Recently I helped a friend investigate an abnormal server load, and the check found that the origin IP had leaked: the attack traffic bypassed the high-defense CDN entirely and hit the server directly. These days even the CDN has to defend against its own teammates. You think putting a CDN in front of everything settles it? A leaked origin IP will teach you a lesson within minutes.
I've seen too many teams blindly trust their CDN provider and never do any verification of their own. In my experience, more than 60% of origin exposure incidents are not the CDN being broken but a configuration omission or an edge case. Don't believe the "secure by default" nonsense; security must always rely on your own layers of locks.
Why is an exposed origin IP so deadly? Once an attacker has the real IP, the high-defense CDN and the WAF are reduced to decoration. Hitting the origin directly is like attacking a city whose walls are already down: a traffic flood overwhelms the server instantly. What is worse, some attackers scan the whole internet specifically to work backwards from CDN-fronted sites to their origin IPs, and that has grown into a tooled-up underground industry.
The ways an origin IP leaks are more numerous than people imagine: historical DNS records dug up by crawlers, mail servers that send directly from the origin, a WebSocket service that never went through the CDN, even information in the TLS certificate. Last year I audited an e-commerce project where the origin IP ended up in a third-party analytics tool simply because a test environment called the production API.
Step 1: Complete isolation at the DNS level
Stop using A records that point straight at the origin. Every public domain must be a CNAME to the protected hostname the CDN vendor provides. That alone is not enough: the origin's hostname must be completely separate from the business domain. I used to register the origin under an entirely different domain, something like internal-domain.com, so that a mis-resolution could never expose it.
The configuration I recommend from real deployments: the business hostname cdn.example.com is a CNAME to the CDN07 protection node, while the origin gets a cold hostname of its own, such as origin-xxx.example.net, that is never referenced from the business zone or anywhere public. Keep in mind that the CDN still has to resolve that name when it fetches from the origin, so the record does exist; what protects it is that nothing links it to the brand and it is not guessable. If the CDN lets you enter the origin as a bare IP, you can skip the hostname entirely, and if you do use one, avoid a publicly trusted certificate for it, because Certificate Transparency logs would publish the name. Higher-end CDNs such as CDN5 go further with a dedicated back-to-origin domain and an encrypted resolution path.
Critical operation: the origin firewall admits only the CDN's node IPs. Never allow 0.0.0.0/0. With Cloudflare, for example, the official node list changes from time to time, so sync it from the published list on a schedule rather than pasting it in once.
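As an added example (this is not the post's own script), here is what that sync can look like with Cloudflare and nftables. The two list URLs are Cloudflare's public ones; the web ports, the table name and the two-entry sample fed in at the bottom are my assumptions, and the script only touches the live firewall when invoked with `sync`.

```shell
#!/bin/sh
# Added example, not the post's own script: rebuild an nftables allowlist for the origin
# from Cloudflare's published node ranges so only CDN edges can reach the web ports.
# Assumptions: web ports 80 and 443 (adjust if the origin listens elsewhere), nftables
# installed, and Cloudflare's public list URLs below. SSH and other admin ports are not
# touched here; keep your own rules for those.
set -eu

CF_V4_URL="https://www.cloudflare.com/ips-v4"
CF_V6_URL="https://www.cloudflare.com/ips-v6"
WEB_PORTS="80, 443"

# Render a complete nftables ruleset from CIDRs on stdin (one per line).
# Remote content is about to become firewall policy, so every entry is validated
# and a /0 ("allow everyone") is refused instead of silently accepted.
render_nft_ruleset() {
    v4=""; v6=""
    while IFS= read -r cidr; do
        cidr=$(printf '%s' "$cidr" | tr -d ' \r\t')
        [ -z "$cidr" ] && continue
        case "$cidr" in
            */0) echo "refusing $cidr: that is 0.0.0.0/0 by another name" >&2; return 1 ;;
        esac
        if printf '%s\n' "$cidr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'; then
            v4="${v4}${v4:+, }${cidr}"
        elif printf '%s\n' "$cidr" | grep -Eq '^[0-9a-fA-F:]+/[0-9]{1,3}$'; then
            v6="${v6}${v6:+, }${cidr}"
        else
            echo "skipping unparseable entry: $cidr" >&2
        fi
    done
    if [ -z "$v4" ]; then
        echo "no IPv4 ranges parsed; refusing to emit an allowlist that would block the CDN itself" >&2
        return 1
    fi
    v6_set=""; v6_rule=""
    if [ -n "$v6" ]; then
        v6_set="    set cdn_v6 { type ipv6_addr; flags interval; elements = { $v6 } }"
        v6_rule="        tcp dport { $WEB_PORTS } ip6 saddr @cdn_v6 accept"
    fi
    # "declare, delete, redefine" makes the reload atomic and idempotent.
    cat <<EOF
table inet origin_guard
delete table inet origin_guard
table inet origin_guard {
    set cdn_v4 { type ipv4_addr; flags interval; elements = { $v4 } }
$v6_set
    chain input {
        type filter hook input priority 0; policy accept;
        tcp dport { $WEB_PORTS } ip saddr @cdn_v4 accept
$v6_rule
        tcp dport { $WEB_PORTS } counter drop comment "direct hit on origin, not via CDN"
    }
}
EOF
}

# Fetch both lists and apply them; wire this to a cron job or systemd timer.
sync_cloudflare_allowlist() {
    work=$(mktemp -d)
    curl -fsS "$CF_V4_URL" -o "$work/v4"   # -f: a 4xx/5xx must fail loudly, not yield an empty list
    curl -fsS "$CF_V6_URL" -o "$work/v6"
    { cat "$work/v4"; echo; cat "$work/v6"; echo; } | render_nft_ruleset > "$work/rules.nft"
    nft -c -f "$work/rules.nft"            # syntax check before touching the live ruleset
    nft -f "$work/rules.nft"
    rm -rf "$work"
}

# Only the explicit "sync" argument touches the firewall; otherwise show what would be
# generated for a constructed two-entry input (both entries come from Cloudflare's list).
case "${1:-}" in
    sync) sync_cloudflare_allowlist ;;
    *)    printf '103.21.244.0/22\n2400:cb00::/32\n' | render_nft_ruleset ;;
esac
```

The drop rule carries a counter on purpose: a non-zero count on it is the first sign that someone has found the origin IP, and it is worth graphing. Because the chain's policy stays `accept`, this ruleset protects only the web ports and does not lock you out of SSH.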
Domestic vendors such as CDN07 have a much larger pool of node IPs, and it is best to generate the iptables script directly from their console. 08Host's Enterprise Edition even ships an agent that maintains the whitelist automatically, which suits scenarios where node IPs change often.
Step 2: Plugging leaks at the application layer
Many leaks happen in unexpected places: error pages that print the server's IP, API responses carrying an X-Backend-Server header, even an image-upload feature that never went through the CDN. Last year a social platform was breached because its mobile app connected to the origin IP directly to upload video files.
Force all traffic through the CDN: in the origin's Nginx configuration, deny anything that did not arrive from a CDN node by checking the connecting address against the CDN's IP ranges. The check must use the TCP peer address, not a client-IP header such as X-Forwarded-For, because anyone hitting the origin directly can forge that header.
Bonus tip: strip server-identifying information globally in your code. Remember to turn off expose_php in PHP projects and remove the Server response header in Java projects. I have used the following Apache rules to plug this hole:
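Here is a worked origin-side configuration covering the three points of this step (refuse non-CDN peers, strip identifying headers, serve your own error pages). It is an added example, not the post's own config, and it assumes Cloudflare as the CDN (its client-IP header and two of its published ranges are used; in practice generate the full range list from the vendor's published list), an application upstream on 127.0.0.1:8080, the origin hostname origin-xxx.example.net from Step 1, and that the CDN edge has been configured to add an `X-Origin-Token` request header, which is my assumption about your vendor's header-injection feature. `$realip_remote_addr` needs nginx 1.9.7 or later.

```nginx
# /etc/nginx/conf.d/origin_guard.conf  (added example, not the post's own config)

# 1. Classify the TCP peer. $realip_remote_addr keeps the *connection* address even after
#    real_ip_header rewrites $remote_addr, so a forged client-IP header cannot fool the check.
geo $realip_remote_addr $from_cdn {
    default 0;
    103.21.244.0/22 1;   # Cloudflare ranges; sync the full list, do not hand-copy it
    2400:cb00::/32  1;
}

# 2. Requests that did not come through the CDN get their own log: that log is the tripwire.
map $from_cdn $direct_hit { 0 1; default 0; }

server {
    # default_server so that a request aimed at the bare IP with any Host header lands here
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name origin-xxx.example.net;
    ssl_certificate     /etc/nginx/tls/origin.crt;   # prefer the CDN's private origin CA: no public CT entry
    ssl_certificate_key /etc/nginx/tls/origin.key;

    server_tokens off;                                 # no nginx version in Server: or on error pages

    # Trust the CDN's client-IP header only when the peer really is a CDN node.
    set_real_ip_from 103.21.244.0/22;
    set_real_ip_from 2400:cb00::/32;
    real_ip_header   CF-Connecting-IP;

    access_log /var/log/nginx/origin_direct.log combined if=$direct_hit;

    # Close the connection without a response: no banner, no redirect, nothing to fingerprint.
    if ($from_cdn = 0)                                           { return 444; }
    # Second factor: the edge adds this header; knowing the IP alone is not enough.
    if ($http_x_origin_token != "REPLACE-WITH-32-RANDOM-BYTES")  { return 444; }

    # Own error pages so the framework's default page (often with hostname or IP) never reaches a client.
    error_page 400 403 404 500 502 503 504 /error.html;
    location = /error.html { root /var/www/static; internal; }

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_hide_header X-Backend-Server;   # strip upstream-identifying headers
        proxy_hide_header X-Powered-By;
        proxy_set_header  Host $host;
        proxy_set_header  X-Forwarded-For $remote_addr;   # already the real client after real_ip
    }
}
```

Two details matter here. First, the common mistake is to write `allow <cdn range>; deny all;` in the same server block as `set_real_ip_from`: the realip module rewrites `$remote_addr` before the access module runs, so the allow list then sees end-user addresses and blocks everyone; keying `geo` on `$realip_remote_addr` avoids that. Second, allowlisting the CDN's ranges admits every other tenant of that CDN, and another customer can point their own zone at your origin IP and reach you through the same edge; that is what the token check is for, and the stronger form of the same idea is mTLS from the edge, which Cloudflare offers as Authenticated Origin Pulls.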
Step 3: Advanced concealment strategies
When you face a genuinely persistent, well-resourced adversary, bring out the harsher tricks. Port obfuscation: move the origin's HTTP service to a non-standard port such as 8080 or 8443 and configure the CDN to use that port when it fetches from the origin. Even if the attacker gets the IP, a default scan of common ports finds no service. Be clear about what this buys: a full-range port scan or a banner index such as Shodan still finds the service, so this delays casual scanning rather than stopping a determined attacker, and it only makes sense on top of the firewall allowlist from Step 1.
Dynamic IP: 08Host's enterprise plan supports rotating the origin IP hourly and updating the CDN's back-to-origin address via API. It is expensive, but worth the investment for financial projects.
Fake-origin traps: deploy several decoy origins and monitor their access logs, raising an alert the moment any traffic arrives that did not come from the CDN. The honeypot system I designed for an exchange has caught three targeted attacks and successfully delayed the attackers' progress.
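The alerting logic behind such a trap, as an added example that is not the post's own tooling: every request in an origin (or decoy) access log whose TCP peer is outside the CDN's ranges is either someone who found the IP or a CDN tenant you did not expect, and it should page someone. The script assumes nginx/Apache "combined" log format, IPv4 peers, and a space-separated CIDR list; the log lines and the CDN range list at the bottom are constructed.

```shell
#!/bin/sh
# Added example, not the post's own tooling: turn an origin access log into an alert feed by
# flagging every request whose TCP peer is outside the CDN's ranges.
# Assumptions: nginx/Apache "combined" log format, IPv4 peers (IPv6 lines are ignored), and
# CDN ranges passed as a space-separated CIDR list. The sample log lines below are constructed.
set -eu

# usage: direct_hits "<cidr list>" < access.log
# prints "<count> <ip> <first path requested>" for each non-CDN source, busiest first.
direct_hits() {
    awk -v cidrs="$1" '
    function ip2int(ip,    o) {
        split(ip, o, ".")
        return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
    }
    # Prefix match by integer division: portable awk has no bit operators,
    # but int(addr / 2^(32-bits)) is exactly the top "bits" bits of the address.
    function in_cdn(ip,    i, parts, bits, shift, n) {
        n = ip2int(ip)
        for (i = 1; i <= ncidr; i++) {
            if (cidr[i] !~ /\//) continue      # malformed entry: skip it, never "match all"
            split(cidr[i], parts, "/")
            bits = parts[2] + 0
            if (bits < 8) continue             # refuse absurdly wide ranges such as /0
            shift = 2 ^ (32 - bits)
            if (int(n / shift) == int(ip2int(parts[1]) / shift)) return 1
        }
        return 0
    }
    BEGIN { ncidr = split(cidrs, cidr) }
    /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ / {
        if (!in_cdn($1)) {
            hits[$1]++
            if (!($1 in path)) path[$1] = $7
        }
    }
    END { for (ip in hits) printf "%d %s %s\n", hits[ip], ip, path[ip] }
    ' | sort -rn
}

# Constructed sample: two CDN-sourced requests and three direct probes from two hosts.
# 103.21.244.0/22 and 104.16.0.0/13 are Cloudflare ranges; 198.51.100.x and 203.0.113.x are
# documentation addresses standing in for attackers.
CDN_RANGES="103.21.244.0/22 104.16.0.0/13"
SAMPLE_LOG='103.21.244.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 403 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /.env HTTP/1.1" 403 0 "-" "python-requests/2.31"
203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /admin HTTP/1.1" 403 0 "-" "curl/8.0.1"
104.16.0.1 - - [10/Oct/2023:13:56:10 +0000] "GET /api/ping HTTP/1.1" 200 14 "-" "Mozilla/5.0"'

# Prints:
# 2 198.51.100.7 /wp-login.php
# 1 203.0.113.9 /admin
printf '%s\n' "$SAMPLE_LOG" | direct_hits "$CDN_RANGES"
```

Run it from a timer against the last few minutes of the log, or feed `tail -F` into it, and send any output line to your alerting channel. The two guards in `in_cdn` are deliberate: a malformed or `/0` entry in the range list fails closed (every source is reported) rather than silently whitelisting the internet, which is the failure mode you most want to notice.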
Finally, I have to say this: some vendors share one IP pool across customers to save money, which is like sharing a mask with strangers. Use a CDN service with dedicated back-to-origin IPs. The reason is not cosmetic: if your firewall allowlists ranges that every tenant of the CDN uses, any other customer of that CDN can point their own zone at your origin IP and reach it through the same edge, so the allowlist alone proves only that the request came from the CDN, not that it came from your configuration. CDN5's dedicated return line is expensive but reliable; CDN07 is cheap, but you have to double-check that the ranges they give you are not shared with other tenants.
Hiding the origin IP is not a one-off action; it has to be monitored continuously. Regularly scan your public footprint for the exposed IP, for example by searching Shodan for the domain name and checking which hosts present a certificate for it. Last year we even caught an engineer submitting the origin IP to Google Search Console, which is indefensible.
A truly secure architecture assumes by default that every link will fail. The high-defense CDN is only one piece of the puzzle; combine it with a WAF, origin port hiding and traffic obfuscation to build defense in depth. Don't forget that attackers always look for the weakest point, and an exposed origin is the one point that turns the whole design into a fatal wound.

