CPDoS attack that makes pages served via CDN inaccessible

Researchers from the Universities of Hamburg and Cologne have developed a new technique for attacking content delivery networks and caching proxies: CPDoS (Cache-Poisoned Denial-of-Service). The attack uses cache poisoning to make a page inaccessible to users.

The problem stems from the fact that CDNs cache not only successfully completed requests, but also responses in which the HTTP server returns an error. As a rule, when a request is malformed, the server returns a 400 (Bad Request) error; the only exception is IIS, which returns a 404 (Not Found) error for oversized headers. The standard allows only 404 (Not Found), 405 (Method Not Allowed), 410 (Gone) and 501 (Not Implemented) errors to be cached, but some CDNs also cache 400 (Bad Request) responses, which depend on the request that was sent.

Attackers can cause the origin server to return a "400 Bad Request" error by sending a request with specially crafted HTTP headers. The CDN does not take these headers into account, so the error response for the page is cached, and all other valid user requests until the cache entry expires may receive the error, even though the origin site serves the content without any problems.

To force the HTTP server to return an error, three attack options have been proposed:

  • HMO (HTTP Method Override) - an attacker can override the original request method through the "X-HTTP-Method-Override", "X-HTTP-Method" or "X-Method-Override" headers, which some servers support but the CDN does not consider. For example, the original "GET" method can be changed to the "DELETE" method, which is forbidden on the server, or to the "POST" method, which is not applicable to static content;

  • HHO (HTTP Header Oversize) - an attacker can choose a header size that exceeds the limit of the origin server but stays within the CDN's limit. For example, Apache httpd limits header size to 8 KB, while the Amazon CloudFront CDN allows headers up to 20 KB;

  • HMC (HTTP Meta Character) - an attacker can place special characters (\n, \r, \a) in the request that the origin server treats as invalid but the CDN ignores.

The CloudFront CDN used in Amazon Web Services (AWS) turned out to be the most susceptible to the attack. Amazon has now fixed the problem by disabling error caching, but it took the researchers more than three months to get the protection added. The issue also affected Cloudflare, Varnish, Akamai, CDN77 and Fastly, but the attack through them is limited to target servers that use IIS, ASP.NET, Flask and Play 1. It is noted that 11% of US Department of Defense domains, 16% of URLs from the HTTP Archive database, and about 30% of the 500 largest sites according to the Alexa rating could potentially be attacked.

As a workaround on the site side, the "Cache-Control: no-store" header can be used to prohibit caching of responses. For some CDNs, such as CloudFront and Akamai, error caching can be disabled at the profile settings level. A web application firewall (WAF) can also be used for protection, but it must be deployed on the CDN side in front of the caching hosts.
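As an added example (not code from the article or from the researchers), the following pre-cache filter shows the two checks a caching layer or WAF in front of the cache can apply against the three vectors listed above and the caching rule the article cites: flag requests carrying a method-override header, oversized headers or control characters, and refuse to cache error responses other than 404/405/410/501 or anything marked no-store. The header byte limit, the sample requests and the function names are constructed for illustration.

```python
# Added example, not from the article: a pre-cache filter modelling the CPDoS
# vectors (HMO, HHO, HMC) and the error-caching rule the article describes.
# ORIGIN_HEADER_LIMIT models the 8 KB Apache httpd limit cited in the text;
# all sample requests below are constructed for illustration.
from typing import Dict, List

ORIGIN_HEADER_LIMIT = 8 * 1024
CACHEABLE_ERRORS = {404, 405, 410, 501}  # the only error codes the standard lets a cache keep
OVERRIDE_HEADERS = {"x-http-method-override", "x-http-method", "x-method-override"}
META_CHARS = ("\n", "\r", "\a")


def cpdos_indicators(method: str, headers: Dict[str, str]) -> List[str]:
    """Return the CPDoS vectors present in one request (empty list if none)."""
    found = []
    lower = {k.lower(): v for k, v in headers.items()}
    # HMO: an override header would turn a cacheable GET into another method at the origin
    if method.upper() == "GET" and any(h in lower for h in OVERRIDE_HEADERS):
        found.append("HMO")
    # HHO: total header bytes exceed what the origin accepts (": " and CRLF add 4 per header)
    total = sum(len(k) + len(v) + 4 for k, v in headers.items())
    if total > ORIGIN_HEADER_LIMIT:
        found.append("HHO")
    # HMC: control characters in header values that the origin will reject
    if any(c in v for v in headers.values() for c in META_CHARS):
        found.append("HMC")
    return found


def may_cache_response(status: int, response_headers: Dict[str, str]) -> bool:
    """Cache only successes or the permitted error codes, and never a no-store response."""
    cache_control = response_headers.get("Cache-Control", "").lower()
    if "no-store" in cache_control:
        return False
    return status < 400 or status in CACHEABLE_ERRORS


# Constructed sample requests: one per vector plus a clean one
SAMPLES = [
    ("GET", {"Host": "example.test", "X-HTTP-Method-Override": "DELETE"}),
    ("GET", {"Host": "example.test", "X-Padding": "A" * 9000}),
    ("GET", {"Host": "example.test", "X-Note": "bad\r\nvalue"}),
    ("GET", {"Host": "example.test", "User-Agent": "curl/8"}),
]

if __name__ == "__main__":
    for method, hdrs in SAMPLES:
        print(method, cpdos_indicators(method, hdrs) or "clean")
    print("cache 400:", may_cache_response(400, {}), "cache 404:", may_cache_response(404, {}))
```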

Source: opennet.ru