Research Academy
My account Customers About Blog Careers Legal Contact Resellers

Burp Suite User Forum

Create new post

Burp Collaborator - Will load balancing mangle traffic

Chase | Last updated: Jul 12, 2021 06:33PM UTC

We would like to deploy Burp Collaborator, but front it with a load balancer. We intend to run just a single instance. Our company has a compliance requirement that anything internet-facing be fronted by a load balancer (which gives us greater visibility on traffic flows and flexibility around ACLs). We have searched around trying to find deployment examples involving load balancers; however we can't seem to find any mention of load balancing Burp Collaborator. We deploy in AWS, and we're curious if deploying with a load balancer in front of the Burp Collaborator instance would be problematic, in terms of traffic mangling (if any), or whether source IP would be retained for inbound traffic destined to Collaborator. For clarity, we're looking to achieve this by, instead of an A record pointing to an Elastic IP (directly-accessible approach, which all seen documentation suggests), we would instead create an additional NS record that points to the load balancer: collaborator.xyz.com -> NS -> ns1.collaborator.xyz.com ns1.collaborator.xyz.com -> NS -> [load balancer] Then in the collaborator config, EXTERNAL_IP would be a list of IPs of the Load Balancer (spanning multiple AZs), this way the collaborator nameserver would report back the IPs of the load balancer. The type of load balancer we'd use would be an NLB (Network Load Balancer), which would be able to handle the traffic flows [tcp_udp 53], [tcp 80,443,25,465,587,9090,9443] and forward these to the collaborator. We're primarily concerned whether fronting with a load balancer is going to mangle the inbound non-interactive receiver traffic (tcp 80,443,25,465,587), or make the inbound flows to collaborator appear to come from the LB instead of the vulnerable hosts interacting with collaborator. Would your team be able to advise on this type of architectural design?

Michelle, PortSwigger Agent | Last updated: Jul 19, 2021 08:34AM UTC

Sorry for the delay in getting back to you. We've replied to the mail you sent in. The collaborator needs to be the authoritative nameserver for the domain which could cause an issue here. If you've got any questions, please feel free to email them over.

You must be an existing, logged-in customer to reply to a thread. Please email us for additional support.