
🎯 Purpose of Finding Real IPs
Most platforms today sit behind a high-defence CDN. The IP a user sees is that of a CDN edge node; besides acceleration, the platform uses the CDN for protection, getting DDoS mitigation while hiding its real IP. The motives for bypassing the CDN to find that real IP vary: some people are testing for security holes, some are launching targeted attacks, and some are just doing reconnaissance.
Whatever the motive, this post walks through several technical ways of bypassing a CDN to find the real IP.
💡 Disclaimer: please use this knowledge ethically. Unauthorised hacking is illegal.
🕵️‍♂️ I: Multi-location detection
Use a multi-location probing tool such as Ping.pe or the IPIP.NET global node checker to probe the target from many vantage points. Some platforms return a different IP from different nodes: for example, probes from Asia get the CDN node IP, while probes from other regions such as Europe and the United States get the real IP, usually because the CDN or geo-DNS was only configured for some regions.
It can also be analysed from DNS resolution characteristics:
Bash
dig +short example.com @8.8.8.8
nslookup -querytype=NS example.com
Key indicators of a CDN: multiple CNAME records pointing at a CDN domain, answers inside Anycast IP ranges, and DNS response-time differences between resolvers. An answer that sits outside every known CDN range is the one worth chasing.
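The comparison step, as an added example that is not part of the original post: it takes the answer sets gathered from several vantage points (constructed sample data here) and flags any answer that is not inside a known CDN prefix. The prefix list is a small subset of Cloudflare's published ranges and is an assumption for the example; in practice load the full, current list for every CDN the target might use. The same filter applies to the subdomains enumerated in section III below.

```python
"""Compare DNS answers gathered from several vantage points and flag
answers that fall outside known CDN prefixes.

Added example for this post; it is not code from the original article or
from any tool named in it. VANTAGE_ANSWERS is constructed sample data and
CDN_PREFIXES is a small subset of Cloudflare's published ranges."""
import ipaddress

# Constructed subset of public CDN prefixes (Cloudflare, as published by the provider).
CDN_PREFIXES = [ipaddress.ip_network(p) for p in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "173.245.48.0/20",
    "141.101.64.0/18", "108.162.192.0/18", "162.158.0.0/15", "198.41.128.0/17",
)]

# Constructed sample: what `dig +short example.com` returned from each vantage point.
# 203.0.113.45 is a documentation-range address standing in for a real origin.
VANTAGE_ANSWERS = {
    "tokyo":     {"104.21.5.7", "172.67.130.9"},
    "frankfurt": {"104.21.5.7", "172.67.130.9"},
    "new-york":  {"203.0.113.45"},
    "singapore": {"104.21.5.7", "172.67.130.9"},
}


def is_cdn_ip(ip: str) -> bool:
    """True when the address lies inside one of the known CDN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CDN_PREFIXES)


def answer_disagreement(answers: dict) -> bool:
    """True when the vantage points did not all receive the same answer set."""
    return len({frozenset(ips) for ips in answers.values()}) > 1


def candidate_origins(answers: dict) -> dict:
    """Return {ip: [vantage points that saw it]} for every non-CDN answer.

    A non-CDN answer is only a candidate: confirm it by requesting the site
    from that IP with the target's Host header before drawing conclusions."""
    seen = {}
    for site, ips in answers.items():
        for ip in ips:
            if not is_cdn_ip(ip):
                seen.setdefault(ip, []).append(site)
    return {ip: sorted(sites) for ip, sites in seen.items()}


if __name__ == "__main__":
    print("vantage points disagree:", answer_disagreement(VANTAGE_ANSWERS))
    for ip, sites in candidate_origins(VANTAGE_ANSWERS).items():
        print(f"candidate origin {ip} seen from {', '.join(sites)}")
```

Feed it the output of your own probing tool in place of the constructed dictionary; the two checks separate "the CDN is regional" (disagreement) from "this answer is not the CDN at all" (candidate origin).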
🗃️ II: Historical information mining
Historical information mining is straightforward. Many platforms went online with no protective measures at all, so their early DNS records, SSL certificates and similar artefacts exposed the origin directly. Mining that history to find the earlier IP succeeds surprisingly often. The main methods:
DNS time-machine (passive DNS) lookups:
1. MicroStep Online (ThreatBook, 微步在线) X platform: ThreatBook was founded in 2015, and its online X platform holds resolution records from 2010 to the present. Walk through the target's historical records to find legacy IPs that predate the CDN, then confirm whether the host still answers there.
2. SSL certificate fingerprint tracking
Bash
# Extract the certificate fingerprint (SHA-1 by default; add -sha256 for a SHA-256 fingerprint)
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -fingerprint
Searching Censys for hosts that present a certificate with the same fingerprint has, in practice, revealed a CDN customer's origin sharing its certificate with a test environment that was not behind the CDN. Any hit outside the CDN's own ranges is a candidate origin; confirm it by requesting the site from that IP with the right Host header.
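The passive-DNS step above, as an added example that is not code from the post or from ThreatBook: given a history export (constructed sample records here, in a first-seen/last-seen/type/value shape), it finds the date the name first pointed at a CDN CNAME and lists the A records that predate it. The CDN CNAME suffixes are an assumed short list; extend them for whichever providers you meet.

```python
"""Walk a passive-DNS history and pick out the A records that predate the
switch to a CDN CNAME.

Added example for this post, not code from the article or from any platform
it names. HISTORY is constructed sample data; CDN_CNAME_SUFFIXES is an assumed
short list of suffixes that identify a CDN target."""
from datetime import date

# Assumed CNAME suffixes that identify a CDN; extend for other providers.
CDN_CNAME_SUFFIXES = (".cdn.cloudflare.net", ".akamaiedge.net",
                      ".edgekey.net", ".cloudfront.net")

# Constructed history for example.com: (first_seen, last_seen, rrtype, value).
# 198.51.100.x are documentation-range addresses standing in for real origins.
HISTORY = [
    (date(2016, 3, 1),  date(2019, 8, 30), "A",     "198.51.100.20"),
    (date(2019, 9, 1),  date(2021, 1, 15), "A",     "198.51.100.22"),
    (date(2021, 1, 16), date(2025, 1, 1),  "CNAME", "example.com.cdn.cloudflare.net"),
    (date(2021, 1, 16), date(2025, 1, 1),  "A",     "104.21.5.7"),
]


def is_cdn_cname(value: str) -> bool:
    """True when a CNAME target ends in one of the known CDN suffixes."""
    return value.lower().rstrip(".").endswith(CDN_CNAME_SUFFIXES)


def cdn_cutover(history):
    """Date the name first pointed at a CDN CNAME, or None if it never did."""
    dates = [first for first, _, rrtype, value in history
             if rrtype == "CNAME" and is_cdn_cname(value)]
    return min(dates) if dates else None


def legacy_ips(history):
    """A records whose last sighting predates the CDN cutover, newest first.

    These are candidate origins only: the host may have moved since, so each
    one still needs confirming with a direct request."""
    cutover = cdn_cutover(history)
    if cutover is None:
        return []
    pre = [(last, value) for _, last, rrtype, value in history
           if rrtype == "A" and last < cutover]
    return [value for _, value in sorted(pre, reverse=True)]


if __name__ == "__main__":
    print("CDN cutover:", cdn_cutover(HISTORY))
    print("legacy IPs, newest first:", legacy_ips(HISTORY))
```

The newest pre-cutover address is the best first guess, since it is the one most likely still in use when the CDN was switched on in front of it.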
🌐 III: Structural Breakthroughs
1. Subdomain enumeration: the origin can often be found through the wider attack surface of the app or site. Enumerate the target's subdomains with tools such as Subfinder (passive collection), Amass (active brute forcing) and AltDNS (permutation generation); some subdomains, such as an API host or a staging site, may not be behind the CDN and may also carry serious vulnerabilities. Resolve every discovered name and check whether its IP is a CDN node.
2. Mail traceability: make the target send you an email (registration, password reset) and read the SMTP headers; the sending server is often the origin itself or a host in the same network. Header analysis found, for example:
Received: from mail.example.com (192.168.1.1)
X-Originating-IP: 10.0.0.1
Note that these two sample values are private (RFC 1918) addresses, so they cannot be the public origin; in a real header you want the public IP in the outermost Received hop that the target's own server added, not the internal hops.
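The header analysis, as an added example that is not code from the post: it pulls every IP out of the Received and X-Originating-IP headers of a constructed password-reset message and discards internal addresses. The whole raw message is constructed; 203.0.113.77 is a documentation-range address standing in for a real origin, which is also why the filter uses an explicit internal-range list rather than `ipaddress.ip_address(ip).is_global` (which would also reject documentation ranges).

```python
"""Pull sender-side IPs out of SMTP headers and discard internal addresses,
which cannot be the public origin.

Added example for this post, not from the article. RAW_MESSAGE is a
constructed message; 203.0.113.77 is a documentation-range stand-in for a
real origin."""
import email
import ipaddress
import re

# Constructed message: the recipient MX added the first Received hop, the
# target's own mail server added the second (internal) one.
RAW_MESSAGE = b"""\
Received: from mail.example.com (mail.example.com [203.0.113.77])
\tby mx.recipient.test (Postfix) with ESMTPS id 4Gz1Q2
\tfor <tester@recipient.test>; Mon, 01 Jan 2024 10:00:00 +0000
Received: from webapp.internal (webapp.internal [10.0.0.1])
\tby mail.example.com (Postfix) with ESMTP id 3Fy0P1
\tfor <tester@recipient.test>; Mon, 01 Jan 2024 09:59:58 +0000
X-Originating-IP: 10.0.0.1
From: noreply@example.com
To: tester@recipient.test
Subject: Password reset

Click the link to reset your password.
"""

IP_RE = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?")

# Ranges that can never be a public origin. In real use prefer
# ipaddress.ip_address(ip).is_global; not used here only because the sample
# relies on a documentation-range address.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def header_ips(raw: bytes):
    """IPs from Received and X-Originating-IP headers, in header order
    (the outermost Received hop, added by the last relay, comes first)."""
    msg = email.message_from_bytes(raw)
    found = []
    for name in ("Received", "X-Originating-IP"):
        for value in msg.get_all(name, []):
            found.extend(IP_RE.findall(str(value)))
    return found


def public_candidates(raw: bytes):
    """Unique non-internal IPs from the headers, preserving header order."""
    out = []
    for ip in header_ips(raw):
        if not is_internal(ip) and ip not in out:
            out.append(ip)
    return out


if __name__ == "__main__":
    print("all header IPs:", header_ips(RAW_MESSAGE))
    print("public candidates:", public_candidates(RAW_MESSAGE))
```

Private hops like 10.0.0.1 still tell you something about the target's internal naming, but only the public hop is worth probing as a possible origin.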
🔧 IV: Advanced Techniques
CDN node vulnerabilities: CDN edge nodes have themselves had information-disclosure bugs, such as a Cloudflare error page that exposed back-end IPs and an Akamai debugging interface that exposed routing details. Such issues are fixed quickly, so treat them as opportunistic rather than reliable.
Global network mapping:
FOFA
# FOFA syntax example
title="Example Login" && country="CN"
Searching on page features like this turns up undocumented test servers that serve the same application directly, outside the CDN.
File feature hash identification: compute the mmh3 hash of the site's favicon.ico (here -150775716) and search FOFA with icon_hash="-150775716". The search matched 3 servers with the same hash: 2 were CDN nodes and the third was the origin IP.
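The favicon hash computation, as an added example that is not the post's code: it reproduces the mmh3 hash that FOFA's icon_hash search (and Shodan's http.favicon.hash) uses, with a pure-Python MurmurHash3 x86_32 so no third-party mmh3 package is needed, and hashes what those engines hash, which is the favicon bytes base64-encoded with a line break every 76 characters (exactly what `base64.encodebytes` produces). ICON_BYTES is constructed stand-in data, not a real icon; point the function at the bytes of a downloaded favicon.ico instead.

```python
"""Compute the favicon hash used by FOFA's icon_hash search and build the query.

Added example for this post, not the article's code. murmur3_32 is a
pure-Python MurmurHash3 x86_32 returning a signed 32-bit int, matching
mmh3.hash(); ICON_BYTES is constructed stand-in data, not a real icon."""
import base64


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32 over `data`, returned as a signed 32-bit integer."""
    c1, c2, mask = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

    def rotl(x, r):
        return ((x << r) | (x >> (32 - r))) & mask

    h1 = seed & mask
    nblocks = len(data) // 4
    for i in range(nblocks):                       # 4-byte body blocks, little-endian
        k1 = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k1 = rotl((k1 * c1) & mask, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1
        h1 = rotl(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & mask
    tail = data[4 * nblocks:]                      # remaining 1 to 3 bytes
    if tail:
        k1 = int.from_bytes(tail, "little")
        k1 = rotl((k1 * c1) & mask, 15)
        k1 = (k1 * c2) & mask
        h1 ^= k1
    h1 ^= len(data)
    h1 ^= h1 >> 16                                 # fmix32 finaliser
    h1 = (h1 * 0x85EBCA6B) & mask
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & mask
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1


def favicon_hash(icon: bytes) -> int:
    """Hash what FOFA and Shodan hash: the base64 text with 76-character lines."""
    return murmur3_32(base64.encodebytes(icon))


def fofa_query(icon: bytes) -> str:
    """FOFA search expression that matches every host serving this favicon."""
    return f'icon_hash="{favicon_hash(icon)}"'


ICON_BYTES = bytes(range(16))   # constructed stand-in for the bytes of favicon.ico

if __name__ == "__main__":
    print(fofa_query(ICON_BYTES))
```

Hashing the raw icon bytes instead of the base64 text gives a different number that matches nothing in the search engines, which is the most common mistake with this technique. Expect several hits: CDN nodes serve the same icon, so filter the results against the CDN's ranges before calling any of them the origin.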
Third-party service penetration: the file-upload function of a cloud storage platform sent its image-processing requests back to oss-internal.example.com; that name's CNAME resolved to 183.136.225.66, which sat behind no protection at all.
Protocol and port differences: if the site is reachable over both HTTP and HTTPS but only HTTPS is routed through the CDN, plain HTTP may answer from the real IP. The same idea applies to any service the CDN is not configured to front, such as a non-standard port or a separate hostname, which then resolves straight to the origin. Compare the responses on both protocols and check that a candidate IP actually serves the target's content with the right Host header.
These are the common CDN bypass techniques. In practice you usually need to combine several of them to get a result. Once again, unauthorised testing may be illegal; proceed with caution.
If you need professional services, contact 51DDOS!
🛡️ How do you defend against someone bypassing the CDN to find your origin?
Make sure every subdomain, including test, API and mail hosts, is behind the CDN
Expose no service directly on the origin: firewall it so only the CDN's published IP ranges can connect
Change the origin IP after moving behind the CDN, so historical DNS records and certificate searches lead nowhere
Send mail from a separate mail server, not from the origin
Review the site's code and third-party integrations for anything that leaks the origin IP or hostname
Harden the origin appropriately