Research: two thirds of PBNs on CloudFlare leak real IPs

LAST UPDATE: August 2017

A few weeks ago we added CloudFlare SSL support for blogs hosted on EBN. While in the process of integrating CloudFlare we did a thorough research on potential leaks and footprints. Here are our findings.

Is CloudFlare successfully masking my server’s real IP?

In essence, if you know exactly what you are doing and are very careful, then using CloudFlare to mask your PBN’s IPs is OK. But in reality, a lot of people have misconfigured PBNs and it is rather easy to get the real IPs they are using.

If you still want to use a single (or a small number of) server for your entire PBN and mask it with CloudFlare, you need to be careful with the following:

1. Cloudflare nameservers footprint

Problem: Cloudflare has over 100 nameservers, but when you sign up with Cloudflare your account is assigned only two of them. If you put your entire PBN on these two nameservers, you have created a footprint, since only a small fraction of sites have exactly your combination of nameservers (out of a total of over 1500 combinations).

Solution: For every blog, create a separate CloudFlare account.

Only 41 sites use this combination of CF nameservers

2. Misconfigured zonefile

Problem: By default Cloudflare adds a “direct connect” subdomain to the zonefile when you add a site. This allows you to access your site directly in case something goes wrong with the CloudFlare configuration. The problem is that this record also reveals the real IP of your site.

Solution: Login to Cloudflare and remove any “direct connect” subdomains.

Direct-connect leaks real IP

3. MX records

Problem: In our previous post we showed that it is important to have MX records set on the majority of your PBNs. However, CloudFlare does not proxy email traffic, so your MX records point to the real IP of your site.

Solution: Use a third-party email provider, such as Rackspace Email.

MX record leaks real IP

4. Crimeflare

Problem: CrimeFlare is a website that tracks sites that are using CloudFlare and their IPs. If your site is on IP 1.2.3.4 and then you switch on CloudFlare, malicious people can use CrimeFlare to see what IP you used before switching on CloudFlare. See http://www.crimeflare.com/cfs.html#box for more info.

Solution: Only use Cloudflare on freshly deployed sites. If you need to use it on existing sites, you need to move the site to a new server first.

History of real IPs for a domain

5. cPanel leaks

Problem: cPanel, by default, uses the cPanelID authentication scheme. This leaks the server’s IP, as it redirects you to the server’s own subdomain to perform the authentication. It is easy to resolve the server’s IP from that subdomain, and your PBN is revealed.

Solution: Do not use hosts with cPanel.

cPanelID authentication shows server’s subdomain which leaks real IP

6. WordPress Pingbacks

Problem: By default WordPress supports pingbacks. Under the hood, a pingback tells your blog to send a pingback confirmation request to the blog that sent the pingback. This means a malicious person can deploy a blog on his or her server, then pingback your blog, and your blog will send a request to the malicious person’s blog. Looking at the Apache logs there, it is easy to see your blog’s real IP.

This applies to other similar techniques, such as using embeds in comments, etc. Whatever outbound traffic your blog sends out does not go through CloudFlare and will leak your real IP.

Solution: Disable pingbacks and comments, be *very* careful what plugins you install. To be safe also disable registration and do not send any emails out from your blog.

Pingback request leaks real IP

7. Server default page

Problem: By default, some hosting providers will configure your server to serve one of your blogs as the default site. This means that if you enter your server’s IP in the browser, you will see one of your blogs. This is a huge problem, since there are crawlers such as censys.io and shodan.io that crawl all IPs and save what they get. It is then easy to use their search engines to search for domains returned by IPs, and your default blog is in their results!

Solution: Make sure your server does not serve any relevant content as the default page.

Serving a blog as default page for IP makes the blog discoverable in censys.io

8. The hardest problem: getting everything above right!

Problem: If you have a 20-blog PBN, with 19 blogs configured perfectly and *just one misconfigured* blog, your entire PBN is in danger. With a little command-line work, it is easy to check whether a list of domains is hosted on a certain IP, which reveals every blog of your PBN that is hosted on the same server as the misconfigured blog.

Solution: Use many small servers with few deployed blogs instead of one big one. In case one blog leaks its IP, the damage will be limited. Or use EBN to deploy each of your blogs on a different server :).
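Items 1, 2, 3 and 8 above all come down to auditing your own DNS records before an outsider does. The script below is an added example, not code from this post or from EBN: it takes zone exports for a handful of blogs (constructed sample data here), flags A/AAAA records that do not sit inside the CDN's proxy ranges (the "direct connect" leftover from item 2), MX targets that resolve to a non-CDN address inside the same zone (item 3), nameserver pairs shared by more than one domain (item 1), and finally, using the operator's own list of origin addresses, which other blogs are exposed once one of them leaks (item 8). The CDN range list is an abbreviated, assumed sample; a real audit should load the current list that Cloudflare publishes.

```python
import ipaddress
from collections import defaultdict

# Abbreviated sample of CDN proxy ranges. Assumption: a real audit loads the
# current published list instead of this hard-coded excerpt.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32")]

# Constructed zone exports, one per blog, as (name, type, value) tuples.
# Nameserver and mail hostnames are made up for the example.
ZONES = {
    "blog-a.example": [
        ("blog-a.example", "NS", "ns1.cdn-example.net"),
        ("blog-a.example", "NS", "ns2.cdn-example.net"),
        ("blog-a.example", "A", "104.16.1.10"),            # proxied, fine
        ("direct.blog-a.example", "A", "203.0.113.7"),     # "direct connect" record left behind (item 2)
        ("blog-a.example", "MX", "mail.blog-a.example"),
        ("mail.blog-a.example", "A", "203.0.113.7"),       # mail host is the origin itself (item 3)
    ],
    "blog-b.example": [
        ("blog-b.example", "NS", "ns1.cdn-example.net"),
        ("blog-b.example", "NS", "ns2.cdn-example.net"),   # same pair as blog-a (item 1)
        ("blog-b.example", "A", "172.64.5.5"),
        ("blog-b.example", "MX", "mx.thirdparty-mail.example"),  # external provider, fine
    ],
    "blog-c.example": [
        ("blog-c.example", "NS", "ns7.cdn-example.net"),
        ("blog-c.example", "NS", "ns9.cdn-example.net"),
        ("blog-c.example", "A", "104.20.2.2"),
        ("blog-c.example", "AAAA", "2606:4700::1234"),
    ],
}

# Origin addresses as the operator knows them (constructed); used only to work
# out the blast radius of a leak (item 8).
ORIGINS = {
    "blog-a.example": "203.0.113.7",
    "blog-b.example": "203.0.113.7",
    "blog-c.example": "198.51.100.9",
}


def is_cdn_ip(ip: str) -> bool:
    """True if the address lies inside one of the CDN proxy ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_RANGES)


def audit_zone(records):
    """Findings for a single zone: unproxied A/AAAA records, MX targets whose
    in-zone address is not a CDN address, and the nameservers in use."""
    addr_by_name = defaultdict(list)
    for name, rtype, value in records:
        if rtype in ("A", "AAAA"):
            addr_by_name[name].append(value)
    findings = {"unproxied": [], "mx_to_origin": [], "nameservers": []}
    for name, rtype, value in records:
        if rtype in ("A", "AAAA") and not is_cdn_ip(value):
            findings["unproxied"].append((name, value))
        elif rtype == "MX":
            for ip in addr_by_name.get(value, []):
                if not is_cdn_ip(ip):
                    findings["mx_to_origin"].append((value, ip))
        elif rtype == "NS":
            findings["nameservers"].append(value)
    return findings


def audit_network(zones, origins):
    """Audit every zone, then add the cross-domain findings: shared nameserver
    pairs and the set of domains exposed by each leaked origin address."""
    report = {domain: audit_zone(recs) for domain, recs in zones.items()}
    by_ns = defaultdict(list)
    for domain, f in report.items():
        by_ns[tuple(sorted(f["nameservers"]))].append(domain)
    shared_ns = {ns: doms for ns, doms in by_ns.items() if len(doms) > 1}
    leaked_ips = {ip for f in report.values() for _, ip in f["unproxied"] + f["mx_to_origin"]}
    # Every domain hosted on a leaked origin is exposed, even if its own records are clean.
    exposed = {ip: sorted(d for d, o in origins.items() if o == ip) for ip in leaked_ips}
    return report, shared_ns, exposed


if __name__ == "__main__":
    report, shared_ns, exposed = audit_network(ZONES, ORIGINS)
    for domain, f in report.items():
        print(domain, "unproxied:", f["unproxied"], "mx_to_origin:", f["mx_to_origin"])
    print("shared nameserver pairs:", shared_ns)
    print("domains exposed per leaked origin:", exposed)
```

Run as-is, the sample flags blog-a twice (the leftover direct-connect record and the mail host), reports that blog-a and blog-b sit on the same nameserver pair, and shows that the single leak from blog-a also exposes blog-b because both share the origin 203.0.113.7. Replacing the constructed zone data with real exports from each account turns this into a repeatable pre-launch check.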

Research Results

In our research, various people sent us over 60 sites hidden behind CloudFlare. After searching for the leaks described above, only one third of the blogs did not leak their IPs. In other words: two thirds of the PBNs hidden behind Cloudflare that people actually use to rank their money sites are leaking their IPs! Are you absolutely sure you are among the minority that has everything configured perfectly?

Most people have their CloudFlare-powered PBNs misconfigured and are leaking IPs

Resources:

P.S.: Special thanks to all the folks who helped us with the research by sending us their domains and then confirming when we got their real IP. We could not have done it without you!


2 thoughts on “Research: two thirds of PBNs on CloudFlare leak real IPs”

  1. Richard

    Amazing work. Between this and the hosting article you wrote, it’s pretty obvious using EBN is the way to go. Thanks for writing this one up.
  2. Mike Haydon

    I vaguely knew most of these, but hadn’t considered them all together. Makes it very difficult to use a CDN for anonymity. The “don’t use cpanel” one knocks out most hosts lol.
