Cloudflare Fails to Block Iranian Attack

Just saw this story in the news.

In response to President Trump’s killing of the Iranian military leader, Iran attacked the website of the Federal Depository Library Program today.

So, I looked up the site (never heard of it before), found it on Google, clicked into it and found the Cloudflare error page saying the “Web server is down”.

I thought this was exactly the kind of attack Cloudflare was supposed to protect us from?

:wave: @jonathancousar,

If you are the website owner you should contact Cloudflare’s support. The website could be down for a variety of reasons. Perhaps the government failed to pay their web hosting bill…

– OG

The preponderance of the evidence points to Cloudflare not protecting their site. It was attacked by Iranian hackers today. There is very little chance they didn’t pay this bill - and you certainly have no evidence to show they didn’t. I don’t think anyone should accept suggestions that are mere speculation and have absolutely no evidence to back them up.

The evidence we do have shows that they used Cloudflare and that they were successfully hacked today by Iranian hackers.

Lots of issues cause a 521 error (see Community Tip - Fixing Error 521: Web server is down). I don’t know why the origin server is not responding.

Well, just one question. Is Cloudflare supposed to protect from hack attempts? I know nothing can stop everything… but isn’t that the main purpose of using Cloudflare?

People with websites use Cloudflare to make their sites faster and protect against certain types of attacks, like DDoS & malicious traffic. You’re right, you can’t do everything! It’s really difficult to say how a given site was attacked before you dig into the logs to understand what happened.

Sometimes it’s social engineering to get root access to a server, sometimes malware on an infected piece of network equipment, sometimes it’s attacks directly against the origin that bypass Cloudflare. Or, it’s something else entirely that we don’t protect against.

Personally, I’d minimally suggest using a password manager, scan everything that plugs into the net for malware, frequently, and limit access to your server to Cloudflare IPs only.

1 Like

:wave: @jonathancousar,

Cloudflare provides a number of security-related services. If you are the website owner you should contact your account team directly to discuss. Otherwise you are asking random pugs on the internet to speculate on how or why a government website (designed by a low cost bidder website) generated a random error you have a screenshot of.

— OG

Cloudflare’s primary purpose is to protect against DDoS attacks; as a side effect, that also typically means that the server is hidden, and that helps prevent a good chunk of other types of hacks. But a quick glance at the DNS records for the site shows that they have an origin server exposed through their MX. I am not going to see if it is in fact the server that hosts their site or not, but even if it doesn’t, mail servers tend to hold a lot of nice secrets, such as where the actual origin server is and how to access it, thanks to control panel emails.

That doesn’t mean that it’s not a DDoS attack; Cloudflare only offers certain protection levels depending on your plan. If they tried to block a 500gb/s DDoS attack for every free customer, nobody would have service.
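Added example, not part of the thread and not Cloudflare's own tooling: a site owner's audit of their own zone for the exposure described in the posts above, flagging records (such as the MX host) that resolve outside Cloudflare's ranges and so reveal or sit next to the origin. The zone, hostnames and origin address are constructed; the IPv4 ranges are a snapshot of the list published at https://www.cloudflare.com/ips/ and should be refreshed before use.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (refresh from cloudflare.com/ips)
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def behind_cloudflare(ip):
    """True if the address falls inside one of the Cloudflare ranges above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def audit_zone(records, origin_ip):
    """records: (name, type, ip) tuples already resolved to addresses.
    Returns every record that does not resolve to Cloudflare, with a severity."""
    origin = ipaddress.ip_address(origin_ip)
    origin_net = ipaddress.ip_network(f"{origin_ip}/24", strict=False)  # IPv4 origin assumed
    findings = []
    for name, rtype, ip in records:
        if behind_cloudflare(ip):
            continue  # proxied: the record only shows a Cloudflare edge address
        addr = ipaddress.ip_address(ip)
        if addr == origin:
            severity = "origin-exposed"    # record publishes the origin address itself
        elif addr in origin_net:
            severity = "origin-neighbour"  # same /24, likely the same hosting allocation
        else:
            severity = "unproxied"         # bypasses Cloudflare, but hosted elsewhere
        findings.append((name, rtype, ip, severity))
    return findings

# Constructed sample zone; non-Cloudflare hosts use RFC 5737 documentation addresses
SAMPLE_ZONE = [
    ("www.example.test", "A", "104.16.1.10"),
    ("example.test", "A", "104.16.1.10"),
    ("mail.example.test", "MX", "203.0.113.25"),
    ("ftp.example.test", "A", "203.0.113.40"),
    ("status.example.test", "A", "198.51.100.7"),
]
SAMPLE_ORIGIN = "203.0.113.25"

if __name__ == "__main__":
    for finding in audit_zone(SAMPLE_ZONE, SAMPLE_ORIGIN):
        print(finding)
```

Any "origin-exposed" or "origin-neighbour" finding means the origin firewall, not DNS obscurity, has to enforce the Cloudflare-only rule, for example by moving mail to a separate host and accepting web traffic only from the ranges listed.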

According to the linked article, this page was defaced, not DDoS’ed. This could have been done with several methods. I’d shut down my webserver too after such an attack (which will cause a 521) and keep it offline to

  • take a snapshot / backup for forensics
  • destroy the machine / OS and install it from scratch
  • do forensics on the attacked server on OS, application and network level, check for security holes, bad users and so on
  • bring the page back online as soon as I am 100% sure that there’s no vulnerability.
4 Likes

If the upstream server is insecure or misconfigured, Cloudflare isn’t going to help–it’s like locking your windows but leaving the front door open. It sounds as though that was the issue here.

There’s no one-stop-shop for security, and Cloudflare is no exception. Cloudflare helps protect against very specific kinds of attacks that are otherwise very costly to stop–but that’s not the kind of attack that happened here, and even if it were, it only works if the website follows best practices.