CPDoS can be used to attack content delivery networks (CDNs) to serve error pages instead of legitimate sites through caching.
In a newly named attack class, the Cache-Poisoned Denial of Service (CPDoS) attack, two academics from the Cologne University of Applied Sciences in Germany have discovered [PDF] how content delivery networks can be attacked to serve error pages instead of legitimate sites through caching.
Under normal circumstances, when a user re-visits a website, they are served a cached copy of it by a content delivery network such as Cloudflare. During the poisoning process, by contrast, the attacker requests a page through the CDN so that the CDN forwards the request to the origin web server. The request, in this case, carries a malformed header that takes one of the following three forms:
- An HTTP Header Oversize (HHO)
- An HTTP Meta Character (HMC)
- An HTTP Method Override (HMO)
Any of these causes an error on the web server. As part of regular operation, the CDN then caches the error page and serves it to legitimate users. As other CDN nodes are updated, the cached error spreads to them as well, so the site appears to be unavailable globally and the attack is complete. For mission-critical websites this can cause both reputational and financial losses.
The researchers confirmed this in their own words:
To get a clearer picture on the real life impact of CPDoS attacks, we took some samples based on the URLs from the Alexa Top 500, DoD, and HTTP Archive data sets. Overall, we found twelve vulnerable resources within a few days. These also include mission-critical websites such as ethereum.org, marines.com, and nasa.gov which use CloudFront as CDN. At all these websites, we were able to block multiple resources including scripts, style sheets, images, and even dynamic content such as the start page.
Example screenshot from the Marines.com website:
If you are wondering whether your site could be poisoned, there is a series of precautions you can take. The first is to turn off the caching of HTTP error pages by default on your CDN service, either through its predefined options or by editing your server's configuration files. The error page will then never be distributed by the CDN en masse.
Secondly, make sure your CDN provider complies with the standard HTTP caching rules. Those rules permit caching only certain error pages, such as "404 Not Found", but not others such as "400 Bad Request", which is the response generated by such an attack.
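As an added example (not the researchers' code or any CDN's real implementation), the following cache-admission policy models both precautions: strict mode refuses to store any error page the origin has not explicitly marked cacheable, and standard mode follows the HTTP heuristic-cacheability rules, so a 404 may be cached while the 400 produced by a malformed-header request may not. The log format used by the small detection helper is an assumed, constructed one.

```python
"""Cache admission policy for a CDN edge or reverse proxy (added example, not the
researchers' code or any CDN's implementation). strict=True never stores an
error page unless the origin gives explicit freshness; strict=False follows the
HTTP heuristic-cacheability rules, under which 404 may be cached but 400 may not."""
from typing import Dict, List, Optional

# Status codes RFC 7231 section 6.1 allows a cache to store without explicit
# freshness information from the origin. 400 is deliberately absent.
HEURISTIC_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: Optional[str]) -> Dict[str, Optional[str]]:
    """Split a Cache-Control header into {directive: argument-or-None}."""
    directives: Dict[str, Optional[str]] = {}
    for part in (value or "").split(","):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"') or None
    return directives


def may_cache(status: int, headers: Dict[str, str], strict: bool = True) -> bool:
    """True if the edge may store this origin response.
    strict=True : 4xx/5xx stored only when the origin gives explicit freshness.
    strict=False: RFC heuristic set, so 404 is cacheable and 400 is not."""
    cc = parse_cache_control(headers.get("Cache-Control"))
    if "no-store" in cc or "private" in cc:
        return False
    explicit = "max-age" in cc or "s-maxage" in cc or "Expires" in headers
    if status >= 400 and strict and not explicit:
        return False  # an error page provoked by a malformed header is not stored
    return explicit or status in HEURISTIC_CACHEABLE


def cached_error_hits(log_lines: List[str]) -> List[str]:
    """Detection: return paths of edge-log entries where an error page was served
    from cache, the symptom of a poisoned object. The log format is constructed
    for this example: '<status> <HIT|MISS> <path>'."""
    hits = []
    for line in log_lines:
        status, result, path = line.split(" ", 2)
        if result == "HIT" and int(status) >= 400:
            hits.append(path)
    return hits


if __name__ == "__main__":
    # Constructed responses: an oversized or malformed header usually yields a
    # 400 with no Cache-Control, which a lax edge would keep and redistribute.
    print(may_cache(400, {}, strict=False))  # False
    print(may_cache(404, {}, strict=False))  # True
    print(may_cache(404, {}, strict=True))   # False
    print(cached_error_hits(["400 HIT /index.html", "200 HIT /app.js", "404 MISS /old"]))  # ['/index.html']
```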
Following the pattern often seen in the cybersecurity world, these findings were reported through responsible disclosure, and companies such as Microsoft and Amazon have taken action to fix the problem.
However, according to the researchers, others such as Flask have still not responded, so it remains to be seen how their users will react. Readers who want to look into the subject in more detail can visit the team's recently released website, CPDOS.