Two researchers from the Technical University of Cologne (TH Koln) have devised a new web attack that can be used by threat actors
The new attack has been named CPDoS (Cache-Poisoned Denial-of-Service), has three variants, and has been deemed practical in the real world (unlike most other web cache attacks).
The content displayed in most of the websites is stored on web servers while the CDNs maintain a cached copy that is periodically refreshed.
Web servers store the original website and its content, while CDNs store a cached copy of the website that is only refreshed at certain time intervals.
Web caching mechanism allows reusing HTTP responses to reduce the number of requests that reach the origin server, the volume of network traffic resulting from resource requests, and the latency of resource access
Experts pointed out that an attack on a CDN system can have devastating consequences for the availability of websites.
A CPDoS attack
The result of the attack is that when users try to access the same resource are served the cached error page.
Below the attack flow described by the researchers:
Experts discovered three variants of the CPDoS attack that differ, for the HTTP header type used by the attackers:
In the HHO attack scenario, hackers leverage the size limit intermediary systems and web servers set for an HTTP request header. The HTTP standard does not define a size limit for HTTP request headers this means that if the cache system accepts a request header size larger than the one the origin server can manage it is possible to cause webserver blocking the request and returning a 400 Bad Request error page that is then cached.
“HHO CPDoS attacks work in scenarios where a web application uses a cache that accepts a larger header size limit than the origin server.” reads the post published by the researchers.
“The cache forwards this request including all headers to the endpoint since the header size remains below the size limit of 20,480 bytes. The web server, however, blocks this request and returns an error page, as the request header exceeds its header size limit. This error page with status code 400 Bad Request is now stored by the cache. All subsequent requests targeting the denialed resource are now provided with an error page instead of the genuine content.”
Experts published a video PoC for this attack that shows them targeting a testing application hosted on Amazon CloudFront.
The second variant of CPDoS attack, the HTTP Meta Character (HMC), leverages a harmful meta character such as control characters like the
“The HTTP Meta Character (HMC) CPDoS attack works similar to the HHO CPDoS attack. Instead of sending an oversized header, this
The third variant of the attack, the HTTP Method Override Attack (HMO, benefits from intermediary systems (e.g.
“This means that HTTP requests with DELETE and PUT are simply blocked. To circumvent this restriction many REST-based APIs or web frameworks such as the Play Framework 1, provide headers such as X-HTTP-Method-Override, X-HTTP-Method or X-Method-Override for tunnel blocked HTTP methods (see Listing 1).” explained the security duo. “Once the request reaches the server, the header instructs the web application to override the HTTP method in the request line with the one in the corresponding header value.”
Experts explained that a CPDoS attack can impact multiple cache server locations worldwide,
Researchers made some tests using the TurboBytes Pulse and the speed testing tool of KeyCDN. Launching an attack from Frankfurt against a target in Cologne, they observed that cache servers across Europe and some regions of Asia were impacted.
Experts also described mitigations in their research paper, for example,
Technical details, including the list of vulnerable CDNs are included in the paper published by the experts.