How to bypass Threat Manager's IP blacklisting

Published on 04/08/2018

Threat Manager is an Intrusion Detection System created by Alert Logic. Alert Logic likes to partner up with hosting companies who are responsible for installation and maintenance of these appliances.

How I found it

I was reviewing Threat Manager's incident logs and I stumbled across a couple of logs where attackers were bypassing Threat Manager's IP blacklisting.

I gathered the payloads, analysed them and tested this bypass to confirm if it works - and it did. My IP address wasn't blacklisted by the IDS, which means I was able to continue attacking the target. To my knowledge the IDS was fully up to date and there were no pending updates.

How to use it

To avoid getting yourself blacklisted by Threat Manager, you need to pass two extra HTTP headers with your request, X-Real-IP and X-Forwarded-For, and set both of them to any IP address you like. The presence of these two HTTP headers tricks the IDS into treating you as a proxy server, so instead of blacklisting your IP address, it blacklists the IP address that you supply in these two headers!

Note: this is Threat Manager's default behaviour!

This is how the IP addresses will appear on the incident log:

ID: <incident ID here>
Source: x.x.x.x (IP address from X-Real-IP and X-Forwarded-For headers)
Destination: x.x.x.x (the target's private IP address, e.g. a web server)
Proxy: x.x.x.x (attacker's public IP address)

How to fix it

You can fix this behaviour by changing Threat Manager's settings to ignore the HTTP headers and blacklist the attacker's public IP address. I was told by the hosting company's Network Security Engineer that "there is a chance of blocking all requests that may be using a legitimate proxy, such as CDN. Most customers block based on the HTTP header, but you will have to decide what works best for your environment".
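One way to get the best of both options above, as an added example that is not Threat Manager's own code or configuration: consult X-Forwarded-For only when the connecting address belongs to a known proxy (CDN or load balancer), and then walk the chain from the nearest hop backwards so a spoofed value at the front of the chain is never the one blocked. The trusted ranges are constructed placeholders for this example.

```python
import ipaddress

# Constructed ranges standing in for the CDN and load-balancer addresses that are
# legitimately allowed to forward traffic for this environment (assumption).
TRUSTED_PROXIES = [
    ipaddress.ip_network("203.0.113.0/24"),  # e.g. a CDN edge range
    ipaddress.ip_network("10.0.0.0/8"),      # internal load balancers
]


def is_trusted_proxy(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PROXIES)


def ip_to_block(peer_ip: str, x_forwarded_for: str = "") -> tuple:
    """Return (ip, reason): the address the IDS should blacklist for a request.

    peer_ip is the address seen on the TCP connection. X-Forwarded-For is only
    consulted when peer_ip is a trusted proxy; otherwise anyone could name an
    arbitrary address in the header and have that address blocked instead.
    X-Real-IP carries a single value with no hop chain, so it cannot be
    validated this way and is deliberately not used for blocking decisions.
    """
    if not is_trusted_proxy(peer_ip):
        # Direct connection: the headers are client-controlled, ignore them.
        return peer_ip, "peer-not-trusted"

    # A trusted proxy is in front of us: walk the chain from the hop it
    # appended backwards, skipping other trusted proxies, and stop at the
    # first address that is not one of ours.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # A malformed hop was inserted upstream of our proxies; nothing to
            # the left of it is trustworthy, so fall back to the connection.
            return peer_ip, "malformed-chain"
        if not is_trusted_proxy(hop):
            return hop, "first-untrusted-hop"

    # Empty chain, or a chain made only of our own proxies.
    return peer_ip, "no-client-hop"
```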

Does it work anywhere else?

I'd be interested to know how other IDS providers, commercial or open source, behave when X-Real-IP and X-Forwarded-For headers are passed through with a request. If you know, please let me know via Twitter.