Hide Real IP#
There are two main means of mitigating DDoS attacks: putting a high-defense (traffic-scrubbing) service in front of the site, and hiding the website's real IP address so that attackers cannot bypass that front and hit the origin directly.
There are four main methods to hide the real IP address:
- Put a reverse proxy or a CDN in front. Users reach the business host only through the proxy, which both hides the host and accelerates access. It is easy to deploy, so it is highly recommended for websites of all sizes.
- Set up a firewall so that only whitelisted IP addresses can reach the real host. Whether you run your own reverse proxy or use a CDN, you can generally obtain its list of egress IP addresses. Whitelist those ranges and block direct access from everything else; then even Internet-wide scanners such as zmap or host-scanning tools will see nothing on the real IP address.
- Avoid direct outbound connections from the real business host as far as possible. Consider user registration, account activation, password recovery and similar flows in which the business host sends email: if it sends via SMTP itself, the real IP address usually ends up in the mail headers (Received:). Likewise, if a user enters an image URL in a Markdown editor and the business host fetches it directly, the real IP address shows up in the target's logs. There are many such cases, so route outbound requests through a relay or a separate host and treat any new outbound behaviour with caution.
- Prevent subdomain leakage. If the main site is behind a CDN but the admin panel, or the MX record used for mail, resolves directly to the business host's IP address, the real IP address leaks in another form.
However, there are some details to note:
- If a CDN is used only domestically (DNS returns CDN addresses to domestic resolvers and the origin address elsewhere), resolving or pinging the domain from a foreign host reveals the real IP address.
- phpinfo pages, verbose error messages and other application bugs can print the server's own address and thereby leak the real IP address.
- If another host on the same internal network, or another virtual host on the same physical machine, is compromised, the real IP address can be discovered from there.
Since you do not want to expose the website's real IP address, put at least one layer of proxy in front of the real server. The following kinds of reverse proxy are commonly used on the front line:
- CDN: Content Delivery Network, provides services to users nearby, accelerating access.
- High Defense IP: High-defense IP is generally located on high-bandwidth backbone network nodes and is used to clean DDoS traffic.
- SLB: Load Balancer, used for high-traffic and busy websites. Common SLBs include LVS, F5, etc.
These three reverse proxies have different main functions, and with proper configuration, they can all hide the real IP address of the server. For ordinary websites, using a CDN or high defense is sufficient. SLBs are only used when there is a large amount of traffic.
Below, we will introduce the operations to hide the real IP address of a website when using a reverse proxy.
Firewall#
Using a firewall is the simplest method: whitelist the reverse proxy's egress IP addresses (the addresses it connects to the origin from) and block requests from all other IP addresses.
For example, with Cloudflare's free CDN service, the published egress IP ranges can be obtained from https://www.cloudflare.com/zh-cn/ips/. Add them to the whitelist and block everything else:
```shell
# Put cf IP addresses (IPv4 and IPv6 ranges, one per line) in cf_ips.txt
# First, add cf's IP addresses to the whitelist. Note that the trusted zone accepts
# all traffic from these sources, not only http/https; use a dedicated zone if you
# want to limit the CDN ranges to the web ports.
while read -r line
do
    firewall-cmd --permanent --zone=trusted --add-source="$line"
done < cf_ips.txt
# Then, remove http and https from the default zone so other IP addresses cannot reach them
firewall-cmd --permanent --remove-service=http
firewall-cmd --permanent --remove-service=https
# --permanent rules survive reboots but only take effect after a reload
firewall-cmd --reload
```
After these settings, Cloudflare's IP addresses can access the website normally, while other IP addresses cannot directly access the website's real IP address. This effectively hides the real IP address.
This method is simple to set up and suits a server hosting a single site. When a server hosts several websites and some of them must remain directly reachable from the public Internet, the firewall approach is too coarse: it filters by port, not by site, so it cannot be used.
The same effect can be achieved per site with Nginx's allow/deny directives.
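As an added example (not from the original article), the following Python script shows the two checks that go with the whitelist approach: it renders a CDN IP list as Nginx allow/deny directives, and it scans access-log lines for requests whose client IP is outside the CDN ranges, since any such hit means the origin's real IP address is already known to someone. The CDN ranges and log lines are constructed stand-ins (documentation address space); replace them with the list downloaded from your CDN and your real access log.

```python
import ipaddress
import re

# Constructed stand-in for the CDN's published ranges (RFC 5737 / RFC 3849
# documentation space). In practice download the real list from the CDN,
# e.g. the Cloudflare IP pages, and refresh it regularly.
SAMPLE_CDN_RANGES = """\
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
# comments and blank lines are tolerated

"""

# Constructed nginx-style access log lines: two arrive via the CDN ranges
# above, one (203.0.113.9) hits the origin directly.
SAMPLE_LOG = """\
192.0.2.17 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "GET /wp-login.php HTTP/1.1" 200 3124
2001:db8:1::5 - - [10/Oct/2023:13:56:02 +0000] "GET /index.html HTTP/1.1" 304 0
"""


def load_ranges(text):
    """Parse one CIDR per line (IPv4 or IPv6), ignoring comments and blanks."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_cdn_ip(ip, nets):
    """True if the address falls inside any CDN range (family-aware)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_direct_hits(log_text, nets):
    """Return client IPs in the log that did not come through the CDN.
    Any such hit means the origin IP is already exposed."""
    hits = []
    for line in log_text.splitlines():
        match = re.match(r"^(\S+) ", line)
        if match and not is_cdn_ip(match.group(1), nets):
            hits.append(match.group(1))
    return hits


def nginx_allowlist(nets):
    """Render the whitelist as Nginx allow/deny directives (the per-site
    alternative to the firewall rules): one allow per range, then deny all."""
    lines = [f"allow {net.with_prefixlen};" for net in nets]
    lines.append("deny all;")
    return "\n".join(lines)


if __name__ == "__main__":
    ranges = load_ranges(SAMPLE_CDN_RANGES)
    print(nginx_allowlist(ranges))
    print("direct hits:", find_direct_hits(SAMPLE_LOG, ranges))
```

One caveat for the Nginx route: if the site uses `set_real_ip_from`/`real_ip_header` to restore the visitor's address from a CDN header, allow/deny then evaluates the visitor's IP rather than the CDN's, so either apply the whitelist without real-IP restoration or keep it in the firewall.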
IPv6#
For users who are not familiar with firewalls and networks, hiding the website's real IP address by making it IPv6-only is an option. The steps are as follows:
- Find a server with an IPv6 address, preferably a NAT VPS with IPv6 only. IPv6 addresses are becoming common and many providers offer them for free, for example Alibaba Cloud, Vultr, Linode and CloudCone; some even provide more than one IPv6 address.
- Make the website listen only on IPv6. Taking Nginx as an example, the site configuration looks like this:

    ```nginx
    server {
        listen [::]:80;
        server_name hostname;  # change this to your own hostname
        return 301 https://hostname$request_uri;
    }
    server {
        listen [::]:443 ssl http2;
        server_name hostname;
        ssl_certificate certificate_path;
        ssl_certificate_key ssl_key_path;
        # other settings
    }
    ```

- Use a CDN that supports IPv6-only origins, such as Cloudflare: create an AAAA record for the site pointing at the server's IPv6 address and enable the CDN proxy on it (search for provider-specific instructions).
After these three steps, the real IP address is unlikely to be leaked for the following reasons:
- In most cases people look for an IPv4 address by default and do not consider that your website may not exist on the IPv4 Internet at all.
- Compared with IPv4, the IPv6 address space is vast. Tools such as zmap can scan the whole IPv4 address space in about an hour on a gigabit link, and search engines such as Shodan index it continuously, but neither can enumerate IPv6 that way, so a single address in that space is very hard to find (unless it leaks through one of the routes described above).
If you still want more assurance, add a firewall as well, so that even someone who learns the IPv6 address cannot reach the site directly:
```shell
# First, add cf's IP addresses to the whitelist (cf_ips.txt must include the
# CDN's IPv6 ranges; the trusted zone accepts all traffic from these sources)
while read -r line
do
    firewall-cmd --permanent --zone=trusted --add-source="$line"
done < cf_ips.txt
# Then, drop IPv6 traffic from every other address. Caution: on an IPv6-only host
# this also drops your own SSH sessions, so whitelist your management address
# first, or limit the rule to the web ports (service name='http' / 'https').
firewall-cmd --permanent --add-rich-rule="rule family='ipv6' source address='::/0' drop"
firewall-cmd --reload
```
This method is also simple to set up and is a clever solution. It allows hosting multiple websites on a single server, and other websites can be directly exposed without being affected.
CNAME#
Another common method of hiding the real IP address is to use a CNAME for the origin, which does not require a firewall. The steps are as follows:
- Have the CDN reach the origin by CNAME rather than by IP address. For example, itlanyan.com is served by the CDN, and the CDN fetches content from the origin host www.abcdexfd.com, which is what resolves to the real IP address. The front-end domain and the origin domain should preferably not share a parent domain (do not make the origin a subdomain of itlanyan.com), otherwise subdomain brute-forcing against the public domain can turn up the origin record and with it the real IP address.
- Configure a default site on the origin server so the real site cannot be confirmed by the Host or SNI method: an attacker who suspects an IP address sends a request to it with Host: itlanyan.com (or a TLS ClientHello with that SNI) and checks whether your site answers. The real site's server_name must therefore be only the origin domain, and any other Host name or SNI must fall through to a default server that serves nothing of yours. Since the default site exists only to swallow such probes, a self-signed certificate is sufficient.
```shell
# Generate a key
openssl genrsa -out example.key 2048
# Generate a self-signed certificate, during which you need to provide some information
openssl req -new -x509 -days 3650 -key example.key -out example.pem
```
Then, taking Nginx as an example, set up the default site:
```nginx
# default_server makes these blocks the catch-all for any Host name (or SNI) that
# does not match a configured site, so probes with Host: <public domain> never
# reach the real site. Note that default_server is a parameter of listen, not a
# server_name value.
server {
    listen 80 default_server;
    server_name example.com;
    return 301 https://example.com$request_uri;
}
server {
    listen 443 ssl http2 default_server;
    server_name example.com;
    ssl_certificate example.pem;
    ssl_certificate_key example.key;
    return 444;  # close the connection without sending a response
}
```
Finally, test the configuration with nginx -t and reload Nginx.
This method does not require setting up a firewall and is relatively simple to set up, but it requires an additional domain.
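To verify the default-site configuration, the following Python script is added here as an example (it is not part of the original article): it probes a candidate origin IP address with chosen Host headers, the way an attacker confirming a suspected IP would, and reports which host names the origin actually serves. So that it runs offline, it starts a local stand-in for the origin whose behaviour is constructed: a virtual host for www.abcdexfd.com plus a catch-all that redirects to https://example.com, mirroring the Nginx configuration above. Against a real server, call probe_host() with that server's address and port instead. The domain names are the ones used in the text.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

ORIGIN_DOMAIN = "www.abcdexfd.com"  # the CDN's CNAME target, from the text
PUBLIC_DOMAIN = "itlanyan.com"      # the domain users type, from the text


class FakeOrigin(BaseHTTPRequestHandler):
    """Constructed stand-in for the origin's Nginx: a real vhost that answers
    only for ORIGIN_DOMAIN, and a default site that redirects everything else,
    like the default_server block in the text."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        if host == ORIGIN_DOMAIN:
            body = b"real site content"
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(301)
            self.send_header("Location", "https://example.com" + self.path)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_fake_origin():
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeOrigin)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def probe_host(ip, port, host, timeout=3):
    """Send GET / to a candidate origin with an arbitrary Host header.
    Returns (status, location): 200 means the origin served that site name."""
    conn = http.client.HTTPConnection(ip, port, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_origin(ip, port, hosts):
    """Map each host name to the status the origin returns for it."""
    return {h: probe_host(ip, port, h)[0] for h in hosts}


def demo():
    """Run the probes against the local stand-in and return the results."""
    server, port = start_fake_origin()
    try:
        return check_origin("127.0.0.1", port,
                            [PUBLIC_DOMAIN, ORIGIN_DOMAIN, "unknown.example"])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for host, status in demo().items():
        verdict = "LEAK: site served" if status == 200 else "ok: default site"
        print(f"Host: {host:<22} -> {status} {verdict}")
```

The result shows the point of the CNAME method: a probe with the public domain gets only the default site, while a probe with the origin domain gets the real site, which is why that domain must be unrelated to the public one and hard to guess. The same check over TLS uses SNI: openssl s_client -connect IP:443 -servername itlanyan.com shows which certificate the origin presents, and with the default site in place it should be the self-signed one.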
Notes#
The operations above only stop others from reaching the real server directly. Please also read the recommendations under "Hide Real IP" carefully to prevent implicit exposure through actions such as sending emails or WordPress pingbacks.
What to Do in the Event of a DDoS Attack?#
If the domain has never been used before (so no historical DNS record points at the server), applying the methods above from the start can essentially ensure that the website's real IP address is never leaked.
However, not leaking the real IP address does not mean the site will not be hit by DDoS or CC (HTTP flood) attacks against the front end. In the event of an attack, there are several options:
- Invest in a high-defense service and move the traffic behind it.
- Point the domain's DNS at 127.0.0.1, which sinks the attack traffic but also takes the site offline.
- Shut down the server until the attack subsides.
Please take appropriate measures based on the actual situation and business requirements.