Protecting Your Origin Server

January 16, 2019 | Blog, JS Devs Zone

Today’s post is by Yaniv Parasol, Director of Product at StackPath as part of our JS Devs Zone blog series, which highlights technical tutorials and thought leadership on JS Foundation technologies and the greater JavaScript ecosystem written by outstanding members of the JavaScript community.

When it comes to web security, there are many services and technologies that provide protection against known vulnerabilities, automated traffic (bots), and DDoS.

Many of these services provide protection against Distributed Denial of Service (DDoS) attacks. A DDoS attack occurs when multiple systems (in most cases compromised machines/bots) flood a web site or web service with a large enough volume of requests that it becomes overloaded and unavailable to legitimate users.

Using a security service, in most cases, means your origin IP address is masked behind one of the security service's anycast IP addresses (DNS queries return an IP address belonging to the security service you are using). This hides it from attackers who would otherwise be able to aim a DDoS attack directly at your origin server.

So, all I need to do is use a web application protection service?

Using a security service IP address (and therefore hiding your origin IP address from DNS queries) is not enough. There are many ways and tools an attacker can use to discover your origin IP address and then attack your origin server directly, bypassing the security service you are using.

Understanding some of the tools an attacker can use to discover your origin IP address

1. Historical DNS data

There are many tools available online that store historical DNS data:

2. Subdomains

Attackers will scan and search for subdomains sharing the same IP address as the origin server.

3. Sending an email

One of the simplest and cleverest ways to figure out an origin IP address is to have the origin server send you an email, since the message headers will contain the IP address of the server that sent it. This will not always work, as some websites use a third-party service for sending email.

Registering an account, using the "forgot password" flow, or simply submitting the contact form will trigger a confirmation email to the address you specify during the process. In this example you can see that the origin IP of the server is included in the message:

** The "Show full message" (or "Show original") option in most common email clients will display the header details shown above.

Summary

Using a cloud security service is not enough to protect your origin server. There are several steps you can take to ensure your server is protected:

  • Change your origin server IP just before you start using the security service.
  • Review your DNS records; none of them should include any details about the origin IP address.
  • Don't host mail or any other service on your web server.
  • Go over the subdomains you have and make sure none of them points to your origin server.
  • Only allow traffic from the IP ranges the security service is using (all other traffic should be blocked).
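The DNS review, subdomain check and "no mail on the web server" items above can be turned into a single audit over a zone export. The following is an added example, not code from the original post or from StackPath; the zone records, the origin address and the security service ranges are constructed placeholders (RFC 5737/3849 documentation addresses), so substitute your own zone and the provider's published anycast ranges.

```python
import ipaddress

# Constructed sample data (not real): the origin's true address and
# placeholder networks standing in for the security service's anycast ranges.
ORIGIN_IP = "203.0.113.10"
SERVICE_RANGES = ["198.51.100.0/24", "2001:db8:100::/48"]

# Constructed zone export as (name, type, value) tuples.
ZONE_RECORDS = [
    ("example.com",      "A",     "198.51.100.7"),                 # fronted: fine
    ("www.example.com",  "CNAME", "example.com"),
    ("dev.example.com",  "A",     "203.0.113.10"),                 # leaks origin
    ("example.com",      "MX",    "mail.example.com"),
    ("mail.example.com", "A",     "203.0.113.10"),                 # mail on web host
    ("api.example.com",  "A",     "192.0.2.44"),                   # not fronted
    ("example.com",      "TXT",   "v=spf1 ip4:203.0.113.10 -all"), # SPF leaks origin
]


def audit_zone(records, origin_ip, service_ranges):
    """Return (name, type, reason) findings for records that expose the
    origin address or let traffic bypass the fronting service."""
    origin = ipaddress.ip_address(origin_ip)
    nets = [ipaddress.ip_network(r) for r in service_ranges]
    findings = []
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr = ipaddress.ip_address(value)
            if addr == origin:
                findings.append((name, rtype, "points at the origin IP"))
            elif not any(addr in n for n in nets):  # v4-in-v6 compares False
                findings.append((name, rtype, "not behind the security service"))
        elif rtype == "MX":
            # Mail hosted on the web server: outbound mail headers reveal it.
            target = value.rstrip(".")
            if any(n == target and t in ("A", "AAAA") and v == origin_ip
                   for n, t, v in records):
                findings.append((name, rtype, "mail host resolves to the origin IP"))
        elif rtype in ("TXT", "SPF") and origin_ip in value:
            findings.append((name, rtype, "origin IP published in TXT/SPF"))
    return findings


if __name__ == "__main__":
    for name, rtype, reason in audit_zone(ZONE_RECORDS, ORIGIN_IP, SERVICE_RANGES):
        print(f"{name:<20} {rtype:<5} {reason}")
```

A clean zone produces an empty list; every finding is a record to change before the origin IP is swapped and the allowlist is enforced.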

Attackers only need to find a single flaw, and there are lots of possible ways to do so.

Make sure you have a checklist and check each topic carefully to ensure your origin IP address is private.

Author Kaitlyn Barnard