Origin ASN - yet another tool I made

A new tool you say… what does it do? :eyes:

With this tool you’ll be able to discover the origin ASN of most proxied domains on Cloudflare. The URL structure is simply https://origin-asn.asp.gg/<domain>?magic_word=kraken. Usually it won’t take more than a second, but in rare cases it might take up to a minute.

I intend for this to be used when helping people here in the community. Maybe it can help identify people using special setups such as SSL for SaaS - not too sure about that though. Otherwise it’s just a cool tool I wanted to share haha.

For example, www.cloudflare.com uses Google:

[albert@endeavouros ~]$ curl 'https://origin-asn.asp.gg/www.cloudflare.com?magic_word=kraken'
{
    "asn": 15169,
    "name": "GOOGLE",
    "description": "Google LLC"
}

I would recommend you don’t jump the gun if you see an ASN like Google, Amazon or Microsoft. There’s a good chance the hosting provider is not Google, Amazon or Microsoft but rather a reseller that doesn’t have its own ASN. However, this does not necessarily mean it’s a small provider. Shopify, for instance, uses Google infrastructure and querying a custom Shopify domain will therefore return Google’s ASN. But if you see something like “GoDaddy”, then there’s a pretty good chance it’s actually GoDaddy.

Do note there’s a few cases where this tool won’t work. For example when the origin is exposed with Cloudflare Tunnel, the domain points to a “discard” address such as 100:: or 192.168.2.1 or it is using Cloudflare Access.

I believe this goes without saying but please don’t abuse this tool or share it outside the Lounge. Also please think twice - and probably decide you shouldn’t - before using this to find the hosting provider of a site hosting illegal or copyrighted content. I am not looking to obsolete the Trust and Safety team :smile:

I won’t go into details on how exactly the tool works, sorry, but I will say it “exploits” an unintended bug to get the ASN. It is therefore possible - probably even likely after I post this here - that it will be fixed at any time. And don’t worry, the ASN is the only thing I’ve been able to disclose with this bug, even though I’ve been quite thorough in my testing - and I don’t really consider the ASN sensitive information. So that is why I am sharing it rather than reporting it.

Please don’t ban me, Cloudflare…

11 Likes

It does work…

Until T&S calls… :stuck_out_tongue:

Meerkats undercover, as always :sunglasses:

The domain does not seem to have an origin. There is a good chance the domain is running a Worker and the proxied record is pointing to 100:: or 192.168.2.1.

I’m fine with explaining how my tool works if they share their own legal-origin-finder as well :stuck_out_tongue:

Though I’m still kinda doubting they actually talk :eyes:

1 Like

Blocking sub-requests from workers, I see… smart move :wink:

1 Like

I have seen some write on Twitter. Never heard of any speech coming out of their mouths (Justin used to have a voice… but it’s been years) ahah

Are you only able to get the ASN? Is there anything I can do to block this?

I’m guessing you can get another few $ on Hacker One.

1 Like

Wow… time to make millions of requests… just kidding :stuck_out_tongue:

It worked for my domain using UpCloud,

I do get HTTP 400 when trying https://origin-asn.asp.gg/authenticateme.cf/?magic_word=kraken even though it is indeed a valid domain.

2 Likes

You need to remove the trailing slash from the path. I should probably have implemented a line that strips slashes from the path instead of just discarding the first character. The tool is now removing all slashes from the path before validating the domain.

EDIT: Seems it’s unable to determine the ASN - let me investigate :thinking:

Oops silly me

Yes.

Short of completely blocking Workers from accessing your site, unfortunately not.

Yeah, I know. Though it’s low impact so I wouldn’t get more than $100, if anything. I decided it would be more interesting to create a tool instead and then share it here. Also, I feel like the security team, ahem, have enough on their hands already :crazy_face:

3 Likes

@soldier_21 it’s because you’re blocking Workers too, just like Sandro :slightly_smiling_face: I have implemented a check for that so I can provide a better error.

Thanks, of course I have the best security in place :wink:

To be honest, I have no idea what you mean and I wouldn’t even know how to block Workers :smile:

There is a header you can check :slight_smile:

I don’t :smile:

meerkat-sniper

4 Likes

Ahh, my bad. I am not sending a User-Agent and the WAF must’ve picked up on that :sweat_smile:

2 Likes

Yep, I just noticed you ran into the firewall :slight_smile:

Alright, now that’s more like it :smile:

[albert@endeavouros ~]$ curl https://origin-asn.asp.gg/www.sitemeer.com?magic_word=kraken
{
    "asn": 0,
    "name": "REDACTED",
    "description": "REDACTED"
}
1 Like

And it’s actually accurate. Can you still redact it? :wink: