Exploring the CPDoS Attack on CDNs: Cache Poisoned Denial of Service
October 24, 2019 Share

Exploring the CPDoS Attack on CDNs: Cache Poisoned Denial of Service

Two researchers from the Technical University of Cologne (TH Koln) have devised a new web attack that can be used by threat actors to poison content delivery networks (CDNs) into caching and then serving error pages instead of the legitimate content.

The new attack has been named CPDoS (Cache-Poisoned Denial-of-Service), has three variants, and has been deemed practical in the real world (unlike most other web cache attacks).

The content displayed in most of the websites is stored on web servers while the CDNs maintain a cached copy that is periodically refreshed.
Web servers store the original website and its content, while CDNs store a cached copy of the website that is only refreshed at certain time intervals.

Web caching mechanism allows reusing HTTP responses to reduce the number of requests that reach the origin server, the volume of network traffic resulting from resource requests, and the latency of resource access

Experts pointed out that an attack on a CDN system can have devastating consequences for the availability of websites.
A CPDoS attack (Cache-Poisoned Denial-of-Service) targets this mechanism, it aims at CDNs that receives and stores an error page caused by a malformed HTTP request header.

The result of the attack is that when users try to access the same resource are served the cached error page.

Below the attack flow described by the researchers:

An attacker sends a simple HTTP request containing a malicious header targeting a victim resource provided by some web server. The request is processed by the intermediate cache, while the malicious header remains unobtrusive.
The cache forwards the request to the origin server as it does not store a fresh copy of the targeted resource. At the origin server, the request processing provokes an error due to the malicious header it contains.
As a consequence, the origin server returns an error page which gets stored by the cache instead of the requested resource.
The attacker knows that the attack was successful when she retrieved an error page in response.
Legitimate users trying to obtain the target resource with subsequent requests…
…will get the cached error page instead of the original content.

Experts discovered three variants of the CPDoS attack that differ, for the HTTP header type used by the attackers:

HTTP Header Oversize (HHO)
HTTP Meta Character (HMC)
HTTP Method Override (HMO)
In the HHO attack scenario, hackers leverage the size limit intermediary systems and web servers set for an HTTP request header. The HTTP standard does not define a size limit for HTTP request headers this means that if the cache system accepts a request header size larger than the one the origin server can manage it is possible to cause webserver blocking the request and returning a 400 Bad Request error page that is then cached.

“HHO CPDoS attacks work in scenarios where a web application uses a cache that accepts a larger header size limit than the origin server.” reads the post published by the researchers.

“The cache forwards this request including all headers to the endpoint since the header size remains below the size limit of 20,480 bytes. The web server, however, blocks this request and returns an error page, as the request header exceeds its header size limit. This error page with status code 400 Bad Request is now stored by the cache. All subsequent requests targeting the denialed resource are now provided with an error page instead of the genuine content.”

Experts published a video PoC for this attack that shows them targeting a testing application hosted on Amazon CloudFront.

The second variant of CPDoS attack, the HTTP Meta Character (HMC), leverages a harmful meta character such as control characters like the break/carriage return (‘\n)’, line feed (‘\r’) or bell (‘\a’).

“The HTTP Meta Character (HMC) CPDoS attack works similar to the HHO CPDoS attack. Instead of sending an oversized header, this attack tries to bypass a cache with a request header containing a harmful meta character.” continues the experts.

The third variant of the attack, the HTTP Method Override Attack (HMO, benefits from intermediary systems (e.g. proxies, load balancers, caches, firewalls) supporting only the GET and POST HTTP request methods.

“This means that HTTP requests with DELETE and PUT are simply blocked. To circumvent this restriction many REST-based APIs or web frameworks such as the Play Framework 1, provide headers such as X-HTTP-Method-Override, X-HTTP-Method or X-Method-Override for tunnel blocked HTTP methods (see Listing 1).” explained the security duo. “Once the request reaches the server, the header instructs the web application to override the HTTP method in the request line with the one in the corresponding header value.”

As result, the web server reply with an error message that is cached and served for subsequent valid GET requests for the same resource.

Experts explained that a CPDoS attack can impact multiple cache server locations worldwide, however not all edge servers are affected.

Researchers made some tests using the TurboBytes Pulse and the speed testing tool of KeyCDN. Launching an attack from Frankfurt against a target in Cologne, they observed that cache servers across Europe and some regions of Asia were impacted.

Experts also described mitigations in their research paper, for example, HHO and HHM variants could be addressed by correctly implementing the standard HTTP which, by default, does not allow storing responses that contain error codes.

Technical details, including the list of vulnerable CDNs are included in the paper published by the experts.

This post Exploring the CPDoS Attack on CDNs: Cache Poisoned Denial of Service originally appeared on Security Affairs.

Read More