Cloudflare is one of the most important cybersecurity tools nowadays. Among other functions, it offers a firewall and protection against DDoS attacks to keep your web pages safe. However, according to several experts, there's a Cloudflare flaw that may put your website at risk. It's a bypass that attackers may exploit to avoid security controls. Cloudflare clients are exposed to this problem in both personal and business accounts.
We explore what hackers do to bypass Cloudflare's DDoS protection and how to secure your data. The flaw in Cloudflare's system allows hackers to use the platform itself to circumvent protection and carry out attacks from the Cloudflare platform.
The Cloudflare flaw
In order to exploit the Cloudflare security flaw, the attacker needs to know the IP address of the target web server. They take advantage of that vulnerability and launch a series of DDoS attacks to disrupt the proper functioning of a website, and can even render it unavailable.
Stefan Proksch is the security researcher who found the problem. He is part of Certitude and explores different systems in search of flaws. The issue lies in Cloudflare's strategy for accepting new connections. There are at least two vulnerabilities in the system: Authenticated Origin Pulls and the IP addresses allowed by Cloudflare itself.
Authenticated Origin Pulls
This is a security feature provided by Cloudflare to ensure that HTTP requests genuinely come from Cloudflare and not from another service attempting a DDoS attack. It uses a certificate to authenticate HTTP requests and thus prevent unauthorized requests.
But the problem lies in the certificate itself. The security researcher discovered that Cloudflare uses the same certificate for all its clients, rather than a specific one for each. As a result, the origin accepts every connection originating from Cloudflare, bypassing the victim's protection settings.
In a few words, the attacker only needs a Cloudflare account and can then redirect malicious traffic through Cloudflare to other Cloudflare clients. This is the door that allows DDoS attacks against a company's infrastructure.
IP Addresses problem
The issue affecting the list of IP addresses that Cloudflare allows is also significant. This measure only allows traffic reaching clients' origin servers if it comes from Cloudflare's range of possible addresses. However, once again, the attacker can configure a domain using this service and then target the victim.
How to avoid the Cloudflare flaw
In order to prevent these problems, Stefan Proksch states that the only solution is using custom certificates. This would prevent the use of the shared Cloudflare certificate, which is one of the options an attacker uses when launching these threats.
Another recommendation is defining a more specific range of outbound IP addresses dedicated to each client. It's another measure to limit possible attacks that can undermine a website's protection. The full Certitude report details the problem and potential solutions for those who are interested.
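To make the two recommendations concrete, here is an added nginx origin configuration (not from the article or from Certitude) showing the shared-certificate setting the researcher describes beside the hardened form that trusts only a CA the site operator controls; the hostname, file paths and backend address are assumptions, and the IP ranges are placeholders to be replaced from Cloudflare's published list.

```nginx
# Weak form: trusts Cloudflare's shared Authenticated Origin Pulls CA.
# Traffic from every Cloudflare account carries a certificate issued by
# this CA, so any tenant that points a zone at this origin passes the check.
server {
    listen 443 ssl;
    server_name example.com;                               # assumed

    ssl_certificate     /etc/nginx/certs/origin.pem;       # assumed paths
    ssl_certificate_key /etc/nginx/certs/origin.key;

    # Shared CA file as downloaded from Cloudflare's documentation
    ssl_client_certificate /etc/nginx/certs/cloudflare_origin_pull_ca.pem;
    ssl_verify_client on;
}

# Hardened form: trusts only our own CA. The matching client certificate is
# uploaded to Cloudflare as a custom Authenticated Origin Pulls certificate
# for this zone, so only requests proxied for this account can present it.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/origin.pem;
    ssl_certificate_key /etc/nginx/certs/origin.key;

    ssl_client_certificate /etc/nginx/certs/my_origin_pull_ca.pem;  # own CA
    ssl_verify_client on;
    ssl_verify_depth 1;

    # Source-IP allowlist is defence in depth only: a Cloudflare edge address
    # proves the request passed through Cloudflare, not through your account.
    # Replace the placeholders with the ranges from https://www.cloudflare.com/ips/
    allow 173.245.48.0/20;
    allow 2400:cb00::/32;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;                  # assumed backend
    }
}
```

Only the hardened block rejects a request that arrives from a Cloudflare IP but carries the shared certificate, which is exactly the case the research describes.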
Finally, as you can see, while Cloudflare serves to protect your website, it can also be used to launch DDoS attacks. It's a problem that can put your website's operation at risk. Given the numerous daily cyberattacks, it's crucial to take measures to prevent it.