CPDoS – Cache Poisoned Denial of Service Attack

https://securiumsolutions.org/2020/03/25/cpdos-cache-poisoned-denial-of-service-attack/
CDN: Content Delivery Network
A CDN is a geographically distributed group of servers that delivers web resources and content to users quickly.
Principle of CDN:
A CDN speeds up the transfer of the assets a page needs while loading: HTML pages, JavaScript files, videos, images and much more. CDNs are now widely used; large Internet services such as Facebook, Amazon and Netflix deliver their content through CDN platforms.


Figure-1: CDN – Content Delivery Network
  • Redundancy: the architecture has no single point of failure, so content keeps being delivered when individual nodes fail
  • Continuous performance: high throughput sustained across the whole network
  • Flexibility: traffic is spread across many nodes, so network congestion stays low
  • Security: the integrity of the delivered content is a priority
  • Responsiveness: capacity scales with demand
  • Efficiency: good network connectivity and geographic proximity to users give better data transfer speeds
Example: Website Security
Cyber security is a very important concern nowadays, because most access to data goes through websites and web applications, so input validation and every entry point of the application have to be managed. A CDN is deployed at the edge of the network and acts as a virtual security fence in front of the website: it absorbs DDoS floods and spam traffic before they reach the origin server.


Figure – 2: Cloudflare Website Security
The image above shows what happens when the CDN's security features are not enabled: the origin cannot control the requests attackers send, and a huge amount of traffic arriving at the same time exhausts the server's memory and connection capacity. That is a DDoS attack.
With the CDN enabled, this kind of flood is absorbed at the edge, and the CDN can also enforce limits on the size of HTTP request headers (although, as the CPDoS section below shows, a CDN limit that is looser than the origin's becomes a problem of its own).
CDN Infrastructure
A CDN is built from regional data centres that serve the users closest to them. Its basic building block is the PoP (Point of Presence). Placing content regionally cuts the round-trip time (RTT), which makes the website faster and more responsive for all users regardless of their geographic location.


Figure – 3: Architecture of CDN
Points that show the benefits of CDN:
  • Performance
  • Reliability
  • Scalability
  • Responsiveness
Working of CDN:
A CDN delivers content over the Internet cheaply, reliably and fast by placing servers at many geographic locations. These servers sit at the exchange points between different networks, the Internet Exchange Points (IXPs), the primary locations where different Internet providers interconnect and exchange traffic.
Because the CDN is connected directly into so many networks, it can move content at very high speed.
Beyond the IXPs, a CDN also relies on standard client/server transfers from data centres across the globe; spreading the service this way improves security and lets it survive hardware failures and network congestion.
So, what can a CDN do for us?
  • Improve page load speed
  • Handle high traffic loads
  • Stop spammers, scrapers and other malicious bots
  • Reduce Internet bandwidth consumption
  • Balance traffic across multiple servers
  • Protect against DDoS attacks
  • Secure the web application and many other services
Some Benefits of CDN:
  • Reducing bandwidth costs: bandwidth consumption is one of the primary expenses of website hosting. Caching and optimisation at the edge reduce the amount of data the origin server has to send, and therefore the cost to the website owner.
  • Enhancing website security: a CDN improves security through DDoS mitigation and related optimisations.
  • Improving load times: load time plays a very important role; visitors only stay on a site that loads fast and is light to explore. With a CDN the bounce rate drops and the time people spend on the site increases.
  • Increasing redundancy: when a very large amount of content is served from a single server, traffic interruptions or failures can occur; a CDN spreads that traffic and reduces the impact of a hardware failure.


Figure – 4: Advantage of CDN
Issues of CDN:
  • Additional cost: using a CDN means paying for dedicated infrastructure to handle the traffic and resources
  • Added complexity: the website no longer depends on a single hosting provider but on both the hosting provider and the CDN to set up all its resources
  • Uneven geographic coverage: not every country has CDN servers, so users in those regions do not get the faster service
CPDoS – Cache Poisoned Denial of Service Attack
CPDoS is a new class of web cache poisoning attack that aims to make web content and resources unavailable.
Working of CPDoS attack:
  • The attacker sends a simple HTTP request containing a malicious header to a resource on the victim's web server. The request passes through the intermediate cache; because there is no cached copy yet, the cache forwards it to the origin with the malicious header intact.
  • At the origin server the malicious header causes the request to be processed with an error.
  • The origin returns an error page, and the cache stores that error page instead of the requested resource.
  • The attacker receives the error page in the response and so knows that the attack has succeeded.
  • Legitimate users who subsequently request the same resource never reach the origin; the attack affects every subsequent request for that resource.
  • They are served the cached error page instead of the content.

https://cpdos.org/img/CPDoS.png

Figure – 5: CPDoS attack
As a result, a single malicious client can block content that is distributed through a CDN or any other shared proxy cache.
Apart from this, the attack has three variants:
  • HTTP Header Oversize (HHO):
    • The attacker sends a request whose headers exceed the size the origin allows. Headers carry essential metadata about the client, such as the languages, media types and encodings it supports, so they can legitimately be large. Apache HTTPD limits a request header to 8 KB to mitigate request-header based denial of service; Amazon CloudFront, in contrast, allows headers of up to 20 KB. A request with a header between those two limits is forwarded by the CDN, rejected by the origin with an error, and the error response is cached, which denies the resource to everyone behind that cache.


Figure – 6: Header metadata size and an oversized HTTP header
To stop this attack, align the cache's header size limit with the origin's (or lower the cache's limit), and make sure the origin's 400 Bad Request error page is never cached.
  • HTTP Header Meta Character (HMC)
    • This is similar to the HHO CPDoS attack, but instead of size the attacker relies on a header value containing a harmful meta character, such as a line feed (\n), carriage return (\r) or bell (\a). The cache forwards the header untouched, the origin rejects the request with an error, and that error page is cached. The defence is to reject or strip such characters at the cache before the request reaches the origin, and not to cache the resulting error responses.

https://cpdos.org/img/HMC.png

Figure – 7: HTTP Meta Character attack and its handling.
  • HTTP Method Override (HMO)
    • HTTP defines several request methods. Many intermediaries (proxies, load balancers, caches, firewalls) and REST-based web services only support GET and POST, so web frameworks offer a header, commonly X-HTTP-Method-Override, that lets a client tunnel PUT or DELETE through a GET or POST. The cache treats such a request as an ordinary GET and forwards it; the framework at the origin honours the override, handles the request as DELETE or PUT, and answers with an error (for example 405 Method Not Allowed), which the cache then stores and serves for the resource.


Figure – 8: Manipulation of the HTTP method through a request header.


Figure – 9: HTTP Method Override attack process.
Mitigations of CPDoS attack:
  • The simplest protection is for the website owner to configure the CDN service so that it does not cache HTTP error pages by default.
    • In the CDN provider's configuration, do not enable caching of error pages; cache only the pages that genuinely need it, and let the error responses produced by malicious requests go uncached (or redirect such requests to the website's home page).
  • If there is no access to the CDN dashboard, the fix can be applied at the origin instead: through cPanel's file manager (or directly on the server) add the "Cache-Control: no-store" response header to every type of error page.
  • As the researchers point out, the web caching standard only allows error pages with the status codes "404 Not Found", "405 Method Not Allowed" and "501 Not Implemented" to be cached by default (RFC 7231 section 6.1 also lists 410 Gone and 414 URI Too Long); a cache that stores 400 Bad Request or 500-series responses is not standard-compliant.
  • Following the HTTP caching standard therefore protects against CPDoS. In addition, a WAF (Web Application Firewall) in front of the origin can catch malicious requests before they ever produce a cacheable error.
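To make the attack flow, the three variants and the mitigations above concrete, here is an added example written for this page; it is not code from the CPDoS researchers, from Apache or from any CDN. It models a toy origin and a toy shared cache in Python. The origin rejects header lines above 8 KB and header values containing \n, \r or \a with 400 Bad Request, and honours a method override header (assumed here to be X-HTTP-Method-Override) that turns a GET into a DELETE answered with 405 Method Not Allowed; the cache forwards headers up to 20 KB. The cache can run in a naive mode that stores every response, or in a standard-compliant mode that stores only the status codes RFC 7231 lists as cacheable by default and honours Cache-Control: no-store. The two limits, the victim path /index.html and the header names are constructed for the example.

```python
"""Toy model of a CPDoS attack against a shared cache (constructed example)."""
from dataclasses import dataclass, field

ORIGIN_HEADER_LIMIT = 8 * 1024   # origin rejects any header line above this (Apache-style, per the text)
CACHE_HEADER_LIMIT = 20 * 1024   # intermediary forwards anything below this (CloudFront figure from the text)
META_CHARS = ("\n", "\r", "\a")  # characters the origin refuses inside a header value
# Status codes RFC 7231 section 6.1 lists as cacheable by default
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def origin(method, path, headers, error_no_store=False):
    """Origin server. error_no_store=True models the server-side fix from the
    mitigation list: every error page carries Cache-Control: no-store."""
    def error(status, reason):
        hdrs = {"Cache-Control": "no-store"} if error_no_store else {}
        return Response(status, reason, hdrs)

    for name, value in headers.items():
        if len(name) + 2 + len(value) > ORIGIN_HEADER_LIMIT:   # "Name: value"
            return error(400, "Bad Request: header too large")
        if any(c in value for c in META_CHARS):
            return error(400, "Bad Request: illegal character in header")
    # Many frameworks let a header override the HTTP method (the HMO variant).
    # The header name is an assumption of this example.
    effective = headers.get("X-HTTP-Method-Override", method).upper()
    if effective not in ("GET", "POST"):
        return error(405, "Method Not Allowed")
    if path != "/index.html":
        return error(404, "Not Found")
    return Response(200, "<html>welcome</html>", {"Cache-Control": "max-age=3600"})


class Cache:
    """Shared cache. policy='naive' stores every response it sees;
    policy='rfc' stores only default-cacheable statuses and honours no-store."""

    def __init__(self, policy):
        self.policy = policy
        self.store = {}

    def cacheable(self, resp):
        if self.policy == "naive":
            return True
        if "no-store" in resp.headers.get("Cache-Control", ""):
            return False
        return resp.status in CACHEABLE_BY_DEFAULT

    def fetch(self, method, path, headers, upstream):
        """Returns (response, 'HIT' | 'MISS' | 'REJECTED')."""
        if method == "GET" and path in self.store:
            return self.store[path], "HIT"
        for name, value in headers.items():
            if len(name) + 2 + len(value) > CACHE_HEADER_LIMIT:
                return Response(400, "Bad Request"), "REJECTED"   # never reaches the origin
        resp = upstream(method, path, headers)
        if method == "GET" and self.cacheable(resp):
            self.store[path] = resp
        return resp, "MISS"


def attacker_headers(variant):
    """One poisoning request per CPDoS variant; each is acceptable to the cache."""
    h = {"Host": "victim.example"}
    if variant == "HHO":   # larger than the origin accepts, smaller than the cache forwards
        h["X-Oversized"] = "A" * (ORIGIN_HEADER_LIMIT + 1)
    elif variant == "HMC":
        h["X-Metachar"] = "value\nwith-newline"
    elif variant == "HMO":
        h["X-HTTP-Method-Override"] = "DELETE"
    else:
        raise ValueError(variant)
    return h


def run_attack(variant, policy, error_no_store=False):
    """Attacker sends one request, then a legitimate user asks for the same
    resource. Returns (status the victim sees, cache state for that request)."""
    cache = Cache(policy)

    def upstream(m, p, h):
        return origin(m, p, h, error_no_store)

    cache.fetch("GET", "/index.html", attacker_headers(variant), upstream)
    resp, state = cache.fetch("GET", "/index.html", {"Host": "victim.example"}, upstream)
    return resp.status, state


if __name__ == "__main__":
    for variant in ("HHO", "HMC", "HMO"):
        print(variant, "naive cache:", run_attack(variant, "naive"))
        print(variant, "rfc cache:", run_attack(variant, "rfc"))
        print(variant, "rfc cache + no-store on errors:", run_attack(variant, "rfc", True))
```

Running it prints one line per variant and policy. With the naive cache all three variants leave the victim with a cached error (a HIT carrying 400 or 405). The standard-compliant cache alone stops HHO and HMC, because 400 is never cacheable by default, but it still caches the 405 produced by HMO, since 405 is on the default-cacheable list; only when the origin also marks its error pages Cache-Control: no-store (the second item in the mitigation list) does the HMO variant fail too. That is why both the cache-side and the origin-side fix are worth applying.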
The issue is still present:
The image below shows that several CDN providers had not yet updated their caching behaviour to the standard and so remain vulnerable to CPDoS.
According to the study, the HTTP implementations of 25 caching servers and web frameworks were tested, and only three of the caches proved secure: Apache Traffic Server, Google Cloud Storage and Squid.
Microsoft also fixed the issue in its IIS server as CVE-2019-0941 in June 2019.

https://www.bleepstatic.com/images/news/u/1100723/CPDoS_06.png

Figure – 10: Results of the research study on CPDoS vulnerability.
The researchers also tested the top 500 websites, and used the Google BigQuery service to examine around 360 million URLs stored in the HTTP Archive data set (table httparchive.summary_requests.2018_12_15_desktop).


Figure – 11: The tests the researchers ran to find CPDoS-vulnerable web servers and CDN providers.


Figure – 12: Different types of web caching servers
Responsible Disclosure:
Amazon Web Services confirmed that CloudFront was affected by CPDoS; its security team changed the default so that error pages with the status code 400 Bad Request are no longer cached. Some time later, however, it turned out that the default caching policy in the configuration hosted on GitHub had not yet been updated.
At least AWS WAF is available to block such requests and mitigate the attack properly.
In June 2019 Microsoft confirmed the issue and published a mitigation for the vulnerability as CVE-2019-0941.
The Flask developers were also informed that their framework is affected by the HMO variant; web applications built on versions that have not been updated remain exposed to CPDoS.
The disclosure details above are taken from the reference research paper "Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack".
Scope of Future Aspect:
The study shows that the handling of HTTP headers still needs to become more secure. Developers should follow the HTTP caching and method-handling standards, because during website development there is generally little awareness that this vulnerability is possible.
Cache only the error pages that genuinely need it, such as 404 Not Found pages; accepting the default settings is not acceptable, because we cannot know in advance which page a denial-of-service attack will use to damage or shut down the site.
Future Effectiveness:
CDN providers are following the HTTP method and header standards, but the caching server's storage and memory management also have to be reviewed.
As described above, a request header larger than the origin's 8 KB limit but within the CDN's limit makes a CPDoS attack against the web application possible. Without access to the CDN configuration, the rules have to be applied at the origin: on Apache, header size limits such as LimitRequestFieldSize can only be set in the server or virtual host configuration, while the Cache-Control: no-store header for error pages can be added from an .htaccess file.
Ultimately the security measures depend on the CDN provider. Following the HTTP caching and method standards protects against CPDoS; the CORS (Cross-Origin Resource Sharing) policy, by contrast, only governs what browsers may read across origins and does not by itself prevent CPDoS or other DoS attacks on web applications.