A new type of DoS attack affecting all 16 CDNs we tested

Introduction

Content Delivery Networks (CDNs) are important Internet infrastructure and improve the performance, scalability and security of websites. Attacks against the availability of a CDN therefore affect the reachability of a large number of websites.

In this study, we present how malicious customers can attack the availability of CDNs by creating forwarding loops inside one CDN or across multiple CDNs. Such forwarding loops cause a single request to be processed repeatedly or even indefinitely, resulting in undesired resource consumption and potentially Denial-of-Service attacks. We show that forwarding loops are a realistic and common threat against today's commercial CDNs. We examined 16 popular CDN providers and found that all of them are vulnerable to forwarding loop attacks. While some CDNs appear to be aware of this threat and have adopted specific forwarding loop detections, we discovered that all of these detections can be bypassed with new attack techniques. We also consider possible defenses. However, we found that, although conceptually simple, a comprehensive defense requires collaboration among all CDNs.

Figure: A concept view of CDN forwarding loop attacks

Vendor Responses

We reported these attacks to affected CDN vendors. Here are some of their responses:

  • Cloudflare and Baidu: implemented RFC 7230-compliant handling of the Via header in their CDN systems. Cloudflare also published a blog post introducing our paper and explaining how they defend against this attack [1].
  • Tencent: evaluated the problem as a high-risk vulnerability. They stated that they view it as indeed a problem for the CDN industry. They thanked us for our report and provided some rewards.
  • CDN77 and CDNsun: changed their systems so that they no longer reset the Via header.
  • Fastly: acknowledged and discussed our report with us. They also offered several T-shirts as a token of gratitude.
  • Akamai: acknowledged our report and published a response to our paper [2].
  • CERT/CC: acknowledged our report and assigned vulnerability note VU#938151 to track this problem [3].
  • Verizon (EdgeCast): contacted us to discuss the problem after learning of this issue from one of their clients, even though we did not include their service in our study. They stated that this problem is valid and can be a great danger to CDNs and the Internet in general.
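To make the loop described in the introduction and the Via-header defense mentioned in the vendor responses concrete, here is an added Python simulation. It is example code written for this page, not code from the paper or from any CDN vendor. The CDN pseudonyms (cdn-a, cdn-b), the hostnames, the customer "origin" settings, the hop cap and the per-CDN behaviour flags are all constructed assumptions; real CDN configuration and forwarding logic are far more involved than the handful of lines here.

```python
"""Simulate CDN forwarding loops and the RFC 7230 Via-header loop check.

Added example (not code from the paper or from any CDN vendor). The CDN
pseudonyms, hostnames, customer "origin" settings and the hop cap are all
constructed assumptions for illustration.
"""
from dataclasses import dataclass

MAX_HOPS = 100  # assumed cap so an undetected loop still terminates in the simulation


class LoopDetected(Exception):
    """Raised by a CDN node that finds its own pseudonym in the incoming Via."""


def parse_via(value):
    """Return the received-by tokens of a Via header value.

    RFC 7230 s5.7.1: Via = 1#( received-protocol RWS received-by [ RWS comment ] ),
    e.g. "1.1 cdn-a, 1.1 cdn-b (edge-7)" -> ["cdn-a", "cdn-b"].
    """
    names = []
    for entry in value.split(","):
        parts = entry.split()
        if len(parts) >= 2:
            names.append(parts[1])
    return names


@dataclass
class CDN:
    pseudonym: str            # what this CDN appends to Via; RFC 7230 allows a pseudonym
    check_via: bool = True    # reject a request whose Via already names this CDN
    reset_via: bool = False   # drop the incoming Via before forwarding (the behaviour CDN77/CDNsun removed)

    def forward(self, headers):
        """Return the headers this CDN sends upstream, or raise LoopDetected."""
        incoming = headers.get("Via", "")
        if self.check_via and self.pseudonym in parse_via(incoming):
            raise LoopDetected(self.pseudonym)
        chain = "" if self.reset_via else incoming
        mine = "1.1 " + self.pseudonym
        out = dict(headers)
        out["Via"] = mine if not chain else chain + ", " + mine
        return out


def run(network, entry_host, max_hops=MAX_HOPS):
    """Follow one client request through the configured forwarding chain.

    network maps a hostname to (CDN serving it, upstream hostname the customer
    configured as its origin). A hostname absent from network is a real origin.
    Returns (outcome, number of CDN hops taken).
    """
    headers = {}
    host, hops = entry_host, 0
    while host in network:
        if hops >= max_hops:
            return "hop-limit", hops
        cdn, upstream = network[host]
        try:
            headers = cdn.forward(headers)
        except LoopDetected as exc:
            return "loop-detected-by-" + exc.args[0], hops
        hops += 1
        host = upstream
    return "origin", hops


def scenarios():
    """Four constructed configurations; returns {name: (outcome, hops)}."""
    naive = CDN("cdn-a", check_via=False)                     # no loop detection at all
    compliant = CDN("cdn-a")                                  # RFC 7230 Via check
    resetter = CDN("cdn-b", check_via=False, reset_via=True)  # erases the Via trail
    fixed = CDN("cdn-b", check_via=False)                     # same CDN after it stops resetting Via
    return {
        # a malicious customer points the CDN-fronted host back at itself
        "single CDN, no check": run({"a.example": (naive, "a.example")}, "a.example"),
        "single CDN, Via check": run({"a.example": (compliant, "a.example")}, "a.example"),
        # a -> b -> a: while cdn-b resets Via, cdn-a never sees its own pseudonym
        "cross-CDN, b resets Via": run(
            {"a.example": (compliant, "b.example"), "b.example": (resetter, "a.example")},
            "a.example"),
        "cross-CDN, b keeps Via": run(
            {"a.example": (compliant, "b.example"), "b.example": (fixed, "a.example")},
            "a.example"),
    }


if __name__ == "__main__":
    for name, (outcome, hops) in scenarios().items():
        print(f"{name:26s} -> {outcome} after {hops} hop(s)")
```

The two cross-CDN cases are the point of the vendor responses above: a CDN that checks Via cannot protect itself when a neighbouring CDN in the loop strips the header, because the trail it relies on never reaches it. Only once every CDN on the path preserves Via does the compliant one see its own pseudonym and break the loop, which is why the page stresses that a comprehensive defense needs all CDNs to cooperate.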

Full paper

This work ("Forwarding Loop Attacks in Content Delivery Networks") was published at NDSS 2016 and won the Distinguished Paper Award.

Figure: Distinguished Paper Award at NDSS 2016

References

  1. Nick Sullivan, "Preventing Malicious Request Loops", Cloudflare Blog, 2016. https://blog.cloudflare.com/preventing-malicious-request-loops
  2. Akamai, "Akamai Response To 'Forwarding-Loop' Issue", Akamai Blog, 2016. https://blogs.akamai.com/2016/03/akamai-response-to-forwarding-loop-issue.html
  3. CERT/CC, "Vulnerability Note VU#938151", 2016. https://www.kb.cert.org/vuls/id/938151