When it comes to web security there are many services and technologies providing protection against known vulnerabilities, anti-automation, and DDoS.
Many of these services provide protection against Distributed Denial of Service (DDoS) attacks. A DDoS attack occurs when multiple systems (in most cases compromised machines/bots) flood a web site or web service with a large enough volume of requests to overload it and make it unavailable to legitimate users.
Using a security service, in most cases, means your origin IP address is masked by one of the security service's anycast IP addresses (DNS queries return an IP address belonging to the security service you're using), hiding it from attackers who would otherwise aim a DDoS attack directly at your origin server.
So, all I need to do is use a web application protection service?
Using a security service IP address (and therefore hiding your origin IP address from DNS queries) is not enough: there are many ways and tools an attacker can use to discover your origin IP address and then attack your origin server directly, bypassing the security service you are using.
Understanding some of the tools an attacker can use to discover your origin IP address
1. Historical DNS data
There are many tools available online that store historical DNS data:
2. Subdomains
Attackers will scan and search for subdomains sharing the same IP address as the origin server.
3. Sending an email
One of the simplest and cleverest ways to find an origin IP address is to have the origin server send you an email, since the message headers will contain the IP address of the server that sent it. This will not always work, as some websites use a third-party service for sending email.
Registering an account, using the "forgot password" feature or simply using the contact form will result in a confirmation email being sent to the address you specify during that process. In the example on the original page you can see that the origin IP of the server is included in the message headers:
** The "Show full message" option in most well-known email clients will reveal the details above
Using a cloud security service is not enough to protect your origin server. There are several steps you can take to ensure your server is protected:
- Change your origin server IP just before you start using a security service.
- Review your DNS records; none of them should reveal any details about the origin IP address.
- Don't host mail or any other service on your web server.
- Go over your subdomains and make sure none of them points to your origin server.
- Only allow traffic from the IP ranges the security service uses; block all other traffic.
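As an added example (not code from the original post), a small Python audit that applies two of the checks above to constructed data: it flags DNS record values that fall outside a hypothetical security service's address ranges (including an SPF record and a forgotten subdomain), and it flags non-service addresses in the Received headers of an email the origin server sent. The service ranges, zone records and email headers are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample data (not real ranges or records): the anycast ranges a
# hypothetical security service publishes, and a zone export of the protected domain.
SERVICE_RANGES = [ipaddress.ip_network(c) for c in ("192.0.2.0/24", "2001:db8:1::/48")]

ZONE_RECORDS = [
    ("example.com.", "A", "192.0.2.10"),             # proxied through the service
    ("www.example.com.", "A", "192.0.2.10"),
    ("ftp.example.com.", "A", "198.51.100.7"),       # forgotten subdomain -> origin
    ("mail.example.com.", "A", "198.51.100.7"),      # mail hosted on the origin server
    ("example.com.", "TXT", "v=spf1 ip4:198.51.100.7 -all"),  # SPF record lists origin
    ("api.example.com.", "AAAA", "2001:db8:1::5"),
]

# Constructed headers of a "forgot password" email sent by the origin server itself.
SAMPLE_EMAIL_HEADERS = """\
Received: from mail.example.com (mail.example.com [198.51.100.7])
    by mx.recipient.example with ESMTPS id 4Xyz12
From: noreply@example.com
Subject: Password reset"""

def is_protected(ip: str) -> bool:
    """True if the address lies inside one of the security service's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SERVICE_RANGES)

def addresses_in(text: str):
    """Yield every IPv4/IPv6 literal in a record value or header, ignoring hostnames."""
    for tok in re.split(r"[\s,()\[\]]+|ip[46]:", text):  # also strips SPF 'ip4:'/'ip6:' prefixes
        try:
            yield str(ipaddress.ip_address(tok.rstrip(".")))
        except ValueError:
            continue  # hostname, keyword or other non-address token

def find_dns_leaks(records):
    """Return (name, rtype, ip) for each record value pointing outside the service ranges."""
    return [(name, rtype, ip) for name, rtype, value in records
            for ip in addresses_in(value) if not is_protected(ip)]

def find_header_leaks(headers: str):
    """Return addresses in Received: headers that do not belong to the security service."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", headers)  # join folded header continuation lines
    received = [l for l in unfolded.splitlines() if l.startswith("Received:")]
    return [ip for line in received for ip in addresses_in(line) if not is_protected(ip)]

if __name__ == "__main__":
    for leak in find_dns_leaks(ZONE_RECORDS):
        print("DNS record exposes origin:", leak)
    for ip in find_header_leaks(SAMPLE_EMAIL_HEADERS):
        print("Email header exposes origin:", ip)
```

Run against a real zone export and a real message, the same two functions give you the DNS-review and mail-hosting items of the checklist in one pass.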
Attackers only need to find a single flaw, and there are many possible ways to do so.
Make sure you have a checklist and go through each item carefully to ensure your origin IP address stays private.