Recently I ran across an interesting challenge. Some friends had problems with their service. Providing brand new service and having someone on the other side executing DDoS this service is not a very promising beginning for some startups. Therefore, I decided to tackle this challenge and in the end, it was not very hard to find leakage.
CloudFlare provides services to protect and accelerate web sites. Using their services also protect against DoS in DDoS attacks. I know a large number of clients that are using these services. By using this service the real IP address of the website is hidden and so there is a better chance to survive the DDoS attack. Just googling you can find some sites that can reveal the real IP address such as http://www.crimeflare.com/cfs.html.
Going back to the challenge, I checked different pages and googled even more. I found a page where CloudFlare suggests what to do in such cases. This page can be found at this address: https://support.cloudflare.com/hc/en-us/articles/200170196-I-am-under-DDoS-attack-what-do-I-do-.
After registering at the attacked page, I tried to see if there is some leakage in their web page, but there was nothing to find. After looking a little bit more, I went another way. Since the webpage was sending out emails when registering or doing some other changes, I noticed, that there was some IP address that belongs to some hosting provider. This IP address was found in the email headers of sent emails. I verified with my friends and after just a couple of minutes, they confirmed that this is the real IP address that is under attack. They were checking a lot of things, but they didn’t expect that leakage would be coming from email headers.
So what can we learn from such an issue? We need to check all kinds of sources that can reveal the real IP address behind CloudFlare services. Webpage is just one of the things we need to check and next time be sure to check also email headers.
After they changed the IP address and fixed IP leakage from email headers, DDoS attacks stopped, and also website is no longer under the attack.
Here are some interesting links I found during my Google search: