Thursday, December 05, 2013

BlackHat 2013 - Denying Service to DDoS Protection Services

Speaker :

Allison Nixon

Allison Nixon does penetration testing and incident response at Integralis, either assisting companies in post-compromise situations or compromising them. She gained an interest in security by cheating at video games, but quickly learned that the only way to make real gold is to work for a real company. She is intensely interested in all facets of security and continues to perform security research spanning any and all topics. Allison is a regular host on the Pauldotcom podcast, has spoken at B-Sides Boston 2013 and local OWASP meetings, and sits on the executive board of MalShare. She also designed the electronics and software for the laser maze at the 2012 Braintank conference.

Briefing :

In this age of cheap and easy DDoS attacks, DDoS protection services promise to sit between your server and the Internet to protect you from attackers. Cloud-based DDoS protection suffers from several fundamental flaws that will be demonstrated in this talk. The issue was originally discovered while investigating malicious websites protected by Cloudflare, but it also affects a number of other cloud-based services, including other cloud-based anti-DDoS and WAF providers. We have developed a tool, called No Cloud Allowed, that exploits this new cloud security bypass method and unmasks a properly configured DDoS-protected website. This talk will also discuss other unmasking methods and provide you with an arsenal to audit your cloud-based DDoS or WAF protection.

Archives :

Presentation & Paper

PoC :

After Thought :

Once Cloudflare is bypassed and the origin IP address is obtained, an attacker can interact with the origin directly as with any unprotected host, because requests that reach the origin without passing through Cloudflare are not inspected by Cloudflare's WAF.
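As an added example (not code from the talk or from the No Cloud Allowed tool), an origin-side check written from the defender's side: it denies any request that reaches the origin without coming through the protection service's proxies, and only then trusts the proxy's client-IP header. The proxy ranges below are constructed placeholders; the header name follows Cloudflare's CF-Connecting-IP.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Constructed placeholder ranges for this example; replace them with the
# provider's published proxy ranges (they are not given on the page).
PROXY_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8:1::/48"),
]

# Header the proxy uses to pass the real client address (Cloudflare's name).
CLIENT_IP_HEADER = "CF-Connecting-IP"


def is_from_proxy(peer_ip: str) -> bool:
    """True if the TCP peer that reached the origin is one of the proxies."""
    addr = ipaddress.ip_address(peer_ip)
    # Mixed IPv4/IPv6 comparisons simply evaluate to False.
    return any(addr in net for net in PROXY_RANGES)


def decide(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Return ("allow", client_ip) or ("deny", None) for one request.

    The connecting-IP header is trusted only when the peer itself is a proxy;
    a direct hit on the origin (the post-bypass situation described above) is
    denied outright, so nothing downstream ever sees an unfiltered request.
    """
    if not is_from_proxy(peer_ip):
        return ("deny", None)
    raw = headers.get(CLIENT_IP_HEADER, "")
    try:
        return ("allow", str(ipaddress.ip_address(raw.strip())))
    except ValueError:
        # A proxy always sets the header; a missing or malformed value means
        # misconfiguration, so fail closed rather than guess.
        return ("deny", None)


if __name__ == "__main__":
    # Constructed sample: one request via the proxy, one hitting the origin directly.
    print(decide("203.0.113.7", {CLIENT_IP_HEADER: "198.51.100.9"}))  # allow
    print(decide("198.51.100.9", {CLIENT_IP_HEADER: "203.0.113.7"}))  # deny
```

In front of a real origin the same check belongs in the host firewall as well, so that a direct connection is refused before it ever reaches the web server.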

Reference :

HOWTO - NoCloudAllowed on Kali Linux

That’s all! See you.