4

What are the security implications of a web app firewall/load balancer revealing internal IPs of the web sites behind it to the outside world?

A specific example is with F5 products: They use a cookie that can be decoded to show the internal IPs of the sites they are serving up. Google for BigIP cookie decoder if you want to learn more. (Note: you CAN enable encryption of the cookies if you want to hide the internal IPs.)

I get that learning the internal IPs would be part of information gathering, but the scenarios where it would be useful seem limited. An attacker could use it with social engineering to target specific machines. Besides that, what attack surface or attack vectors are opened by leaking the internal IPs of websites?

nyxgeek
  • Please re-phrase, as your question is confusing. Not all the internal IPs behind a router would be web sites. Local networks are usually organized as sub-networks with their own IP addressing space that is distinct from that used in the Internet. A router is what separates a sub-net from the internet, and any kind of computer can be on a subnet. – Brent Kirkpatrick Apr 13 '16 at 13:13
  • F5 load balancers use a cookie that can be decoded to show the internal IP addresses that it is serving up. I thought I was clear when I wrote "web app firewall". – nyxgeek Apr 13 '16 at 13:40

3 Answers

2

What are the security implications of a web app firewall/load balancer revealing internal IPs of the web sites behind it to the outside world?

If, when you say "internal IPs", you mean the web server's LAN address (i.e. same datacenter, private networking, etc.), then you have a scenario similar to WebRTC revealing your computer's private IP address.

The greater risk is if, when you say "internal IPs", you mean remotely-accessible (i.e. public facing) IP addresses that we just don't talk about and rely on security by obscurity to conceal and protect. In this case, the attack surface here is your entire web server as it is directly accessible from the Internet, and simply learning its IP address would allow an attacker to completely bypass your web application firewall and any blocking & logging it might have.

For defense in-depth, you might consider the following access controls:

  • Creating firewall rules on the web server to only allow inbound traffic FROM your load balancer, precluding direct access from any other network/IP, even if it was leaked.
  • Removing the server's public IP and using only private networking

Of course, this implies a balance in security vs. maintainability. I would imagine you will still need a way to remote-in (i.e. VPN, SSH, or possibly via infrastructure management software like Chef, Puppet, continuous integration process, etc.) but the point is that you would do so under tighter access control that would render knowledge of your server's IP mostly useless.

Matt Borja
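The first of the controls above, a host firewall on the web server that admits web traffic only from the load balancer, looks like this as an nftables ruleset. This is an added example, not part of the answer or any vendor documentation; the load balancer address 203.0.113.10 and the management range 10.20.0.0/24 are assumed placeholders.

```nft
# Added example: host firewall for a web server sitting behind a load balancer.
# 203.0.113.10 (the load balancer) and 10.20.0.0/24 (VPN/bastion range) are assumed.
table inet webfilter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Keep loopback and already-established flows working
        iif "lo" accept
        ct state established,related accept

        # HTTP/HTTPS only from the load balancer, never directly from the Internet
        ip saddr 203.0.113.10 tcp dport { 80, 443 } accept

        # Management path stays on its own tightly scoped source range
        ip saddr 10.20.0.0/24 tcp dport 22 accept

        # Anything else, including a direct hit on a leaked address, is logged and dropped
        log prefix "direct-hit: " drop
    }
}
```

Load it with `nft -f` and note the trade-off the answer mentions: once only the load balancer can reach the server, the application sees the load balancer's address as the client, so any per-client logging or rate limiting on the web server has to trust the forwarded-for header the load balancer adds rather than the TCP source address.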
0

If an attacker finds a method to execute code on one of your hosts, it's easier to attack other hosts behind your firewall or load balancer, even with a limited back channel (for example, if it's a blind code injection, or to keep the footprint of the attack as small as possible).

Noir
0

Internal IP disclosures are generally considered information disclosure vulnerabilities. While this would aid a would-be attacker's network footprinting process, it is not inherently worse than other information disclosures.

Weighing the risks of not having the WAF vs. giving an attacker one additional piece of information seems like a simple decision to me.

In all likelihood (a majority of the time) an attacker is going to get in via social engineering one of your employees into downloading a Trojan. At that point, it is almost trivial to start scanning the network from the inside.

Allison Wilson