By: Icarus1

Preventing DDoS attacks without Cloudflare?

March 19, 2017 1.4k views
Security Ubuntu 16.04

Hello all!

I plan on also using Cloudflare, but it's not difficult to resolve the internal/host IP and then attack that directly. Any way to protect myself as much as possible in addition to the frontend Cloudflare service?

Thanks!

4 Answers

How is it possible to resolve host IP, when you're using CloudFlare?
That's the major use case for the service: hiding the host IP address.
Of course, you can choose to use their DNS-only service, which will work like any other regular DNS service - meaning it'll show host IP address.

  • Many methods to get the host IP, just google CloudFlare resolver.

    Example, here is a site using Cloudflare: fiverr.com
    Host IP: 192.33.31.72
    Cloudflare IP: 104.16.53.215

    Cloudflare offers little IP protection from actual hackers (people who know what they're doing).

    Unfortunately I don't have the resources to do load balancing or anything like that.

    • That's just doing brute force on DNS, so if you don't have anything linking to your host (only through CloudFlare), you won't find anything through these "resolvers" (from looking at the top 5 on Google).

      If you only have two A records, @ and www, pointing to your host but going through the CloudFlare service, how can you find the host IP?

      Do you expect DDoS attacks on your site?
      With all the different servers I run, I see quite a lot of various attacks, but almost nothing is going to protect you against a proper DDoS - unless you pay a very high service fee, but again, those services work just like CloudFlare.

      • That's one of the methods also, yes. SSL also leaks IP information which I'll be using. Regardless I want any security that's possible.

        As for the expectations for a DDoS attack, I've been DDoS'd in the past. Just trying to do anything I can for security. I'll be launching a fairly large project for a game that has some interesting types of people - just trying to do anything I can.

        • Use the builtin CloudFlare SSL - that won't leak, as far as I can see in the documentation.

          But you say that you don't have the resources to do load balancing or similar, which would probably be your best fail-over solution in case of DDoS.

          Doing real, proper protection against DDoS will cost a vast amount. There are providers like CloudFlare and Akamai. And even Google Shield, which is free, but only focused on free speech.

          • You're probably right, I didn't know about the CloudFlare SSL. I'll check that out, hopefully it works with Let's Encrypt. If not I guess it's not a big deal. Thanks for your input! I guess it isn't viable to have any major protection for something I am doing right now.

I used the following setup:
Let's Encrypt on my server.
Strict SSL on Cloudflare
Cloudflare-set SSL (Https) for all requests.

So…as the OP says, your origin IP is still unprotected. To offer some protection, I set up Cloudflare Authenticated Origin pull: https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

It still doesn't shield you from DDoS, but it helps a bit.

Here's a discussion I had on the Cloudflare blog:
https://blog.cloudflare.com/ddos-ransom-an-offer-you-can-refuse/
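As an added illustration of the Authenticated Origin Pulls step in the setup above (example code, not the poster's own configuration): a POSIX shell helper that renders an nginx server block which only accepts TLS connections presenting a client certificate signed by Cloudflare's origin-pull CA, plus a check that the enforcing directive is really present. The CA path /etc/nginx/certs/cloudflare_origin_pull_ca.pem, the certbot paths and the backend on 127.0.0.1:8080 are assumptions; the CA bundle itself is the one obtained via the Cloudflare article linked above.

```shell
#!/bin/sh
# Added example (not the poster's config): render an nginx server block that
# only accepts TLS connections presenting a client certificate signed by
# Cloudflare's origin-pull CA, i.e. Authenticated Origin Pulls on the origin.
# Paths below are assumptions; the CA bundle comes from Cloudflare's docs.

ORIGIN_PULL_CA=/etc/nginx/certs/cloudflare_origin_pull_ca.pem   # assumed path
LE_LIVE=/etc/letsencrypt/live                                    # certbot default

# origin_pull_server_block DOMAIN -> prints the nginx config to stdout
origin_pull_server_block() {
    domain="$1"
    cat <<EOF
server {
    listen 443 ssl;
    server_name ${domain};

    # Let's Encrypt certificate on the origin; Cloudflare set to Full (strict)
    ssl_certificate     ${LE_LIVE}/${domain}/fullchain.pem;
    ssl_certificate_key ${LE_LIVE}/${domain}/privkey.pem;

    # Authenticated Origin Pulls: require a client cert from Cloudflare's CA.
    # A client that finds the origin IP and connects directly fails the TLS
    # handshake instead of reaching the application.
    ssl_client_certificate ${ORIGIN_PULL_CA};
    ssl_verify_client on;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# config_requires_client_cert FILE -> exit 0 only if verification is enforced
# ("optional" would let unauthenticated clients through, so it does not count)
config_requires_client_cert() {
    grep -q '^[[:space:]]*ssl_verify_client on;' "$1"
}

# Usage: render to a temporary file and confirm the critical line is present.
tmp=$(mktemp)
origin_pull_server_block example.com > "$tmp"
config_requires_client_cert "$tmp" && echo "origin pull enforced in $tmp"
rm -f "$tmp"
```

The check is deliberately strict about `ssl_verify_client on;`: nginx also accepts `optional` and `optional_no_ca`, which keep serving requests without a valid Cloudflare client certificate and would leave a directly reached origin exposed.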

  • Don't use Let's Encrypt, since your IP might be leaked (the requesting server). They're not publishing currently, but it might change in the future. It's a protective step to combat misuse of the service.

    If you setup CloudFlare correctly, then it won't leak your IP - otherwise, what's the purpose of the service?
    If no-one knows what your origin IP is, does it matter if it's unprotected?
    You will always have some attack surface if you have something on the internet.

@Icarus1

When it comes to DDoS, load balancing would be the best means to potentially mitigate or absorb the attack by distributing traffic over numerous servers (on your end, beyond CF). With a load balanced setup, the worst case would be that the IP of the LB is exposed, as internally the LB should be routing traffic over private network IPs that aren't public, thus reducing exposure.

The public IPs of the endpoints would then be access limited to only specific IPs or IP ranges.

Much of what goes in to preventing a DDoS attack depends on you and how you have things setup as much as it does who you're working with in an effort to prevent and mitigate the attack.

CloudFlare provides a much needed service, though it's not an all-in-one solution. You can sign up for CloudFlare and run a poorly configured stack and downtime can still result in seconds after an attack begins. CloudFlare isn't a magical mask by far, but it can be helpful.

That being said, I'm sure you've heard the saying give someone an inch and they'll take a mile -- it applies to DDoS. Give someone means to launch a successful attack on you at any given moment and they will. Whether it succeeds depends on how prepared you are for it. I've seen many providers and servers handle decent sized various-vector attacks with ease, while others suffer.

Attacks could come in various forms -- NTP, UDP, DNS, TCP SYN+FIN+ACK, HTTP GET, etc. -- it's hard to prevent every single possible scenario, or predict which one someone is going to target. This falls back to where CloudFlare can help, but may not be able to prevent the entire effect.

As @hansen said, and it's very true, You will always have some attack surface if you have something on the internet.

Cloudflare only allows you to use custom SSL (like Let's Encrypt) on the $200/month business plan, or makes you pay monthly for dedicated Cloudflare certificates when free SSL providers like Let's Encrypt generate them for free.

Another WAF service that is free and gives Let's Encrypt SSL is Cloudbric (WAF+SSL+CDN). From what I know it returns your original host IP, or if you change your A records, it'll be masked by Cloudbric's IP.

DDoS attacks aren't always aiming to overwhelm and take your site offline but are often launched in combination with malware/trojans, so simply absorbing traffic is probably just going to give you a false sense of security. DDoS is also conducted as multi-vector attacks, meaning that while load balancing deals well against layer 3 & 4 volumetric attacks, layer 7-focused attacks, which are vastly harder to detect and consume low bandwidth, likely go undetected by a service like Cloudflare that's more a CDN than a WAF/security service.

  • @krow

    I don't like CloudFlare (CF) in general, but saying that CF is mainly a CDN, that's completely false.

    The entire service was started to protect businesses from DDoS, but having that part is easily extended to serving as a CDN and many other things, like a WAF (web application firewall), since all traffic is directed through CF.

    There is nothing that will protect you against DDoS for free, since it requires a massive amount of bandwidth and CPU power to withstand such an attack. Google is the only one doing it for free, but only to protect freedom of speech.

    In general, don't trust or use any service. Do everything yourself. That's the best advice I can give to people who know what they're doing - everyone else, use a service you trust the most.

  • @krow

    CloudFlare's SSL service is exactly that, a service, which is why you'll pay $5 or $10/month for an SSL Certificate -- they're managing it for you, thus ensuring it's automatically renewed.

    From a business perspective, $10/month to manage my SSL across up to 51 hostnames and/or wildcards is cheap considering I don't have to worry about it on my end. That means I can put my time to better use elsewhere instead of worrying about whether or not every single domain has a valid SSL Certificate, when they expire, etc.

    Like everything else, I could always manage it on my own, but there comes a time when it's best to simply offload certain repetitive tasks. CloudFlare, in this case, makes that easy to do.

    ...

    As for CloudFlare in general, they're definitely more than just a CDN. They do provide a service that is much needed and part of that is security, something that's above and beyond a CDN.

    That said, like the SSL service, it's not something someone couldn't spend time to setup on their own, but at what cost? To achieve a similar concept of design and implementation, you'd really need access to the network -- something that DigitalOcean and most cloud providers simply do not provide.

    The best thing you can setup on most cloud providers is a software firewall, such as ufw or go direct and use iptables. Hardware firewalls would be a much better option, but they simply do not exist with most cloud providers.

    I remember working with SoftLayer and their "cloud". They offered pretty much anything and everything you could imagine, but behind the scenes, everything was set up by hand, including the dedicated servers and hardware firewalls (VPSs were the only "cloud"-like offering). Generally, this took 1-4 hours, but that's too long when you need something online now.

    ...

    As for attack vectors, that's why I mentioned various vectors in my previous comment. Of course not all attacks are going to be web-based, though many are. On the other side of the spectrum, many are also generalized and target whatever happens to be the easiest to access with the least amount of work.

    To prepare yourself to handle potential DDoS attacks, in my opinion, you have to overlook them and focus on what's in front of you. For instance, cloud hosting has given anyone with access to the internet the ability to deploy a server (VPS or Dedicated) with relative ease.

    Unfortunately, most are not sysadmins and they rely exclusively on tutorials and guides to get them by. If not tutorials and guides, one-click images (such as what DigitalOcean and many other providers provide) are used and it's assumed that they are forever secure when the exact opposite is the case.

    Images designed to get you set up quickly are just that, nothing more, nothing less. Unfortunately, most don't see it that way and go on running with whatever the image sets up for them.
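The access limiting described in the earlier answer (public endpoints reachable only from specific IP ranges) and the ufw/iptables remark in this comment, as one added example that is not from any poster: a POSIX shell script that tests whether an address falls inside an allowed CIDR, classifies a source against an allow list, and prints the ufw rules that let port 443 accept traffic only from those ranges. The ranges used are a subset of the list Cloudflare publishes at cloudflare.com/ips (refresh it regularly) plus a constructed private range 10.10.0.0/16 for a load balancer; the admin range 198.51.100.0/24 is a placeholder. The CIDR check is general and works for any IPv4 prefix, not just the ranges shown on this page.

```shell
#!/bin/sh
# Added example (not from any poster): restrict an origin's HTTPS port to the
# proxy and load-balancer ranges that are supposed to reach it, and keep a
# CIDR check handy to audit a suspicious source address against that list.

# Subset of Cloudflare's published ranges (cloudflare.com/ips) plus a
# constructed private range for an internal load balancer.
ALLOWED_RANGES="173.245.48.0/20 104.16.0.0/13 172.64.0.0/13 10.10.0.0/16"
ADMIN_CIDR=198.51.100.0/24   # placeholder: your own management range for SSH

# ip_to_int A.B.C.D -> the address as an unsigned 32-bit integer
ip_to_int() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( a * 16777216 + b * 65536 + c * 256 + d ))
}

# ip_in_cidr IP NET/BITS -> exit 0 if IP lies inside the prefix
ip_in_cidr() {
    ip=$(ip_to_int "$1")
    net=$(ip_to_int "${2%/*}")
    bits=${2#*/}
    # Build the netmask; the final AND keeps it within 32 bits on 64-bit shells.
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# source_allowed IP -> exit 0 if IP is inside any entry of ALLOWED_RANGES
source_allowed() {
    for cidr in $ALLOWED_RANGES; do
        ip_in_cidr "$1" "$cidr" && return 0
    done
    return 1
}

# ufw_rules -> prints the commands; nothing is executed here, review then run.
# Default deny plus an explicit SSH allow so enabling ufw cannot lock you out.
ufw_rules() {
    echo "ufw default deny incoming"
    echo "ufw allow from $ADMIN_CIDR to any port 22 proto tcp"
    for cidr in $ALLOWED_RANGES; do
        echo "ufw allow from $cidr to any port 443 proto tcp"
    done
    echo "ufw --force enable"
}

# Usage: classify a Cloudflare edge address (from this thread) and a
# constructed direct-to-origin address, then show the rule set.
for src in 104.16.53.215 203.0.113.10; do
    if source_allowed "$src"; then
        echo "$src: allowed (proxy or LB range)"
    else
        echo "$src: would be dropped at the firewall"
    fi
done
ufw_rules
```

Limiting who can reach the origin IP stops direct requests from being answered, but, as the answer above says about Authenticated Origin Pulls, it does not absorb a volumetric flood aimed at that address; the packets still arrive at your network port even when the host drops them.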
