top of page

Researchers Discover New Cloudflare Firewall and DDoS Bypass Methods

Cloudflare's firewall and distributed denial-of-service (DDoS) attack protection can be gotten around by taking advantage of holes in cross-tenant security controls, which goes against the whole point of these defences.

According to a report released last week by Certitude researcher Stefan Proksch, attackers can use their own Cloudflare accounts to take advantage of the built-in trust relationship between Cloudflare and customers' websites. This makes the protection system useless.

The Austrian consulting firm says the issue is caused by Cloudflare's shared infrastructure, which all tenants can use, whether they are legitimate or not. This makes it easy for bad actors to take advantage of the service's implicit trust and get around the barriers.

The first problem happens because the customer chose to use a common Cloudflare certificate to verify HTTP(S) requests between the service's reverse proxies and the customer's origin server. This is part of a feature called Authenticated Origin Pulls.

Authenticated Origin Pulls, as the name suggests, makes sure that requests to the origin server to get material that isn't in the cache come from Cloudflare and not from a threat actor.

Because of this, an attacker with a Cloudflare account can use the platform to send their malicious payload because all connections coming from Cloudflare are allowed, even if the renter making the connection is doing something bad.

"An attacker can use Cloudflare to set up a custom domain and point the DNS A record to the IP address of a victim," Proksch said.

"After that, the attacker turns off all security for that custom domain in their tenant and routes their attack(s) through Cloudflare." By using this method, attackers can get around the victim's defences.

Allowlisting Cloudflare IP addresses stops the origin server from getting traffic from individual visitor IP addresses and limits it to Cloudflare IP addresses. This is what the second problem is: people are abusing this feature to send malicious inputs and target other platform users.

After making the information public on March 16, 2023, Cloudflare agreed that it was useful and added a new warning to its documents.

Cloudflare has made it clear that the certificate it gives you to set up Authenticated Origin Pulls is not unique to your account. It only makes sure that the request is coming from the Cloudflare network.

"For tighter security, you should use your own certificate to set up Authenticated Origin Pulls and think about other ways to protect your origin."

"Allowlist Cloudflare IP addresses" should be seen as an extra layer of defence and not the only way to keep origin sites safe, Proksch said. "Custom certificates should be used instead of the Cloudflare certificate to set up the "Authenticated Origin Pulls" mechanism."

Certitude has also found that attackers can use "dangling" DNS records to take over subdomains that belong to more than 1,000 organisations, such as universities, political parties, governments, and media outlets. They will likely use these subdomains to spread malware, spread false information, and launch phishing attacks.

"Most of the time, cloud services could effectively stop subdomain hijacking by verifying domain ownership and not immediately releasing previously used identifiers for registration," said Florian Schweitzer, a security researcher.

Akamai recently said that attackers are using dynamically seeded domain generation algorithms (DGA) more and more to avoid being caught and make analysis more difficult. This makes command-and-control (C2) communication routes last longer.

"Knowing which DGA domains will go live tomorrow lets us put these domains on our blocklists ahead of time to protect end users from botnets," said Connor Faulkner and Stijn Tilborghs, two security experts.

"Unfortunately, that can't happen with seeds that are hard to predict, like Google Trends, temperatures, or exchange rates." The source code for the family doesn't help us guess right what DGA domain names will be made in the future.

In August, a group of researchers from the University of California, Irvine and Tsinghua University showed off MaginotDNS, a DNS poisoning attack that uses bugs in the checking methods to take over whole DNS zones, even top-level domains

"The inconsistent implementations between different DNS modes were key to the discovery of MaginotDNS," the researchers said. "The holes don't hurt regular forwarders because they don't do recursive domain resolutions, but they can have very bad effects on conditional DNS servers (CDNS)."

"CDNS is a common type of DNS server that hasn't been studied in depth yet." It can be set up to be both a recursive resolver and a forwarder at the same time, and all of these roles share the same global memory. Because of this, attackers can use the forwarder flaws to "cross the boundary" and attack recursive resolvers on the same server.

5 views0 comments


bottom of page