Recently I helped a game company troubleshoot a problem and found that their server had been hit by a DDoS attack again. When I logged into the console, the traffic curve had climbed to 200Gbps and the whole business was paralyzed. The boss was frantic: “Didn't we buy a high-defense CDN? How is the origin server's IP still getting hit?” I sighed. This was already the third case this month of “the CDN absorbed the attack, but the origin was taken down directly”.
The problem lies in the “hide the real IP” step. Many people think that once a CDN is in place there is nothing to worry about; in fact, hiding the origin IP is a systematic project. I have seen too many teams leave a back door in their CDN configuration, and a casual reverse probe by an attacker is enough to feel out the origin IP.
Why is it so hard to hide your real IP? First you have to understand the attacker's thinking. They simply don't fight the CDN head-on; they use a variety of cheap tricks to go around it and reach the origin: checking historical DNS records, sweeping entire IP ranges and measuring response latency, even digging for clues in your mail server's logs. Last year a popular game was caught out through its customer service system: the headers of the e-mails that delivered verification codes actually carried the origin server's IP!
In real tests, 90% of origin IP leaks originated from these three pits: old DNS resolution records that were never discarded, third-party services that were not isolated, and faulty back-to-origin policies. Below I will use real-world experience to break down how to completely seal these vulnerabilities.
Step 1: DNS-level blocking
Never use the same DNS provider to manage all your resolution records! Attackers will batch-export the historical A records under your domain name. I recommend combining CDN5's private resolution service with 08Host's DNS firewall: CDN5 handles the public CNAME resolution, and 08Host sets up a whitelisting mechanism that allows only CDN node IPs to query the origin domain name.
Configuration example (DNS firewall rule):
Step 2: Back-to-origin link isolation
The deadliest mistake is a back-to-origin strategy that exposes the IP. Many teams, to save time, let the CDN go back to the origin directly on the default port, which leaves an opening for port scanning. The correct approach is:
Sample middle tier configuration (Nginx):
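The author's Nginx sample is not reproduced on this page. As an added example that is not the author's configuration, here is an origin-side (or middle-tier) Nginx setup along the lines Step 2 describes: the back-to-origin port is non-default, only the CDN / middle-tier address ranges get any HTTP response at all, everything else (bare-IP sweeps, wrong Host or SNI, unlisted sources) has its connection dropped without a reply, and no X-Forwarded-For value is passed to the backend. The port 8443, the hostname game.example.com, the file cdn_ranges.conf, the backend port 8080 and the certificate paths are placeholders; the fragment belongs inside the http {} block.

```nginx
# Added example (not the author's configuration). Placeholders: port 8443,
# hostname game.example.com, /etc/nginx/cdn_ranges.conf, backend port 8080,
# certificate paths.

# 1 = request arrived from a CDN / middle-tier range, 0 = anything else.
# cdn_ranges.conf holds one entry per line, e.g.  203.0.113.0/24 1;
geo $from_cdn {
    default 0;
    include /etc/nginx/cdn_ranges.conf;
}

server_tokens off;   # do not advertise the nginx version in responses

# Catch-all for bare-IP access, wrong Host/SNI and unlisted sources: the TLS
# handshake is refused outright (nginx 1.19.4+), so an address-range sweep
# gets neither a certificate nor a page that fingerprints this site.
server {
    listen 8443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 8443 ssl;
    server_name game.example.com;

    ssl_certificate     /etc/nginx/placeholder-fullchain.pem;
    ssl_certificate_key /etc/nginx/placeholder-privkey.pem;

    # Correct hostname but not from a CDN range: close the connection
    # silently (444 sends no response bytes at all, unlike a 403 page).
    if ($from_cdn = 0) {
        return 444;
    }

    location / {
        # Hand the request to the game backend bound to localhost only.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;

        # An empty value makes nginx drop the header entirely: the origin
        # never sees a client-supplied X-Forwarded-For, so nothing here
        # depends on the CDN's "real client IP" feature. GeoIP analysis
        # stays in the middle tier, as the post recommends.
        proxy_set_header X-Forwarded-For "";
    }
}
```

Nginx-level filtering still lets a TCP sweep see that port 8443 is open, so restrict the same port to the same CDN ranges in the host firewall or cloud security group as well.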
Step 3: Third-party service traps
The customer service systems, e-mail push services and forum plug-ins that game sites love are disaster areas for IP leakage. One case: a game's official website ran a WordPress plugin that automatically inserted the server's internal IP into the header when sending password-reset e-mails. The solution is:
Step 4: Shrinking the attack surface
Hide the management interface with port knocking. Only hitting the preset ports in a specific order temporarily opens SSH access. Here's the script I've tested in action:
High-defense CDN selection points
Don't blindly chase brands! Tests found that CDN07 has the best scrubbing effect against small-packet attacks on game traffic, while CDN5 has exclusive algorithms against CC attacks. 08Host is cost-effective, but its small number of nodes makes it suited only to the middle tier. I recommend a hybrid architecture:
A final reminder about a counter-intuitive move: never enable the CDN's “pass real client IP back” feature! It makes the X-Forwarded-For header carry the player's real IP straight to the origin, and an attacker can then fish out the origin IP by tricking a player into clicking a specific link. It is better to do traffic analysis with a GeoIP database in the middle layer.
The essence of hiding an IP is to create a “digital black hole” so that all probing traffic gets no reply. After the configuration above, even if the attacker pushes the CDN to its full defense capacity, they cannot take the pulse of your origin server. On the projects I take on now, I require that an origin IP live no longer than 72 hours, with automatic migration to a new VPC every week. That is real “moving target defense”.
There is no silver bullet in security, but every extra layer of protection is one more point in your favor. After all, these days even the CDN has to “guard against teammates”: who knows which teammate will post the server IP in a forum signature?