The New CPDoS Web Cache Poisoning Attack Lets Hackers Target CDN Sites

A new web cache poisoning attack lets an attacker turn a targeted website into one that delivers error pages to its visitors instead of the legitimate content or resources.

Delivered through a Content Delivery Network (CDN) by way of a single HTTP request carrying a poisoned header, a CPDoS attack can block access to web resources and effectively disable them. Among other countermeasures, the researchers suggest placing a Web Application Firewall (WAF) in front of the origin server to reduce exposure to CPDoS attacks.

What’s newly discovered?

Researchers from the Technical University of Cologne (TH Koln) have described a new class of web cache poisoning attacks, named ‘Cache-Poisoned Denial of Service (CPDoS)’, that affects websites served through Content Delivery Networks (CDNs).

Working of CPDoS

  • The attacker sends a simple HTTP request for the target resource, carrying a malicious header, to a web server that sits behind an intermediate cache.
  • The request is processed by the intermediate cache (the CDN edge), which ignores the malicious header: the header is not part of the cache key, so the request looks like any other request for that resource.
  • Because the resource is not yet cached, the intermediate cache forwards the request to the origin server.
  • At the origin server, the malicious header causes the request to fail with an error.
  • As a result, the origin server returns an error page, which the cache stores under the resource’s key instead of the requested content.
  • Legitimate users who request the target resource afterwards receive the cached error page instead of the original content.

3 Ways to Launch CPDoS Attacks

The researchers describe three variants, distinguished by the kind of malicious HTTP request that is used:

  • HTTP Header Oversize (HHO): a request header larger than the origin server accepts, but within the limit the cache accepts
  • HTTP Meta Character (HMC): a header containing a control character, such as a line break, that the origin rejects
  • HTTP Method Override (HMO): a header such as X-HTTP-Method-Override that makes the origin treat a cached GET as a different method

We won’t discuss each variant in detail, since that is outside this article’s scope. More details are available on the researchers’ website (cpdos.org) and in their CPDoS white paper.

MITIGATION

Mitigations against CPDoS attacks, fortunately, exist. The simplest is to configure the CDN service not to cache HTTP error pages at all.

  • If website owners have no control in their CDN dashboard to disable the caching of error pages, they can disable it from their own server’s configuration files by adding the “Cache-Control: no-store” HTTP header to every error page.
  • The more complicated fix for CPDoS attacks lies with the CDN providers themselves, who need to change how their products cache responses.
  • To explain, according to the research team, the reason some CDN providers are exposed to CPDoS attacks is that they don’t follow the HTTP caching standard. “The web caching standard only allows [CDNs] to cache the error codes 404 Not Found, 405 Method Not Allowed, 410 Gone and 501 Not Implemented,” the research team said, pointing out that CDNs shouldn’t be caching the “400 Bad Request” error pages that CPDoS attacks generate.
  • “Caching error pages according to the policies of the HTTP standard is the first step to avoid CPDoS attacks,” the team added.
  • This approach is more complex and requires more work in the backends of many CDN providers.
  • Until then, the first measure is the easier one to apply.
  • Although CPDoS attacks are cheap to carry out, most website owners can, with very little effort, secure their servers against this kind of misuse.
  • The researchers warn webmasters not to ignore the issue. Their tests showed that 30% of the Alexa Top 500 websites, 11% of the Department of Defense domains, and 16% of the URLs from a 365 million URL sample obtained from a Google dataset were potentially vulnerable to CPDoS attacks.
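The following is an added example, not code from the original article or from the TH Koln researchers. It models the CPDoS sequence described under “Working of CPDoS” with a toy origin and a toy shared cache, and then shows the two mitigations listed above: the origin marking its error pages “Cache-Control: no-store”, and the cache storing only the error codes the HTTP standard allows. The header-size limit, paths, responses and header names are all invented for the illustration; the Header Oversize variant is used because it needs only a single long header.

```python
"""Added example (not from the article or the CPDoS paper): a toy CDN edge
cache in front of a toy origin, used to reproduce a CPDoS poisoning and
to show why the two mitigations in the text stop it.
Every limit, path and response below is invented for illustration."""

MAX_HEADER_BYTES = 8192  # assumed origin header-size limit (HHO variant)

# Error statuses a cache may store without explicit freshness information
# (RFC 7231 section 6.1 lists these as heuristically cacheable).
HEURISTICALLY_CACHEABLE_ERRORS = {404, 405, 410, 414, 501}


def origin(method, path, headers):
    """Toy origin server. Like many real servers it answers an oversized
    header with 400 Bad Request; otherwise it serves the resource."""
    if any(len(k) + len(v) > MAX_HEADER_BYTES for k, v in headers.items()):
        return 400, {"Content-Type": "text/html"}, "<h1>400 Bad Request</h1>"
    if path == "/index.html":
        return 200, {"Content-Type": "text/html", "Cache-Control": "max-age=3600"}, "<h1>Welcome</h1>"
    return 404, {"Content-Type": "text/html"}, "<h1>404 Not Found</h1>"


def hardened_origin(method, path, headers):
    """Same origin, but every error page carries Cache-Control: no-store
    (the server-side fix from the text)."""
    status, hdrs, body = origin(method, path, headers)
    if status >= 400:
        hdrs = dict(hdrs, **{"Cache-Control": "no-store"})
    return status, hdrs, body


class SharedCache:
    """Toy CDN edge. The cache key is method + path only, so the poisoned
    header does not change the key: exactly the property CPDoS relies on."""

    def __init__(self, upstream, store_any_status=True):
        self.upstream = upstream
        # True mimics the non-compliant CDNs the text describes; False
        # applies the standard's rule for error responses.
        self.store_any_status = store_any_status
        self.store = {}

    def _may_store(self, status, hdrs):
        cc = hdrs.get("Cache-Control", "")
        if "no-store" in cc:
            return False
        if status < 400 or self.store_any_status:
            return True
        # Standards-compliant: store an error only if its status is
        # heuristically cacheable or the origin gave explicit freshness.
        return status in HEURISTICALLY_CACHEABLE_ERRORS or "max-age" in cc

    def get(self, path, headers=None):
        """Serve from cache if present; otherwise fetch from the origin
        and store the response when the policy allows it.
        Returns (status, body, served_from_cache)."""
        key = ("GET", path)
        if key in self.store:
            status, body = self.store[key]
            return status, body, True
        status, hdrs, body = self.upstream("GET", path, headers or {})
        if self._may_store(status, hdrs):
            self.store[key] = (status, body)
        return status, body, False


def cpdos_run(cache, path="/index.html"):
    """One poisoned request from the attacker, then one legitimate request
    for the same path. Returns (status, served_from_cache) as the user sees it."""
    attacker_headers = {"X-Oversized": "A" * (MAX_HEADER_BYTES + 1)}
    cache.get(path, attacker_headers)
    status, _body, from_cache = cache.get(path)
    return status, from_cache


if __name__ == "__main__":
    # Non-compliant cache, plain origin: the user gets the cached 400.
    print("vulnerable:", cpdos_run(SharedCache(origin)))                          # (400, True)
    # Non-compliant cache, origin marks errors no-store: the 400 is not stored.
    print("no-store fix:", cpdos_run(SharedCache(hardened_origin)))               # (200, False)
    # Standards-compliant cache, plain origin: 400 is not a cacheable error.
    print("compliant CDN:", cpdos_run(SharedCache(origin, store_any_status=False)))  # (200, False)
```

Note that the compliant cache still stores a genuine 404 for a missing path, which is what the standard permits; the fix is not “never cache errors” but “cache only the error codes the standard allows, and honour no-store”.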

CPDOS ATTACKS ARE PRACTICAL

During their research, the TH Koln team said they managed to carry out actual cache poisoning attacks against test websites hosted with several CDN providers.

For example, the map below shows an attacker (hazard symbol) launching an attack against a legitimate site’s CDN edge server (blue marker), which spread the cached error page to other CDN edge servers (red markers), poisoning a large portion of the CDN provider’s network.

cpdos-map.png
Image: Nguyen et al.

Attacks like the one shown above can cause prolonged downtime for legitimate sites and financial losses for the site’s owner.

The good news is that not all web servers (HTTP protocol implementations) and CDN networks are vulnerable.

The table below shows which server and CDN combinations are vulnerable, according to the researchers’ tests.

cpdos-table.png
Image: Nguyen et al.

Related Post: Slowloris, The DDoS Attack

Keep following us for more updates #TeamBugNResearch
