There was an interesting paper released recently that details how easy it is to bypass a CDN/WAF and get to the customer origin. https://cloudpiercer.org/paper/CloudPiercer.pdf
They even have a tool for you to scan your own website: https://cloudpiercer.org/
Methods they use:
- IP History
If your www domain pointed directly at your origin before you set up your CDN, it is trivial to use a service like domaintools.com to look up the old records.
- Subdomains
Looking for domains like origin.example.com, direct.example.com or ftp.example.com. As only the HTTP protocol can traverse a CDN, there has to be a way for site owners to communicate directly with their origin for SSH, FTP etc.
- DNS records
Looking for MX records that might point to the same subnet as your origin, or SPF entries in TXT records that expose outbound mail-sending IP addresses. If the CDN only supports IPv4 but your site has an AAAA record, that IPv6 address has to point at something other than the CDN.
- Temporary exposure
If the CDN is turned off for a short period of time for maintenance or debugging.
- SSL Certificates
If your origin hostname is listed in the certificate (e.g. as a SAN entry).
- Sensitive files
Leaving an IP address or origin domain in files when setting up a server, or exposing information in error messages, log files etc.
- Origin in content
Leaving an IP address in HTML when developing/debugging.
- Outbound connections
Using features like pingback, linkback or URL upload that make the origin connect out, which reveals its address.
In the report they don't test any Akamai-protected websites because they were focusing on CDNs that have security enabled by default (Kona is an add-on for Akamai). There are a couple of additional tricks they could have used if they were targeting Akamai sites:
- If the site is not using FastDNS, it's possible that the root domain (e.g. example.com) is pointing straight at the origin. This can be mitigated by using FastDNS or by using an external server for your root domain that 301s to your www site (e.g. AWS or another cloud provider).
- Using the Pragma debug headers, Akamai will expose the cache key used. Most of the time this includes the origin domain, e.g. /D/1234/xxxxxxx/000/origin.example.com/. This can be mitigated by blocking unauthorized use of the Pragma headers on your site or by using Site Shield.
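As an added illustration (my own example code, not from the paper, the CloudPiercer tool or Akamai), the following Python audit walks a zone's records and flags the DNS-based leaks described above, IP history aside since that needs a historical data source: A/AAAA records that resolve into the origin subnet or outside the CDN's ranges, an AAAA record when the CDN is IPv4-only, MX targets and SPF ip4/ip6 entries inside the origin subnet, suggestive hostnames such as origin/direct/ftp, and the root-domain case from the FastDNS point. The records, origin subnet and CDN range are constructed sample values; in practice you would feed it a zone export or resolver output for your own domain.

```python
import ipaddress
import re

# Constructed sample values (not from the page): the subnet the origin lives in,
# the CDN's edge range, and whether the CDN can serve IPv6 at all.
ORIGIN_NETWORK = ipaddress.ip_network("203.0.113.0/24")
CDN_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]
CDN_SUPPORTS_IPV6 = False

# Constructed zone data for a site fronted by the CDN: (name, type, value).
SAMPLE_RECORDS = [
    ("example.com", "A", "203.0.113.10"),          # root domain still at the origin
    ("www.example.com", "A", "198.51.100.7"),      # www correctly behind the CDN
    ("www.example.com", "AAAA", "2001:db8::10"),   # IPv6 record the CDN cannot serve
    ("origin.example.com", "A", "203.0.113.10"),   # direct-access hostname
    ("example.com", "MX", "mail.example.com"),
    ("mail.example.com", "A", "203.0.113.25"),     # mail host in the origin subnet
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.25 include:_spf.example.net -all"),
]

# ip4:/ip6: mechanisms in an SPF string, with optional prefix length.
SPF_IP_RE = re.compile(r"\bip[46]:([0-9a-fA-F:.]+(?:/\d{1,3})?)")
# Hostname labels that commonly mark a direct path to the origin.
SUSPECT_LABELS = ("origin", "direct", "ftp", "ssh", "mail", "dev", "staging")


def _in_any(addr, networks):
    return any(addr in n for n in networks)


def audit_records(records, origin_network, cdn_networks, cdn_supports_ipv6=True):
    """Return (name, type, reason) tuples for records that expose the origin."""
    findings = []
    addresses = {}  # hostname -> list of A/AAAA values, used to resolve MX targets
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addresses.setdefault(name, []).append(value)

    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if addr in origin_network:          # False across IPv4/IPv6 versions
                findings.append((name, rtype, "resolves into the origin subnet"))
            elif rtype == "AAAA" and not cdn_supports_ipv6:
                findings.append((name, rtype, "AAAA record but CDN is IPv4-only"))
            elif not _in_any(addr, cdn_networks):
                findings.append((name, rtype, "resolves outside the CDN ranges"))
        elif rtype == "MX":
            target = value.rstrip(".")
            for ip in addresses.get(target, []):
                if ipaddress.ip_address(ip) in origin_network:
                    findings.append((name, rtype, f"MX target {target} is in the origin subnet"))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            for token in SPF_IP_RE.findall(value):
                net = ipaddress.ip_network(token, strict=False)
                if net.overlaps(origin_network):
                    findings.append((name, rtype, f"SPF publishes {token} from the origin subnet"))

    # Hostnames that advertise a direct path, independent of where they resolve.
    for name in addresses:
        label = name.split(".")[0]
        if label in SUSPECT_LABELS:
            findings.append((name, "NAME", f"label '{label}' suggests a direct-access host"))
    return findings


if __name__ == "__main__":
    for name, rtype, reason in audit_records(SAMPLE_RECORDS, ORIGIN_NETWORK,
                                             CDN_NETWORKS, CDN_SUPPORTS_IPV6):
        print(f"{name:22} {rtype:5} {reason}")
```

Running it against the sample zone lists the root domain, origin.example.com and mail.example.com as resolving into the origin subnet, the www AAAA record as unservable by an IPv4-only CDN, and the MX and SPF entries as pointing back into the origin subnet; the www A record is the only one that comes back clean.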
With the increasing number of ways an origin server can be exposed, the only surefire way to mitigate a direct attack is to use Site Shield and block all traffic from outside the Akamai network. Obfuscating or hiding your origin may work for a while, but a determined attacker will find a way.