Attempts to Bypass CDNs, (Wed, Dec 3rd)
The article discusses protecting web applications against DDoS attacks and malicious bots with a CDN, and the limitations of that approach. While a CDN can effectively filter attack traffic and hide the real server IP, attackers may still bypass the protection by identifying the real IP or by forging CDN-related request headers. Recently, several CDN-related request headers were detected being used in attempts to defeat these security measures, including Cf-Warp-Tag-Id and X-Fastly-Request-Id, which suggests that defenses need to be hardened against this kind of threat. 2025-12-3 19:31:22 Author: isc.sans.edu

Currently, in order to provide basic DDoS protection and filter aggressive bots, some form of Content Delivery Network (CDN) is usually the simplest and most cost-effective way to protect a web application. In a typical setup, DNS is used to point clients to the CDN, and the CDN will then forward the request to the actual web server. There are a number of companies offering services like this, and cloud providers will usually have solutions like this as well.

However, this setup comes with a significant weakness: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly. There are a few ways to prevent this. Depending on the CDN selected, it may be possible to allow access only from the CDN's IP address space. However, for some of the larger providers, this list of addresses may be large and very dynamic. Another option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that passed through the CDN. A less secure (lazier?) option is to look for any header that identifies the CDN. This last option should be avoided, as attackers can easily include this header.

In recent days, our honeypots detected an uptick of requests that included these CDN-related headers, indicating that attackers may attempt to bypass this protection. For example:

Cf-Warp-Tag-Id

This header started showing up yesterday and is associated with Cloudflare's "Warp" VPN service. The scans do include a random-looking value; the attackers may be counting on the value not being verified, or the requests may actually have gone through the Cloudflare Warp VPN to obfuscate their source.

X-Fastly-Request-Id

As the name implies, this header is associated with the Fastly CDN. It started showing up in our data on November 20th.

X-Akamai-Transformed

A header added by Akamai. It also started showing up on November 20th (as did the remaining headers).

X-T0Ken-Inf0

Not sure what this header is used for (any ideas? Let me know). It looks like it could contain some form of authentication token, but the "l33t spelling" is odd.

x-sfdc-request-id
x-sfdc-lds-endpoints

These headers are used by Salesforce to track requests.

Around the same time, we also started seeing a lot of headers starting with the string "Xiao9-", but I have no idea what they are used for. If anybody has any ideas, please let me know :)
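The origin-side check the diary recommends (trust only requests that arrive from the CDN's address space and carry the CDN-injected secret header, and never treat a header that merely names a CDN as proof), shown as an added example that is not part of the diary. The header name X-Origin-Auth, its secret value and the CDN egress ranges are constructed assumptions; in a real deployment they come from the CDN configuration and the provider's published address list.

```python
"""Origin-side CDN verification (added example, not from the diary)."""
import hmac
import ipaddress

# Constructed values: replace with the secret configured at the CDN and the
# provider's published egress ranges (which may be large and change often).
ORIGIN_SECRET = "constructed-secret-value-rotate-me"
CDN_EGRESS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Headers that merely *name* a CDN. The diary shows scanners adding these
# themselves, so their presence proves nothing and is never an allow signal.
CDN_NAME_HEADERS = {"cf-warp-tag-id", "x-fastly-request-id", "x-akamai-transformed"}


def from_cdn_range(client_ip: str) -> bool:
    """True if the TCP peer address lies inside a known CDN egress range."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in CDN_EGRESS)


def classify(client_ip: str, headers: dict) -> str:
    """Return 'allow', 'deny' or 'deny-spoofed' for a request hitting the origin.

    Allowed only when the peer is in a CDN range AND the secret header matches
    (constant-time compare, so a wrong guess leaks no timing information).
    A rejected request that carries a CDN-identifying header is labelled
    'deny-spoofed' so it can be alerted on: that is the bypass attempt the
    honeypot data shows.
    """
    h = {k.lower(): v for k, v in headers.items()}
    token = h.get("x-origin-auth", "")
    trusted = from_cdn_range(client_ip) and hmac.compare_digest(token, ORIGIN_SECRET)
    if trusted:
        return "allow"
    if CDN_NAME_HEADERS & h.keys():
        return "deny-spoofed"
    return "deny"


if __name__ == "__main__":
    # Constructed sample requests: a genuine CDN hop, a direct hit that only
    # spoofs a Fastly header, and a hit from inside the CDN range without the
    # secret (e.g. traffic relayed through an attacker-controlled CDN account).
    samples = [
        ("203.0.113.7", {"X-Origin-Auth": ORIGIN_SECRET, "X-Fastly-Request-Id": "abc"}),
        ("192.0.2.9", {"X-Fastly-Request-Id": "deadbeef"}),
        ("203.0.113.8", {"Cf-Warp-Tag-Id": "zzz"}),
    ]
    for ip, hdrs in samples:
        print(ip, classify(ip, hdrs))
```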

--
Johannes B. Ullrich, Ph.D., Dean of Research, SANS.edu


Source: https://isc.sans.edu/diary/rss/32532