{"id":15267,"date":"2025-12-05T01:06:22","date_gmt":"2025-12-05T01:06:22","guid":{"rendered":"https:\/\/newestek.com\/?p=15267"},"modified":"2025-12-05T01:06:22","modified_gmt":"2025-12-05T01:06:22","slug":"suspicious-traffic-could-be-testing-cdn-evasion-says-expert","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15267","title":{"rendered":"Suspicious traffic could be testing CDN evasion, says expert"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>An individual or group is doing new probing of content delivery networks (CDNs), an effort that CSOs, CIOs and network administrators should worry about if they use CDNs instead of web application firewalls to protect websites.<\/p>\n<p>That\u2019s the conclusion of <a href=\"https:\/\/www.sans.org\/profiles\/dr-johannes-ullrich\" target=\"_blank\" rel=\"noreferrer noopener\">Johannes Ullrich<\/a>, dean of research at the SANS Institute, <a href=\"https:\/\/isc.sans.edu\/diary\/32532\" target=\"_blank\" rel=\"noreferrer noopener\">who this week said<\/a> his organization\u2019s honeypots last month detected a curious amount of traffic with server requests that include CDN-related headers.<\/p>\n<p>Perhaps, he said, someone is testing a tactic to evade CDN defences for launching either a targeted attack or a widespread distributed denial of service (DDoS) attack on a site.<\/p>\n<p>For example, the honeypots have seen headers on traffic that include:<\/p>\n<ul class=\"wp-block-list\">\n<li>\u201cCf-Warp-Tag-Id,\u201d which is associated with Cloudflare\u2019s Warp VPN service;<\/li>\n<li>\u201cX-Fastly-Request-Id,\u201d which is associated with the Fastly CDN;<\/li>\n<li>\u201cX-Akamai-Transformed,\u201d a header 
added by Akamai;<\/li>\n<li>and a puzzler: \u201cX-T0Ken-Inf0.\u201d Ullrich thinks it might contain a form of authentication token, but isn\u2019t sure.<\/li>\n<\/ul>\n<p>In an interview, he said one explanation is that a threat actor is trying to get around a CDN\u2019s filters by creating page requests that include a CDN-related header.<\/p>\n<p>Another possible explanation is that these requests are merely going through a CDN, but, Ullrich said, \u201cthe requests we\u2019re seeing don\u2019t quite look like that.\u201d<\/p>\n<p>Internet requests are messages sent from a client such as a web browser to a web server, requesting a web page. A wave of requests can be a DDoS attack, or mask a different kind of attack.<\/p>\n<p>These days, many organizations use CDNs or cloud providers for basic DDoS protection and bot filtering in addition to load balancing. In a typical setup, Ullrich said, DNS is used to point clients to the CDN, which then forwards the request to a customer\u2019s web server.<\/p>\n<p>However, there\u2019s a problem: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly. There are a few ways for users to prevent this. For example, depending on the CDN selected, it may be possible to allow access only from the CDN\u2019s IP address space. However, for some of the larger providers, this list of addresses may be large and very dynamic. <\/p>\n<p>Another option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that have passed through the CDN. And a less secure option is to look for any header that identifies the CDN. However, Ullrich noted, merely looking for a header should be avoided, as attackers can easily include this header in their traffic. 
This appears to be the activity the SANS honeypot has been seeing since November.<\/p>\n<p>A spokesperson for CDN Cloudflare\u2019s PR agency said a comment couldn\u2019t be arranged by deadline.<\/p>\n<p><strong>Related content:<\/strong> <a href=\"https:\/\/www.networkworld.com\/article\/4092917\/how-a-bot-management-file-push-crippled-cloudflares-global-network.html\" target=\"_blank\">How a bot management file push crippled Cloudflare\u2019s global network<\/a><\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/kellman\/\" target=\"_blank\" rel=\"noreferrer noopener\">Kellman Meghu<\/a>, chief security architect at DeepCove Security, says the activity seen by the SANS Institute\u2019s honeypots isn\u2019t new. But, he added, it only becomes an issue when there is improper access control, or the controls fail.<\/p>\n<p>\u201cOrigin web servers should be deployed with access controls, be it security groups or firewall rules, to only ever allow communication with the CDN service,\u201d he said in an email. \u201cJust deploying your web application as accessible to the world, and then overlaying a CDN to act as the front end seems like a terrible waste of money and effort. In today\u2019s world of infrastructure-as-code, this can and should be easy to manage and mitigate as far as risk goes.\u201d<\/p>\n<p><a href=\"https:\/\/www.aryaka.com\/author\/adityaksood\/\" target=\"_blank\" rel=\"noreferrer noopener\">Aditya Sood<\/a>, VP of security engineering and AI strategy at Aryaka, said in an email that a surge in requests that include CDN-related headers \u201cis clear experimentation from threat actors, and the impersonation isn\u2019t just random noise, it\u2019s reconnaissance. Attackers are probing to uncover the weak origin validation in organizations who are trusting the mere presence of a CDN-specific header instead of enforcing proper controls like IP allowlists, private network peering, or cryptographically validated tokens. 
When you see multiple CDN fingerprints being spoofed at roughly the same time, it usually means new tooling or automated scanners are being deployed in the wild.\u201d<\/p>\n<p>Proper origin hardening that includes strict IP allowlists, validated tokens, or private connectivity is essential to protect websites, he said. \u201cRelying only on the presence of CDN-specific headers is no longer viable, and organizations that have not fully locked down their backend infrastructure may already be exposed.\u201d<\/p>\n<p>Ullrich added that CDNs and other traffic filtering services will issue a unique value to each customer as proof that traffic has gone through their service, so web administrators should configure their web servers or next-generation firewalls to only accept requests with that unique value.<\/p>\n<p>The activity SANS has seen is \u201cdefinitely something that should be seen as a warning of something that could become more than it is now,\u201d he said. \u201cNow it\u2019s only a curiosity, but it could easily become more. You [admins] need to follow your content delivery network\u2019s guidance to protect your web server from attacks like this.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>An individual or group is doing new probing of content delivery networks (CDNs), an effort that CSOs, CIOs and network administrators should worry about if they use CDNs instead of web application firewalls to protect websites. 
That\u2019s the conclusion of Johannes Ullrich, dean of research at the SANS Institute, who this week said his organization\u2019s honeypots last month detected a curious amount of traffic with&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15267\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15267","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15267","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15267"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15267\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15267"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15267"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15267"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}