Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack

Web caching enables the reuse of HTTP responses with the aim of reducing the number of requests that reach the origin server, the volume of network traffic resulting from resource requests, and the user-perceived latency of resource access. For these reasons, a cache is a key component in modern distributed systems as it enables applications to scale at large. In addition to optimizing performance metrics, caches provide additional protection against Denial of Service (DoS) attacks. In this paper we introduce and analyze a new class of web cache poisoning attacks. By provoking an error on the origin server that is not detected by the intermediate caching system, the cache gets poisoned with the server-generated error page and instrumented to serve this useless content instead of the intended one, rendering the victim service unavailable. In an extensive study of fifteen web caching solutions we analyzed the negative impact of the Cache-Poisoned DoS (CPDoS) attack, as we coined it. We show the practical relevance by identifying one proxy cache product and five CDN services that are vulnerable to CPDoS. Amongst them are prominent solutions that in turn cache high-value websites. The consequences are severe as one simple request is sufficient to paralyze a victim website within a large geographical region. Awareness of the newly introduced CPDoS attack is highly valuable for researchers seeking a comprehensive understanding of its causes and countermeasures, as well as for practitioners implementing robust and secure distributed systems.
