This tweet describes a reconnaissance technique: querying DNS (with dig) for subdomains that follow the naming pattern deploy.<domain> to reveal the origin IP address sitting behind a WAF or CDN. Sites that proxy their main hostname through a WAF or CDN often leave auxiliary hosts such as deploy.* pointing straight at the origin, and because the label is predictable across many SaaS domains an attacker can harvest origin addresses at scale simply by resolving deploy.* for a list of targets. Once the true origin IP is known, requests can be sent to it directly, skipping the WAF rules, rate limits, and DDoS protection that are enforced only at the proxy or CDN layer. The tweet characterizes the bypass as universal because it does not depend on any particular vulnerability class: whatever attack is being attempted against the application, it can be delivered to the origin without passing through the protective gateway. The technique only works when the origin accepts connections from arbitrary sources; restricting origin ingress to the proxy provider's published IP ranges (or requiring authenticated origin pulls) closes it, and defenders can run the same DNS check against their own domains to find hosts that leak the origin address.
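The check the tweet describes, generalized from the single deploy.* label to a short list of conventional subdomain names, as an added example that is not from the tweet or its author. It resolves each candidate hostname and flags any answer that falls outside the proxy provider's address ranges as a possible origin. To run offline it uses a constructed stand-in zone (FAKE_ZONE) and a constructed, illustrative prefix list (PROXY_PREFIXES) in place of dig and a real provider range list; the hostnames and addresses are hypothetical.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List

# Constructed stand-in for dig answers: a hypothetical zone for example.com.
# Swap resolve_stub for a real resolver to test domains you are authorized to assess.
FAKE_ZONE = {
    "example.com.": ["104.16.1.1"],           # apex proxied through the WAF/CDN
    "www.example.com.": ["104.16.1.2"],       # also proxied
    "deploy.example.com.": ["203.0.113.10"],  # unproxied host leaking the origin (constructed)
    "staging.example.com.": ["104.16.1.3"],   # proxied, so not interesting
}

# Constructed, illustrative proxy/CDN prefixes. In practice load the provider's
# published ranges instead of hard-coding them.
PROXY_PREFIXES = [ipaddress.ip_network(p) for p in ("104.16.0.0/12", "198.51.100.0/24")]

# Labels that commonly point straight at infrastructure; deploy is the one in the tweet.
CANDIDATE_LABELS = ["deploy", "origin", "direct", "staging", "dev", "mail", "ftp"]


def resolve_stub(hostname: str) -> List[str]:
    """Return the A records for hostname from the constructed zone (empty if none)."""
    return FAKE_ZONE.get(hostname.rstrip(".") + ".", [])


def is_proxied(ip: str, prefixes: Iterable[ipaddress.IPv4Network]) -> bool:
    """True if ip lies inside one of the proxy provider's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in prefixes)


def find_origin_candidates(
    domain: str,
    resolve: Callable[[str], List[str]] = resolve_stub,
    labels: Iterable[str] = CANDIDATE_LABELS,
    prefixes: Iterable[ipaddress.IPv4Network] = PROXY_PREFIXES,
) -> Dict[str, List[str]]:
    """Resolve <label>.<domain> for each label and return the hostnames whose
    answers are outside the proxy prefixes, mapped to those unproxied addresses."""
    prefixes = list(prefixes)
    findings: Dict[str, List[str]] = {}
    for label in labels:
        host = f"{label}.{domain}"
        unproxied = [ip for ip in resolve(host) if not is_proxied(ip, prefixes)]
        if unproxied:
            findings[host] = unproxied
    return findings


def apex_is_proxied(domain: str, resolve: Callable[[str], List[str]] = resolve_stub,
                    prefixes: Iterable[ipaddress.IPv4Network] = PROXY_PREFIXES) -> bool:
    """True if every address the apex resolves to is inside the proxy prefixes;
    only then does an unproxied subdomain represent a real bypass."""
    ips = resolve(domain)
    return bool(ips) and all(is_proxied(ip, prefixes) for ip in ips)


if __name__ == "__main__":
    target = "example.com"
    print(f"{target} proxied: {apex_is_proxied(target)}")
    for host, ips in find_origin_candidates(target).items():
        print(f"possible origin: {host} -> {', '.join(ips)}")
```

A candidate only matters if the apex really is proxied, which is why apex_is_proxied is checked alongside the subdomain scan. To confirm a hit, send the application's own Host header to the suspected address and see whether the app answers without the proxy, for example `curl --resolve example.com:443:203.0.113.10 https://example.com/` (the address is the constructed one above); a response identical to the proxied site, minus the proxy's headers, confirms the leak, and the fix on the defending side is to allow only the provider's ranges through the origin firewall.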
For more details, check out the original tweet here: https://twitter.com/how2claude_id/status/2049522223623671926