IPS Leaking backend IPs


OctoDev


9 hours ago, Lindy said:

"Hiding" your IP address is not an acceptable security practice and largely only acts as a mild deterrent for gamers attacking each other - it's not a security solution. Your goal should be to make your origin IP useless to others, not just hidden. You can obtain an IP for one of our origins here, but it's not going to do you any good... and that is how it should be. 

I'm not sure it's appropriate to employ rudimentary "security" practices and then come here and state we have a "vulnerability." External calls, embeds, etc. are certainly not limited to IPS software.

I can empathize to a large degree as DDoS attacks have plagued us all at one point. Nonetheless, this just isn't an application layer issue to solve and we're not particularly interested in re-engineering to "anonymize" the software to account for security by obscurity. 

Can you tell me then why CloudFlare is even a service? Even if I bought their $200/m service - IPS would make it completely useless, as it shows the origin IP address.

As I said earlier, I have yet to see forum software - or any software at all - that makes this many outgoing HTTP requests based on what the user submits, and not even an option to disable it.

https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/

That blog post is interesting, maybe something you'd want to read: "Never initiate an outbound connection based on user action".

So yes, the application layer also has something to do with this case, when it's making big services like CloudFlare USELESS!

4 minutes ago, Charles said:

If you bought CloudFlare's $200/month service and did not bother to make sure your server only responds to CloudFlare's IP-range then you're right I am not sure why you would do that ;) 

I think you should do some research when it comes to DDoS attacks. Layer-4 and Layer-7 are different.

CloudFlare, and blocking all IPs except the CloudFlare network, would only protect against Layer-7. However, if the attacker doesn't have the IP address, then he can't initiate any Layer-4 attacks... Voila, proxy made useful. Again, read https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/

I've talked with people who imitate those attacks, even on IPS sites. This is the method they use if the victim uses CloudFlare. It doesn't even need much effort, other than registering on the forum.. On 3.4, it was pretty much impossible - since we had the option to disable certain stuff.

Blocking ports, or whatever, to only the CloudFlare network will not stop any attacks. They still have your IP address, which means they can initiate Layer-4 attacks (SYN, TCP & UDP +++).

The blog contains basic steps to make CloudFlare work properly. But with IPS on your server, you are guaranteed to be taken down due to the many outgoing connections based on users' conditions.

Never initiate an outbound connection based on user action

If the attacker can get your web server to connect to an arbitrary address, they will reveal your origin IP. Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server. This is important because if an attacker can choose the URL entered, they can set up a web site specifically to monitor who connects to it, or use a public service that monitors the IPs that contact unique URLs.

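Charles's point above about making the server only respond to CloudFlare's IP range, and the layer-7 caveat that follows it, in code. This is an added example, not IPS or Cloudflare code: the origin accepts web traffic only from the proxy's published edge ranges, trusts the forwarded visitor address only on such connections, and renders a host-firewall allowlist for review. The ranges in it are constructed RFC 5737/3849 placeholders, not Cloudflare's real list; a deployment would load the operator's published list (Cloudflare's is at https://www.cloudflare.com/ips/) and refresh it. The CF-Connecting-IP header is the one Cloudflare really sets; everything else is illustrative.

```python
"""Origin allowlist: accept web traffic only from the reverse proxy's edge.

Added example, not IPS or Cloudflare code. EDGE_RANGES_PLACEHOLDER holds
constructed documentation addresses (RFC 5737 / RFC 3849), NOT the real
edge list, which must be loaded from the proxy operator and kept fresh.
"""
import ipaddress
from typing import Iterable, List, Mapping, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed placeholder ranges standing in for the proxy's published edge list.
EDGE_RANGES_PLACEHOLDER = ["203.0.113.0/24", "198.51.100.0/24", "2001:db8::/32"]


def parse_ranges(cidrs: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once; strict=False tolerates host bits in the input."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def peer_is_edge(peer_ip: str, edge: List[Network]) -> bool:
    """True only if the TCP peer address belongs to one of the edge ranges."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # garbage in the peer field is never an edge node
    return any(addr in net for net in edge)


def client_ip(peer_ip: str, headers: Mapping[str, str], edge: List[Network]) -> Optional[str]:
    """Return the real visitor address, or None if the request must be refused.

    The proxy forwards the visitor address in CF-Connecting-IP. Trusting that
    header is only safe when the peer is a known edge node: a direct connection
    to the origin could set it to anything, so such connections are refused.
    """
    if not peer_is_edge(peer_ip, edge):
        return None
    forwarded = headers.get("CF-Connecting-IP", "").strip()
    try:
        return str(ipaddress.ip_address(forwarded))
    except ValueError:
        return None  # edge node but no usable visitor address: refuse


def iptables_rules(edge: List[Network], ports: Iterable[int] = (80, 443)) -> List[str]:
    """Render host-firewall rules: edge ranges may reach the web ports, nobody else.

    Rendered as text so the rule set can be reviewed before it is applied.
    IPv6 ranges go to ip6tables; each port ends with a DROP for both families.
    """
    rules = []
    for port in ports:
        for net in edge:
            tool = "ip6tables" if net.version == 6 else "iptables"
            rules.append(f"{tool} -A INPUT -p tcp --dport {port} -s {net} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
        rules.append(f"ip6tables -A INPUT -p tcp --dport {port} -j DROP")
    return rules
```

As the thread itself notes, a host firewall still receives the flood before dropping it, so this keeps direct layer-7 traffic away from the application but does nothing for bandwidth exhaustion; the same allowlist belongs in a provider-level network firewall where one is available.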

  • Management

You might also want to do some research on CloudFlare. They are really not the magic you make them out to be. In fact, on their lower plans, they even have a flood limit and will just stop protecting you and redirect all traffic directly to origin. As many have said in this topic: you are bouncing around security through obscurity here.


31 minutes ago, Charles said:

You might also want to do some research on CloudFlare. They are really not the magic you make them out to be. In fact, on their lower plans, they even have a flood limit and will just stop protecting you and redirect all traffic directly to origin. As many have said in this topic: you are bouncing around security through obscurity here.

That happens when you reach an 'insane' amount of requests per second. When it comes to Layer-4, they have an 'unlimited' amount of protection, since it's shared among their whole network.

For $20.00/m, you have a nearly unlimited amount of r/s, which is extremely hard to drop for any attacker.

Please read that blog, I don't know how the IPS staff can talk against CloudFlare..

There is no way to make the origin IP address useless, unless you run with expensive DDoS-protected providers. Even with that, there's a limit as I've explained (OVH, Voxility, Staminus). CloudFlare has a limit as well, but that limit is way higher than any other - https://blog.cloudflare.com/technical-details-behind-a-400gbps-ntp-amplification-ddos-attack/

Now the discussion is about how IPS is making CloudFlare and other services COMPLETELY USELESS! Once they have your origin IP address, there isn't much you can do other than depending on very expensive hardware and a massive network.

On top of that, nobody here is depending on CloudFlare to secure your server. It's an example: let's say there is a 0day exploit going around to root all Linux servers - I have CloudFlare in front, and they can't manage to find my origin IP address. What would they do?

Well, now they can just grab it by posting a fake image in the posts, avatar or signature.

What if they can't attack you through Layer-7 (Application Layer) attacks, and you are using CloudFlare? Nothing. Wait, I am using IPS, so they can just post any image anywhere to grab my server's origin IP address.. But if that didn't work, they would have no choice but to stop attempting.


..... You tout that blog entry, yet you didn't even read it fully. :/

Quote

DNS records are public domain and there are many places where historical records are archived. These historical DNS records will contain your original IP from before signing up with CloudFlare. If you are a target, the attacker probably already has your previous DNS record.

Again, for the.... 10th(?) time, security through obscurity here is meaningless. Make having the IP worthless, there will always be a way to get your server's IP.


Ok, I'll humor you, just to point out how utterly unusable the result would be. A large portion of the current web's functionality involves making an outbound connection at a user's behest. It is not feasible to simply remove that functionality; users are heavily dependent on it.

OEmbed is used for media embeds: an outbound connection at user behest. You are basically telling your users they cannot embed any video.

Login through Facebook, Google and such services is, again, making an outbound connection at user behest. No logging in through social networks either.


4 minutes ago, Marcher Technologies said:

Ok, I'll humor you, just to point out how utterly unusable the result would be. A large portion of the current web's functionality involves making an outbound connection at a user's behest. It is not feasible to simply remove that functionality; users are heavily dependent on it.

OEmbed is used for media embeds: an outbound connection at user behest. You are basically telling your users they cannot embed any video.

Login through Facebook, Google and such services is, again, making an outbound connection at user behest. No logging in through social networks either.

Arguing against things nobody is suggesting is not very fair.

From what I understand, they are not advocating that functionality involving outgoing requests (oembed, etc.) be removed entirely, just that it be offloaded to the client browser prior to submit. That would decrease server load and processing time to boot.

Login from established sources is irrelevant; that can't be used to trigger an outgoing connection to an arbitrary destination as with content embedding or URL upload. It's only present if explicitly enabled, and it's only talking to Facebook or Google or whoever. Pretty sure they're not going to be firing off a DDOS.


Ryan.. You should know as well as I do that's not actually feasible. Possible? Yes, with an unholy amount of work. Worthwhile? No. The gain is far too small for the massive amount of effort one would need to exert, especially when it's something that should be handled at the server level, not the application level.

I would submit that cloudflare's requests are unreasonable. It is basically saying we can't make any outbound connections at user behest for any reason in PHP, and *must* ferry everything to JS. That is purely unreasonable. For a standard PHP script, you would then need to push it to display for the JS, then have an ajax controller to handle the things you need to happen *after* the connection has been resolved. It would produce highly convoluted code to actually make this a practice.


5 minutes ago, Marcher Technologies said:

Ryan.. You should know as well as I do that's not actually feasible. Possible? Yes, with an unholy amount of work. Worthwhile? No. The gain is far too small for the massive amount of effort one would need to exert, especially when it's something that should be handled at the server level, not the application level.

I would submit that cloudflare's requests are unreasonable. It is basically saying we can't make any outbound connections for any reason in PHP, and *must* ferry everything to JS. That is purely unreasonable.

I disagree that it would be "an unholy amount of work", but either way that's not for you to determine. Don't shut down legitimate customer feedback just because you think it would be too hard.

The complaint is reasonable. The IPS application makes outgoing requests that expose the direct server address, there is no way to turn it off, and there are legitimate reasons why people might not want that to be the case. I've lived through DDOS attacks. It's not fun. This behavior negates a possible way to mitigate them.


Not shutting it down because I think it would be too hard - if there is a will, there is always a way. Read the rest of my post, and consider your own scripts. That is indeed an unreasonable demand cloudflare is flying - a script that merely makes an outbound connection, then saves some data to the database, then redirects would be a convoluted process making the request in JS. They are outright banning the use of PHP functionality that is widely used.


Also, consider that there must always be a backup for when JavaScript is disabled. What then? The user just can't post at all, because their external image or embed cannot be processed on the server side since it's all client side? They can post due to backup server-side code, and they get the IP anyway? It would be rather pointless to make the effort if merely disabling JavaScript in your browser sidesteps the protection. Conversely, not allowing them to post because for some reason JavaScript is not available is not acceptable either. It's a no-win scenario, unfortunately. Cloudflare's demand on this point is indeed unreasonable - the only place to offload such a request to the client is not a guaranteed thing. JavaScript is optional, able to be disabled. PHP is the only backup system available to process that data.


Okay, well, let's see what the alternatives are...

  1. An option to disable outgoing request functionality. This would involve no JS and no big changes except turning certain things (URL avatar, post embeds) off.

  2. An option to route outgoing requests through some proxy server or script. This would involve no JS and no big architectural changes.

  3. Using JS on the page the customer is already viewing (i.e., part of the editor for embeds), not some convoluted redirect process, and falling back to nothing. If they have JS disabled (??), there's no embed, or they can't load an avatar from a URL. CSRF limitations could be problematic, but that's not my problem to solve.

1 and 2 were brought up in the very first post.

Your opinion of how feasible a request happens to be is totally irrelevant. Again, it's not your decision. If you don't agree or don't see the point, just say so and move on.


25 minutes ago, Ryan H. said:

Your opinion of how feasible a request happens to be is totally irrelevant. Again, it's not your decision. If you don't agree or don't see the point, just say so and move on.

You are correct, it is not my decision. I fail to see how any opinion is irrelevant under any circumstances, however. This topic is mostly opinions. The only reason I am even posting here is because the single worst thing one can do for the security of their site is depend on obscurity, and cloudflare recommending they do, and this request being made of the script as a result, is an indication someone must actually believe such a thing is a good idea. Such is a notion that should be dispelled in a hurry, and without mercy.


2 hours ago, Marcher Technologies said:

..... You tout that blog entry, yet you didn't even read it fully. :/

Again, for the.... 10th(?) time, security through obscurity here is meaningless. Make having the IP worthless, there will always be a way to get your server's IP.

Very wrong, in my case I usually never have any 'historical DNS records', as I have a brand new domain, and the first thing I do? Add it to CloudFlare :)


Well, if you pay 200€/month for cloudflare, plus your server costs, you can instead invest the 200€ in the server and it will be a really capable one. Free cloudflare is sh*t in every way.

PS: With that kind of money invested every month, paying a dev for a custom plugin to remove IPS functionality in order to hide the IP is peanuts.


  • Management

We know what you are trying to say. You'd honestly have been better off simply saying "I'd like to disable remote images." We can certainly consider that. 

Please... stop arguing your case by spreading FUD and ridiculous implications that there's a "leak" or "vulnerability" or inherent flaw in the software because you can't properly secure your server and instead rely on obscurity. 


  • Management

With our permission, Jimmy just tried to DoS the IP he discovered. It of course didn't work because we have this amazing new piece of technology called a firewall.

If you do not know how to properly secure your setup: learn or do not self-host.

If your web host does not know how to properly secure your setup: get a new host.

We can go back and forth on "what if", but in the end what a PHP program running on your server does or does not do should not cause you worry. A properly configured setup is what you need, and something like CloudFlare (which is simply a proxy) is just another layer, not the end-all solution.


9 minutes ago, Lindy said:

We know what you are trying to say. You'd honestly have been better off simply saying "I'd like to disable remote images." We can certainly consider that. 

Please... stop arguing your case by spreading FUD and ridiculous implications that there's a "leak" or "vulnerability" or inherent flaw in the software because you can't properly secure your server and instead rely on obscurity. 

Correct.

I want an option to disable _all_ outgoing connections based on what URL the user inputs.

This happens:

  • In posts, when you post a URL.
  • In signatures, to check the image size.
  • In avatar upload by URL.

What could you do to 'help' those of us that actually use CloudFlare to hide our origin server for reasons? There could be two options:

  1. Use a remote API file (PHP, simple cURL, hosted on a remote server).
  2. Use an HTTP/HTTPS proxy to check the files.

And @Charles congratulations, I didn't manage to take down Amazon's network.. No shock, I can't take down Google/YouTube either! :p

IPS is still my favorite forum software, even if it leaks my origin IP address. On 3.4, I did template edits to prevent such, but on 4.1 it's way more complicated.

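The proxy route discussed in the thread (Ryan H.'s option 2 above, and OctoDev's options 1 and 2 in the post just before this) as an added example, not IPS code: every fetch triggered by a user-supplied URL (post links, the signature image size check, avatar by URL) is sent through a dedicated egress proxy, so the site the user chose sees the egress host's address, never the origin's. EGRESS_PROXY, images.example.test and the loopback stub proxy are constructed placeholders; with no proxy configured the fetch is refused, which is Ryan's option 1 (turn it off) as the fallback instead of a direct connection from the origin.

```python
"""Check a user-supplied image URL without letting the origin host connect out.

Added example, not IPS or Cloudflare code. It assumes a separate egress
host runs an ordinary HTTP proxy (EGRESS_PROXY is a constructed placeholder).
The origin only ever opens a TCP connection to that proxy; for http:// URLs the
proxy fetches the page, for https:// it receives a CONNECT and still makes the
outbound connection itself. StubEgressProxy is a loopback stand-in used to
exercise the code offline: it records what it was asked for instead of fetching.
"""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

EGRESS_PROXY = "http://egress.example.internal:3128"  # constructed placeholder


def egress_opener(proxy_url: Optional[str]) -> urllib.request.OpenerDirector:
    """Opener that routes both http and https through the egress proxy.

    Fails closed: with no proxy configured the feature is off, rather than
    silently falling back to a direct connection from the origin server.
    """
    if not proxy_url:
        raise RuntimeError("user-triggered fetches disabled: no egress proxy configured")
    proxies = {"http": proxy_url, "https": proxy_url}
    # Passing our own ProxyHandler replaces the environment-based default one.
    return urllib.request.build_opener(urllib.request.ProxyHandler(proxies))


def validate_user_url(url: str) -> str:
    """Accept only http(s) URLs that name a host; anything else is refused."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"refusing non-web URL: {url!r}")
    return url


def probe_image(url: str, opener: urllib.request.OpenerDirector,
                timeout: float = 5.0) -> Tuple[str, int]:
    """Return (Content-Type, Content-Length) for a user-supplied image URL.

    A HEAD request is enough for the size check the thread describes, and the
    only connection made here is to the proxy configured in `opener`; the
    user's hostname is not even resolved on the origin.
    """
    req = urllib.request.Request(validate_user_url(url), method="HEAD")
    with opener.open(req, timeout=timeout) as resp:
        ctype = resp.headers.get("Content-Type", "")
        length = int(resp.headers.get("Content-Length") or 0)
    return ctype, length


class StubEgressProxy(BaseHTTPRequestHandler):
    """Loopback stand-in for the egress proxy (test aid, not for deployment).

    A client talking to an HTTP proxy sends the absolute URL in the request
    line, so self.path is the user's full URL; the stub records it and answers
    with constructed image headers instead of fetching anything.
    """
    seen: List[str] = []

    def do_HEAD(self):
        self.seen.append(self.path)
        self.send_response(200)
        self.send_header("Content-Type", "image/png")
        self.send_header("Content-Length", "67")  # constructed sample size
        self.end_headers()

    def log_message(self, *args):  # keep the stub quiet
        pass


def start_stub_proxy() -> Tuple[str, ThreadingHTTPServer]:
    """Start the stub on a free loopback port; returns (proxy_url, server)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), StubEgressProxy)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server
```

In a real deployment `egress_opener(EGRESS_PROXY)` is built once from configuration and `probe_image` is what the signature and avatar code would call; the stub only exists so the routing can be checked offline, and it shows the key property directly: the only address the origin connected to is the proxy's, while the user-chosen hostname arrived at the proxy unresolved.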

@Charles you are in the lucky position to be able to block the DDoS/DoS at AWS router level using their firewall. Many providers do not have a firewall, so instead you will have to block using iptables, which makes the whole thing useless as the packet already arrived at your server...

As a large forum owner myself, being forced to go through the Spaghetti code to find one of the many IP leaks was the hard thing I had to learn.


  • Management
Just now, aaabe4d31bb said:

@Charles you are at the lucky position to be able to block at AWS router level using their firewall. Many providers do not have a firewall, so instead you will have to block using iptables, which makes the whole thing useless as the packet already arrived at your server...

As a large forum owner myself, being forced to go through the Spaghetti code to find one of the many IP leaks was the hard thing I had to learn.

I would not sleep at night being at a provider that did not have a firewall.


1 minute ago, Charles said:

I would not sleep at night being at a provider that did not have a firewall.

Most providers don't; they resell and are not able to configure it. You can't expect everyone to host from Amazon :)

I actually rent from 'soyoustart.com', which is OVH.. No firewall to block/open/whatever at network/router level.
