Nick Le Mouton

Protecting your origin

Discussion created by Nick Le Mouton Champion on Oct 11, 2015
Latest reply on Oct 14, 2015 by Danny Wasserman

There was an interesting paper released recently that details how easy it is to bypass a CDN/WAF and get to the customer origin.


They even have a tool for you to scan your own website:


Methods they use:


- IP History

If you previously had your www domain pointing at your origin before you set up your CDN, it's trivial to use a service like to look up old records.


- Subdomains

Looking for domains like,,. As only the HTTP protocol can traverse a CDN, there has to be a way for site owners to communicate directly with their origin for SSH, FTP, etc.


- DNS records

Looking for MX records that might point to the same subnet as your origin, or SPF entries in TXT records that expose outbound mail-sending IP addresses; or, if a CDN only supports IPv4, an AAAA record for your site.


- Temporary exposure

If the CDN is turned off for a short period of time for maintenance or debugging.


- SSL Certificates

If your origin is listed in the cert (e.g. as a SAN).


- Sensitive files

Leaving an IP address or origin domain in files when setting up a server, or exposing information in error messages, log files, etc.


- Origin in content

Leaving an IP address in HTML when developing/debugging.


- Outbound connections

Using methods like pingback, linkback, or URL upload to identify the origin.


In the report they don't test any Akamai protected websites because they were focusing on CDNs that have security enabled by default (Kona is additional on Akamai). There are a couple of additional tricks that they could have used if they were targeting Akamai sites:


- If the site is not using FastDNS, it's possible that the root domain is pointing to the origin (e.g. ). This can be mitigated by using FastDNS or by using an external server for your root domain to 301 to your www site (e.g. AWS or another cloud provider).


- Using the pragma debug headers, Akamai will expose the cache key used. Most of the time this includes the origin domain, e.g. /D/1234/xxxxxxx/000/. This can be mitigated by blocking unauthorized use of the pragma headers on your site or by using Site Shield.
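
An added self-audit example (my own code, not from the paper, its scanner, or Akamai) that runs the DNS checks from the list above and the FastDNS point over a constructed zone: apex or www records resolving outside the CDN, an AAAA record an IPv4-only CDN never fronts, a mail host in the origin subnet, and SPF `ip4:` entries that publish it. The zone records, CDN ranges and origin subnet are placeholders you would replace with your own.

```python
import ipaddress
import re

# Constructed sample zone for a hypothetical example.com (placeholder values, not from the post).
RECORDS = [
    ("example.com", "A", "203.0.113.10"),           # apex still pointing at the origin
    ("www.example.com", "A", "198.51.100.5"),       # www correctly fronted by the CDN
    ("www.example.com", "AAAA", "2001:db8:1::10"),  # AAAA the IPv4-only CDN never fronts
    ("example.com", "MX", "mail.example.com"),
    ("mail.example.com", "A", "203.0.113.25"),      # mail host in the same subnet as the origin
    ("example.com", "TXT", "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net ~all"),
]
CDN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]  # assumption: the CDN's published edge ranges
ORIGIN_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # assumption: where the origin really lives
WEB_NAMES = {"example.com", "www.example.com"}          # names that must only resolve to the CDN


def _in_any(addr, nets):
    """True if addr falls inside any of nets (mixed IPv4/IPv6 simply compares False)."""
    return any(addr in n for n in nets)


def find_exposures(records, cdn_ranges, origin_nets, web_names):
    """Return (name, type, value, reason) for records that bypass the CDN or leak the origin subnet."""
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if name in web_names and not _in_any(addr, cdn_ranges):
                # Covers the apex-not-on-FastDNS case and an AAAA record on an IPv4-only CDN.
                findings.append((name, rtype, value, "web hostname resolves outside the CDN"))
            elif _in_any(addr, origin_nets):
                # e.g. the MX target host living next to the origin.
                findings.append((name, rtype, value, "record points into the origin subnet"))
        elif rtype == "TXT" and value.startswith("v=spf1"):
            # SPF ip4:/ip6: mechanisms publish your outbound mail senders in clear text.
            for token in re.findall(r"ip[46]:(\S+)", value):
                net = ipaddress.ip_network(token, strict=False)
                if any(net.overlaps(o) for o in origin_nets):
                    findings.append((name, rtype, token, "SPF publishes an origin-subnet sender"))
    return findings


if __name__ == "__main__":
    for finding in find_exposures(RECORDS, CDN_RANGES, ORIGIN_NETS, WEB_NAMES):
        print("%-18s %-5s %-20s %s" % finding)
```

Any record that turns up here is one the paper's scanner would find too, so the fix is the same as the post's: move the record behind the CDN, or accept it and rely on Site Shield to drop direct traffic.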


With the increasing ways of exposing an origin server, the only surefire way to mitigate against a direct attack is to use Site Shield and block all traffic from outside of the Akamai network. Obfuscating/hiding your origin may work for a while, but a determined attacker will find a way.