WAF bypass. How to call an IP site that uses WAF or DDoS protection

WAF bypass. How to call an IP site that uses WAF or DDoS protection

There are different services that hide the site address behind another IP – to protect against DoS, DDoS or other attacks. These can be both well-known cloud services like Cloudflare, and web application firewalls (WAF) and other security solutions. The task of circumventing them is to call the real IP, and there are ready-made utilities for this. Let’s see how to use them in practice.

To start with, I will tell you a little bit more about what a WAF is and how it works. For example, the familiar Apache web server has a mod_security module, which can act as a firewall for web applications and help protect your service from some trivial DoS attack. One of such attacks is HTTP(S) GET Flood, when the server is sent countless requests for information. The server is unable to process so many requests in a very short period of time and simply drops.

Such a function can be provided by some cloud provider – for simplicity, I will call different services of this type just WAF. The principle of their work can be described as follows.

  1. The web server to be protected runs as usual without filtering dangerous requests, and the WAF service is configured on a separate server of the company providing such services.
  2. The IP address of the WAF.
  3. server is not its real address, but rather the IP address of the WAF server.
  4. After this configuration, all requests to the domain name of the site will be sent to the WAF server rather than the site itself.
  5. This server accepts the request, processes it and if the request meets the configured rules, sends it to the protected server. WAF receives the requested information (web page, file) from this server and forwards it to the client (user).
  6. This server accepts the request and if the request meets the rules set.


How to beat the system

Since modern WAFs block many malicious requests, it will not be possible to use utilities such as sqlmap or WPScan. Also, attacks like DoS or DDoS are not possible.

That’s why we have two options.

  1. Construct the request in such a way as to bypass the rules written in WAF
  2. Send request directly to web server without WAF check.

Next, we will focus on the second point. To implement it, we need to know the real IP address of the server and make sure that this server is able to accept requests directly from anyone on the network. The direct IP address of the server is often called the word bypass. Sometimes, direct access to it is specially saved so that the server can continue to work in case of problems on the WAF side.

For this purpose we will use a script with a long but speaking name: Bypass firewalls by abusing DNS history.

This utility tries to know the real IP address of the server we need in two ways at once.

  1. Analysis of DNS records history.
  2. Search for subdomains and then analyze their IP addresses.

To all found IP addresses, the script makes requests for verification.


The script is publicly available at GitHub. I ran it on Kali Linux but it can work in other distributions as well.

The commands to install it on Kali look like this:

$ sudo apt install jq
$ git clone https://github.com/vincentcox/bypass-firewalls-by-DNS-history

The team for installation in the BlackArch distribution:

$ sudo pacman -S bypass-firewall-dns-history jq

We return to Kali. The first line is to put the necessary module for the script, and the second line is to download the script from GitHub. To get help on using the tool, just go to its directory and execute the following command:

$ bash bypass-firewalls-by-DNS-history.sh --help

As the help shows, the script developer has provided several parameters:

    • -d is a mandatory key for using the script. With it, we specify the domain name of the site for which we want to find bypass;
    • -a – with this option found IPs will be checked not only for the primary domain, but also for subdomains;
    • -l – this option allows you to upload your subdomain list to the script for a more detailed and accurate check;
    • -o – this parameter allows you to save the result of the script to a file, the path to which is specified after the parameter.

And now let’s run the script:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target>

For example, I found one site that is vulnerable to an attack of this kind. This is what the output of the script for this site looks like.


Script output

In the IP column will be written down one by one IP addresses, which can be used to directly contact the server. The second column shows the probability that this is the correct IP, expressed as a percentage. The Organization column contains the name of the company, which owns this IP.

Let’s take another example and expand the search area: add IP to subdomains mapping:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -a


Extended search result

Here, among other things, another column appears – Domain, which lists subdomains corresponding to the found IP addresses.

In order not to lose the result later, it is usually saved to a file. Well, let’s use the -o option and write the path to save the log to the user’s home folder.

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -a -o /home/kali/<output.txt>


May specify not the whole path, but only the name of the file in which the result will be written. The file will be saved in a folder with the script..

As you know, not everything is hacked in one click. Sometimes programs also need help – in our case, we can make it easier for the Toulouse by making a voluminous list of subdomains. We will fill this list with the help of the Amass script, which knows how to do it perfectly. Amass is launched with this command:

$ Amass enum -d <Your_target> -o <subdomains.txt>

With the -d parameter, we specify our target, with the -o file to save the result.


Return to WAF Bypass. Now we will use the list of found subdomains to find the real IP address of the attacked server:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -l <subdomains.txt>


A WAF Bypass result with subdomain list

As we can see, two most likely bypasses-ip have been found.


Try Skills in Business

To dispel your doubts about the performance of this method, I suggest a little research. We will try to break through several sites with the help of this utility and make a small statistics.


All further actions were done only for training and research purposes. The author does not intend to hurt any company or individuals.

I want to clarify: we will check only servers that are protected by WAF. To make sure, we will use the dig utility built into Kali:

$ dig <DOMAIN> NS +short

The utility will show us a list of DNS servers to which the site is connected. If you see the DNS servers of Cloudflare or other WAFs, it means that the site is protected from DOS and DDoS attacks.

We will use the same command for testing:

$ bash bypass-firewalls-by-DNS-history.sh -d <Your_target> -a

So, let’s go. Take for example one game site protected by Cloudflare. I will not show the domain for obvious reasons. Let’s try to use our tool to break through WAF and see if we will succeed.


Punching result

As you can see, we got a list of possible bypasses, but it is too huge, and each IP has its own probability estimation. This suggests that it is not so easy to break through large companies.

Now let’s have a look at one of the servers to play Minecraft together. They also often use protection services against DoS and DDoS.


Punching result


For the experiment I take the first available servers. This one was a foreign one and its protection has survived.

Let’s try something more defenseless – I got a custom role-playing server of GTA V game at hand.


Punching result

One hundred percent success. However, the server was so modest that it had to force a complete scan to stop.

Now let’s check some news sites. The first “victim” (in quotes, as we did no harm) was one popular news portal.


Punching result

We have received a huge number of errors. These are due to the fact that the log server has limited our ability to make requests. However, this did not prevent the utility from achieving success. The very first report found a bypass with 100% probability, but it was a subdomain.

Next, let us try the foreign educational journal.


Punching result

You may notice that the program has already started to fall off, but still tried to find bypasses in subdomains. The success rate is quite small.

And finally, the last candidate.



Punching result

Success! One hundred percent bypass found.



As you can see, this method really can find the right bypasses. Of course, it does not always work out qualitatively, otherwise WAFs would be useless at all. However, when you come across one of them, don’t give up, because there are a couple more efficient tools in your arsenal now.


WARNING! All links in the articles may lead to malicious sites or contain viruses. Follow them at your own risk. Those who purposely visit the article know what they are doing. Do not click on everything thoughtlessly.


0 0 vote
Article Rating
Notify of
Inline Feedbacks
View all comments

Do NOT follow this link or you will be banned from the site!
Would love your thoughts, please comment.x

Spelling error report

The following text will be sent to our editors: