CDN Cache Poisoning DDoS’ed Cloud Apps
Researchers have discovered more than 70 flaws in combinations of cloud applications and content delivery networks (CDNs) that could be used to poison CDN caches and cause denial-of-service (DoS) conditions in the applications behind them.
The flaws stem from inconsistencies in how various content-caching services and technologies handle common header variations, such as capitalization of the host information, URL fragments, and invalid values. Because the caching layer may process the information differently from the application (for example, lowercasing a capitalized header before building the cache key while forwarding the original value), the application might return an error, which the caching service then stores under a legitimate application route. The result is that valid HTTP or API requests receive the cached error, effectively creating a DoS condition.
The research shows that poisoning Web caches remains a significant threat to cloud applications. As architectures grow more complex, more such vulnerabilities are likely to appear, making cache poisoning a fertile area for further research.
Using Web cache poisoning to block access to cloud services and websites is a very efficient DoS attack. A single request, when cached, can cause a site, service, or specific page to become inaccessible for hours, depending on the length of time between cache refreshes. Any Web or API request that a CDN passes to the application that causes the application to throw an exception could poison the cache and result in a DoS attack.
The researcher originally discovered a flaw in a specific configuration of the Varnish Web caching proxy, but soon found that some services, including Cloudflare and Fastly, were vulnerable to a capitalized host header attack: the CDNs lowercased the header when building the cache index and treated the request as valid, while some case-sensitive applications returned an error that was then cached.
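The mismatch described above, modelled as an added example that is not part of the article or any vendor's code: a toy CDN in front of a hypothetical case-sensitive origin (`example.test` is a constructed host), showing how normalising the Host header only in the cache key lets a single error response be served to legitimate users, and how either of two defender-side settings (not storing error responses, or keying on the exact header value) closes the gap.

```python
# Added example (not from the article): minimal model of a CDN cache in front
# of a case-sensitive origin. Names, hosts and settings are constructed.
from typing import Dict, Tuple

Response = Tuple[int, str]  # (HTTP status, body)


def origin(host: str, path: str) -> Response:
    """Hypothetical case-sensitive origin: only the exact lowercase host is accepted."""
    if host != "example.test":
        return (400, "bad host")
    return (200, f"page for {path}")


class Cdn:
    def __init__(self, cache_errors: bool, normalise_key: bool) -> None:
        self.cache: Dict[Tuple[str, str], Response] = {}
        self.cache_errors = cache_errors    # weak when True: 4xx/5xx are stored
        self.normalise_key = normalise_key  # weak when True: key lowercases Host

    def key(self, host: str, path: str) -> Tuple[str, str]:
        return ((host.lower() if self.normalise_key else host), path)

    def fetch(self, host: str, path: str) -> Response:
        k = self.key(host, path)
        if k in self.cache:
            return self.cache[k]
        # The origin sees the raw header even though the key was normalised.
        resp = origin(host, path)
        if resp[0] < 400 or self.cache_errors:
            self.cache[k] = resp
        return resp


def status_seen_by_legit_user(cdn: Cdn) -> int:
    """One mismatched-case request, then a normal one; return what the normal one gets."""
    cdn.fetch("EXAMPLE.TEST", "/index.html")   # constructed mismatched request
    return cdn.fetch("example.test", "/index.html")[0]


if __name__ == "__main__":
    print("weak     :", status_seen_by_legit_user(Cdn(cache_errors=True, normalise_key=True)))
    print("no-error :", status_seen_by_legit_user(Cdn(cache_errors=False, normalise_key=True)))
    print("exact-key:", status_seen_by_legit_user(Cdn(cache_errors=True, normalise_key=False)))
```

The weak configuration returns 400 to the legitimate request; both hardened configurations return 200, which is the check a practitioner would reproduce against a real cache with a non-production hostname.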
This research underscores that cache-based DoS attacks, which cloud-service providers often exclude from bug-bounty programs, should be considered in scope in the future. While no company wants to encourage hackers to experiment with methods that might take down its site or service, companies should want to know whether attackers could disrupt that service.
Going forward, more companies should consider DoS attacks, especially those triggered by a single request or by exploiting architectural weaknesses, to be in scope for penetration tests and bug bounties.