New ‘CPDoS’ Web Cache Poisoning Attack Impacts Content Delivery Networks (CDN)

• CPDoS attack can block and disable any web resource that is distributed through Content Distribution Networks (CDNs) via an HTTP request with a malicious header.
• Researchers recommend deploying Web Application Firewalls (WAF) in order to mitigate CPDoS attacks.

What’s new?

Researchers from the Technical University of Cologne (TH Koln) have detailed a new class of web cache poisoning attacks named ‘Cache-Poisoned Denial of Service (CPDoS)’ that impacts Content Delivery Networks (CDNs).

How does CPDoS work?

CPDoS attack can block and disable any web resource that is distributed through Content Distribution Networks (CDNs) via an HTTP request with a malicious header.

• An attacker sends a simple HTTP request containing a malicious header against the target resource provided by some web server.
• This request is processed by the intermediate cache, while the malicious header remains idle.
• Upon which, the intermediate cache forwards the request to the origin server.
• At the origin server, the HTTP request shows an error due to the malicious header it contains.
• As a consequence, the origin server returns an error page that gets stored by the cache instead of the requested resource.
• Legitimate users trying to obtain the target resource with subsequent requests will get the cached error page instead of the original content.

What are the different types of CPDoS?

Researchers have detected three variations of CPDoS, which include

• HTTP Header Oversize (HHO)
• HTTP Meta Character (HMC)
• HTTP Method Override (HMO)

What is the impact?

The researchers noted that the CDNs operate across large geographical locations and the error page generated by a CPDoS attack can reach multiple cache server locations. However, they determined that not all edge servers are affected by this threat and some clients will still receive the valid pages from the origin server.

During their research, an attack coordinated from Germany (Frankfurt) against a target in the same country (Cologne), impacted cache servers across Europe and some parts of Asia.

Mitigations

• In order to avoid CPDoS attacks, experts recommend caching error pages according to the policies of the HTTP standard.
• Content providers are advised to use the appropriate status code for the corresponding error case.
• It is always best to exclude error pages from caching and disable error page caching in the cache configuration, to avoid such attacks.
• Researchers also recommend deploying Web Application Firewalls (WAF) in order to mitigate CPDoS attacks.

“A Web Application Firewalls (WAF) can also be deployed to mitigate CPDoS attacks. However, WAFs must be placed in front of the cache in order to block malicious content before they reach the origin server. WAFs that are placed in front of the origin server can be exploited to provoke error pages that get cached either,” researchers said.

TH Koln team has provided more details about the attack and mitigations in their research paper titled ‘Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack’.