Trace Hackers' IP Behind Cloudflare with The New Trusted Proxy Module
Eniko Toth

In the previous quarter, we announced a new beta module, the Trusted Proxy, which became a favorite module of some of our users:

“The new Trusted Proxy feature simply blows the competition out of the water especially when you consider the price point at which are offering BitNinja. We couldn’t be happier with how things are proceeding. :)” – Christopher McGill, Lead System Administrator at GekkoFyre Networks

In that article, we promised to create a separate menu for managing it, so here it is! :)

About proxies

A proxy server reroutes online requests, so the real IP of the visitor is masked from the website she/he wants to access. There are many free and paid proxies available on the market.

But why do people use proxies? Because they can:

  • Access content that is restricted in the visitor’s country
  • Speed up site loading, as Content Delivery Networks (CDNs, like Cloudflare) do
  • Stay anonymous

Of course, staying anonymous for hackers is essential, so there’s no doubt that they often use this as an easy way to hide themselves.

(Side note: However, they forget about the fact that a proxy won’t hide them completely. To be honest, there are ways to track the real IP behind a proxy. That’s why a skilled hacker will use VPNs instead of proxies.)

Background

As mentioned before, some hackers try to hide their information with a proxy. We’ve seen it with our own eyes. Our tech ninjas detected more and more unblocked attacks and when they dug deeper, they realized that these malicious requests came via Cloudflare.

As Cloudflare is the most popular CDN, their backend IPs are globally whitelisted by BitNinja. Therefore, these attacks couldn’t be detected because BitNinja doesn’t filter the requests coming from whitelisted IPs.

This issue became more and more serious and we couldn’t rest. We had to do something to keep our ninja friends’ servers safe against these attacks.

And there was another problem. Of course, we couldn’t whitelist all the proxies worldwide, so when BitNinja detected an attack from a less popular proxy, the IP became blocked. Greylisting an exit node’s IP only because one person behind it sent a malicious request meant that all the other users (even thousands) were blocked too. While this issue was much rarer than the increasing number of cyberattacks via Cloudflare, it was still very painful for the people who were affected.

That’s how the idea of the Trusted Proxy was born.

BitNinja Trusted Proxy

Thanks to this new beta module, hackers can’t hide behind proxies anymore. BitNinja will also track attacks that come through proxies, load balancers or edge proxies.

The technology behind Trusted Proxy requires the same settings as the WAF 2.0. So, if you have already set up the X-Forwarded-For header, then you have the green light to use the Trusted Proxy too. ;)

You’ll access the Trusted Proxy settings from the left-side menu.

The Cloudflare IPs are added to the list by default, but of course, you can manage this list by yourself. You can add custom proxy addresses by typing single IP/bulk IPs/IP ranges and add a comment so you’ll recognize the IPs later too.

However, your user-level whitelist comes first when BitNinja is filtering IPs, which means that if you whitelisted a proxy range before, it is time now to remove it, so the trusted proxies feature can work properly.
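The following Python example is added here and is not BitNinja's own code. It shows the general way a trusted proxy list and the X-Forwarded-For header combine to recover the visitor's address, so that filtering acts on the visitor and not on the proxy. The ranges in `TRUSTED_PROXIES` are constructed documentation addresses, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample list using documentation ranges; a real list would hold
# the address ranges of the CDN or load balancer in front of the server.
TRUSTED_PROXIES = [ipaddress.ip_network(n)
                   for n in ("198.51.100.0/24", "2001:db8:100::/48")]


def is_trusted(ip):
    """True if ip falls inside one of the trusted proxy ranges."""
    return any(ip.version == net.version and ip in net
               for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_addr, xff_header=None):
    """Return the address that filtering should act on.

    peer_addr  -- source address of the TCP connection (a header cannot
                  change it)
    xff_header -- raw X-Forwarded-For value, or None
    """
    client = ipaddress.ip_address(peer_addr)
    # The header is honoured only when the connection itself comes from a
    # trusted proxy; otherwise any sender could claim any address.
    if not is_trusted(client) or not xff_header:
        return str(client)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Each proxy appends the address it saw, so walk from the right and
    # stop at the first hop that is not a trusted proxy.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = ip
        if not is_trusted(ip):
            break
    return str(client)
```

Entries to the left of the first untrusted hop are supplied by the sender and are ignored, which is why a forged leading value in the header does not change the result.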

You can find more technical details about the BitNinja Trusted Proxy on our documentation site.

API endpoint

Do you prefer using the API to manage your Trusted Proxy list? No problem. :) As we mentioned a few weeks ago, we are continuously developing the BitNinja REST API. So, you can use these endpoints if you wish to customize the trusted proxies:

You can learn more about these functions on the BitNinja API documentation site.

Stop the attacks coming through proxies

Attacks via Cloudflare? Nah. Those times are over! With the BitNinja Trusted Proxy, you can forget about these struggles forever. It’s time to detect IPs hidden behind load balancers and edge proxies too.

Enable the Trusted Proxy now and if you or your customers are using a proxy, add it to your Trusted Proxy list.

And do not forget that we are always happy to help you, so feel free to contact us at info@bitninja.io or on the Dashboard chat if you have any questions about the Trusted Proxy or need assistance.

Stay safe and happy hacker-hunting!
