Reduce your risk from CloudPiercer and other discovery tools

 

Companies build out public-facing web presences for a variety of reasons, but most often their goal is to boost brand awareness or provide a transaction point for the exchange of services, information, money, etc. These websites are, by nature, publicly accessible, which means that organizations must build defenses to protect them from various threats. One of the most dangerous threats in today’s security ecosystem is the Distributed Denial of Service (DDoS) attack.

Organizations face many challenges when attempting to protect themselves against the increasing volume and sophistication of DDoS attacks. In addition to traditional, on-premises solutions, many enterprises have adopted cloud-based DDoS protection services. The benefits of these on-demand services include increased and scalable bandwidth to protect against massive attacks, 24/7 monitoring and response from security experts, and a constantly updated knowledge base designed to protect against all attack vectors. F5 Silverline DDoS Protection and other cloud-based DDoS protection services help keep enterprise websites up and running—even in the face of volumetric attacks that would otherwise flood the organization’s network.

However, the comprehensive set of tools provided by cloud-based DDoS protection services is only effective when set up and configured correctly. One method of protecting a website from DDoS attack is a technique called DNS Redirection, in which the IP address published for the site is changed so that web traffic is steered through a DDoS scrubbing center. This strategy often works, but a recent study has identified a possible vulnerability for organizations that have not correctly configured their cloud-based DDoS protection.

The study’s researchers found that the actual IP address of an organization’s website is not truly hidden from the prying eyes of the Internet. Using a tool called CloudPiercer, organizations can determine whether they are unwittingly exposing the hidden IP addresses of their public-facing sites.

So, if the address of your site is not as invisible as you’d like it to be, what’s the next step? Simple: follow the two steps below.

F5 Silverline DDoS Protection customers who want to use DNS Redirection to foil would-be attackers should take two steps to ensure the security of their sites. First, contact the F5 Silverline team to set up and configure the DNS Redirection solution for your account.

The second half of the solution—and the key to protecting your site—is to ensure that you deploy firewall rules to ONLY allow traffic coming from the Silverline DDoS Protection Service. This establishes a clean path from the Internet to the cloud-based DDoS protection service through to your site. Any other attempt at accessing the site from the Internet should be blocked. To do this, you should configure rules on your local firewall and work with your ISP to put in place rules that will only allow web traffic from the Silverline service to your site.
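One way to check that the allow-only rule described above is actually being enforced, shown as an added example rather than F5's own tooling: scan the origin web server's access log for requests whose source address is outside the scrubbing service's ranges. The CIDR blocks below are documentation placeholders, not real Silverline addresses, and the log lines are a constructed sample in common log format.

```python
import ipaddress
import re

# Placeholder ranges (RFC 5737 documentation blocks), NOT real provider addresses.
# Replace them with the egress ranges your scrubbing service gives you.
SCRUBBING_RANGES = [ipaddress.ip_network(c)
                    for c in ("198.51.100.0/24", "203.0.113.0/25")]

# Constructed sample of origin access-log lines (common log format).
SAMPLE_LOG = """\
198.51.100.17 - - [12/Oct/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.200 - - [12/Oct/2015:10:01:05 +0000] "GET /login HTTP/1.1" 200 2048
192.0.2.44 - - [12/Oct/2015:10:01:09 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.9 - - [12/Oct/2015:10:01:11 +0000] "POST /cart HTTP/1.1" 302 0
not-an-ip - - [12/Oct/2015:10:01:12 +0000] "GET / HTTP/1.1" 400 0
192.0.2.44 - - [12/Oct/2015:10:01:13 +0000] "GET /admin HTTP/1.1" 403 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (\d{3})\b')


def from_scrubber(addr):
    """True if the address belongs to one of the allowed scrubbing ranges."""
    return any(addr in net for net in SCRUBBING_RANGES)


def find_direct_hits(log_text):
    """Return ({source_ip: [status, ...]}, unparsed_line_count).

    If the firewall only admits the scrubbing service, no other source can
    reach the web server at all, so every entry returned here is a request
    that bypassed the clean path and marks a gap in the rules.
    """
    direct, unparsed = {}, 0
    for line in log_text.splitlines():
        match = LINE_RE.match(line)
        try:
            addr = ipaddress.ip_address(match.group(1)) if match else None
        except ValueError:
            addr = None
        if addr is None:
            unparsed += 1          # malformed line or non-IP client field
        elif not from_scrubber(addr):
            direct.setdefault(str(addr), []).append(int(match.group(2)))
    return direct, unparsed


if __name__ == "__main__":
    hits, skipped = find_direct_hits(SAMPLE_LOG)
    for ip, statuses in sorted(hits.items()):
        print(f"direct-to-origin request(s) from {ip}: statuses {statuses}")
    print(f"{skipped} line(s) could not be parsed")
```

Note that 203.0.113.200 is flagged because the placeholder range is a /25: an address that merely sits near an allowed block is still outside it.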

There will always be malicious—or simply curious—people who will use all the available tools to discover things on the Internet that organizations would prefer to keep private. So, rather than trying to hide the information (a time-consuming and ultimately counter-productive undertaking), protect your site—and your business—by making sure your DDoS protection tools are set correctly to prevent unauthorized requests from compromising your site. That way, while everyone may still be able to find the address of your house, you still control who gets to knock on the door.