CloudPiercer finds gaps in cyber security


Researchers from KU Leuven and Stony Brook University in New York have developed a digital tool to identify how vulnerable websites are to cyber-attacks.

Common measures flawed

A common way of protecting websites from cyber-attack is not as reliable as previously thought, according to researchers from KU Leuven and Stony Brook University in New York. Now the digital tool they designed to identify the security flaw is available to the public.

Hardware to protect websites against online attacks can be expensive and complicated to install, so a popular alternative is to route requests to view a site through the servers of a security company. This cloud security can detect and block attempted cyber-attacks, as long as the actual location of the site being protected – its IP address – cannot be identified.

“The success of this strategy heavily depends on how well the website’s original IP address can be shielded,” explains Thomas Vissers, of KU Leuven’s computer science department. “If that IP address can be retrieved, protection mechanisms can easily be bypassed.”

Available to all

So Vissers and Nick Nikiforakis, assistant professor in the computer science department of Stony Brook University, built CloudPiercer. The tool uses eight different methods for locating IP addresses, such as seeking out historical data or the use of unprotected sub-domains.

“Previous studies had already described a number of strategies that can be used to retrieve a website’s original IP address,” Vissers continues. “We came up with a number of additional methods, and we were the first ones to measure and verify the exact impact of these strategies on a larger scale.”


They tested CloudPiercer on 18,000 websites, protected by five different cloud security services. “In more than 70% of cases, CloudPiercer was able to effectively retrieve the website’s original IP address, thereby providing the exact info that is needed to launch a successful cyber-attack,” says Vissers.

While the focus was on individual websites, the results clearly have implications for the security companies involved. “In order to ensure unbiased and accurate measurements, we did not send out notifications beforehand,” he says, “but the results of the study were shared with the companies prior to publication of the results.”

Meanwhile CloudPiercer has been made available for anyone to use. “It has attracted thousands of visitors and has been used to scan hundreds of websites already,” says Vissers.

If weaknesses are found, tightening up security can be simple. For example, firewalls can be changed to accept viewing requests only from the security company's servers, or the IP address can be changed after the cloud security is in place.
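
One way a site owner could check their own DNS zone for the unprotected sub-domain weakness mentioned above, as an added example that is not part of CloudPiercer or the original article. The provider ranges, origin address and zone records are constructed sample values in documentation address space, and the function and status names are hypothetical.

```python
import ipaddress

# Constructed sample data: documentation address space, not real provider ranges.
PROVIDER_RANGES = ["198.51.100.0/24", "2001:db8:100::/48"]
ORIGIN_IPS = ["203.0.113.10"]
ZONE_RECORDS = [
    ("www.example.com", "A", "198.51.100.7"),
    ("ftp.example.com", "A", "203.0.113.10"),
    ("mail.example.com", "A", "203.0.113.25"),
    ("dev.example.com", "AAAA", "2001:db8:100::5"),
    ("old.example.com", "CNAME", "ftp.example.com."),
    ("cdn.example.com", "CNAME", "edge.example.net."),
]
SEVERITY = ["UNRESOLVED", "PROXIED", "UNPROXIED", "EXPOSES_ORIGIN"]

def audit_zone(records, provider_ranges, origin_ips):
    """Return {hostname: status} for a zone export of (name, type, value) rows."""
    nets = [ipaddress.ip_network(r) for r in provider_ranges]
    origins = {ipaddress.ip_address(o) for o in origin_ips}
    by_name = {}
    for name, rtype, value in records:
        by_name.setdefault(name.lower().rstrip("."), []).append((rtype.upper(), value))

    def addresses(name, seen=()):
        # Follow in-zone CNAME chains; 'seen' stops CNAME loops.
        name = name.lower().rstrip(".")
        if name in seen:
            return []
        found = []
        for rtype, value in by_name.get(name, []):
            if rtype in ("A", "AAAA"):
                found.append(ipaddress.ip_address(value))
            elif rtype == "CNAME":
                found.extend(addresses(value, seen + (name,)))
        return found

    def classify(addr):
        if addr in origins:
            return "EXPOSES_ORIGIN"   # record hands out the address the proxy should hide
        if any(addr in net for net in nets):
            return "PROXIED"          # traffic enters through the security provider
        return "UNPROXIED"            # bypasses the provider; review what it reveals

    report = {}
    for name in by_name:
        statuses = [classify(a) for a in addresses(name)] or ["UNRESOLVED"]
        report[name] = max(statuses, key=SEVERITY.index)
    return report

if __name__ == "__main__":
    for host, status in sorted(audit_zone(ZONE_RECORDS, PROVIDER_RANGES, ORIGIN_IPS).items()):
        print(f"{status:15} {host}")
```

Hosts reported as EXPOSES_ORIGIN or UNPROXIED are the ones to move behind the provider or onto a separate address before relying on the firewall change described above.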