As organizations increasingly rely upon their web pages for connecting to their customers, they need the ability to scale these webpages to growing customer bases. As a result, many organizations have deployed a Content Delivery Network (CDN). The purpose of a CDN is to reduce the load on the main web server and latency of customer requests by handling requests at geographically distributed CDN nodes.
However, this architecture can also open up an organization to new attacks, as demonstrated by recent research.
Caching and Cache Poisoning
The goal of a CDN is to reduce load on a webserver and the latency of client requests. This is accomplished by deploying a network of CDN nodes that are geographically distributed. When a user wants to visit a certain web page, they are directed to the nearest CDN node instead of the main web server. This allows the client to receive their web content more quickly (since their traffic has to go a much shorter distance), reduces the load on the main web server (since it doesn’t have to deal with all of the clients requests itself), and allows an organization to deploy location-specific content on web pages by providing it only to certain CDN nodes.
In order for a CDN to reduce client latency and main server load, it needs to be able to operate autonomously. If every time a CDN node receives a request, it passes it on to the main web server, then the use of a CDN will only make page load times slower. Instead, a CDN node caches a copy of the web page, storing it locally. When a client requests a copy of the page, the CDN node serves them the cached copy rather than requesting a brand new one. Since most web pages change infrequently, there is a very high probability that the client will receive the same content from a cached page as they would get from asking the main webserver directly. However, since pages can grow “stale”, a CDN node will occasionally request a new copy of the page from the main web server and use that new version to fulfill requests for a certain period of time.
This practice of requesting a page from the main web server and then using that page to respond to many future requests opens up a CDN to potential attack. If an attacker can cause a CDN node to cache an invalid version of a web page, called a cache poisoning attack, the CDN node will serve up this invalid page until its next update.
The CDN DoS Attack
Recently, a team of German cybersecurity researchers have discovered a cache poisoning vulnerability that would allow attackers to perform a Denial of Service (DoS) attack on a webpage. This vulnerability, named Cache Poisoned Denial of Service (CPDoS) affects several major CDNs, including Akamai, Amazon CloudFront, CDN77, CloudFlare, and Fastly.
This vulnerability works by taking advantage of the fact that a CDN node and the main web server often process a request differently. Requests for a web page are carried over the Hypertext Transfer Protocol (HTTP), which is a fairly flexible protocol. HTTP includes headers that are under the client’s control and are designed to carry cookies, User Agents designed to identify certain types of browsers, and other types of information that would be useful to a web server.
The CPDoS attack uses deliberately malformed headers that a CDN node may not notice or filter out but that would cause a request to fail once it reached the main web server. As a result, when a CDN node updates its cache, it would think that a request was valid, but the main web server would return an error page. Since this error page would be cached by the CDN node, every future request for the same page would result in the error page being served to the client. Since this prevents the client from visiting the organization’s web page, this is a DoS attack on the page.
The main limitation of a cache poisoning attack is that the effect of the attack only persists until the CDN node updates its cached version of a page. However, this is accomplished by passing on a user request that the CDN node receives to the main web server and caching the response. By bombarding a CDN node with malicious requests, an attacker can ensure that the CDN node caches another “poisoned” version of the page with high probability.
Ensuring CDN Security
The CPDoS attack takes advantage of differences between a CDN and a web server in how they interpret a request for a web page. If the CDN node feels that a request looks valid but the webserver disagrees, then the CDN node will cache an invalid version of the page until the next time it updates its cache. If the invalid request is part of an attack, this Denial of Service attack can continue for some time.
The CPDoS vulnerability demonstrates the importance of considering CDN nodes as part of an organization’s network infrastructure and protecting them appropriately. Deploying strong protections at the CDN nodes can help with identifying and filtering out malicious or malformed traffic at the CDNnode. These protections would make CPDoS and similar vulnerabilities a non-event since no mismatch would exist between the CDN nodes and the web server’s filtering rules that could result in the CDN nodes caching an error page.