Hello and welcome to the Tuesday, March 17, 2006 edition of the Sands Internet Stormsters, Stormcast. My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

And this episode is brought to you by the sands.edu graduate certificate program in

cloud security. In diaries today, I wrote up some attacks that I observed this weekend against

our honeypots that hit a URL starting with slash proxy slash. Now, this URL prefix is

off news as the name implies for proxies. And that's how

the attacker is attempting to use the URL. They're essentially attempting to use your web

server as a proxy to reach internal IP addresses. Now, the particular IP address they're

looking for here is 169-254-169-254.

This is an IPV-4-link-only address, typically sort of not seen in a normal network, but it is

used by cloud providers for metadata services.

So each virtual host that you're setting up

can reach an API at that IP address

that then provides the host with specific configuration option,

including credentials, and that's exactly what they're looking for here. So kind of a server-side request

for jury attack, but of course if they find an actual full proxy at that URL, then these

attacks are a lot simpler. There are also some interesting sort of obfuscation techniques. For

example, they're using these IPV-4 mapped IPV6 addresses that are starting

with all zeros FFF, and then the last 32 bits are just the IPV4 address. They're reaching,

which here, because it's an hexadecimal, is then A9FE, A9FE.

So what should you do here?

Well, definitely make sure if you are running proxies on a web server or if you have anything like the old sort of course proxies or so set up for cross-origin requests, make sure

you properly secure them.

...