Identify web defensive services

An adversary can attempt to identify web defensive services such as CloudFlare, IPBan, and Snort. This may be done passively, for example by detecting CloudFlare routing, or actively, for example by purposefully tripping security defenses. [1]

ID: T1256
Sub-techniques:  No sub-techniques
Tactic: Technical Information Gathering
Version: 1.0
Created: 14 December 2017
Last Modified: 17 October 2018


Detectable by Common Defenses (Yes/No/Partial): Yes

Explanation: Active service detection may trigger an alert. Passive service enumeration is not detected.
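The kind of alert that active detection can trigger, sketched as an added example (not part of the original technique entry): it flags a client that sends requests matching several different attack-class signatures within a short window. The signature patterns, the 60-second window, the three-class threshold and the log lines are all assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed access-log lines; client addresses are documentation-range IPs.
SAMPLE_LOG = """\
198.51.100.7 - - [02/Apr/2017:10:00:01 +0000] "GET /?file=../../../etc/passwd HTTP/1.1" 403 162
198.51.100.7 - - [02/Apr/2017:10:00:02 +0000] "GET /?id=1%20UNION%20SELECT%201,2 HTTP/1.1" 403 162
198.51.100.7 - - [02/Apr/2017:10:00:03 +0000] "GET /?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 162
203.0.113.20 - - [02/Apr/2017:10:00:05 +0000] "GET /search?q=union+select+committee HTTP/1.1" 200 5120
192.0.2.55 - - [02/Apr/2017:10:00:00 +0000] "GET /?f=../x HTTP/1.1" 404 90
192.0.2.55 - - [02/Apr/2017:10:20:00 +0000] "GET /?id=1+union+select+2 HTTP/1.1" 404 90
192.0.2.55 - - [02/Apr/2017:10:40:00 +0000] "GET /?q=%3Cscript%3E HTTP/1.1" 404 90
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" (\d{3}) ')
# Illustrative attack-class signatures (assumed, deliberately coarse).
SIGNATURES = {
    "traversal": re.compile(r"\.\./"),
    "sqli": re.compile(r"(?i)\bunion\b.+\bselect\b"),
    "xss": re.compile(r"(?i)<script"),
}

def find_probing_clients(log_text, window=timedelta(seconds=60), min_classes=3):
    """Return {ip: [classes]} for clients that sent requests matching at least
    min_classes different signature classes within one time window."""
    hits = defaultdict(list)  # ip -> [(timestamp, class)]
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, target, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        decoded = unquote_plus(target)  # match on the decoded request target
        for name, rx in SIGNATURES.items():
            if rx.search(decoded):
                hits[ip].append((when, name))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            classes = {c for t, c in events[i:] if t - start <= window}
            if len(classes) >= min_classes:
                flagged[ip] = sorted(classes)
                break
    return flagged

if __name__ == "__main__":
    print(find_probing_clients(SAMPLE_LOG))
```

Requiring several distinct classes inside one window keeps a single coincidental match (the search query from 203.0.113.20) from alerting, while a client that spreads the same requests over 40 minutes stays below the default window and only appears when the window is widened.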

Difficulty for the Adversary

Easy for the Adversary (Yes/No): Yes

Explanation: An adversary can passively detect services (e.g., CloudFlare routing) or actively detect services (e.g., by purposefully tripping security defenses).


  1. Paulino Calderon. (n.d.). http-waf-detect. Retrieved April 2, 2017.