Exploiting Content Delivery Networks for covert channel communications

We proposed a CDN-based covert channel communication attack. We performed experiments on a commercial CDN to show that such an attack is possible. We discussed possible countermeasures against such an attack.

Content Delivery Networks (CDNs) have become an important infrastructure in today's Internet architecture. More and more content providers use CDNs to improve their service quality and reliability. However, the better quality of service (QoS) that CDNs provide could also be abused by attackers to commit network crimes. In this paper, we show that CDNs can be used as a covert communication channel to circumvent network censorship. Specifically, we propose the CDN covert channel attack, in which accessing content through different CDN nodes forms a unique pattern that can be used to encode secret messages. We implemented a proof-of-concept covert channel based on our proposed attack on CloudFront, a commercial CDN service provided by Amazon Web Services. We showed that our constructed covert channel can transmit messages of various lengths with an average transmission efficiency of 2.29 bits per request (i.e., each penetration request transmits 2.29 bits of the secret message on average). After presenting the CDN covert channel attack, we also discuss possible countermeasures.
