An origin server DDoS attack (sometimes referred to as direct-to-origin attack) is a technique used to bypass cloud-based DDoS protections – such as CDNs and WAFs – by targeting the origin server environment directly. Because the malicious traffic avoids the protective proxy layer, it hits the origin server unfiltered, potentially overwhelming systems that are not designed to handle large-scale attack volumes.
These attacks may use volumetric and protocol attack vectors, such as UDP and ICMP floods, as well as application-layer vectors, like HTTP floods or slow-rate attacks. As a result, even organizations with robust cloud-based defenses can suffer outages if their origin server IPs are exposed.
How do attackers expose origin server IP addresses?
To obtain the IP address of an origin server that is proxied by a cloud CDN & WAF solution, attackers use several techniques, such as:
- Subdomain Enumeration – scanning DNS records to find subdomains that resolve directly to backend infrastructure.
- Historical and current DNS records – mining DNS archives or misconfigured records that reveal old or overlooked IP mappings.
- CIDR Scanning – probing IP ranges owned by the organization (e.g., from WHOIS or RIR data) for exposed HTTP/HTTPS services.
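The defender's counterpart to the techniques above is to audit your own DNS zone before an attacker does: every A or AAAA record whose address is not inside the proxy provider's ingress ranges is a name that resolves straight to backend infrastructure. The script below is an added example, not code from the original post or from Red Button. The zone contents, the proxy ranges and the organization's owned block are constructed placeholders (documentation addresses), and `classify`, `parse_zone` and `audit_zone` are names chosen here. Records are sorted into three buckets: proxied (safe), owned-direct (a record pointing into your own CIDR, the case the post warns about), and direct (a record pointing at some other unproxied host, such as a cloud VM).

```python
"""Audit a zone file for records that resolve past the CDN/WAF layer.

Added illustration for the post above; all addresses and names are
constructed placeholders, not real infrastructure.
"""
import ipaddress

# Constructed sample: the proxy provider's published ingress ranges.
PROXY_RANGES = ["203.0.113.0/24", "2001:db8:1::/48"]
# Constructed sample: address space the organization owns (RIR-allocated).
OWNED_RANGES = ["192.0.2.0/24"]

PROXY_NETS = [ipaddress.ip_network(c) for c in PROXY_RANGES]
OWNED_NETS = [ipaddress.ip_network(c) for c in OWNED_RANGES]

# Constructed sample zone in BIND format, including one stale record.
ZONE = """
$ORIGIN example.com.
$TTL 300
@        IN  SOA   ns1 hostmaster 2024010101 3600 900 604800 300
@        IN  NS    ns1
www      IN  A     203.0.113.10      ; proxied through the CDN edge
www      IN  AAAA  2001:db8:1::10    ; proxied (IPv6 edge)
api      IN  CNAME www               ; follows www, so also proxied
origin   IN  A     192.0.2.10        ; stale record: backend in our own block
dev      IN  A     198.51.100.77     ; test box on a cloud VM, nothing in front
dev      IN  AAAA  2001:db8:2::5
"""


def parse_zone(text):
    """Return (owner, rtype, value) for every A/AAAA record.

    Minimal parser: strips ';' comments, skips $ directives, and assumes
    each record line carries an explicit owner name. CNAME/MX/NS records
    are ignored because they carry names, not addresses.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        tokens = line.split()
        owner = tokens[0]
        for i, tok in enumerate(tokens[1:], start=1):
            if tok in ("A", "AAAA") and i + 1 < len(tokens):
                records.append((owner, tok, tokens[i + 1]))
                break
    return records


def classify(ip_text):
    """'proxied' if the address belongs to the CDN/WAF provider,
    'owned-direct' if it sits in our own block, otherwise 'direct'."""
    ip = ipaddress.ip_address(ip_text)
    # ipaddress treats a v4 address as never contained in a v6 network
    # (and vice versa), so mixed-family lists are safe here.
    if any(ip in net for net in PROXY_NETS):
        return "proxied"
    if any(ip in net for net in OWNED_NETS):
        return "owned-direct"
    return "direct"


def audit_zone(text):
    """List every record that bypasses the proxy layer, in zone order."""
    findings = []
    for owner, rtype, value in parse_zone(text):
        status = classify(value)
        if status != "proxied":
            findings.append((owner, rtype, value, status))
    return findings


if __name__ == "__main__":
    for owner, rtype, value, status in audit_zone(ZONE):
        print(f"{owner:<8} {rtype:<5} {value:<18} {status}")
```

Run this against an exported copy of the live zone, not against what you believe the zone contains; the `origin` record in the sample is exactly the kind of forgotten entry that survives a migration behind a CDN. Historical DNS (the second technique in the post) is not covered by a zone audit, which is why the post pairs discovery with changing the origin address.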
Preventing origin IP exposure
Organizations that do not own IP blocks (e.g., hosted entirely in public cloud) can fully mask their backend. But even those with their own Autonomous System (AS) or IP ranges can significantly reduce exposure using these methods:
- Changing the Origin IP. Once the service is protected behind a CDN or WAF, change the backend IP to render previous DNS records obsolete.
- Restricting Direct Access to Known Gateways. Configure firewall rules to allow origin servers to accept traffic only from trusted proxy IP addresses (e.g., CDN PoPs or organizational gateways) and block all other public access.
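The second measure, restricting the origin to traffic from known gateways, is most robustly expressed as a host firewall allow-list on the origin itself, so it holds even if a cloud security group is misconfigured. The generator below is an added example, not code from the original post or from Red Button; it emits an nftables ruleset (loadable with `nft -f`) that accepts web ports only from the trusted proxy ranges and drops everything else on those ports, while leaving all other ports under the host's existing policy so management access is unaffected. The CIDRs are constructed placeholders; `build_nft_ruleset` and `ingress_allowed` are names chosen here, the latter being a small evaluator of the same policy over sample connections so the effect can be checked without loading rules.

```python
"""Generate an nftables allow-list for an origin behind a CDN/WAF.

Added illustration for the post above. Trusted ranges are placeholders;
in practice they come from the proxy provider's published ingress list,
which changes over time, so regenerate and reload on a schedule.
"""
import ipaddress


def _split_by_version(cidrs):
    """Validate CIDRs and split them into IPv4 and IPv6 networks.
    ip_network() is strict by default and rejects host bits set
    (e.g. 203.0.113.5/24), which catches copy-paste mistakes."""
    v4, v6 = [], []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr)
        (v4 if net.version == 4 else v6).append(net)
    return v4, v6


def build_nft_ruleset(trusted_cidrs, ports=(80, 443), table="origin_guard"):
    """Return nftables text: accept web ports from trusted sets, drop the rest."""
    v4, v6 = _split_by_version(trusted_cidrs)
    if not v4 and not v6:
        raise ValueError("refusing to emit a ruleset with an empty allow-list")
    port_set = "{ " + ", ".join(str(p) for p in ports) + " }"
    lines = [f"table inet {table} {{"]
    for fam, addr_type, nets in (("v4", "ipv4_addr", v4), ("v6", "ipv6_addr", v6)):
        if not nets:
            continue
        lines += [
            f"    set trusted_{fam} {{",
            f"        type {addr_type}",
            "        flags interval",
            "        elements = { " + ", ".join(str(n) for n in nets) + " }",
            "    }",
        ]
    lines += [
        "    chain input {",
        # policy accept: only the listed ports are constrained by this table
        "        type filter hook input priority 0; policy accept;",
    ]
    if v4:
        lines.append(f"        tcp dport {port_set} ip saddr @trusted_v4 accept")
    if v6:
        lines.append(f"        tcp dport {port_set} ip6 saddr @trusted_v6 accept")
    # counter makes dropped direct-to-origin attempts visible in `nft list ruleset`
    lines.append(f"        tcp dport {port_set} counter drop")
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


def ingress_allowed(src_ip, dport, trusted_cidrs, ports=(80, 443)):
    """Evaluate the same policy for one inbound connection attempt."""
    if dport not in ports:
        return True  # not a protected port: falls through to policy accept
    ip = ipaddress.ip_address(src_ip)
    v4, v6 = _split_by_version(trusted_cidrs)
    return any(ip in net for net in v4 + v6)


if __name__ == "__main__":
    # Constructed placeholders standing in for the provider's ingress ranges.
    trusted = ["203.0.113.0/24", "2001:db8:1::/48"]
    print(build_nft_ruleset(trusted))
    for src, port in [("203.0.113.7", 443), ("198.51.100.9", 443), ("198.51.100.9", 22)]:
        print(src, port, "accept" if ingress_allowed(src, port, trusted) else "drop")
```

Two caveats a practitioner should keep in mind. The allow-list does not hide the origin address; an attacker who knows it can still fill the link with UDP or ICMP floods that this ruleset never sees, which is why the post lists changing the origin IP first. And if your own users or monitoring reach the origin through an organizational gateway, that gateway's address must be in the trusted list, or it is dropped along with everything else.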
Red Button’s Asset Discovery Service
Red Button Asset Discovery Service provides a proactive approach to discovering and securing exposed infrastructure. This includes:
- Exposed IP identification – Detect internet-facing origin servers, whether cloud-based or on-prem.
- DDoS exposure assessment – Prioritize assets based on how easily they can be linked to your organization and their vulnerability to direct attack.
- Actionable remediation – Receive tailored mitigation steps, such as traffic filtering, IP rotation, and origin hardening, to neutralize exposure risks.
By closing visibility gaps, organizations can stay ahead of attackers and ensure that only filtered traffic ever reaches the origin.
*** This is a Security Bloggers Network syndicated blog from Red Button authored by Noam Katav. Read the original post at: https://www.red-button.net/protecting-against-origin-server-ddos-attacks/