New Magento WAF Rule – RCE Vulnerability Protection

Today the Magento Security Team created a new ModSecurity rule and added it to our WAF rules to mitigate an important RCE (remote code execution) vulnerability in the Magento web e-commerce platform. Any customer using the WAF needs to click the ON button next to the “CloudFlare Magento” Group in the WAF Settings to enable protection immediately.

Both Magento version 1.9.1.0 CE and 1.14.1.0 EE are compromised by this vulnerability. CloudFlare WAF protection can help mitigate vulnerabilities like this, but it is vital that Magento users patch Magento immediately. Select and download the patch for SUPEE-5344.

Of Phishing Attacks and WordPress 0days

Proxying around 5% of the Internet’s requests gives us an interesting vantage point from which to observe malicious behavior. It also make us a target. Aside from the many, varied denial of service attacks that break against our defenses we also see huge number of phishing campaigns. In this blog post I will dissect a recent phishing attack that we detected and neutralized with the help of our friends at Bluehost.

An attack that is particularly interesting as it appears to be using a brand new WordPress 0day.

A Day Out Phishing

The first sign we typically see that shows a new phishing campaign is underway are the phishing emails themselves. There's general a constant background noise of a few of these emails targeting individual customers every day. However when a larger campaign starts up, typically that trickle turns into a flood of very similar messages.

Messages like this one:
Note — We will never send you an email like this. If you see one, its fake and should be reported to our abuse team by forwarding it to [email protected].

In terms of the phishing campaign timeline, these emails aren’t the first event. Much like a spider looking to Continue reading

Contributing back to the security community

This Friday at the RSA Conference in San Francisco, along with Marc Rogers, Principal Security Researcher at CloudFlare, I'm speaking about a version of The Grugq's PORTAL, an open source network security device designed to make life easier and safer for anyone traveling, especially internationally, with phones, tablets, laptops, and other network-connected devices.

Portal uses open-source software and services to take inexpensive, commodity travel routers and turn them into powerful security devices. Since this is pretty far from CloudFlare's core business, it warrants a brief digression into why we support projects like this.

Computer security was for a very long time only of interest to hobbyists, academics, and obscure government agencies. Cryptography was an interesting offshoot of number theory, a foundational but very abstract part of mathematics, and many of the early infrastructure components of the Internet didn't include security at all -- there was an assumption that anyone who could gain access would be responsible and well-intentioned, a consequence of the academic origins; after all, why would they want to break or steal things which were freely available.

Before the "cambrian explosion" of commercial computer security, there was still a lot of great security research -- it Continue reading

Oceania Redundancy: Auckland and Melbourne data centers now online

The genesis of our 33rd and 34th data centers in Auckland and Melbourne started a short hop away in nearby Sydney. Prior to these deployments traffic from all of New Zealand and Australia's collective 23 million Internet users was routed through CloudFlare's Sydney data center. Even for those in faraway Perth, the time necessary to reach our Sydney PoP was a mere 55ms of round trip time (RTT). By comparison, the blink of an eye takes 300-400ms. In other words, latency wasn't exactly the pressing concern. The real concern was a failure scenario in our Sydney data center.

Fortunately, our entire architecture starts with an assumption: failure is going to happen. As a result, we plan for failure at every level and have designed a system to gracefully handle it when it occurs. Even though we now maintain multiple layers of redundancy—from power supplies and power circuits to line cards, routing engines and network providers—our ultimate level of redundancy is in the ability to fail out an entire data center in favor of another. In the past we've even written about how this might even play out in the case of a global thermonuclear war. In this instance, the challenge Continue reading

Protection against critical Windows vulnerability (CVE-2015-1635)

A few hours ago, more details surfaced about the MS15-034 vulnerability. Simple PoC code has been widely published that will hang a Windows web server if sent a request with an HTTP Range header containing large byte offsets.

We have rolled out a WAF rule that blocks these requests.

Customers on a paid plan and who have the WAF enabled are automatically protected against this problem. It is highly recommended that you upgrade your IIS and your Windows servers as soon as possible; in the meantime any requests coming into CloudFlare that try and exploit this DoS/RCE will be blocked.

CloudFlare is now a Google Cloud Platform Technology Partner

We’re excited to announce that CloudFlare has just been named a Google Cloud Platform Technology Partner. So what does this mean? Now, Google Cloud Platform customers can experience the best of both worlds—the power and protection of the CloudFlare community along with the flexibility and scalability of Google’s infrastructure.

We share many mutual customers with Google, and this collaboration makes it even easier for Google Cloud Platform customers to get started with CloudFlare.

How does it work?

When CloudFlare is enabled, Google Cloud Platform customers have their infrastructure extended directly to the network edge, giving them faster content delivery as well as heightened optimization and security.

Benefits Include:

• 2x Web Performance Speed - CloudFlare uses advanced caching and the SPDY protocol to double web content transfer speeds, making web content transfer times significantly faster.

• Datacenters at Your Customer’s Doorstep - CloudFlare’s global edge network caches static files close to their destination, meaning that content always loads fast no matter where customers are located. Also, CloudFlare peers with Google in strategic locations globally, improving response times for Google Cloud Platform services.

• Protection Against DDoS and SQL Injection Attacks - Because CloudFlare sits on the edge, customers are protected from malicious traffic Continue reading

The oldest trick in the ASCII book

If you're old enough (or interested enough) to have spent a lot of time messing around with the ASCII table then you might have run into a strange fact: it's possible to uppercase ASCII text using just bitwise AND.

And it turns out that in some situations this isn't just a curiosity, but actually useful. Here are the ASCII characters 0x20 (space) to 0x7E (tilde).

     0123456789ABCDEF0123456789ABCDEF
    +--------------------------------
0x20| !"#$%&'()*+,-./0123456789:;<=>?
0x40|@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_
0x60|`abcdefghijklmnopqrstuvwxyz{|}~

It's immediately obvious that each lowercase letter has an ASCII code 0x20 more than the corresponding uppercase letter. For example, lowercase m is 0x6D and uppercase M is 0x4D. And since 0x20 is a single bit then it's possible to uppercase an ASCII letter by taking its code and applying AND 0xDF (masking out the 0x20 bit).

Performing AND 0xDF has no effect on the first two rows above: they, including the uppercase letters, are unchanged. Only the third row is affected. There the lowercase letters get uppercased but there's some collateral damage: ` { | } ~ change to @ [ ] ^.

But if you know that a string has a limited character set then this trick can come in handy. Lots of old protocols Continue reading

Scaling out PostgreSQL for CloudFlare Analytics using CitusDB

When I joined CloudFlare about 18 months ago, we had just started to build out our new Data Platform. At that point, the log processing and analytics pipeline built in the early days of the company had reached its limits. This was due to the rapidly increasing log volume from our Edge Platform where we’ve had to deal with traffic growth in excess of 400% annually.

Our log processing pipeline started out like most everybody else’s: compressed log files shipped to a central location for aggregation by a motley collection of Perl scripts and C++ programs with a single PostgreSQL instance to store the aggregated data. Since then, CloudFlare has grown to serve millions of requests per second for millions of sites. Apart from the hundreds of terabytes of log data that has to be aggregated every day, we also face some unique challenges in providing detailed analytics for each of the millions of sites on CloudFlare.

For the next iteration of our Customer Analytics application, we wanted to get something up and running quickly, try out Kafka, write the aggregation application in Go, and see what could be done to scale out our trusty go-to database, PostgreSQL, from a Continue reading

CloudFlare’s Buenos Aires data center now online

Che, ya estamos en Argentina! It is con placer that we announce our 32nd data center in Buenos Aires, Argentina. Our Buenos Aires data center is our 5th in Latin America following deployments in Santiago, São Paulo, Medellin, and Lima. As of this moment, CloudFlare is now mere milliseconds away from nearly all of Latin America's 300 million Internet users.

Argentina may be better known as the land of bife and malbec, but it is also home to a thriving tech community, including several well known start-up accelerators such as Startup Buenos Aires, Wayra and NXTP Labs (a CloudFlare customer!). At CloudFlare, we know a thing or two about the challenges of building a technology company, and we're proud to support the fast delivery of Internet applications for users in Argentina, as well as those who create them.

Don't cry for me Argentina

Although not commonly known, the title of the famous song from the musical Evita originates from an epitaph on a plaque honoring Evita Peron, and roughly translates as: "Don't cry for me Argentina, I remain quite near to you." Unfortunately, when it comes to the Internet, there is plenty of Continue reading

Improving compression with a preset DEFLATE dictionary

A few years ago Google made a proposal for a new HTTP compression method, called SDCH (SanDwiCH). The idea behind the method is to create a dictionary of long strings that appear throughout many pages of the same domain (or popular search results). The compression is then simply searching for the appearance of the long strings in a dictionary and replacing them with references to the aforementioned dictionary. Afterwards the output is further compressed with DEFLATE.

CC BY SA 2.0 image by Quinn Dombrowski

With the right dictionary for the right page the savings can be spectacular, even 70% smaller than gzip alone. In theory, a whole file can be replaced by a single token.

The drawbacks of the method are twofold: first - the dictionary that is created is fairly large and must be distributed as a separate file, in fact the dictionary is often larger than the individual pages it compresses; second - the dictionary is usually absolutely useless for another set of pages.

For large domains that are visited repeatedly the advantage is huge: at a cost of single dictionary download, all the following page views can be compressed with much higher efficiency. Currently we aware Continue reading

A Go Gotcha: When Closures and Goroutines Collide

Here's a small Go gotcha that it's easy to fall into when using goroutines and closures. Here's a simple program that prints out the numbers 0 to 9:

(You can play with this in the Go Playground here)

package main

import "fmt"

func main() {  
    for i := 0; i < 10; i++ {
        fmt.Printf("%d ", i)
    }
}

It's output is easy to predict:

0 1 2 3 4 5 6 7 8 9  

If you decided that it would be nice to run those fmt.Printfs concurrently using goroutines you might be surprised by the result. Here's a version of the code that runs each fmt.Printf in its own goroutine and uses a sync.WaitGroup to wait for the goroutines to terminate.

package main

import (  
    "fmt"
    "runtime"
    "sync"
)

func main() {  
    runtime.GOMAXPROCS(runtime.NumCPU())

    var wg sync.WaitGroup
    for i := 0; i < 10; i++ {
        wg.Add(1)
        go func() {
            fmt.Printf("%d ", i)
            wg.Done()
        }()
    }

    wg.Wait()
}

(This code is in the Go Playground here). If you're thinking concurrently then you'll likely predict that the output will be the numbers 0 to 9 in some Continue reading

Integrating our Integrations: Getting WHMCS and cPanel Talking

CloudFlare provides integrations for several of the most popular hosting control panels and billing systems such as WHMCS, cPanel, and Plesk. Each of these integrations provide a simple interface for our partners’ customers to sign-up for CloudFlare and start adding domains almost immediately.

But what about partners that use more than one system? The best experience occurs when we can get our integrations talking to each other, as our recently updated WHMCS and cPanel plugins do.

Integration Basics

All of our hosting integrations speak directly to CloudFlare through our host API. With just a single click, the integration passes the necessary information for CloudFlare to create an account and provision the domain. We respond when the provisioning completes, and the integration finishes the setup by making the necessary changes locally (adding and adjusting several DNS records) to route traffic to the domain through CloudFlare.

This makes signing up through a hosting partner integration even easier than signing up directly with CloudFlare. These proven systems make DNS changes accurately in order to save a lot of headaches.

Where do I integrate CloudFlare?

Many hosting companies expose two different applications to their customers: a billing system and a hosting control panel. The Continue reading

OpenSSL Security Advisory of 19 March 2015

Today there were multiple vulnerabilities released in OpenSSL, a cryptographic library used by CloudFlare (and most sites on the Internet). There has been advance notice that an announcement would be forthcoming, although the contents of the vulnerabilities were kept closely controlled and shared only with major operating system vendors until this notice.

Based on our analysis of the vulnerabilities and how CloudFlare uses the OpenSSL library, this batch of vulnerabilties primarily affects CloudFlare as a "Denial of Service" possibility (it can cause CloudFlare's proxy servers to crash), rather than as an information disclosure vulnerability. Customer traffic and customer SSL keys continue to be protected.

As is good security practice, we have quickly tested the patched version and begun a push to our production environment, to be completed within the hour. We encourage all customers to upgrade to the latest patched versions of OpenSSL on their own servers, particularly if they are using the 1.0.2 branch of the OpenSSL library.

The individual vulnerabilities included in this announcement are:

• OpenSSL 1.0.2 ClientHello sigalgs DoS (CVE-2015-0291)
• Reclassified: RSA silently downgrades to EXPORT_RSA [Client] (CVE-2015-0204)
• Multiblock corrupted pointer (CVE-2015-0290)
• Segmentation fault in DTLSv1_listen (CVE-2015-0207)
• Segmentation fault in ASN1TYPE Continue reading

Analysis: CloudFlare Keyless SSL Scales Down Internet Connections

Providing a web application on the Internet can be a risky business. DDOS attacks are commonly exceeding 40 Gigabits per second of data, crackers are web crawling the Internet looking for vulnerabilities and much more. As a result, the data centre Internet connection is scaled for a worst case scenario and not for customer need. […]

The post Analysis: CloudFlare Keyless SSL Scales Down Internet Connections appeared first on EtherealMind.

Announcing Virtual DNS: DDoS Mitigation and Global Distribution for DNS Traffic

It’s 9am and CloudFlare has already mitigated three billion malicious requests for our customers today. Six out of every one hundred requests we see is malicious, and increasingly, more of that is targeting DNS nameservers.

DNS is the phone book of the Internet and fundamental to the usability of the web, but is also a serious weak link in Internet security. One of the ways CloudFlare is trying to make DNS more secure is by implementing DNSSEC, cryptographic authentication for DNS responses. Another way is Virtual DNS, the authoritative DNS proxy service we are introducing today.

Virtual DNS provides CloudFlare’s DDoS mitigation and global distribution to DNS nameservers. DNS operators need performant, resilient infrastructure, and we are offering ours, the fastest of any providers, to any organization’s DNS servers.

Many organizations have legacy DNS infrastructure that is difficult to change. The hosting industry is a key example of this. A host may have given thousands of clients a set of nameservers but now realize that they don't have the performance or defensibility that their clients need.

Virtual DNS means that the host can get the benefits of a global, modern DNS infrastructure without having to contact every customer Continue reading

Deprecating the DNS ANY meta-query type

DNS, one of the oldest technologies running the Internet, keeps evolving. There is a constant stream of new developments, from DNSSEC, through DNS-over-TLS, to a plentiful supply of fresh EDNS extensions.

New DNS Resource Records types are being added all the time. As the Internet evolves, new RR’s gain traction while the usage of some old record types decreases. Did you know you can use DNS to express the location of your server on the planet's surface?

Today, we are announcing that we are deprecating the DNS ANY meta-query. In a few weeks we'll be responding to those queries with rcode 4 / Not Implemented.

“ANY” is one of the special “magic” types in DNS. Instead of being a query for a single type like A , AAAA or MX, ANY retrieves all the available types for a given name. Over the years there have been many arguments over the semantics of ANY with some people arguing it really means ALL. Answers to ANY queries are among the biggest that DNS servers give out. The original reason for adding the ANY to DNS was to aid in debugging and testing Continue reading

Unser neuer 31er Datacenter: Düsseldorf

Hallo Düsseldorf. Nestled in the center of the Lower Rhine basin lies the bustling city of Düsseldorf, capital of Germany’s most populous state, Northern Rhine-Westphalia. Provided its status as an international business and telecommunications hub, and serving a population larger than the Netherlands, our data center in Düsseldorf is an important addition to our European network. This means not only better performance in Germany and Northern Europe, but additional redundancy for our 10 other data centers throughout Europe, including our first German data center in Frankfurt.

For the local audience: Liebe Freunde in Düsseldorf, euer Internetanschluss ist schneller geworden und ihr könnt jetzt sicher surfen. Viel Spaß.

Not just any data center

Our Düsseldorf data center holds a special place in the heart of our legal counsel Ken Carter. When he’s not helping to build a better Internet, he is likely to be found regaling the office with tales of his adventures in the quaint medieval town of Bad Honnef am Rhein, just south of our new data center. Ban Honnef, most famously known as the world-wide headquarters for Birkenstock, can now add one more tale of note. Equidistant between Frankfurt and Dusseldorf, it is Continue reading

No upgrade needed: CloudFlare sites already protected from FREAK

The newly announced FREAK vulnerability is not a concern for CloudFlare's SSL customers. We do not support 'export grade' cryptography (which, by its nature, is weak) and we upgraded to the non-vulnerable version of OpenSSL the day it was released in early January.

CC BY 2.0 image by Stuart Heath

Our OpenSSL configuration is freely available on our Github account here as are our patches to OpenSSL 1.0.2.

We strive to stay on top of vulnerabilities as they are announced; in this case no action was necessary as we were already protected by decisions to eliminate cipher suites and upgrade software.

We are also pro-active about disabling protocols and ciphers that are outdated (such as SSLv3, RC4) and keep up to date with the latest and most secure ciphers (such as ChaCha-Poly, forward secrecy and elliptic curves).

Protecting web origins with Authenticated Origin Pulls

As we have been discussing this week, securing the connection between CloudFlare and the origin server is arguably just as important as securing the connection between end users and CloudFlare. The origin certificate authority we announced this week will help CloudFlare verify that it is talking to the correct origin server. But what about verification in the opposite direction? How can the origin verify that the client talking to it is actually CloudFlare?

TLS Client Authentication

TLS (the modern version of SSL) allows a client to verify the identity of the server it is talking to. Normally, a TLS handshake is one-way, that is, the client is able to verify the server's identity, but the server is not able to verify the client's identity. What about when both sides need to verify each other's identity?

Enter TLS Client Authentication. In a client authenticated TLS handshake both sides provide a certificate to be verified. If the origin server is configured to only accept requests which use a valid client certificate from CloudFlare, requests which have not passed through CloudFlare will be dropped (as they will not have our certificate). This means that attackers cannot circumvent CloudFlare features such as our WAF Continue reading

Thoughts on Network Neutrality, the FCC, and the Future of Internet Governance

Today the United States Federal Communications Commission (FCC) voted to extend the rules that previously regulated the telephone industry to now regulate Internet Service Providers (ISPs). The Commission did this in order to preserve the principle of network neutrality. Broadly stated, this principle is that networks should not discriminate against content that passes through them.

At CloudFlare, we are strong proponents of network neutrality. My co-founder, Michelle Zatlyn, sat on the FCC's Open Internet Advisory Committee. The work of that committee played a role in guiding today's vote. So there is a large part of us that is celebrating today.

At the same time, I have deep concerns that proponents of a free and open Internet may look back on today not as a great victory, but as the first step in what may turn out to be a devastating loss. The Internet has largely been governed from the bottom up by technologists seeking rough consensus and running code. Today's action by the FCC may mark the beginning of a new era where the Internet is regulated by lawyers from the top down. As a technologist and recovering lawyer, that worries me.

The Threat to the Network

If you think Continue reading