Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Unveiling the Bandwidth Nightmare: CDN Compression Format Conversion Attacks

Ziyu Lin, Zhiwei Lin, Ximeng Liu, Zuobing Ying, Cheng Chen

TL;DR

A novel HTTP amplification attack, CDN Compression Format Convert(CDN-Convet) Attacks, that allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes.

Abstract

Content Delivery Networks (CDNs) are designed to enhance network performance and protect against web attack traffic for their hosting websites. And the HTTP compression request mechanism primarily aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks introduced when CDNs meet compression requests. In this paper, we present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts. Our experimental results show that all these CDNs are affected by the CDN-Convet attacks. We have also disclosed our findings to affected CDN providers and have received constructive feedback.

Unveiling the Bandwidth Nightmare: CDN Compression Format Conversion Attacks

TL;DR

A novel HTTP amplification attack, CDN Compression Format Convert(CDN-Convet) Attacks, that allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes.

Abstract

Content Delivery Networks (CDNs) are designed to enhance network performance and protect against web attack traffic for their hosting websites. And the HTTP compression request mechanism primarily aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks introduced when CDNs meet compression requests. In this paper, we present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts. Our experimental results show that all these CDNs are affected by the CDN-Convet attacks. We have also disclosed our findings to affected CDN providers and have received constructive feedback.
Paper Structure (27 sections, 4 figures, 6 tables)

This paper contains 27 sections, 4 figures, 6 tables.

Table of Contents

  1. Introduction
  2. Background
  3. CDN Overview
  4. Compression Mechanism on CDN
  5. Compression-Specific Implementations In CDNs
  6. Consideration in Selecting CDN Vendors
  7. Differences in CDNs Handling Compression Requests
  8. CDN Convert Format Attack
  9. Threat Model
  10. CDN Convert to Compression Format (CCCF) Attack
  11. CDN Convert to Uncompressed Format (CCUF) Attack
  12. Real-world Evaluation
  13. Feasibility of the CCCF Attacks
  14. The Amplification Factor of the CCCF Attack
  15. Feasibility of the CCUF Attacks
  16. ...and 12 more sections

Figures (4)

  • Figure 1: Multiple segments of connectivity in a CDN environment
  • Figure 2: General construction of the CDN-Convert Attacks
  • Figure 3: Flow and example construction of a CCCF attack.
  • Figure 4: Two new ways of domain takeover.