from Hacker News

Curryfinger – Find the Server Behind the CDN

by tbiehn on 9/14/19, 6:09 AM with 40 comments

  • by judge2020 on 9/14/19, 2:17 PM

    From helping on the Cloudflare Community forum for a while, this seems to be a fairly common issue[0] - users set up Cloudflare and then continue to get attacked since the firewall isn't properly set up to only allow connections from Cloudflare IPs.

    Something I don't like is how Cloudflare themselves don't really suggest you firewall off connections that aren't from CF ips, as there's only a support article on whitelisting and not blocking[1]. This is an area I hope CF can improve since any competent, targeted DDOS attacker will know the IP the server had before the owner went to CF, and/or can use a tool like curryfinger to figure it out.

    0: https://community.cloudflare.com/search?q=firewall%20cloudfl...

    1: https://support.cloudflare.com/hc/en-us/articles/201897700-W...

  • by rdl on 9/14/19, 3:13 PM

    I haven’t set this up in a while but I think you can set up a “fake” cert on the origin to Cloudflare portion and then also pin that cert into Cloudflare, so you get protection against MITM on top of protection from scanning (and from accidentally serving directly from your host). They should probably support “secret name” http headers instead of the normal host, too. So e.g. your site is set to serve for fjeiiejdndjs.dhdjdj.com and publishes via Cloudflare as www.riskysite.com

    Cloudflare also has (had? I haven’t kept up) some special accelerated serving products which would de facto protect from this. Doesn’t help if you just have https vs a full vps though.

    It would be awesome to have some standardized containers/ami/etc which were set up for “concealed hosting” via cf, ipfs, tor, etc.

  • by tgtweak on 9/14/19, 12:35 PM

    Am I right to see that if a domain doesn't have records in censys or shodan that this tool will need some aggressive scanning?

  • by benchess on 9/14/19, 5:12 PM

    Utilize SNI and serve up a fake cert when someone scans you without a matching hostname. Censys is scraping you by IP, so it'll just see the fake cert.

    You can do this in nginx by making the fake cert the first server block.

  • by dalbotex on 9/14/19, 10:08 AM

    To me it looks like this tool (and cloudflair.py) can only ever find servers which are configured in a very specific way:

    * The traffic between server and CDN is encrypted using a valid certificate

    * The server's firewall is not properly configured

    Apparently there are indeed servers with this configuration, but I just find it odd how someone would go through the trouble of setting up HTTPS (instead of terminating it at the CDN) and then not bother to block traffic from anywhere but the CDN.

  • by simonw on 9/14/19, 2:24 PM

    "One; Python has its uses, but writing highly performant multi-threaded scanners is not one of them"

    Is that still true given Python 3 asyncio? My understanding is that it's really well suited to writing things like network scanners, without needing to run them in multiple threads.

  • by ma2rten on 9/14/19, 4:45 PM

    The post doesn't explain what shodan and censys are. Would anyone mind explaining it?

  • by Avamander on 9/14/19, 2:03 PM

    Easy solution for hiding yourself from most scanners (Shodan, Censys) - only allow requests with proper SNI, don't serve your server's cert by-default. Firewall is also nice, but you could make a mistake at some point.