
Prevent Origin IP Leak

Preface

When you browse an HTTPS website, the server sends you its certificate, and the Subject Alternative Name field of that certificate contains the domain name.

You can run curl -v -k https://1.1.1.1 (assuming your origin IP is 1.1.1.1) and read your hostname straight out of the certificate, even though you connected by IP address only.

That’s the problem.

https://search.censys.io/

It’s a tool that can easily find out your origin IP under CDN.

Simply put, it regularly scans the whole IPv4 Internet and collects information about hosts, websites and certificates.

It uses ZMap and ZGrab to do the scanning job.

ZMap

ZMap is a network-layer scanner that performs a stateless scan: it sends probe packets to the target IP addresses and matches the responses without keeping per-connection state.

  • Configuring Scan Parameters: ZMap first configures the scan parameters, which include the scan type (e.g., SYN scan), the target IP address range, and the target port.
  • Sending Packets: ZMap generates and sends out packets (e.g., SYN packets) to the target port of the target IP addresses. Only one packet is sent to each IP address to maximize the scanning speed.
  • Collecting Responses: ZMap collects all responses coming back from the target IP addresses. For example, if a target IP address returns a SYN-ACK packet, it means the corresponding port of this IP address is open.

ZGrab

After ZMap finishes its scanning, ZGrab starts to perform the application-layer scanning. ZGrab is an application-layer scanner that collects detailed information about specific services (e.g., HTTP, HTTPS, SSH).

  • Establishing Connection: ZGrab first tries to establish a TCP connection to the target IP address. If the connection is successful, ZGrab proceeds to the next step.
  • Protocol Handshake: ZGrab attempts to perform a handshake with the target IP address following a specific protocol. For example, if the target service is HTTPS, ZGrab will perform an SSL/TLS handshake. If the handshake is successful, ZGrab proceeds to the next step.
  • Collecting Data: ZGrab collects detailed information about the target service through the protocol handshake. For example, if the target service is HTTPS, ZGrab will collect the SSL/TLS certificate. All collected data are stored for later use.

In summary, Censys’s scanning principle involves using ZMap to perform network-layer scanning to discover online hosts and open ports, then using ZGrab to perform application-layer scanning to collect detailed information about the open services. Finally, the collected data are processed, stored, and analyzed, and made available for users to query and use.

Solution

Enable ssl_reject_handshake in Nginx configuration

ssl_reject_handshake is an Nginx configuration directive. When it is set to on in a server block, Nginx rejects SSL/TLS handshakes for connections that land in that block instead of serving a certificate.

The ssl_reject_handshake directive requires Nginx version 1.19.4 or above; you can confirm this in the Nginx documentation.

We just need to add a catch-all server block to the Nginx configuration.

# Catch-all block: any TLS connection whose SNI does not match another
# server block ends up here and the handshake is rejected.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

We need to mark this block as the default server and remove the default_server option from all other server blocks.

Because this block carries no real domain (no server_name), every handshake that does not present the correct SNI falls through to it and is rejected.

Note that this solution only covers HTTPS. Either do not configure a plain-HTTP server block at all, or make the HTTP server block return 444 so that Nginx closes the connection without a response.
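The Preface shows the leak with curl -v -k, and the catch-all block above is meant to close it. The following script is an added example, not part of the original post, that checks both from the defender's side: it performs one handshake against the origin IP without SNI (what a blind scanner such as ZGrab sees) and one with the real domain as SNI, and prints the DNS names found in the certificate's Subject Alternative Name. It assumes openssl(1) 1.1.1 or later (for -noservername and x509 -ext); ORIGIN_IP and DOMAIN are placeholders you supply on the command line.

```shell
#!/bin/sh
# Added example (not from the original post): probe an origin IP the way a
# blind scanner would and report whether the certificate leaks the hostname.
# Assumes openssl(1) 1.1.1+ is installed.

# Extract DNS names from the subjectAltName text that "openssl x509" prints.
# Reads stdin, e.g. "DNS:example.com, DNS:www.example.com, IP Address:1.1.1.1",
# and prints one DNS name per line (IP Address entries are ignored).
san_dns_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# Perform one TLS handshake against an IP, with SNI if a second argument is
# given and with SNI explicitly disabled otherwise, and print the SAN entries
# of the leaf certificate. Prints nothing if the handshake is rejected.
# Usage: handshake_san ORIGIN_IP [SERVERNAME]
handshake_san() {
    ip=$1
    sni=$2
    if [ -n "$sni" ]; then
        set -- -servername "$sni"
    else
        set -- -noservername
    fi
    printf '' | openssl s_client -connect "$ip:443" "$@" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | grep -v 'Subject Alternative Name'
}

# Compare what a scanner sees (no SNI) with what the CDN sees (correct SNI).
# Usage: check_origin_leak ORIGIN_IP DOMAIN
check_origin_leak() {
    ip=$1
    domain=$2
    echo "== handshake without SNI (what a blind scanner sees) =="
    names=$(handshake_san "$ip" | san_dns_names)
    if [ -z "$names" ]; then
        echo "handshake rejected or no certificate: nothing leaked"
    else
        echo "$names" | sed 's/^/leaked hostname: /'
    fi
    echo "== handshake with SNI $domain =="
    if handshake_san "$ip" "$domain" | san_dns_names | grep -qx "$domain"; then
        echo "certificate for $domain served: anyone who guesses the SNI still finds this IP"
    else
        echo "no certificate for $domain served"
    fi
}

# Run only when called with two arguments: sh check_leak.sh ORIGIN_IP DOMAIN
if [ "$#" -eq 2 ]; then
    check_origin_leak "$1" "$2"
fi
```

The second handshake is the reason the article goes on to recommend an IP whitelist: ssl_reject_handshake only removes the hostname from a handshake that carries no (or the wrong) SNI, so the check still reports the domain when the correct SNI is supplied.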

IP Whitelist

This is the safest solution described in this article, because once someone has determined a domain, they can send handshakes carrying that domain's SNI to every IP address and find the one that answers correctly.

If your CDN service publishes a list of all its IPs, you can set an IP whitelist that allows those IPs to fetch your resources and blocks every other request.

For example, Cloudflare publishes its IP ranges at https://www.cloudflare.com/ips/.

We can use iptables to implement the whitelist.

Allow incoming HTTP and HTTPS traffic from all IPv4 ranges used by Cloudflare

# -f makes curl produce no output on an HTTP error instead of an error page
for range in $(curl -fsS https://www.cloudflare.com/ips-v4); do
    iptables -I INPUT -p tcp -m multiport --dports http,https -s "$range" -j ACCEPT
done

Allow incoming HTTP and HTTPS traffic from all IPv6 ranges used by Cloudflare

for range in $(curl -fsS https://www.cloudflare.com/ips-v6); do
    ip6tables -I INPUT -p tcp -m multiport --dports http,https -s "$range" -j ACCEPT
done

Drop all incoming TCP and UDP connections that are trying to reach the HTTP or HTTPS ports

# Appended after the ACCEPT rules, so only non-Cloudflare sources reach them
iptables -A INPUT -p tcp -m multiport --dports http,https -j DROP
iptables -A INPUT -p udp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p tcp -m multiport --dports http,https -j DROP
ip6tables -A INPUT -p udp -m multiport --dports http,https -j DROP
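The three snippets above have one failure mode worth handling: if the download of the IP list fails or returns something other than CIDR ranges, the loops insert nothing (or garbage) and the DROP rules then cut off the CDN as well. The script below is an added example, not part of the original post, that does the same job as the snippets but validates every entry, refuses to proceed on an empty or malformed list, keeps the rules in a dedicated chain so they can be rebuilt idempotently when Cloudflare updates its ranges, and only prints the iptables commands so you can review them before applying. The chain name CDN_ALLOW and the temporary file locations are my own choices.

```shell
#!/bin/sh
# Added example (not from the original post): generate the Cloudflare
# whitelist rules from local copies of the IP lists, validating them first so
# that a failed or truncated download can never leave the DROP rules in place
# with an empty allow list. Prints the iptables commands; apply with "--apply".

# Accept only lines that look like an IPv4 or IPv6 CIDR range.
is_cidr() {
    printf '%s\n' "$1" \
        | grep -Eq '^(([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}|[0-9a-fA-F:]+/[0-9]{1,3})$'
}

# Print one ACCEPT rule per range in a list file. Fails (non-zero) if the
# file is empty or contains anything that is not a CIDR range.
# Usage: allow_rules <iptables|ip6tables> <list-file>
allow_rules() {
    tool=$1
    listfile=$2
    count=0
    while IFS= read -r range || [ -n "$range" ]; do
        [ -z "$range" ] && continue
        if ! is_cidr "$range"; then
            echo "invalid entry in $listfile: $range" >&2
            return 1
        fi
        echo "$tool -A CDN_ALLOW -p tcp -m multiport --dports http,https -s $range -j ACCEPT"
        count=$((count + 1))
    done < "$listfile"
    if [ "$count" -eq 0 ]; then
        echo "$listfile is empty, refusing to generate rules" >&2
        return 1
    fi
}

# Emit a complete, idempotent rule set: a dedicated CDN_ALLOW chain that is
# created or flushed, jumped to from INPUT for TCP and UDP on 80/443 (the
# jump is only inserted if it is not already there), the validated ACCEPT
# rules, and a final DROP for everything else that reaches the chain.
# Usage: build_ruleset <ipv4-list-file> <ipv6-list-file>
build_ruleset() {
    rules4=$(allow_rules iptables "$1") || return 1
    rules6=$(allow_rules ip6tables "$2") || return 1
    for tool in iptables ip6tables; do
        echo "$tool -N CDN_ALLOW 2>/dev/null || $tool -F CDN_ALLOW"
        for proto in tcp udp; do
            echo "$tool -C INPUT -p $proto -m multiport --dports http,https -j CDN_ALLOW 2>/dev/null" \
                 "|| $tool -I INPUT -p $proto -m multiport --dports http,https -j CDN_ALLOW"
        done
    done
    echo "$rules4"
    echo "$rules6"
    for tool in iptables ip6tables; do
        echo "$tool -A CDN_ALLOW -j DROP"
    done
}

# Download both lists, validate, and apply only if everything checks out.
apply_from_cloudflare() {
    tmp=$(mktemp -d) || return 1
    curl -fsS https://www.cloudflare.com/ips-v4 -o "$tmp/v4" \
        && curl -fsS https://www.cloudflare.com/ips-v6 -o "$tmp/v6" \
        && build_ruleset "$tmp/v4" "$tmp/v6" > "$tmp/rules.sh" \
        && sh "$tmp/rules.sh"
    status=$?
    rm -rf "$tmp"
    return "$status"
}

# "sh cdn-whitelist.sh --apply" fetches and applies; with two file arguments
# it only prints the rules for review.
if [ "${1:-}" = "--apply" ]; then
    apply_from_cloudflare
elif [ "$#" -eq 2 ]; then
    build_ruleset "$1" "$2"
fi
```

Because the chain is flushed and rebuilt in one pass, the script can run from cron to pick up changes to Cloudflare's ranges without accumulating duplicate rules in INPUT. The validation matters most on the IPv6 list: an error page or empty body downloaded there would otherwise leave the origin reachable only by IPv4 clients that are not Cloudflare at all.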

Use IPv6 Only

Generally speaking, no one scans the IPv6 address space to trace an origin, because it is far too large to enumerate exhaustively, so we can make the CDN pull from the origin over IPv6 only. Of course, the premise is that the CDN supports pulling from the origin over IPv6.

So we just need to point the CDN at the origin with a DNS AAAA record only, or disable IPv4 on the server altogether.

Licensed under CC BY-NC-SA 4.0