Title
Maneuvering Around Clouds: Bypassing Cloud-based Security Providers
Abstract
The increase of Distributed Denial-of-Service (DDoS) attacks in volume, frequency, and complexity, combined with the constant required alertness for mitigating web application threats, has caused many website owners to turn to Cloud-based Security Providers (CBSPs) to protect their infrastructure. These solutions typically involve the rerouting of traffic from the original website through the CBSP's network, where malicious traffic can be detected and absorbed before it ever reaches the servers of the protected website. The most popular Cloud-based Security Providers do not require the purchase of dedicated traffic-rerouting hardware, but rely solely on changing the DNS settings of a domain name to reroute a website's traffic through their security infrastructure. Consequently, this rerouting mechanism can be completely circumvented by directly attacking the website's hosting IP address. Therefore, it is crucial for the security and availability of these websites that their real IP address remains hidden from potential attackers. In this paper, we discuss existing, as well as novel "origin-exposing" attack vectors which attackers can leverage to discover the IP address of the server where a website protected by a CBSP is hosted. To assess the impact of the discussed origin-exposing vectors on the security of CBSP-protected websites, we consolidate all vectors into CloudPiercer, an automated origin-exposing tool, which we then use to conduct the first large-scale analysis of the effectiveness of the origin-exposing vectors. Our results show that the problem is severe: 71.5% of the 17,877 CBSP-protected websites that we tested expose their real IP address through at least one of the evaluated vectors. The results of our study categorically demonstrate that a comprehensive adoption of CBSPs is harder than just changing DNS records.
Our findings can steer CBSPs and site administrators towards effective countermeasures, such as proactively scanning for origin exposure and using appropriate network configurations that can greatly reduce the threat.
Year: 2015
DOI: 10.1145/2810103.2813633
Venue: ACM Conference on Computer and Communications Security
Keywords: Cloud-based security, DDoS attacks, Web attacks
Field: Countermeasure, Internet privacy, IP address, Domain name, Denial-of-service attack, Computer science, Computer security, Server, Cloud computing security, Web application, Cloud computing
DocType: Conference
Citations: 15
PageRank: 0.78
References: 15
Authors
4
Name
Order
Citations
PageRank
Thomas Vissers1232.01
Tom van Goethem213611.77
Wouter Joosen32898287.70
Nick Nikiforakis486553.35