Cloudflare's Firewall and DDoS Protection

Firewall and distributed denial-of-service (DDoS) attack prevention mechanisms in Cloudflare can be circumvented by exploiting gaps in cross-tenant security controls, defeating the very purpose of these safeguards, it has emerged.

"Attackers can utilize their own Cloudflare accounts to abuse the per-design trust-relationship between Cloudflare and the customers' websites, rendering the protection mechanism ineffective," Certitude researcher Stefan Proksch said in a report published last week.

The problem, per the Austrian consulting firm, is the result of shared infrastructure available to all tenants within Cloudflare, regardless of whether they are legitimate or otherwise, thereby making it easy for malicious actors to abuse the implicit trust associated with the service and defeat the guardrails.

The first issue stems from opting for a shared Cloudflare certificate to authenticate HTTP(S) requests between the service's reverse proxies and the customer's origin server as part of a feature called Authenticated Origin Pulls.

As the name implies, Authenticated Origin Pulls ensures requests sent to the origin server to fetch content when it's not available in the cache originate from Cloudflare and not from a threat actor.

Cybersecurity

A consequence of such a setup is that an attacker with a Cloudflare account can send their malicious payload via the platform by taking advantage of the fact that all connections originating from Cloudflare are permitted, even if the tenant that's initiating the connection is nefarious.

"An attacker can set up a custom domain with Cloudflare and point the DNS A record to [a] victim's IP address," Proksch explained.

"The attacker then disables all protection features for that custom domain in their tenant and tunnel their attack(s) through the Cloudflare infrastructure. This approach allows attackers to bypass the protection features by the victim."

The second problem entails the abuse of allowlisting Cloudflare IP addresses – which stops the origin server from receiving traffic from individual visitor IP addresses and limits it to Cloudflare IP addresses – to transmit rogue inputs and target other users on the platform.

Following responsible disclosure on March 16, 2023, Cloudflare acknowledged the findings as informative, adding a new warning in its documentation.

"Note that the certificate Cloudflare provides for you to set up Authenticated Origin Pulls is not exclusive to your account, only guaranteeing that a request is coming from the Cloudflare network," Cloudflare now explicitly states.

"For more strict security, you should set up Authenticated Origin Pulls with your own certificate and consider other security measures for your origin."

"The 'Allowlist Cloudflare IP addresses' mechanism should be regarded as defense-in-depth, and not be the sole mechanism to protect origin servers," Proksch said. "The 'Authenticated Origin Pulls' mechanism should be configured with custom certificates rather than the Cloudflare certificate."

Certitude previously also uncovered that it's possible for attackers to leverage "dangling" DNS records to hijack subdomains belonging to over 1,000 organizations spanning governments, media outlets, political parties, and universities, and likely use them for malware distribution, disinformation campaigns, and phishing attacks.

"In most cases, the hijacking of subdomains could be effectively prevented by cloud services through domain ownership verification and not immediately releasing previously used identifiers for registration," security researcher Florian Schweitzer noted.

The disclosures arrive as Akamai revealed that adversaries are increasingly leveraging dynamically seeded domain generation algorithms (DGA) to avoid detection and complicate analysis, effectively extending the lifespan of command-and-control (C2) communication channels.

Cybersecurity

"Knowing which DGA domains will activate tomorrow allows us to proactively put these domains on our blocklists to protect end users from botnets," security researchers Connor Faulkner and Stijn Tilborghs said.

"Unfortunately, that scenario isn't possible with unpredictable seeds, such as Google Trends, temperatures, or foreign exchange rates. Even if we have the source code of the family, we are not able to correctly predict future-generated DGA domain names."

Back in August, a group of academics from the University of California, Irvine and Tsinghua University demonstrated a DNS poisoning attack called MaginotDNS that exploits flaws in the bailiwick checking algorithms to take over entire DNS zones, even including top-level domains such as .com and .net.

"The key to the discovery of MaginotDNS is the inconsistent bailiwick implementations between different DNS modes," the researchers pointed out. "The vulnerabilities do not harm the regular forwarders as they do not perform recursive domain resolutions, but for conditional DNS servers (CDNS), severe consequences can be caused."

"CDNS is a prevalent type of DNS server but not yet systematically studied. It is configured to act as recursive resolver and forwarder simultaneously, and the different server modes share the same global cache. As a result, attackers can exploit the forwarder vulnerabilities and 'cross the boundary' – attack recursive resolvers on the same server."


Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.