Abstract:
With users and companies alike relying on online solutions for global commercial exchange, attacks against internet services have become an ever more serious topic. Cloud-Based Security Providers (CBSPs) are a common solution to prevent such attacks, with the advantage of intercepting malicious traffic before it reaches the website’s origin server. The CBSP, however, does not prevent the origin server from being reachable through its IP address. Therefore, an attacker who acquires such an Origin-IP could attack the website directly and circumvent the CBSP’s protection. This thesis reviews the problem, addresses mitigations and further analyses clients of the CBSP Imperva Incapsula through the extension of an origin discovery tool. In addition, the applicability of large-scale scans for web proxy detection and origin discovery is analysed. With 19.19% of Incapsula’s clients exposing their Origin-IP(s), exposure has strongly decreased in comparison to previous studies. The proxy detection resulted in 67,195 detected web proxies or similar services and showed that indirect requests are triggered through large-scale scans for origin discovery. The origin discovery scans considered the indirect requests but could not accurately verify the actual origins of two scanned clients, indicating that further research on this topic is necessary.