KALYPTO (IN)SECURITY

Research, demonstrations, and popcorn

How Not To Use CloudFlare

For those who don't know what CloudFlare is, please review their home page.  The basic idea behind CloudFlare is a reverse proxy: traffic for a site passes through CloudFlare's edge first, which lets CloudFlare protect the site from Denial of Service attacks, cross-site scripting, and a variety of other attacks.

The important thing you have to realize, though, is that any information about a site's true host can still result in the compromise of the website, because the origin server is only hidden as long as nothing else points at it.  A common set of subdomains that can give away a real host's IP address are:

  • ftp.domain.com
  • mail.domain.com
  • ssh.domain.com
  • irc.domain.com

While it is true that these subdomains may not be hosted on the same server as the hidden site, they generally give you a good idea of where to look.  Servers from the same hosting provider are usually in the same /24 (class C) block.

Let's look at a random example. How about… lizardpatrol.org?  Looking at the nslookup output, we can see that it is protected by CloudFlare.

[Screenshot: DNS_lizardpatrol (nslookup output for lizardpatrol.org)]

So, let us look at the subdomains to see if they are protected as well.  I always start with the list above.  After trying them all, the only one that returns a record is irc.lizardpatrol.com.

[Screenshot: dns_irc_lizardpatrol (nslookup output for irc.lizardpatrol.com)]

So… what does 198.100.144.122 point at?  dk.0x1337b33f.com, which, even though it is a subdomain, is hosted from the parent domain 0x1337b33f.com.

Next step:  Find out if lizardpatrol.com is actually hosted by the same server as 0x1337b33f.com.  To do that, we execute the following raw HTTP GET request against that server:

[Screenshot: Code (the raw HTTP GET request)]

And what to our wandering eyes does appear?

[Screenshot: Response (the server's reply)]

So, as you can see… the server is hosting lizardpatrol.com.  A simple direct query of a server will tell you, every time, whether the site is hosted there.

While I do think that CloudFlare is a great tool to have, never assume it makes your site invulnerable.  All it takes is some research into the site to figure out where it really resides.  Once you know where the site sits, you can circumvent all the protection of CloudFlare and hit the site directly, because the origin server itself still answers to anyone who reaches it.

Remember to ALWAYS remove any non-protected subdomains from your DNS records.  If you need to connect to your server, you should be connecting to it by IP instead of by hostname.  That way your websites can stay secured and you will not leak information.
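The two checks above (are any of my subdomains resolving to the real origin, and does my origin answer direct requests at all) can be automated. The following is an added example, not code from the original post: a small audit that flags DNS records pointing outside CloudFlare's edge ranges, groups the leaks by /24 as the post suggests, and an origin-side gate that serves only connections arriving from those ranges. The CloudFlare ranges listed are a partial subset as an assumption for the example; the current published list should be fetched from cloudflare.com/ips before relying on it. The DNS records and IP addresses are constructed (documentation addresses), not real lookups.

```python
import ipaddress
from collections import defaultdict

# Assumption: a partial subset of CloudFlare's published IPv4 edge ranges.
# The live list (https://www.cloudflare.com/ips/) changes; refresh it before use.
CLOUDFLARE_RANGES = [
    "103.21.244.0/22",
    "104.16.0.0/13",
    "108.162.192.0/18",
    "141.101.64.0/18",
    "162.158.0.0/15",
    "172.64.0.0/13",
    "173.245.48.0/20",
    "198.41.128.0/17",
]


def parse_ranges(cidrs):
    """Turn CIDR strings into network objects once, so membership tests are cheap."""
    return [ipaddress.ip_network(c) for c in cidrs]


CF_NETWORKS = parse_ranges(CLOUDFLARE_RANGES)


def is_cloudflare(ip, networks):
    """True if the address falls inside any of the proxy's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_leaking_records(records, networks):
    """Audit (hostname, ip) pairs from your own zone.

    Any record that resolves to an address outside the proxy's ranges is a
    candidate origin leak: the host answers the Internet directly and, if it
    shares a server (or a /24) with the protected site, gives the origin away.
    """
    return [(host, ip) for host, ip in records if not is_cloudflare(ip, networks)]


def cluster_by_24(leaks):
    """Group leaked hosts by their /24 so related hosts on one provider stand out."""
    groups = defaultdict(list)
    for host, ip in leaks:
        block = ipaddress.ip_network(f"{ip}/24", strict=False)
        groups[str(block)].append(host)
    return dict(groups)


def origin_should_serve(src_ip, networks):
    """Origin-side gate: accept a connection only if it arrives from the proxy.

    Applying this at the origin (a firewall rule or web-server allow list) is
    what makes the 'raw GET with a Host header' probe fail even after the
    origin IP is known, because the origin no longer talks to anyone else.
    """
    return is_cloudflare(src_ip, networks)


# Constructed sample zone: documentation addresses (RFC 5737) stand in for a real origin.
SAMPLE_RECORDS = [
    ("example.test", "104.16.1.1"),        # proxied through CloudFlare
    ("www.example.test", "104.16.1.2"),    # proxied through CloudFlare
    ("irc.example.test", "203.0.113.45"),  # leaks: points straight at a host
    ("mail.example.test", "203.0.113.46"), # leaks: same /24 as the IRC host
]


if __name__ == "__main__":
    leaks = find_leaking_records(SAMPLE_RECORDS, CF_NETWORKS)
    for host, ip in leaks:
        print(f"LEAK  {host:<20} -> {ip}")
    for block, hosts in cluster_by_24(leaks).items():
        print(f"BLOCK {block}: {', '.join(hosts)}")
    for src in ("104.16.1.1", "198.51.100.7"):
        verdict = "serve" if origin_should_serve(src, CF_NETWORKS) else "drop"
        print(f"ORIGIN connection from {src}: {verdict}")
```

Feeding the audit with your zone file's A records (rather than guessing subdomain names) catches the records you forgot about, and pairing it with the origin-side allow list removes the second half of the problem: a leaked address is far less useful when the server behind it refuses to answer anyone but the proxy.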


Kalypto • December 26, 2014
