In external and red team engagements, we often come across different forms of IP based blocking. This prevents things like password brute forcing, password spraying, API rate limiting, and other forms of IP blocking like web application firewalls (WAFs).
IP blocking has always been a simple and common way of blocking potentially malicious traffic to a website. The general method of IP based blocking is to monitor for a certain type of request or behavior, and when it is found, disable access for the IP that the request or behavior came from.
In this post, we walk through the need for and creation of a Burp Suite extension that we built in order to easily circumvent IP blocking.
Bypassing IP Based Blocking
Cloud resources can be used to change the source IP of an attacker in order to bypass IP based blocking and rate limiting. IP based blocking seems to be becoming less effective as cloud resources and services are becoming very cheap and easily available.
For example, if my IP had been blocked by a website, I could simply deploy an EC2 instance in AWS. Once the EC2 instance was deployed, I would then have a different IP address and be able to access that website again.
Real World Bypassing IP Blocking
In this article by Laxman Muthiyah, the author explains how he found a vulnerability in Instagram that allowed him to gain access to any Instagram account without consent permission. The article is a great example of the impact of using cloud resources to bypass IP based rate-limiting.
The article demonstrates being able to brute force a password reset verification PIN which otherwise would have been rate limited. This example also involved using many instances to achieve concurrent requests, but the concept of bypassing the rate-limiting is the same.
Rhino Security Labs’ Solution
Since we have faced this issue during engagements, we decided it would be helpful to have a tool that we could use to make many requests from different IPs in a short amount of time with minimal configuration and cloud infrastructure setup. This would allow us to perform password brute forcing and spraying against targets which attempt to block our IP as well as get around some rate-limiting.
IP Rotate Burp Extension
After some thought on the idea, we came up with a solution using AWS API Gateway and implemented it as a Burp Suite extension, which can be found here on our GitHub. With this extension enabled, any HTTP traffic you want to bypass IP based blocking can simply be routed through Burp Suite and each request will have a different source IP.
In addition, when using this extension, any tools within Burp Suite, such as Intruder and Repeater, will also have a different IP on each request.
AWS API Gateway
AWS API Gateway, as described by AWS, is “a fully managed service that makes it easy for developers to create, publish, maintain, monitor, and secure APIs at any scale. With a few clicks in the AWS Management Console, you can create REST and WebSocket APIs that act as a ‘front door’ for applications to access data, business logic, or functionality from your backend services.”
It is essentially a gateway that you can put in front of an application in order to target endpoints and functionality of that application. API Gateway also allows HTTP requests to simply be “proxied” through it which is the functionality this Burp extension uses. The request will be forwarded unmodified and the response will be returned. Each time the gateway makes a request to the target it will do so using an AWS IP.
Using AWS API Gateway to Rotate IPs
If you point the gateway to the target which you want to bypass IP blocking for and send all the traffic through the gateway, the IP will be cycled on each request using an IP from AWS. In addition to this, each region an API Gateway is started in will have a different IP range, meaning the more regions we spin up API Gateways in, the larger the pool of IPs to cycle through.
This basic concept is shown in the diagram below.
Burp Suite Extension
The Burp Suite extension that we created makes the setup and use of the configuration and API Gateway fairly simple. As a prerequisite to using the extension, you will need AWS keys that have full permissions to the API Gateway service and the Python Boto3 library installed.
Using the Extension
Once those are set up, you can add the extension to Burp Suite, fill in the fields as shown below, and select how many regions you would like to deploy.
Once you have enabled the extension, each request will now cycle through the AWS API Gateway endpoints in each region changing your source IP on each request to the target.
The screenshot below shows the difference between the extension being disabled and enabled.
It is important to note that each time the extension is “disabled”, it will delete all the API Gateways it started.
Currently, AWS API Gateway is available in the free tier at 1 million requests per month, costs beyond that will vary–check out their website for more details on pricing.
With cloud resources being so accessible, IP blocking and rate-limiting purely on source IP has become less effective. The goal of the Burp Suite extension we created is to help demonstrate that IP blocking may not always be the best solution and can often be bypassed using cloud resources. This extension also simplifies the setup and makes this easy.
For now, you can get the extension in our Github repo here. We are also currently working on getting the extension added into the Burp Suite BApp Store.