paint-brush
What Is a CDN Cache Poisoning DoS Attack?by@indusface
757 reads
757 reads

What Is a CDN Cache Poisoning DoS Attack?

by IndusfaceMay 6th, 2022
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

Cache poisoning is where an HTTP request tricks a web server into responding with a harmful resource. This resource will have the same cache key as a normal, clean request, making it indistinguishable. This contaminated resource will then get cached and served to others. CPDoS attack poses an increased risk. Even attackers can disable critical messages or security alerts on mission-critical websites like official governmental or online banking websites. An effective countermeasure against CPDoS attacks is deploying WAF (Web Application Firewall)

Company Mentioned

Mention Thumbnail

Coins Mentioned

Mention Thumbnail
Mention Thumbnail
featured image - What Is a CDN Cache Poisoning DoS Attack?
Indusface HackerNoon profile picture

DoS attacks aren’t anything new. But with organizational technology stacks becoming increasingly complex, there are always new variables that can lead to unexpected behaviors. Hackers are constantly looking for security holes and are liable to exploit them.


Director of Research at PortSwigger, James Kettle, said, “The specific thing where you can cause a denial-of-service by poisoning the cache, there are so many ways to do.” He even says it would be impossible for one person to find all the exploits.


A DoS attack related to cache poisoning is a new security threat emerging in recent years. Cache Poisoning DoS attack, also known as CPDoS attack, is a type of DoS attack that primarily depends on the cache mechanism of the webserver. Here’s what you need to know.

What Is Cache Poisoning?

Cache poisoning is where an HTTP request tricks a web server into responding with a harmful resource. This resource will have the same cache key as a normal, clean request, making it indistinguishable. This contaminated resource will then get cached and served to others.



Image source: varutra


What Are DoS Attacks?

DoS refers to Denial-of-Service. A DoS attack is where the perpetrator makes cloud applications and internet content inaccessible to its users. This is achieved by shutting down a machine or network.


DoS attacks either flood the target with traffic or send information that results in crashes. Regardless of the method, the attack will deprive users of access to services or resources, sometimes for hours at a time.


The most popular types of flood attacks include the following:


● Buffer overflow attacks: The goal here is to send more traffic to a network than it has been designed to handle.


● SYN flood: Interrupts the handshake at the server, and keeps saturating open ports with requests until no others are available.


● ICMP flood: This method will send spoofed packets pinging every machine on a specific network. This triggers the network to amplify traffic.

Cache Poisoning DoS (CPDoS) Attack

In cache poisoning DoS attacks, the attacker targets an intermediate cache proxy server, which resides between the web server and the client (victim) with malicious HTTP requests and configures the cache response with error-related code (e.g., 400 bad Request).


Here is the CPDoS attack flow:



Source: varutra


  • The attacker sends an HTTP request with a malicious header to the webserver.
  • The intermediate cache server processes the request. As the malicious header remains inconspicuous, the cache server forwards it to the origin server.
  • The origin server recognizes the malicious requests and responds with an error message.
  • Consequently, the error response will be cached by the cache server instead of the requested resources, and the same will be sent as a response to the attacker.
  • Whenever the legitimate user initiates the request, he will receive the cached error message as a response.


This type of DoS attack results in a high probability of success with minimum or zero risk of being detected. CPDoS attack poses an increased risk. Attackers can even disable critical messages or security alerts on mission-critical websites like official governmental or online banking websites.


For example, a CPDoS attack can prevent security alerts about phishing emails from being shown to the corresponding users.

How To Protect Against CPDoS Attacks?

Technically, your first line of defense is caching the error message based on the HTTP standard policies. Configure CDNs not to cache all error messages but errors like 405 (Method not Permitted), 404 (Not Found), 501 (Cannot be Implemented), and 410 (Lost or Gone) based on CDN web caching standard.


An effective countermeasure against CPDoS attacks is deploying a WAF (Web Application Firewall) to block malicious requests before reaching the origin server.


There are many options available, and most, if not all, claim to offer unique protective measures against cache poisoning attacks. But every individual, organization, or company would do well to understand their own needs before committing to anyone's service. And that means finding the right WAF makes a difference.


Finding a WAF with a secure CDN, DoS protection, SSL integration, intelligent caching, solid customer support, and other customization options would prove invaluable.

Conclusion

Website and cloud application downtime can affect revenue, user experience, brand credibility, customer retention, customer acquisition, and search engine rankings.


CDN cache poisoning allows hackers to exploit your cloud applications and launch DoS attacks against them. Having understood the risks involved, protecting against such attacks will help you retain a stronger connection with your customers, employees, and users.