Score:-2

How can my users discover my upstream server IP though they only connect through load balancers?


I am managing a game server prone to DDoS. I have kept the upstream IP secret and only published the addresses of 100 load balancers forwarding traffic via iptables:

# on each load balancer: enable IPv4 forwarding, then DNAT the game ports to the upstream
echo 'net.ipv4.ip_forward=1' >> /etc/sysctl.conf
sysctl -p
iptables -t nat -A PREROUTING -p tcp --dport 1010 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1010
iptables -t nat -A PREROUTING -p udp --dport 1010 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1010
iptables -t nat -A PREROUTING -p udp --dport 1011 -j DNAT --to-destination MAIN_GAME_SERVER_IP:1011
# rewrite the source to the load balancer's own address so replies come back through it
iptables -t nat -A POSTROUTING -j MASQUERADE

Yet, my upstream IP address has been discovered.

What about my setup could have allowed this to happen?

  • None of the load balancing addresses received DoS traffic.
  • The upstream server is configured to only respond to traffic from the load balancers.
  • My load balancers are reachable through addresses x.x.x.20 through x.x.x.60, with the upstream server sitting at x.x.x.61.
anx
Is this one of those *"DDoS protections"* where your users connect via x.x.x.20 through x.x.x.60 while the machine at x.x.x.61 hosts your super secret sauce? (other than suggesting some simple mistakes, this question can not be answered conclusively with the few details provided)
Manya Singh
Yes, this is the one.
Manya Singh
@anx Yes, you are right. Basically, multiple public servers and one secret server.
djdomi
Sorry, your question is currently of such low quality, and since this is off-topic, please ask on superuser.com.
anx
In the context of mitigating DoS by proxying traffic, the upstream server is often referred to as [*the origin*](https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/)
Paul
Also inspect the mail headers of any emails originating at the origin server.
Score:1
anx

You kind of solved the mystery in your reply to my comment: If your IP addresses can be guessed, then they can also be guessed by your less welcome users.

Public sources like certificates, previous network-scan results or simply whois entries allow one to guess which (more so if consecutively numbered) IP address blocks are managed by the same party.

As long as the service you provide remains vulnerable to whatever attack you observed, the guess can then be quickly confirmed by watching your service become unresponsive.
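A defender's self-check for the point made in this answer (an added example, not code from the answer or the page): given the published load-balancer addresses, compute the smallest CIDR block they imply and flag any unpublished origin that falls inside it. The addresses are constructed from RFC 5737 documentation ranges and the function names are my own.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation ranges, not real hosts):
# the published load-balancer addresses and two candidate origin placements.
PUBLISHED_LBS = [f"203.0.113.{host}" for host in range(20, 61)]
CANDIDATE_ORIGINS = ["203.0.113.61", "198.51.100.7"]


def enclosing_block(addresses):
    """Smallest CIDR block containing every address in `addresses`.

    Anyone assuming consecutively numbered allocations will treat this
    block as the search space for hosts you did not publish.
    """
    addrs = [ipaddress.ip_address(a) for a in addresses]
    block = ipaddress.ip_network(str(addrs[0]))   # start from a single-host network
    for addr in addrs[1:]:
        while addr not in block:                   # widen the prefix until it fits
            block = block.supernet()
    return block


def guessable_origins(published, origins):
    """Origins that sit inside the block implied by the published addresses."""
    block = enclosing_block(published)
    return [o for o in origins if ipaddress.ip_address(o) in block]


def guess_budget(published):
    """Unpublished addresses inside the block: the worst-case number of guesses."""
    block = enclosing_block(published)
    return block.num_addresses - len(set(published))


if __name__ == "__main__":
    block = enclosing_block(PUBLISHED_LBS)
    print(f"published addresses imply {block}; {guess_budget(PUBLISHED_LBS)} unpublished candidates")
    for origin in guessable_origins(PUBLISHED_LBS, CANDIDATE_ORIGINS):
        print(f"{origin} is inside {block}: give it an unrelated allocation or only a private link")
```

An origin that is flagged here is only as secret as the block numbering, which is exactly the situation described in the question.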
