Commonly used strategy for website protection is not waterproof

April 12, 2016, KU Leuven
Credit: KU Leuven

Cloud-based security providers commonly use DNS redirection to protect customers' websites. The success of this strategy depends on shielding the website's original IP address. Computer scientists from KU Leuven, Belgium, and digital research centre iMinds have now revealed that the IP address can be retrieved in more than 70% of the cases. This means that the DNS redirection security mechanism can easily be bypassed.

Websites and online services increasingly have to deal with acts of cybercrime such as 'distributed denial-of-service' (DDoS) attacks: the site or service is deliberately bombarded with huge numbers of malicious communication requests from different computers so that it collapses.

"Website owners can protect themselves against cyberattacks by installing dedicated hardware," says Thomas Vissers from the KU Leuven Department of Computer Science and iMinds. "Yet, this is typically too expensive and too complex for most of them. That's why website owners often rely on the services offered by cloud-based security providers. One strategy these providers commonly use to protect websites includes diverting incoming web traffic via their own infrastructure, which is sufficiently robust to detect and absorb cyberattacks. However, the success of this strategy heavily depends on how well the website's original IP address can be shielded. If that IP address can be retrieved, protection mechanisms can easily be bypassed."

According to the researchers, this is the Achilles heel of cloud-based security. Therefore, they set up the first large-scale research effort in this domain and actively explored vulnerabilities in the DNS redirection strategy that is used by many cloud-based security providers to intercept web traffic.

Nearly 18,000 websites, protected by five different providers, were subjected to the team's DNS redirection vulnerability tests. To this end, the researchers built a tool called CLOUDPIERCER, which automatically tries to retrieve websites' original IP address based on eight different methods, including the use of unprotected subdomains.

"Previous studies had already described a number of strategies that can be used to retrieve a website's original IP address. We came up with a number of additional methods. We were also the first to measure and verify the exact impact of these strategies on a larger scale," says Thomas Vissers.

"The results were pretty confronting: in more than 70% of the cases, CLOUDPIERCER was able to effectively retrieve the website's original IP address, thereby providing the exact info that is needed to launch a successful cyberattack. This clearly shows that the DNS redirection strategy still has some serious shortcomings."

The researchers have already shared their results with the cloud-based security providers under consideration, so that they can respond properly to the risk their customers are still exposed to.

However, the researchers also want to inform the general public - and, more specifically, website owners - about the shortcomings of the popular DNS redirection strategy. That is why they've made CLOUDPIERCER available for free.

"With CLOUDPIERCER, people can test their own website against the eight methods that we have used in our research. CLOUDPIERCER scans the website, and indicates to which IP detection method it is most vulnerable," concludes Thomas Vissers.

When websites use DNS redirection as a defence mechanism against cyberattacks, two simple measures can be taken to prevent the original IP address from being retrieved. One option is adjusting the website's firewall settings to only allow web traffic from the cloud-based security provider. Alternatively, the website's original IP address can be changed once the contract with the cloud-based security provider is initiated.
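As an added illustration of the "unprotected subdomains" problem mentioned above and of the first countermeasure, the following script (not CLOUDPIERCER's code, not from the researchers) audits a site owner's own DNS zone: every A or AAAA record that does not point into the provider's ranges is a name that bypasses the redirection. The provider ranges and zone records are constructed placeholders using RFC 5737/3849 documentation addresses.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed placeholder ranges standing in for a provider's published ingress
# addresses (documentation prefixes, not any real provider's).
PROVIDER_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed sample zone as (owner name, record type, value), the way a zone
# dump would list it. 192.0.2.80 plays the role of the shielded origin server.
ZONE = [
    ("example.com.",      "A",     "203.0.113.10"),    # apex proxied by the provider
    ("example.com.",      "AAAA",  "2001:db8:1::10"),
    ("www.example.com.",  "CNAME", "example.com."),    # follows the apex, nothing to check
    ("mail.example.com.", "A",     "192.0.2.25"),      # separate mail host, knowingly direct
    ("dev.example.com.",  "A",     "192.0.2.80"),      # forgotten subdomain on the origin
    ("ftp.example.com.",  "A",     "192.0.2.80"),
]

def is_behind_provider(ip: str, provider_ranges: Iterable) -> bool:
    """True if the address falls inside one of the provider's ranges.
    Mixed-family comparisons (IPv6 address vs IPv4 network) are simply False."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in provider_ranges)

def find_exposed_records(zone, provider_ranges, expected_direct=frozenset()) -> List[Tuple[str, str]]:
    """Return (name, ip) for every A/AAAA record that bypasses the provider.

    Names in expected_direct are hosts the operator deliberately exposes
    (e.g. a mail server) and are not reported."""
    exposed = []
    for name, rtype, value in zone:
        if rtype not in ("A", "AAAA"):
            continue  # CNAME/MX/TXT carry no address of their own
        if name in expected_direct or is_behind_provider(value, provider_ranges):
            continue
        exposed.append((name, value))
    return exposed

def shared_addresses(exposed):
    """Group exposed names by address: several names on one IP usually means one
    host, so a single forgotten record exposes everything served there."""
    by_ip = {}
    for name, ip in exposed:
        by_ip.setdefault(ip, []).append(name)
    return by_ip

if __name__ == "__main__":
    hits = find_exposed_records(ZONE, PROVIDER_RANGES, {"mail.example.com."})
    for ip, names in shared_addresses(hits).items():
        print(f"{ip} reachable directly via: {', '.join(names)}")
```

Any address the audit reports is also one the firewall should refuse to serve to anything but the provider's ranges, which is the first countermeasure above stated as a check.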

CLOUDPIERCER will be presented at iMinds - The Conference. The research paper is available here. 
