I have a setup where my web application runs on Amazon EC2 and the domain is hosted on Cloudflare. There is no load balancer of any kind in my infrastructure. However, when we ran a security scan with Qualys, the report showed us a severity 1 vulnerability, "Presence of a Load-Balancing Device Detected".
The good thing about the report is that it also mentions how to fix the issue. The following snippet is part of the report:
THREAT:
The service detected a load-balancing device in front of your Web servers. This information can provide an attacker with additional information about your network.
Different techniques were used to detect the presence of a load-balancing device, including HTTP header analysis and analysis of IP Time-To-Live (TTL) values, IP Identification (ID) values, and TCP Initial Sequence Numbers (ISN). The actual technique(s) responsible for the detection can be seen in the Result section.
The exact number of Web servers behind a load balancer is difficult to determine, so the number reported here may not be accurate. Furthermore, Netscape Enterprise Server Version 3.6 is known to display an erroneous "Date:" field in the HTTP header when the server receives a lot of requests. This makes it difficult for the service to determine if there is a load-balancing device present by analyzing the HTTP headers. Also, the result given by the analysis of IP ID and TCP ISN values may vary due to different network conditions when the scan was performed.
IMPACT:
By exploiting this vulnerability, an intruder could use this information in conjunction with other pieces of information to craft sophisticated attacks against your network.
Note also that if the Web servers behind the load balancer are not identical, the scan results for the HTTP vulnerabilities may vary from one scan to another.
SOLUTION:
To prevent the detection of the presence of a load-balancing device based on HTTP header analysis, you should use Network-Time-Protocol (NTP) to synchronize the clocks on all of your hosts (at least those in the DMZ).
To prevent detection by analyzing IP TTL values, IP ID values, and TCP ISN values, you may use hosts with a TCP/IP implementation that generates randomized numbers for these values. However, most operating systems available today do not come with such a TCP/IP implementation.
COMPLIANCE: Not Applicable
EXPLOITABILITY:
There is no exploitability information for this vulnerability.
ASSOCIATED MALWARE:
There is no malware information for this vulnerability.
RESULTS:
Number of web servers behind load balancer: 100 - based on HTTP headers
The problem with this report and its solution is that I have not set up any load balancer, so I cannot synchronize my server clocks (if there is no load balancer/host for me to set up NTP on, what should I synchronize it with?).
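The "based on HTTP headers" line in the RESULTS section refers to the Date header check the report describes: the scanner sends many requests, compares each response's Date header with its own receive time, and counts how many distinct clock offsets it sees; every distinct offset is taken to be a separate backend. The following is an added example that reproduces that heuristic over constructed samples (it is not Qualys' code, and the sample headers and the two-second tolerance are assumptions). It shows the two situations the report's SOLUTION section is about: several unsynchronized clocks produce several offsets and therefore a "load balancer" finding, while NTP-synchronized hosts collapse to a single offset. It also explains why a single EC2 instance can score as 100 servers: if the domain is proxied through Cloudflare, the scanner is talking to Cloudflare's edge hosts, and the Date headers it analyzes are theirs, not the origin's.

```python
"""Estimate the number of distinct backend clocks from HTTP Date headers.

This is the HTTP-header technique described in the scan report, re-implemented
as a small standalone check so you can verify a finding yourself (for example by
collecting a few dozen Date headers with curl -sI and feeding them in).
"""
from datetime import datetime
from email.utils import parsedate_to_datetime
from typing import List, Sequence, Tuple

# Each sample is (time the client received the response, the response's Date header).
Sample = Tuple[str, str]

# Constructed samples: three backends whose clocks differ by roughly 0 s, -45 s
# and +130 s from the client's clock, each answering a few of the requests.
SKEWED_SAMPLES: List[Sample] = [
    ("2024-05-01T12:00:00+00:00", "Wed, 01 May 2024 12:00:00 GMT"),
    ("2024-05-01T12:00:01+00:00", "Wed, 01 May 2024 11:59:16 GMT"),
    ("2024-05-01T12:00:02+00:00", "Wed, 01 May 2024 12:02:13 GMT"),
    ("2024-05-01T12:00:03+00:00", "Wed, 01 May 2024 12:00:02 GMT"),
    ("2024-05-01T12:00:04+00:00", "Wed, 01 May 2024 11:59:20 GMT"),
    ("2024-05-01T12:00:05+00:00", "Wed, 01 May 2024 12:02:15 GMT"),
    ("2024-05-01T12:00:06+00:00", "Wed, 01 May 2024 12:00:07 GMT"),
]

# Constructed samples: the same hosts after NTP synchronization. Offsets now
# differ only by the one-second resolution of the Date header.
SYNCED_SAMPLES: List[Sample] = [
    ("2024-05-01T12:00:00+00:00", "Wed, 01 May 2024 12:00:00 GMT"),
    ("2024-05-01T12:00:01+00:00", "Wed, 01 May 2024 12:00:02 GMT"),
    ("2024-05-01T12:00:02+00:00", "Wed, 01 May 2024 12:00:02 GMT"),
    ("2024-05-01T12:00:03+00:00", "Wed, 01 May 2024 12:00:02 GMT"),
]


def clock_offsets(samples: Sequence[Sample]) -> List[float]:
    """Return server_clock - client_clock, in seconds, for every sample."""
    offsets = []
    for received_iso, date_header in samples:
        received = datetime.fromisoformat(received_iso)
        # parsedate_to_datetime understands the RFC 7231 IMF-fixdate format
        # used by the Date header and returns a timezone-aware datetime.
        server_time = parsedate_to_datetime(date_header)
        offsets.append((server_time - received).total_seconds())
    return offsets


def cluster_offsets(offsets: Sequence[float], tolerance: float = 2.0) -> List[List[float]]:
    """Group offsets that lie within `tolerance` seconds of each other.

    Date has one-second resolution and requests take a variable amount of
    time, so offsets from the same clock jitter by a second or two; anything
    further apart is treated as a different clock (assumed tolerance).
    """
    clusters: List[List[float]] = []
    for offset in sorted(offsets):
        if clusters and offset - clusters[-1][0] <= tolerance:
            clusters[-1].append(offset)
        else:
            clusters.append([offset])
    return clusters


def count_backend_clocks(samples: Sequence[Sample], tolerance: float = 2.0) -> int:
    """The scanner's estimate: one backend per distinct clock offset seen."""
    return len(cluster_offsets(clock_offsets(samples), tolerance))


if __name__ == "__main__":
    for name, samples in (("unsynchronized", SKEWED_SAMPLES), ("NTP-synced", SYNCED_SAMPLES)):
        clusters = cluster_offsets(clock_offsets(samples))
        print(f"{name}: {len(clusters)} distinct clock(s), offsets {clusters}")
```

Run against real traffic, a count of 1 for the origin means the HTTP-header part of the finding cannot come from your EC2 host; a large count against a Cloudflare-proxied hostname is the edge fleet's clocks and is not something NTP on the origin can change. The TTL, IP ID and ISN checks the report also lists are independent of this and are likewise answered by whatever host terminates the scanner's connection.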