Abusing CDNs for Fun and Profit: Security Issues in CDNs' Origin Validation

Content Delivery Networks (CDNs) are critical Internet infrastructure. Besides high availability and high performance, CDNs also provide security services such as anti-DoS and Web Application Firewalls to CDN-powered websites. However, the massive resources of CDNs may also be leveraged by attackers exploiting their architectural, implementation, or operational weaknesses. In this paper, we show that today's CDN operation is overly loose in its customer-controlled forwarding policy, and that the lack of origin validation leads to a wide range of abuse cases such as DoS attacks and stealthy port scans. We systematically study these abuse cases and demonstrate their feasibility in popular CDNs. Further, we evaluate the impact of these abuses, finding that there are millions of CDN edge servers and that a substantial fraction of them can be abused. Lastly, we propose mitigation solutions against such abuses and discuss their feasibility.
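The origin-validation gap named above, as an added defender-side illustration that is not code from the paper: a policy check a CDN could apply to a customer's configured origin before its edge servers forward to it. The specific checks (standard web ports only, globally routable addresses only) and the constructed `sample_resolver` table are assumptions, not the paper's proposed mitigation.

```python
import ipaddress
from typing import Callable, Dict, List, Tuple

Resolver = Callable[[str], List[str]]
ALLOWED_ORIGIN_PORTS = {80, 443}  # assumption: refuse forwarding to arbitrary ports

def _resolve_literal_or_name(origin: str, resolver: Resolver) -> List[str]:
    """Return IP strings for an origin given as an IP literal or a hostname."""
    try:
        return [str(ipaddress.ip_address(origin))]
    except ValueError:
        return resolver(origin)

def validate_origin(origin: str, port: int, resolver: Resolver) -> Tuple[bool, str]:
    """Decide whether a customer-supplied origin may be forwarded to.

    Returns (accepted, reason). Rejects non-standard ports, so edges cannot be
    pointed at arbitrary services, and any address that is not globally
    routable (loopback, RFC 1918, link-local, reserved), which an edge could
    otherwise reach on the customer's behalf. Every resolved address must pass.
    """
    if port not in ALLOWED_ORIGIN_PORTS:
        return False, f"port {port} not permitted for origins"
    addrs = _resolve_literal_or_name(origin, resolver)
    if not addrs:
        return False, f"{origin} does not resolve"
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if not ip.is_global:
            return False, f"{origin} resolves to non-global address {a}"
    return True, "ok"

# Constructed resolver table standing in for DNS so the example runs offline.
SAMPLE_DNS: Dict[str, List[str]] = {
    "www.example.com": ["93.184.216.34"],
    "intranet.example": ["10.20.0.5"],
    "dual.example": ["93.184.216.34", "127.0.0.1"],
}

def sample_resolver(name: str) -> List[str]:
    return SAMPLE_DNS.get(name, [])

if __name__ == "__main__":
    for origin, port in [("www.example.com", 443), ("intranet.example", 80),
                         ("dual.example", 443), ("198.51.100.7", 8080)]:
        print(origin, port, validate_origin(origin, port, sample_resolver))
```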
