Although Cloudflare offers resilient DDoS protection, a researcher has described a way to bypass it using Cloudflare itself. The technique abuses the blanket trust an origin server grants to traffic arriving from Cloudflare, which lets an adversary route DDoS attacks to the target origin server through Cloudflare's own infrastructure.
Cloudflare DDoS Protection Bypass Discovered
In a recent blog post, security researcher Stefan Proksch from the ICT consulting firm Certitude explained how an adversary can bypass Cloudflare DDoS protections using the service itself.
Specifically, the researcher identified two weaknesses in how Cloudflare's origin protection features work. The issue lies with Cloudflare's "Authenticated Origin Pulls" and "Allowlist Cloudflare IP Addresses" mechanisms.
Both mechanisms protect an origin server from malicious traffic by treating requests that arrive from Cloudflare as trusted. With "Allowlist Cloudflare IP Addresses", the origin firewall accepts only connections from Cloudflare's published IP ranges. With "Authenticated Origin Pulls", Cloudflare presents a client certificate to the origin during the TLS handshake; by default this is a certificate shared by all Cloudflare customers, although customers can also generate and upload their own.
While this sounds reliable, the researcher explained that this blanket trust in Cloudflare traffic lets an adversary use their own Cloudflare account to target a specific origin. Neither mechanism distinguishes one Cloudflare tenant from another, so the attacker merely needs to know the victim server's origin IP address to wage the DDoS attack. As stated in the post,
An attacker can set up a custom domain with Cloudflare and point the DNS A record to the victim's IP address. The attacker then disables all protection features for that custom domain in their tenant and tunnels their attack(s) through the Cloudflare infrastructure.
The researcher has shared the technical details of the issue, along with a proof of concept, in his post.
Official Patch Yet To Arrive
Upon discovering the issue, the researcher disclosed it to Cloudflare via its HackerOne bug bounty program. After Cloudflare classified the report as merely "informative", the researcher opted for public disclosure.
Cloudflare hasn't released an official fix for the issue yet, but the researcher has suggested mitigations for users.
First, Proksch advises customers using "Authenticated Origin Pulls" to generate and upload their own custom certificates instead of relying on the shared Cloudflare certificate, so that the origin accepts pulls only from their own Cloudflare tenant. Second, he advises treating "Allowlist Cloudflare IP addresses" as a defense-in-depth measure only, not as the sole protection for the origin server.
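The following Python model, added here as an illustration and not taken from the Certitude post or from Cloudflare, shows why the attack described above passes both origin protections under the default configuration and why the custom-certificate mitigation stops it. It simulates the origin's admission decision: the IP allowlist check against a constructed sample of Cloudflare's published edge ranges, and the Authenticated Origin Pulls check as a comparison of client-certificate fingerprints. The fingerprint strings, IP addresses and range sample are constructed for the example; a real origin would validate the actual client certificate chain in the TLS handshake and fetch the current range list from https://www.cloudflare.com/ips/.

```python
"""Origin-side admission check for traffic proxied through Cloudflare.

Added example (not from the Certitude post or from Cloudflare). It models the
two origin protections the article describes:

  * "Allowlist Cloudflare IP addresses": the origin firewall only accepts
    connections from Cloudflare's published edge ranges.
  * "Authenticated Origin Pulls": Cloudflare presents a client certificate to
    the origin. By default that certificate is shared by every Cloudflare
    tenant; the mitigation is a custom certificate uploaded to the victim's own
    zone, which the attacker's tenant cannot present.

Certificates are represented by placeholder fingerprint strings (assumption,
for illustration only).
"""
from dataclasses import dataclass
from typing import Optional
import ipaddress

# Constructed sample of Cloudflare's published IPv4 edge ranges (assumption:
# fetch the current list from https://www.cloudflare.com/ips/ before use).
CLOUDFLARE_EDGE_RANGES = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "172.64.0.0/13",
    "162.158.0.0/15", "198.41.128.0/17",
)]

# Constructed placeholder fingerprints. SHARED_CF_CERT stands for the
# origin-pull certificate Cloudflare presents on behalf of every tenant;
# CUSTOM_CERT stands for the certificate the victim uploaded to their own zone.
SHARED_CF_CERT = "sha256:shared-cloudflare-origin-pull-cert"
CUSTOM_CERT = "sha256:victim-zone-custom-origin-pull-cert"


@dataclass(frozen=True)
class Request:
    source_ip: str                 # TCP peer address as seen by the origin
    client_cert: Optional[str]     # fingerprint of the presented client cert


@dataclass(frozen=True)
class OriginPolicy:
    allowlist_cloudflare_ips: bool
    required_client_cert: Optional[str]  # None: Authenticated Origin Pulls off


def from_cloudflare_edge(ip: str) -> bool:
    """True if the peer address falls inside a Cloudflare edge range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_EDGE_RANGES)


def origin_accepts(req: Request, policy: OriginPolicy) -> bool:
    """Return True if the origin would serve this request under the policy."""
    if policy.allowlist_cloudflare_ips and not from_cloudflare_edge(req.source_ip):
        return False  # rejected by the IP allowlist
    if policy.required_client_cert is not None and req.client_cert != policy.required_client_cert:
        return False  # rejected by Authenticated Origin Pulls
    return True


# Constructed traffic sources. The attacker's zone has its A record pointed at
# the victim's origin, so its requests arrive from a Cloudflare edge IP and
# carry the shared Cloudflare origin-pull certificate, exactly like the
# victim's own zone does under the default configuration.
DIRECT_ATTACK = Request("203.0.113.7", None)               # straight at the origin IP
VICTIM_VIA_CF = Request("104.16.1.1", SHARED_CF_CERT)      # victim's zone, default cert
ATTACKER_VIA_CF = Request("172.64.5.5", SHARED_CF_CERT)    # attacker's zone -> victim IP
VICTIM_VIA_CF_CUSTOM = Request("104.16.1.1", CUSTOM_CERT)  # victim's zone, custom cert

DEFAULT_POLICY = OriginPolicy(allowlist_cloudflare_ips=True, required_client_cert=SHARED_CF_CERT)
HARDENED_POLICY = OriginPolicy(allowlist_cloudflare_ips=True, required_client_cert=CUSTOM_CERT)


def bypass_possible(policy: OriginPolicy) -> bool:
    """Does traffic tunnelled through an attacker's own Cloudflare tenant get through?"""
    return origin_accepts(ATTACKER_VIA_CF, policy)


if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: direct={origin_accepts(DIRECT_ATTACK, policy)} "
              f"attacker_via_cloudflare={bypass_possible(policy)}")
```

Under DEFAULT_POLICY the direct attack is blocked by the allowlist, but the attacker's Cloudflare-proxied requests are indistinguishable from the victim's and are served. Under HARDENED_POLICY only requests presenting the victim's custom certificate pass, which the attacker's tenant cannot produce; the IP allowlist is still useful as a second layer, but on its own it provides no tenant isolation.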