Attempts to Bypass CDNs isc.sans.edu/diary/325…
Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.
However, this setup comes with a significant weakness: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly. There are a few ways to prevent this. An[other] option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that passed through the CDN. A less secure (lazier?) option is to look for any header that identifies the CDN. This last option should be avoided, as attackers can easily include this header.
In recent days, our honeypots detected an uptick of requests that included these CDN-related headers, indicating that attackers may attempt to bypass this protection.
