Cloud-based security providers commonly use DNS redirection to protect customers' websites: however, computer scientists from KU Leuven, Belgium, and digital research centre iMinds have found that the protected IP address can be retrieved in more than 70 percent of cases. This means that the DNS redirection security mechanism can easily be bypassed.
Nearly 18,000 websites, protected by five different providers, were subjected to the research team's DNS redirection vulnerability tests. To assist the testing, the researchers built a tool called CLOUDPIERCER, which automatically tries to retrieve a website’s original IP address based on eight different methods.
"Previous studies had already described a number of strategies that can be used to retrieve a website's original IP address. We came up with a number of additional methods. We were also the first to measure and verify the exact impact of these strategies on a larger scale," says Thomas Vissers. "The results were pretty convincing: in more than 70 percent of the cases, CLOUDPIERCER was able to effectively retrieve the website's original IP address, thereby providing the exact info that is needed to launch a successful cyberattack. This clearly shows that the DNS redirection strategy still has some serious shortcomings."
The researchers have already shared their results with the cloud-based security providers who were tested, allowing them to respond properly to the risk that their customers are still running. However, the researchers also want to inform other businesses and website owners about the shortcomings of the popular DNS redirection strategy. To help with this CLOUDPIERCER has been made available free of charge.
"With CLOUDPIERCER, people can test their own website against the eight methods that we have used in our research. CLOUDPIERCER scans the website, and indicates to which IP detection method it is most vulnerable," says Thomas Vissers.
When websites use DNS redirection as a defence mechanism against cyberattacks, two simple measures can be taken to prevent the original IP address from being retrieved. One option is adjusting the website's firewall settings to only allow web traffic from the cloud-based security provider. Alternatively, the IP address of the website can be changed once the contract with the cloud-based security provider is initiated.