New CPDoS attack threatens sites that rely on popular CDNs
INXY.COM has been chosen by Forbes as one of Top Cybersecurity Companies. Our mission is to protect you and your resources and talk about ways to counter CPDoS attacks.
Experts from the Technical University of Cologne talked about a new attack aimed at poisoning the web cache. The problem is a danger to the content delivery network (CDN) and the sites that work with them, as it can force the CDN to cache and then serve error pages instead of legitimate resources.
The attack is called CPDoS (Cache-Poisoned Denial-of-Service) and has three execution options that may well be put into practice.
According to researchers, 30% of Alexa Top-500 sites, 11% of the US Department of Defense domains, and 16% of 365 million URL samples from the Google Big Query archive show potential vulnerability to CPDoS attacks.
CPDoS attacks target two main components of the modern web: web servers and content delivery networks. So, if web servers store the source site and its contents, then the CDN stores a cached copy of the resource, which is updated at regular intervals. This helps to significantly ease the load on web servers. Since today CDNs are used very widely, an attack on the CDN system can significantly affect the availability of the site and, consequently, affect its profit.
In that sense, using CPDoS, criminals can implement the following scenario:
  • The attacker connects to the site until his request generates a new CDN record;
  • The attacker request contains a malformed or oversized HTTP header
  • CDN allows this header to pass through a legitimate site, and as a result, it can be processed and used to generate the web page that CDN caches;
  • The long header causes an error on the web server;
  • The server generates an error page (error "400 Bad Request");
  • The error page is cached in CDN;
  • Other users accessing the site see an error page instead of the real site;
  • The cached error spreads to other nodes of the CDN network, creating a false disconnect on a legitimate site.
Researchers found out that there are three types of CPDoS attacks that depend on how the attackers structure their distorted header: using large header fields, metacharacters that cause errors, or instructions that overwrite normal server responses:
  • HTTP Header Oversize (HHO);
  • HTTP Meta Character (HMC);
  • HTTP Method Override (HMO).
It's not so difficult for website owners to resist CPDoS attacks: just configure your CDN provider so that HTTP error pages are not cached by default. Many CDN service providers have the appropriate settings in the control panel, so this is not a difficult task. You can also disable this in the server configuration files by adding the HTTP header "Cache-Control: no-store" to each type of error page.
For CDN providers, the root of the problem is that the web caching standard allows CDNs to cache only 404 Not Found, 405 Method Not Allowed, 410 Gone, and 501 Not Implemented error codes, while CDN should not cache 400 pages Bad Request "generated during CPDoS attacks. Alas, not all CDNs follow the standards, which leads to problems.
We monitor all suppliers continually and update our data to ensure our results are comprehensive and accurate at all times. Choose CDN from main providers right now.
Thank you for selecting us! And if you are not an INXY customer yet, join us and enjoy the hosting services complying with the highest performance and security standards.
Contact us if you need free consultation and professional advice. Our qualified engineers will choose the best solution for your project at the best price possible.
See also