Approaches to Finding the Origin Server Behind a CDN

Saturday, October 28, 2017

Approaches to Bypassing a CDN

There are many approaches online for bypassing a CDN, but many of them have problems in practice. Below is a collection and summary of the commonly used ideas. From the site owner’s perspective, a site has not necessarily been behind a CDN for its whole life. From the DNS provider’s perspective, historical DNS records are not under the CDN provider’s control. From the CDN provider’s perspective, the regions it covers are limited, and the CDN’s bandwidth can also be limited.

DNS history

  • https://dnshistory.org/
  • http://whoisrequest.com/history/
  • https://completedns.com/dns-history/
  • http://dnstrails.com/
  • https://who.is/domain-history/
  • http://research.domaintools.com/research/hosting-history/
  • http://site.ip138.com/
  • http://viewdns.info/iphistory/

Enumerate via many DNS resolvers

Query the DNS records through less popular DNS resolvers, or ping the domain from multiple regions, and compare the answers.

Start from the target server

Passive collection

Make the target server proactively connect to your server, then capture the source IP:

  • SSRF
  • Have the server send email, then obtain the request IP
  • IP embedded in RSS

Server information

  • Probe file
  • Server log files
  • Error messages

Same-IP hosting (neighbor sites)

  • Find IPs corresponding to subdomains or parent domains
  • Look for neighbor sites that are not subdomains
  • Use search engines to find the same site on the public internet (dev environments, backup sites, etc.)
  • MX / TXT records

Compare banners across the internet

Collect the target site’s banner and search for it with internet-wide search engines. You can also use AQUATONE and look for sites with the same fingerprint on Shodan. Alternatively, use IP allocation data from the regional internet registries to narrow the candidate IP ranges down by region, then enumerate the web service banners in those ranges and compare them against the banner of the CDN-fronted site to identify the origin IP.

This method can also be used to find the mapping between internal network server IPs and domain names:

import requests
import bs4
import lxml  # parser backend used by BeautifulSoup below
from multiprocessing.dummy import Pool

requests.packages.urllib3.disable_warnings()


def demo(ip_host):
    # counter of remaining requests, shared by all worker threads (progress only, so a race is harmless)
    global c
    headers = {'Host': ip_host[1],
               'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36'}
    try:
        r = requests.get(ip_host[0], headers=headers, verify=False, timeout=5)
        if len(r.text) > 0:
            try:
                t = bs4.BeautifulSoup(r.text, 'lxml').find("title").string
            except Exception:
                t = "notitle"
            # print the result so it can be pasted into Excel; "mkdd1211" is a placeholder to replace with the column delimiter
            print(ip_host[0], " mkdd1211 ", ip_host[1], " mkdd1211 ", len(r.text), " mkdd1211 ", t)
    except Exception:
        pass
    c = c - 1
    if c % 1000 == 0:  # every 1000 requests, print how many remain so you can estimate the time left; adjust to the total
        print(c)


def make_payload(ips, hosts):
    # one http and one https request per (ip, Host header) pair
    payload = []
    for ip in ips:
        for host in hosts:
            payload.append(("https://" + ip, host))
            payload.append(("http://" + ip, host))
    return payload


def make_payload_c(ips_c, hosts):
    # expand each /24 prefix ("1.1.1") into all 256 addresses, then build the pairs
    payload = []
    u = []
    for i in range(256):
        for ip in ips_c:
            u.append(ip + "." + str(i))
    for ip in u:
        for host in hosts:
            payload.append(("https://" + ip, host))
            payload.append(("http://" + ip, host))
    return payload


# ips=["1.1.1.1","2.2.2.2"]
# d=make_payload(ips,hosts)  # try the individual IPs first; if nothing turns up, run the whole /24

ipc = ["1.1.1", "2.2.2"]
hosts = ["a.huoxian.cn", "b.huoxian.cn", "c.huoxian.cn"]
d = make_payload_c(ipc, hosts)

c = len(d)
print(len(d))
with Pool(200) as p:
    p.map(demo, d)

CDN provider

  • Compromise the CDN provider
  • Infer the origin IP based on CDN DNS behavior (e.g. www.crimeflare.com)
  • Exhaust the CDN’s service bandwidth to expose the real IP

F5 LTM

F5 LTM decoding method: when a server sits behind an F5 LTM load balancer, you may be able to obtain the real IP by decoding the Set-Cookie value. For example, given Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000: take the decimal number in the first segment (487098378), convert it to hex (1d08880a), then read the hex value one byte (two hex digits) at a time from right to left to get 0a.88.08.1d, and finally convert each byte to decimal: 10.136.8.29, which is the real IP.
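The decoding above, written out as an added example (not code from the original post) that a defender can run against their own response headers to check whether a BIG-IP persistence cookie is exposing a backend address. The sample header lines are constructed for the demonstration; the cookie value is the one quoted above. The post only decodes the IP; this example also decodes the second segment as the backend port using the same little-endian byte order (the 8030 in the pool name agrees with the result), and returns None for values that do not fit the plain IPv4 encoding (IPv6 or encrypted cookie formats):

```python
import re
import ipaddress

# Constructed sample response headers for the demonstration (not from the original post).
SAMPLE_HEADERS = [
    "HTTP/1.1 200 OK",
    "Server: BigIP",
    "Set-Cookie: BIGipServerpool_8.29_8030=487098378.24095.0000; path=/",
    "Set-Cookie: session=abc123; Path=/; HttpOnly",
]

# Matches the classic cookie layout: BIGipServer<pool>=<ip>.<port>.<reserved>
COOKIE_RE = re.compile(r"^Set-Cookie:\s*(BIGipServer[^=]+)=(\d+)\.(\d+)\.(\d+)", re.I)


def decode_bigip_ipv4(encoded_ip, encoded_port):
    """Decode the unencrypted IPv4 BIGipServer cookie fields.

    The IP is a 32-bit integer and the port a 16-bit integer, both stored
    little-endian, so each is read byte by byte from right to left.
    Returns (ip, port) or None when the values are not plain IPv4 fields.
    """
    ip_int, port_int = int(encoded_ip), int(encoded_port)
    if ip_int > 0xFFFFFFFF or port_int > 0xFFFF:
        return None  # IPv6 or encrypted cookie format; not handled here
    ip = ipaddress.IPv4Address(ip_int.to_bytes(4, "little"))  # 487098378 -> 0a.88.08.1d
    port = int.from_bytes(port_int.to_bytes(2, "little"), "big")  # 24095 -> 0x1f5e -> 8030
    return str(ip), port


def audit_headers(lines):
    """Scan raw response header lines and report every BIGipServer cookie that
    exposes a backend address, flagging whether that address is private (RFC 1918)."""
    findings = []
    for line in lines:
        m = COOKIE_RE.match(line)
        if not m:
            continue
        decoded = decode_bigip_ipv4(m.group(2), m.group(3))
        if decoded is None:
            continue
        ip, port = decoded
        findings.append({
            "cookie": m.group(1),
            "backend": f"{ip}:{port}",
            "private": ipaddress.ip_address(ip).is_private,
        })
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS):
        print(finding)  # {'cookie': 'BIGipServerpool_8.29_8030', 'backend': '10.136.8.29:8030', 'private': True}
```

A finding with a private backend address confirms the leak described above. The usual remediation on the F5 side is to enable cookie encryption in the persistence profile, after which the cookie value no longer decodes and this check returns nothing.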
