate without these verification steps put in place.
To date, we have been unable to confirm a large number of documented discovery cases using these types of techniques. The security community has been aware of these methods for several years.
Researchers specifically describe testing Prolexic's "always-on" Proxy service. The two main methods of discovery involve finding or knowing the origin IP address before it was cloaked and discovery of unprotected subdomains.
Other methods described in the paper are:
- Temporary DNS exposure-origin IP that can be exposed temporarily if maintenance or updates need to be done and the protections are removed. Additionally, domains might reveal their web server's IP address through MX, SPF and other DNS records.
- Exploitation of sensitive files: Sensitive files are sometimes left on the server and can reveal the origin IP. Additionally, SSL certificates on a site may also indicate origin IP information.
- Outbound connection triggering: Triggering the origin to make a connection directly to a client, revealing the IP. Using a pingback attack is an example of this.
- Origin IP in the content: A developer may hard code an origin IP address in a page, leaving it easy to be found by viewing the source of a web page.
Mitigating the risk
Akamai recommends a multi-layered approach to minimize information disclosure by utilizing a combination of technologies, which can include Routed, Kona Site Defender with properly configured SiteShield, and an outsourced authoritative DNS service such as FastDNS.
Proper Siteshield configuration should include setting ACLs to only take requests from Akamai servers. In addition, when the ACLs are put in place, the origin servers' IP address should be changed to a non-guessable IP address and non-guessable origin host names. This means changing to a different IP on the same /24 network may not be hidden well enough.
Other services like mail or ftp that are not behind a BGP-based networking DDoS mitigation service also should not be on the same network as the origin web servers. The Cloudpiercer researchers point out that tools exist to do a brute force lookup of these subdomains. If these subdomains are on the same network, this can lead to the origin web servers' IP being leaked as well. If changing IP addresses is not feasible, routed customers can choose to protect their entire subnet from direct to origin DDoS attacks.
Servers should not have sensitive files available that could leak information. One such example is a file that uses PHP's phpinfo() function. This is a common function used by developers to get an understanding of the server's environment. However, these also leak information to attackers as well.
Lastly, file uploads from users can also leak the critical server information. These should be properly locked down, so as to not be viewable by users.
Next Steps and Risk Evaluation
Customers who have questions regarding Cloudpiercer's capabilities or the level of risk from this tool can contact their account teams. Akamai has not encountered documented attacks using this tool as it is a reconnaissance tool, but we have the capability to defend against all types of Internet attacks.
Akamai can provide comprehensive evaluations of potential information disclosure and mitigation strategies, but many of the sources of information are publicly available and inherent to the architecture of the Internet.