Cloudflare + DDoS

Quick post here. If you’re using something like Cloudflare for the sole purpose of mitigating a distributed denial of service attack (DDoS), please be smart with your DNS records.

I have a lot of respect for Cloudflare as a service. They combine anycast, cache header injection, and their own Content Delivery Network (CDN) for static files (JS, CSS, images, etc.).

If you are using this service as a frontend to mitigate a DDoS, please mind your DNS records. Putting your site behind Cloudflare and changing your actual origin server IP can very easily mitigate a DDoS and keep your site online. However, it does no good if someone knows your “real IP” / “origin IP”.

How would the attacker be able to figure this out? Well, if you want to stop a hacker, start thinking like one. The first thing I would do is query common subdomain records for your domain.

[shell]
# Resolve a handful of common subdomains and print whatever A/CNAME targets they have
for sub in mail cpanel dev staging real direct web1 web2 web3 db1 db2 db3; do
  dig +short "$sub".some-domain-behind-cloudflare.com
done
[/shell]

Oops! You may have forgotten to remove a DNS record that exposes the “real IP” / “origin IP”. So keep this in mind: delete those records if you don’t use them. If you do need an A record that points directly to the server, consider handling this at the server level, or at least create a less “guessable” subdomain, e.g. [shell]oL7Vic67ZKvDDRMbHKRQ8Bk69HtchM4q.some-domain-behind-cloudflare.com[/shell], that points to the real IP.
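A defender-side check, added here and not part of the original post: a small Python audit that walks a zone's A/AAAA records and flags any whose target is outside Cloudflare's proxy ranges, so you can find forgotten records before someone else does. The range list is an assumed snapshot of Cloudflare's published IPv4 list (refresh it from https://www.cloudflare.com/ips-v4 before relying on it) and the zone records are constructed sample data.

```python
import ipaddress

# Assumed snapshot of Cloudflare's published IPv4 ranges; refresh from
# https://www.cloudflare.com/ips-v4 (and ips-v6) before using this for real.
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]


def build_networks(cidrs):
    """Parse CIDR strings once so membership tests are cheap."""
    return [ipaddress.ip_network(c) for c in cidrs]


def is_proxied(ip, networks):
    """True if the address falls inside one of Cloudflare's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_origin_leaks(records, networks):
    """records: iterable of (name, rtype, value) tuples, e.g. from a zone export.
    Returns (name, value) pairs for A/AAAA records that bypass Cloudflare and
    therefore may expose the origin. Records like mail or MX targets often must
    point at a real host, so review each hit rather than deleting blindly."""
    leaks = []
    for name, rtype, value in records:
        if rtype not in ("A", "AAAA"):
            continue  # CNAME/MX/TXT etc. are not direct address records
        if not is_proxied(value, networks):
            leaks.append((name, value))
    return leaks


# Constructed sample zone: apex and www are proxied; mail and dev point at the origin.
SAMPLE_ZONE = [
    ("some-domain-behind-cloudflare.com", "A", "104.16.1.1"),
    ("www.some-domain-behind-cloudflare.com", "A", "104.16.1.1"),
    ("mail.some-domain-behind-cloudflare.com", "A", "203.0.113.10"),
    ("dev.some-domain-behind-cloudflare.com", "A", "203.0.113.10"),
    ("cdn.some-domain-behind-cloudflare.com", "CNAME", "www.some-domain-behind-cloudflare.com"),
]

if __name__ == "__main__":
    for name, ip in find_origin_leaks(SAMPLE_ZONE, build_networks(CLOUDFLARE_V4)):
        print(f"{name} -> {ip} is not behind Cloudflare; review this record")
```

Feed it your real zone export instead of SAMPLE_ZONE; anything it lists is a record an attacker could use to skip the proxy.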

Security via obscurity is never the right solution, but it’s better than nothing sometimes.
