A team of computer scientists from KU Leuven and independent research institute iMinds has found that DNS redirection security mechanisms, popularly used by cloud-based security providers, can be easily bypassed. DNS redirection shields a user’s IP address, ostensibly protecting the user from certain types of hacks including DDoS. But DNS redirection can be bypassed and the original IP address can be retrieved in more than 70% of test cases.
The researchers built a tool called Cloudpiercer, an automated origin-exposing tool, which they used to run DNS redirection vulnerability tests on approximately 18,000 websites. Cloudpiercer was created to automatically attempt to retrieve each website's original IP address using eight different methods, including accessing IP history, subdomains, DNS records, SSL certificates, PingBack and RefBack. It was successful 71.5% of the time, retrieving the website's original IP address through some combination of these origin-exposing vectors. The researchers found that subdomains and IP history are the major weaknesses in DNS redirection, with those two vectors alone exposing the origin in more than 40% of the cases.
DNS redirection is a popular security measure in cloud-based security, and is intended to protect against distributed denial of service (DDoS) attacks. A DDoS attack floods a site with enormous volumes of traffic from many different computers until the site becomes unavailable. DDoS attacks hit a record high in 2015, with over 132% year-over-year growth from 2014. With the increasing prevalence of DDoS attacks, website owners have two choices to protect themselves: purchase expensive, dedicated hardware, or outsource protection to cloud security providers. “One strategy these providers commonly use to protect websites includes diverting incoming web traffic via their own infrastructure, which is sufficiently robust to detect and absorb cyberattacks. However, the success of this strategy heavily depends on how well the website’s original IP address can be shielded. If that IP address can be retrieved, protection mechanisms can easily be bypassed,” said Thomas Vissers, PhD candidate at KU Leuven and co-author of the paper describing Cloudpiercer.
The researchers have shared the results with the security providers that they studied in their experiment, and have also made Cloudpiercer available for free. “With Cloudpiercer,” Vissers explains, “People can test their own website against the eight methods that we have used in our research. Cloudpiercer scans the website, and indicates to which IP detection method it is most vulnerable.” Cloudpiercer is available here.
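The self-test idea above can be approximated for the subdomain and DNS-record vectors with a simple audit of your own zone: every name whose A record points outside the security provider's proxy ranges is a candidate origin leak. This is an added illustration written for this page, not Cloudpiercer's code; the zone records, provider CIDR ranges and hostnames are constructed sample values, and a real check would pull them from your DNS exports and the provider's published ranges.

```python
import ipaddress

# Constructed sample: the proxy ranges a hypothetical cloud security provider
# announces (placeholder documentation prefixes, not a real provider's ranges).
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample zone. Only the apex and "www" were moved behind the proxy;
# older names still resolve straight to the origin network (192.0.2.0/24).
ZONE_RECORDS = {
    "example.test":        {"A": ["203.0.113.10"]},
    "www.example.test":    {"A": ["203.0.113.10"]},
    "ftp.example.test":    {"A": ["192.0.2.55"]},   # forgotten legacy host
    "mail.example.test":   {"A": ["192.0.2.20"], "MX": ["mail.example.test"]},
    "direct.example.test": {"A": ["192.0.2.55"]},   # "bypass the proxy" name
}


def is_proxied(ip: str) -> bool:
    """True if the address lies inside one of the provider's proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PROVIDER_RANGES)


def find_origin_leaks(records):
    """Return {hostname: [unproxied IPs]} for every name that resolves outside
    the provider's ranges, i.e. every record that exposes infrastructure the
    proxy was supposed to hide."""
    leaks = {}
    for name, rrsets in records.items():
        exposed = [ip for ip in rrsets.get("A", []) if not is_proxied(ip)]
        if exposed:
            leaks[name] = exposed
    return leaks


def likely_origins(leaks):
    """Rank leaked addresses by how many names point at them; an address shared
    by several leaked names is the most probable origin server and the first
    one to re-address or firewall so that only the proxy can reach it."""
    counts = {}
    for ips in leaks.values():
        for ip in ips:
            counts[ip] = counts.get(ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = find_origin_leaks(ZONE_RECORDS)
    for host, ips in sorted(found.items()):
        print(f"LEAK {host}: {', '.join(ips)}")
    print("likely origins:", likely_origins(found))
```

Remediating a finding means more than deleting the DNS record: the origin host must also refuse traffic that does not arrive through the provider, otherwise the IP history vector still applies.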