Curious as this attack is peaking. How does Cloudflare stop/prevent this? Recently there was a leak of IPs proxied by Cloudflare to their origin sites. This was in October the last update via https://bgp.tools/.
I am curious what all this means, what are they exactly doing to BGP to get this information and why is Cloudflare not stopping it if my server only responds to ingress of Cloudflare.
I worry with these leaks I may actually be allowing MITM. What are the thoughts, how did they obtain IP with ingress locked to Cloudflare addresses, is it possible you guys messed up and I shouldn’t worry it’s solved now?
Furthermore, is your IP publicly visible somewhere? (MX/SRV records, or searchable via ssl-tools.net website and similar?)
Nevertheless, networks and server/hosting providers get scanned on a daily basis.
You cannot 100% hide from Shodan and/or Censys service if the device is connected to the Internet, if concerned about that? (I doubt it was locked only to Cloudflare from the first second you got it, is that correct?)
Implementing MANRS would be the one way, at least.
Check at the below link for your ISP and/or Cloudflare too
From the blog:
I am not from the Cloudflare team, nor an employee, but maybe the above could help a bit; otherwise please patiently wait for some other reply.
I never made the IP available to anyone outside my firewall rules, only allowing Cloudflare. So not sure how it got picked up. I don’t install anything to the machine till it’s locked down so it’d not expose the service.
I’ll double check on MANRS, wasn’t finding much searches online to help.
My provider filters peers only, not sure what that means!? Digital Ocean is who I use.
I’ll give things a read and see but it doesn’t seem like we can apply an easy fix… Just curious with such exploit if we’re subject to man in the middle attacks.
For sure, as any IP could have been, but the IP was linked to the right domain, so it is a matter of reversal some way. 100% the site did not go online till it was secured/protected from other connections, so even if seen online or owned by a previous owner this would not have revealed my domain.
You are confusing a number of different things here.
In order to be reachable on the Internet your ISP advertises ranges of IP addresses to other networks. Those networks might advertise those prefixes onwards to other networks, and so on. (This is the “inter” in Internet!)
The bgp.tools website you are looking at is gathering route visibility information. This has nothing to do with reachability, or if you had appropriate firewall rules in place. In fact, if your address did not appear on that website it would likely indicate that your origin server was unreachable by anybody else on the Internet.
A route leak is when an unauthorised network advertises a prefix as being available through them. MANRS publishes a set of measures that network operators can take to limit the impact of route leaks and other routing issues on the Internet. If you are just a DO customer, there is probably nothing you can do that relates to MANRS or DigitalOcean’s routing policy.
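As an added illustration of the two points above (not code from this thread, Cloudflare, DigitalOcean or bgp.tools): an address shows up in route-visibility data simply because its provider's covering prefix is announced, and a "route leak" is detected by checking an announcement's origin AS against an authorisation table (the RPKI origin-validation logic that MANRS recommends). The prefixes, AS numbers and authorisations below are constructed documentation values, not any real network.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Roa:
    """Authorisation: origin_asn may announce prefix, down to max_len bits (constructed)."""
    prefix: ipaddress.IPv4Network
    origin_asn: int
    max_len: int


# Constructed authorisation table: AS64500/AS64501 and the 203.0.113.0/24-style
# prefixes are documentation values standing in for a hosting provider and a peer.
ROAS = [
    Roa(ipaddress.ip_network("203.0.113.0/24"), 64500, 24),   # provider block, no sub-splits
    Roa(ipaddress.ip_network("198.51.100.0/22"), 64501, 24),  # peer block, may announce /24s
]

# Constructed announcements as a route collector would see them: (prefix, origin AS).
ANNOUNCEMENTS = [("203.0.112.0/22", 64500), ("203.0.113.0/24", 64500), ("198.51.100.0/22", 64501)]


def announced_prefix_for(ip: str, announcements=ANNOUNCEMENTS):
    """Longest-prefix match: the most specific announced prefix covering ip, with its origin.

    A non-None result only says the provider is announcing the block; it says nothing
    about whether a firewall on the host answers, which is the confusion in the thread.
    """
    addr = ipaddress.ip_address(ip)
    covering = [(ipaddress.ip_network(p), asn) for p, asn in announcements
                if ipaddress.ip_network(p).version == addr.version and addr in ipaddress.ip_network(p)]
    if not covering:
        return None
    net, asn = max(covering, key=lambda item: item[0].prefixlen)
    return str(net), asn


def validate_origin(prefix: str, origin_asn: int, roas=ROAS) -> str:
    """RPKI-style origin validation of one announcement.

    'valid'   - a covering authorisation names this origin and the prefix is not more
                specific than its max_len;
    'invalid' - authorisations cover the prefix but none match (leak/hijack signature);
    'unknown' - nothing covers the prefix, so nothing can be said.
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = [r for r in roas if r.prefix.version == net.version and net.subnet_of(r.prefix)]
    if not covering:
        return "unknown"
    if any(r.origin_asn == origin_asn and net.prefixlen <= r.max_len for r in covering):
        return "valid"
    return "invalid"
```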
I am well aware, originally I was allowing direct connections to take place that would return my domain name, easy enough if someone just knew the IP and it turns out many bots do. This was supposedly corrected by blocking all IPs but the ones provided by cloudflare as a networking rule ahead of time.
I am lost as I can’t search the IP at all without it coming from CloudFlare currently and am unsure how it would have leaked otherwise. As far as I know in that regard it’s null-routed if it’s not CloudFlare, unless DO is to blame.
I can’t be too sure but I thought I’d ask.
But as far as BGP prevention, I leave that in the hands of the provider?
If you block connections within the server itself, then a DDoS attack can still overwhelm your network and thus cause a null routing in some hosting providers. Not much you can do to prevent that if your CMS/Setup leaks the IP.
ACL rules are the key to stopping that, however, this is not usual on low/mid end hosting providers.
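One way to check, after the fact, whether the allow-list is actually doing its job is to audit the origin's own access log for requests that did not arrive through the proxy's ranges. This is an added example, not code from this thread, Cloudflare or DigitalOcean: the allow-list prefixes, the log format and the log lines below are all constructed (the real Cloudflare ingress ranges are published at https://www.cloudflare.com/ips/ and must be substituted in).

```python
import ipaddress
import re

# Placeholder allow-list standing in for the proxy's published ingress ranges;
# these documentation prefixes are constructed, not real proxy addresses.
PROXY_RANGES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:cf::/48")]

# Assumed custom log format (constructed): "$remote_addr $host [$time_local] "$request" $status"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3})$'
)

# Constructed sample log: two proxied requests and two direct hits from one scanner.
SAMPLE_LOG = """\
203.0.113.10 www.example.com [10/Oct/2023:10:00:01 +0000] "GET / HTTP/1.1" 200
198.51.100.7 www.example.com [10/Oct/2023:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 404
198.51.100.7 192.0.2.25 [10/Oct/2023:10:00:06 +0000] "GET / HTTP/1.1" 200
2001:db8:cf::1 www.example.com [10/Oct/2023:10:00:09 +0000] "GET /about HTTP/1.1" 200
"""


def from_proxy(ip: str) -> bool:
    """True if the client address falls inside one of the proxy's ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in PROXY_RANGES)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def audit(log_text: str):
    """Return the requests whose client IP is outside the proxy ranges.

    Any entry means the origin answered without the proxy in front, i.e. the ACL
    is not in effect on that path. An entry with named_host=True means the sender
    already knew which domain this IP serves, which is the "linked to the right
    domain" situation described in the thread.
    """
    direct = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or from_proxy(m["ip"]):
            continue
        direct.append({"ip": m["ip"], "host": m["host"], "request": m["request"],
                       "status": m["status"], "named_host": not _is_ip_literal(m["host"])})
    return direct
```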
That’s the thing jnperamo; I thought I had set those correctly with DO.
They provide network level firewall and inbound is all set to CloudFlare’s allow list, anything else is null-routed or at least unable to get a response “in theory”. This was what was suggested originally and I followed by blocking any other IP but those you guys provided for allowance.
On initial setup my servers are spun up and given this rule immediately; I continue with installing files over SSH/SFTP. Nowhere in the process would the IP be seen as hosting a domain; I only granted CloudFlare IPs from the start and the site was not written to expose the IP ever, so it seems odd.
Assuming the ACL/firewall rules were set correctly and the setup is stealthy enough to go unseen by crawlers, how could this happen? I don’t want to point the finger at anyone and perhaps I could just be missing a step in securing. No one seems to suspect BGP at all, but I still won’t keep that off the table just in case.
I don’t know sdayman, but I am not under the impression my firewall is; it’s done at a network level, my firewall handling. I only know BGP exploitation can discover it like this, but I’m not convinced entirely; it’d not be easy at all, at least I wasn’t able to fire it up against my domain.
I will mention that the list I saw, had DO’s entire ASes. So not sure what I’m exactly saying just yet, just don’t think I leaked via firewall?
I understand BGP routing, I just don’t practice exploiting it. I was just curious why I’d leak and if this were BGP exploit would love to know.
Seems obscure, but I feel I did the right steps; if there’s a means to test all/any suspicions I’ll consider it, but any site/program I use to test my security comes up with your IPs.
My solution is resetting server IP and seeing if it leaks again, but if it does I’m back to this; I believe I am doing all steps right but need more insight. If this topic needs re-naming go for it.
I don’t think that Digital Ocean has a firewall per se, their available cloud firewall is based on services like UFW and IPTables.
You can’t know that. An attacker might know a way to obtain your backend IP address even if you have it isolated. Some CMS leak the backend IP and there is nothing you can do about it.
It’s been a while since I used a host that does not give me access to a proper firewall, this is most of the time more expensive but worth it in the mid and long term.
My take is that if your CMS is leaking the IP due to its design then you will have to deal with this kind of issue for as long as you use DigitalOcean.
I can’t blame it on the management system, the contents of the site don’t leak like that. So by the sounds of it, if their firewall leaks I should be contacting DO to see what they think, unless there may be another suggestion. Appreciate any input as I feel I am setting up just fine (I’ll report my findings if determined).
Yes, they do. Many CMS in an effort to cache external assets, query them. This allows attackers to find the IP behind protected sites. This is particularly common in forums but applies to other systems as well.
IP through obscurity is not a good approach, never has been and never will be.
This doesn’t make much sense; I wouldn’t reach out to them for that.
I don’t know what your backend is composed of; CMS refers to a Content management system that composes your site, Invision community for example is a forum CMS that suffers the issue you describe.
I thought so, and I wrote my back-end code line by line, every file. So not really suspecting that to be the problem, sadly.
I avoid CMS (forums, WordPress, etc.) for that exact reason; if they were exploitable, that’s a problem for me too. At least doing it myself I can ensure I know more about the design than a community of people.