Vulnerability in content distribution networks found by researchers – Naked Security


Researchers have found a flaw that could lead to denial of service attacks on content distribution networks around the world.

A content distribution network (CDN) is a network of computers that makes it faster and more efficient for people to access content on the internet. The computers are spread around different regions, and each stores a website’s content in a process called caching.

When someone wants to access content from the website (known as the origin), they’re directed to the computer in the CDN that’s closest to them. Because the CDN has cached the data, they can download it more quickly and efficiently than if they downloaded it directly from the origin site.

The researchers, Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath, figured out a way to make these CDNs serve up error pages, even when the origin website is working. The attack, called CPDoS, works by fooling the CDN into caching an error page.

Every so often, the CDN will choose not to serve up the page it has cached when responding to a request, but will instead go and get a fresh one. The attacker keeps pinging the CDN with a page request until this happens.

The attacker specially crafts their request so that the originating site won’t know what to do with it. Instead, the site returns an error page, and the CDN caches it. So whenever anyone else asks for the same page, the CDN shows them the error page. It’s effectively a denial of service attack.

What does the attacker do to their request to make it so indigestible? It all comes down to hypertext transfer protocol (HTTP) requests. HTTP is the language that web servers and browsers use to communicate. When your browser sends a HTTP request to the server it includes a header, which contains information such as the version of the browser you’re using, the operating system you’re running, and the page you want.