CDN Judo: Breaking the CDN DoS Protection with Itself

Guo, Runhua; Li, Weizhong; Liu, Baojun; Hao, Shuang; Jia, Zhang; Duan, Haixin; Sheng, Kaiwen; Chen, Jianjun; Liu, Ying

doi:10.14722/ndss.2020.24411

Cited by 13 publications

(7 citation statements)

References 29 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…These vulnerabilities allow powerful DoS attacks against origin servers, utilizing minimal bandwidth, yet yielding substantial effects. The amplification factor reach a 2,000 times in general, and under certain conditions, can even surpass 1,920,000 times, which is significantly higher than previous attacks [25], [32], [40].…”

Section: Http Amplification Attacksmentioning

confidence: 69%

“…CDNs might adopt this approach for commercial purposes, such as enhancing cache hit rates, or for safety measures leading to normalized requests. However, these disparities, known as CDN forwarding request inconsistencies, may also engender security vulnerabilities, including Denial of Service (DoS), Cache Poisoned Denial of Service (CPDoS), Forwarding Loop (FL), and Web Cache Poisoning (WCP) [11], [25], [32], [50].…”

Section: A Threat Modelmentioning

confidence: 99%

“…Historically, the majority of proposed request discrepancies have been discovered manually in prior research [11], [25], [32]. This method may result in some variations in the forwarding request being overlooked.…”

Section: A Threat Modelmentioning

confidence: 99%

“…A wealth of significant research reveals that CDNs frequently alter client requests as they relay them to the original server, thereby unveiling operational inconsistencies. These inconsistencies could potentially lead to security vulnerabilities, including the Host of Trouble (HoT), HTTP Request Smuggling (HRS), Denial of Service (DoS), and Cache Poisoned Denial of Service (CPDoS) [11], [25], [32], [50]. Concurrently, innovative attacks that exploit these inconsistencies pose substantial security threats to HTTP servers and CDNs, with HTTP/2 amplification attacks [25] and RangeAmp attacks [32] being notable examples.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing

Zheng,

Li,

Wang

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

Content Delivery Networks (CDNs) are ubiquitous middleboxes designed to enhance the performance of hosted websites and shield them from various attacks. Numerous notable studies show that CDNs modify a client's request when forwarding it to the original server. Multiple inconsistencies in this forwarding operation have been found to potentially result in security vulnerabilities like DoS attacks. Nonetheless, existing research lacks a systematic approach to studying CDN forwarding request inconsistencies.In this work, we present REQSMINER, an innovative fuzzing framework developed to discover previously unexamined inconsistencies in CDN forwarding requests. The framework uses techniques derived from reinforcement learning to generate valid test cases, even with minimal feedback, and incorporates real field values into the grammar-based fuzzer. With the help of REQSMINER, we comprehensively test 22 major CDN providers and uncover a wealth of hitherto unstudied CDN forwarding request inconsistencies. Moreover, the application of specialized analyzers enables REQSMINER to extend its capabilities, evolving into a framework capable of detecting specific types of attacks. By extension, our work further identifies three novel types of HTTP amplification DoS attacks and uncovers 74 new potential DoS vulnerabilities with an amplification factor that can reach up to 2,000 generally, and even 1,920,000 under specific conditions. The vulnerabilities detected were responsibly disclosed to the affected CDN vendors, and mitigation suggestions were proposed. Our work contributes to fortifying CDN security, thereby enhancing their resilience against malicious attacks and preventing misuse.

show abstract

Section: Http Amplification Attacksmentioning

confidence: 69%

Section: A Threat Modelmentioning

confidence: 99%

Section: A Threat Modelmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing

Zheng,

Li,

Wang

et al. 2024

Proceedings 2024 Network and Distributed System Security Symposium

View full text Add to dashboard Cite

show abstract

“…Besides CDN cache, researchers also presented approaches to disclosing the IP addresses of origin servers hidden behind CDNs, demonstrating insufficient DDoS protection of CDNs [54,30]. Moreover, attackers may utilize a CDN to launch DoS to an origin server or to the CDN itself [52,16,23]. In addition, Durumeric et al's measurement shows that the HTTPS interception on CDNs may downgrade the TLS version or cipher suites and thus reduce connection security [17].…”

Section: Related Workmentioning

confidence: 99%

Quantifying User Password Exposure to Third-Party CDNs

Xu¹,

Lin²,

Yang³

2023

Preprint

View full text Add to dashboard Cite

Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's user sensitive information such as a user's login password to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users' passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or an insider attack, many users' accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this vulnerability by encrypting users' passwords in HTTPS connections. Our measurement shows that less than 17% of the websites adopt this countermeasure.

show abstract

Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems

Büttner

Nguyen

Gruschka

et al. 2021

IFIP Advances in Information and Communication Technology

View full text Add to dashboard Cite

The web is the most wide-spread digital system in the world and is used for many crucial applications. This makes web application security extremely important and, although there are already many security measures, new vulnerabilities are constantly being discovered. One reason for some of the recent discoveries lies in the presence of intermediate systems-e.g. caches, message routers, and load balancers-on the way between a client and a web application server. The implementations of such intermediaries may interpret HTTP messages differently, which leads to a semantically different understanding of the same message. This so-called semantic gap can cause weaknesses in the entire HTTP message processing chain. In this paper we introduce the header whitelisting (HWL) approach to address the semantic gap in HTTP message processing pipelines. The basic idea is to normalize and reduce an HTTP request header to the minimum required fields using a whitelist before processing it in an intermediary or on the server, and then restore the original request for the next hop. Our results show that HWL can avoid misinterpretations of HTTP messages in the different components and thus prevent many attacks rooted in a semantic gap including request smuggling, cache poisoning, and authentication bypass.

show abstract

CDN Judo: Breaking the CDN DoS Protection with Itself

Cited by 13 publications

References 29 publications

ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing

ReqsMiner: Automated Discovery of CDN Forwarding Request Inconsistencies and DoS Attacks with Grammar-based Fuzzing

Quantifying User Password Exposure to Third-Party CDNs

Less is Often More: Header Whitelisting as Semantic Gap Mitigation in HTTP-Based Software Systems

Contact Info

Product

Resources

About