Abusing CDNs for Fun and Profit: Security Issues in CDNs’ Origin Validation


Content Delivery Networks (CDNs) are critical Internet infrastructure. Besides high availability and high performance, CDNs also provide security services such as anti-DDoS and Web Application Firewalls (WAF) to CDN-powered websites. However, the massive resources of CDNs may also be leveraged by attackers who exploit their architectural, implementation, or operational weaknesses. Prior research has shown that CDNs themselves are vulnerable to forwarding loop attacks. In this paper, we show that today’s CDNs are overly permissive in their user-controlled forwarding policies, which exposes them to a wide range of abuse cases such as DoS attacks and stealthy port scans. We systematically study these abuse cases and demonstrate their feasibility in popular CDNs. Further, we evaluate the impact of these abuses and find that there are millions of CDN edge servers, a substantial fraction of which can be abused. Lastly, we propose some mitigation solutions against such abuses and discuss their feasibility.

IEEE 37th Symposium on Reliable Distributed Systems