Detecting Webserver & DNS Load Balancing with lbd
Loadbalancing is the technique used in different services for balancing the load across different servers or NICs. It can be in any form. Load balancing can be done to evenly distribute work load through a series of Computer clusters. Or it can be used within a single system to balance connections across a set of network interface cards or disks. In a cluster of computers, all systems will have all the data synced within them. A manager resource selects the specific node within the cluster when an incoming request is made. The manager effectively transfers the connections to another node if the work load of any one of the nodes is high. Thus load balancing minimizes response-time & maximizes throughput. Load balancing can be implemented in both software & hardware levels.
Typically HTTP & DNS load balancing are done when a website has got a lot of incoming traffic like an e-Commerce website or the best example would be Facebook or google itself. These websites receive at least 10M requests per minute. So obviously a single host will not be able to serve all these requests. So their requests will be spread over a series of computing resource clusters in order to keep them running.
In a Security perspective, implementing HTTP load balancing has the following major advantages:
DDos & Synflood Protection
Load Balancing enables SYN-Cookies which help in preventing DDoS Attacks. & SYN flood attacks.
SSL Offload & Accleration
In TLS enabled sites, loads are much higher for the web server since a series of continuous asymmetric encryption is going on. This decreases the throughput, but load balancing balances the load across different nodes inside a cluster and distributes the excessive load due to TLS.
Hiding Error Pages
Some HTTP loadbalancers can hide the HTTP error pages from being seen outside.
Firewall & IPS
Implementing load balancing creates a layer between the client and the server. So direct connection between the client & server is not possible. So within this layer, firewalls & Intrusion Prevention Systems can be implemented. Moreover, a WAF also can be in the way.
Loadbalancers can prioritize the traffic & intelligently serve the incoming requests.
Comming to the tool, lbd is short form for Load Balancing Detection. It is simply a shell script which automates a series of tests to verify whether a domain has load balancing.
Pratical Use to a Pentester
One may ask why detect load balancing during a pentest. Answer is that, it eliminates inconsistency in results. Explanation is, Recon is the major part in every pentest. So it is very essential to determine the range of IP addresses which should be included in the scope of test. When dealing with servers with load balancing, the results of regular tests may vary due to the load balancer in work. Sometimes we may get different IP addresses when we ping the host at different times during a test. This is because, a DNS-load balancer might be in place. Missing this fact may prove fatal. Moreover when determining the infrastructure of the target, we may miss this critical fact and as said earlier, we may miss the presence of an IDS/IPS or a Firewall in between the outside world & the target server. Simply it may be configured to allow all HTTP traffic, so that we are not able to detect it.
Syntax: lbd targetdomain port(defaults to 53 & 80) <options>
If your are interested to get under the hood, try the following
Lab : Enumerate a domain and detect whether it has load balancing enabled
This is simple detection. Let our target be Microsoft’s bing this time.
command: lbd bing.com 80
Try for yourself. Detect whether the e-Commerce company Amazon has load balancing on its web servers. Remember not to harm them or you may face consequences.