Hacking

Exploring the CPDoS attack on CDNs: Cache Poisoned Denial of Service

Boffins disclosed a web attack technique (CPDoS attack) that can poison content delivery networks (CDNs) into caching and then serving error pages.

Two researchers from the Technical University of Cologne (TH Koln) have devised a new web attack that can be used by threat actors to poison content delivery networks (CDNs) into caching and then serving error pages instead of the legitimate content.

The new attack has been named CPDoS (Cache-Poisoned Denial-of-Service), has three variants, and has been deemed practical in the real world (unlike most other web cache attacks).

The content displayed in most of the websites is stored on web servers while the CDNs maintain a cached copy that is periodically refreshed.

Web servers store the original website and its content, while CDNs store a cached copy of the website that is only refreshed at certain time intervals.

Web caching mechanism allows reusing HTTP responses to reduce the number of requests that reach the origin server, the volume of network traffic resulting from resource requests, and the latency of resource access

Experts pointed out that an attack on a CDN system can have devastating consequences for the availability of websites.

A CPDoS attack (Cache-Poisoned Denial-of-Service) targets this mechanism, it aims at CDNs that receives and stores an error page caused by a malformed HTTP request header.

The result of the attack is that when users try to access the same resource are served the cached error page.

Below the attack flow described by the researchers:

  1. An attacker sends a simple HTTP request containing a malicious header targeting a victim resource provided by some web server. The request is processed by the intermediate cache, while the malicious header remains unobtrusive.
  2. The cache forwards the request to the origin server as it does not store a fresh copy of the targeted resource. At the origin server, the request processing provokes an error due to the malicious header it contains.
  3. As a consequence, the origin server returns an error page which gets stored by the cache instead of the requested resource.
  4. The attacker knows that the attack was successful when she retrieved an error page in response.
  5. Legitimate users trying to obtain the target resource with subsequent requests…
  6. …will get the cached error page instead of the original content.

Experts discovered three variants of the CPDoS attack that differ, for the HTTP header type used by the attackers:

In the HHO attack scenario, hackers leverage the size limit intermediary systems and web servers set for an HTTP request header. The HTTP standard does not define a size limit for HTTP request headers this means that if the cache system accepts a request header size larger than the one the origin server can manage it is possible to cause webserver blocking the request and returning a 400 Bad Request error page that is then cached.

“HHO CPDoS attacks work in scenarios where a web application uses a cache that accepts a larger header size limit than the origin server.” reads the post published by the researchers.

“The cache forwards this request including all headers to the endpoint since the header size remains below the size limit of 20,480 bytes. The web server, however, blocks this request and returns an error page, as the request header exceeds its header size limit. This error page with status code 400 Bad Request is now stored by the cache. All subsequent requests targeting the denialed resource are now provided with an error page instead of the genuine content.”

Experts published a video PoC for this attack that shows them targeting a testing application hosted on Amazon CloudFront.

The second variant of CPDoS attack, the HTTP Meta Character (HMC), leverages a harmful meta character such as control characters like the break/carriage return (‘\n)’, line feed (‘\r’) or bell (‘\a’).

“The HTTP Meta Character (HMC) CPDoS attack works similar to the HHO CPDoS attack. Instead of sending an oversized header, this attack tries to bypass a cache with a request header containing a harmful meta character.” continues the experts.

The third variant of the attack, the HTTP Method Override Attack (HMO, benefits from intermediary systems (e.g. proxies, load balancers, caches, firewalls) supporting only the GET and POST HTTP request methods.

“This means that HTTP requests with DELETE and PUT are simply blocked. To circumvent this restriction many REST-based APIs or web frameworks such as the Play Framework 1, provide headers such as X-HTTP-Method-Override, X-HTTP-Method or X-Method-Override for tunnel blocked HTTP methods (see Listing 1).” explained the security duo. “Once the request reaches the server, the header instructs the web application to override the HTTP method in the request line with the one in the corresponding header value.”

As result, the web server reply with an error message that is cached and served for subsequent valid GET requests for the same resource.

Experts explained that a CPDoS attack can impact multiple cache server locations worldwide, however not all edge servers are affected.

Researchers made some tests using the TurboBytes Pulse and the speed testing tool of KeyCDN. Launching an attack from Frankfurt against a target in Cologne, they observed that cache servers across Europe and some regions of Asia were impacted.

Experts also described mitigations in their research paper, for example, HHO and HHM variants could be addressed by correctly implementing the standard HTTP which, by default, does not allow storing responses that contain error codes.

Technical details, including the list of vulnerable CDNs are included in the paper published by the experts.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – CPDoS attack, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Google: China dominates government exploitation of zero-day vulnerabilities in 2023

Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…

2 hours ago

Google addressed 2 Chrome zero-days demonstrated at Pwn2Own 2024

Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…

13 hours ago

INC Ransom stole 3TB of data from the National Health Service (NHS) of Scotland

The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…

18 hours ago

CISA adds Microsoft SharePoint bug disclosed at Pwn2Own to its Known Exploited Vulnerabilities catalog

U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Microsoft SharePoint vulnerability disclosed at the…

23 hours ago

The DDR Advantage: Real-Time Data Defense

This is the advantage of Data Detection and Response (DDR) for organizations aiming to build…

1 day ago

Finnish police linked APT31 to the 2021 parliament attack

The Finnish Police attributed the attack against the parliament that occurred in March 2021 to…

1 day ago

This website uses cookies.