Run Guo,Jianjun Chen,Baojun Liu,Jia Zhang,Chao Zhang,Haixin Duan,Tao Wan,Jian Jiang,Shuang Hao,Yaoqi Jia

DOI: https://doi.org/10.1109/srds.2018.00011

2018-01-01

Abstract:Content Delivery Networks (CDNs) are critical Internet infrastructure. Besides high availability and high performance, CDNs also provide security services such as anti-DoS and Web Application Firewalls to CDN-powered websites. However, the massive resources of CDNs may also be leveraged by attackers exploiting their architectural, implementation, or operational weaknesses. In this paper, we show that today's CDN operation is overly loose in customer-controlled forwarding policy and the lack of origin validation leads to a wide range of abuse cases such as DoS attack and stealthy port scan. We systematically study these abuse cases and demonstrate their feasibility in popular CDNs. Further, we evaluate the impact of these abuses by discovering that there are millions of CDN edge servers, and a substantial fraction of them can be abused. Lastly, we propose mitigation solutions against such abuses and discuss their feasibility.

Karthika Subramani,Roberto Perdisci,Pierros Skafidas

2023-11-14

Abstract:Domain fronting is a network communication technique that involves leveraging (or abusing) content delivery networks (CDNs) to disguise the final destination of network packets by presenting them as if they were intended for a different domain than their actual endpoint. This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems. Since domain fronting has been known for a few years, some popular CDN providers have implemented traffic filtering approaches to curb its use at their CDN infrastructure. However, it remains unclear to what extent domain fronting has been mitigated. To better understand whether domain fronting can still be effectively used, we propose a systematic approach to discover CDNs that are still prone to domain fronting. To this end, we leverage passive and active DNS traffic analysis to pinpoint domain names served by CDNs and build an automated tool that can be used to discover CDNs that allow domain fronting in their infrastructure. Our results reveal that domain fronting is feasible in 22 out of 30 CDNs that we tested, including some major CDN providers like Akamai and Fastly. This indicates that domain fronting remains widely available and can be easily abused for malicious purposes.

Cryptography and Security,Networking and Internet Architecture

Mingming Zhang,Xiang Li,Baojun Liu,Jianyu Lu,Yiming Zhang,Jianjun Chen,Haixin Duan,Shuang Hao,Xiaofeng Zheng

DOI: https://doi.org/10.1145/3579440

2023-01-01

ACM SIGMETRICS Performance Evaluation Review

Abstract:Public hosting services offer a convenient and secure option for creating web applications. However, adversaries can take over a domain by exploiting released service endpoints, leading to hosting-based domain takeover. This threat has affected numerous popular websites, including the subdomains of microsoft.com. However, no effective detection system for identifying vulnerable domains at scale exists to date. This paper fills the research gap by presenting a novel framework, HostingChecker, for detecting domain takeovers. HostingChecker expands detection scope and improves efficiency compared to previous work by: (i) identifying vulnerable hosting services using a semi-automated method; and (ii) detecting vulnerable domains through passive reconstruction of domain dependency chains. The framework enables us to detect the subdomains of Tranco sites on a daily basis. It discovers 10,351 vulnerable subdomains under Tranco Top-1M apex domains, which is over 8× more than previous findings, demonstrating its effectiveness. Furthermore, we conduct an in-depth security analysis on the affected vendors (e.g., Amazon, Alibaba) and gain a suite of new insights, including flawed domain ownership validation implementation. In the end, we have reported the issues to the security response centers of affected vendors, and some (e.g., Baidu and Tencent) have adopted our mitigation. The full paper is provided in [2].

Jinjin Liang,Jian Jiang,Haixin Duan,Kang Li

DOI: https://doi.org/10.1109/SP.2014.12

2014-01-01

Security and Privacy

Abstract:Content Delivery Network (CDN) and Hypertext Transfer Protocol Secure (HTTPS) are two popular but independent web technologies, each of which has been well studied individually and independently. This paper provides a systematic study on how these two work together. We examined 20 popular CDN providers and 10,721 of their customer web sites using HTTPS. Our study reveals various problems with the current HTTPS practice adopted by CDN providers, such as widespread use of invalid certificates, private key sharing, neglected revocation of stale certificates, and insecure back-end communication. While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service. To address the delegation problem when HTTPS meets CDN, we proposed and implemented a lightweight solution based on DANE (DNS-based Authentication of Named Entities), an emerging IETF protocol complementing the current Web PKI model. Our implementation demonstrates that it is feasible for HTTPS to work with CDN securely and efficiently. This paper intends to provide a context for future discussion within security and CDN community on more preferable solutions.

Minyuan Zhou,Jiaqi Zheng,Guihai Chen,Wanchun Dou

DOI: https://doi.org/10.1145/3603165.3607455

2023-01-01

Abstract:As the use of Content Delivery Networks (CDNs) continues to grow, it has become increasingly difficult to accurately identify which CDNs are being used by a particular website or domain. In this paper, we propose a new method for detecting CDNs, including multiple-CDN deployments, behind domains using a combination of DNS and HTTP-based measurements. Our key observation is that using a few vantage points can detect nearly all CDN(s) behind the websites. Thus, we first design a heuristic algorithm to select representative vantage points and retrieve DNS and HTTP(S) information to identify patterns that are indicative of the use of CDNs. We run our method on the top 10k websites in tranco list and detect 6,392 domains hosted on CDNs, of which 200 are hosted on multiple-CDN, accounting for 2.0% of the total.

Milad Ghaznavi,Elaheh Jalalpour,Mohammad A. Salahuddin,Raouf Boutaba,Daniel Migault,Stere Preda

DOI: https://doi.org/10.1109/comst.2021.3093492

2021-01-01

Abstract:A content delivery network (CDN) is a distributed infrastructure to deliver digital contents to end users with high performance. CDNs are critical to provide and protect the availability of Internet contents. However, adversaries can not only evade the CDN protection but also weaponize CDN resources to mount more sophisticated attacks. In this paper, we provide the first survey on CDN security. We categorize CDN security challenges per CDN infrastructure components, discuss possible countermeasures and their effectiveness, and delineate future research directions. This paper aims to highlight the state of CDN security and identify important research challenges in this area.

computer science, information systems,telecommunications

Run Guo,Weizhong Li,Baojun Liu,Shuang Hao,Jia Zhang,Haixin Duan,Kaiwen Sheng,Jianjun Chen,Ying Liu

DOI: https://doi.org/10.14722/ndss.2020.24411

2020-01-01

Abstract:A content delivery network (CDN) improves the accessing performance and availability of websites via its globally distributed network infrastructures, which contributes to the thriving of CDN-powered websites on the Internet. Because CDN-powered websites normally operate important businesses or critical services, attackers are mostly interested in taking down these high-value websites, to achieve severe damage with maximum influence. Because the CDN absorbs distributed attacking traffic with its massive bandwidth resources, it is commonly believed that CDN vendors provide effective DoS protection for the CDN-powered websites. However, we reveal that implementation or protocol weaknesses in the forwarding mechanisms of the CDN can be exploited to break this CDN protection. By sending crafted but legal requests, an attacker can launch an efficient DoS attack against the website origin behind it. In particular, we present three CDN threats in this study. By abusing the HTTP/2 request-converting behavior and HTTP pre-POST behavior of a CDN, an attacker can saturate the CDN-origin bandwidth and exhaust the connection limits of the origin. What is more concerning is that some CDN vendors use only a small set of traffic forwarding IPs with lower IP-churning rates to establish connections with the origin. This characteristic provides a great opportunity for an attacker to effectively degrade the global availability of a website just by cutting off specific CDN-origin connections. In this work, we examine the CDN request-forwarding behaviors across six well-known CDN vendors and perform real-world experiments to evaluate the severity of the threats. Because the threats are caused by flawed trade-offs made by the CDN vendors between usability and security, we discuss possible mitigation and received positive feedback after responsible disclosure to the aforementioned CDN vendors.

Ziyu Lin,Zhiwei Lin,Ximeng Liu,Zuobing Ying,Cheng Chen

2024-09-01

Abstract:Content Delivery Networks (CDNs) are designed to enhance network performance and protect against web attack traffic for their hosting websites. And the HTTP compression request mechanism primarily aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks introduced when CDNs meet compression requests. In this paper, we present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts. Our experimental results show that all these CDNs are affected by the CDN-Convet attacks. We have also disclosed our findings to affected CDN providers and have received constructive feedback.

Cryptography and Security

Rui Xin,Shihan Lin,Xiaowei Yang

DOI: https://doi.org/10.48550/arXiv.2301.03690

2023-02-01

Abstract:Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's user sensitive information such as a user's login password to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users' passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or an insider attack, many users' accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this vulnerability by encrypting users' passwords in HTTPS connections. Our measurement shows that less than 17% of the websites adopt this countermeasure.

Cryptography and Security,Networking and Internet Architecture

Li Yang,Abdallah Moubayed,Abdallah Shami,Parisa Heidari,Amine Boukhtouta,Adel Larabi,Richard Brunner,Stere Preda,Daniel Migault

DOI: https://doi.org/10.1109/TNSM.2021.3100308

2021-07-24

Abstract:Content delivery networks (CDNs) provide efficient content distribution over the Internet. CDNs improve the connectivity and efficiency of global communications, but their caching mechanisms may be breached by cyber-attackers. Among the security mechanisms, effective anomaly detection forms an important part of CDN security enhancement. In this work, we propose a multi-perspective unsupervised learning framework for anomaly detection in CDNs. In the proposed framework, a multi-perspective feature engineering approach, an optimized unsupervised anomaly detection model that utilizes an isolation forest and a Gaussian mixture model, and a multi-perspective validation method, are developed to detect abnormal behaviors in CDNs mainly from the client Internet Protocol (IP) and node perspectives, therefore to identify the denial of service (DoS) and cache pollution attack (CPA) patterns. Experimental results are presented based on the analytics of eight days of real-world CDN log data provided by a major CDN operator. Through experiments, the abnormal contents, compromised nodes, malicious IPs, as well as their corresponding attack types, are identified effectively by the proposed framework and validated by multiple cybersecurity experts. This shows the effectiveness of the proposed method when applied to real-world CDN data.

Cryptography and Security,Artificial Intelligence,Machine Learning,Networking and Internet Architecture

Shigang Liu,Guanjun Lin,Lizhen Qu,Jun Zhang,Olivier De Vel,Paul Montague,Yang Xiang

DOI: https://doi.org/10.1109/tdsc.2020.2984505

2022-01-01

Abstract:A major cause of security incidents such as cyber attacks is rooted in software vulnerabilities. These vulnerabilities should ideally be found and fixed before the code gets deployed. Machine learning-based approaches achieve state-of-the-art performance in capturing vulnerabilities. These methods are predominantly supervised. Their prediction models are trained on a set of ground truth data where the training data and test data are assumed to be drawn from the same probability distribution. However, in practice, the test data often differs from the training data in terms of distribution because they are from different projects or they differ in the types of vulnerability. In this article, we present a new system for C ross D omain Software Vul nerability D iscovery ( CD-VulD ) using deep learning (DL) and domain adaptation (DA). We employ DL because it has the capacity of automatically constructing high-level abstract feature representations of programs, which are likely of more cross-domain useful than the handcrafted features driven by domain knowledge. The divergence between distributions is reduced by learning cross-domain representations. First, given software program representations, CD-VulD converts them into token sequences and learns the token embeddings for generalization across tokens. Next, CD-VulD employs a deep feature model to build abstract high-level presentations based on those sequences. Then, the metric transfer learning framework (MTLF) technique is employed to learn cross-domain representations by minimizing the distribution divergence between the source domain and the target domain. Finally, the cross-domain representations are used to build a classifier for vulnerability detection. Experimental results show that CD-VulD outperforms the state-of-the-art vulnerability detection approaches by a wide margin. We make the new datasets publicly available so that our work is replicable and can be further improved.

Linkai Zheng,Xiang Li,Chuhan Wang,Run Guo,Haixin Duan,Jianjun Chen,Chao Zhang,Kaiwen Shen

DOI: https://doi.org/10.14722/ndss.2024.24031

2024-01-01

Abstract:Content Delivery Networks (CDNs) are ubiquitous middleboxes designed to enhance the performance of hosted websites and shield them from various attacks.Numerous notable studies show that CDNs modify a client's request when forwarding it to the original server.Multiple inconsistencies in this forwarding operation have been found to potentially result in security vulnerabilities like DoS attacks.Nonetheless, existing research lacks a systematic approach to studying CDN forwarding request inconsistencies.In this work, we present REQSMINER, an innovative fuzzing framework developed to discover previously unexamined inconsistencies in CDN forwarding requests.The framework uses techniques derived from reinforcement learning to generate valid test cases, even with minimal feedback, and incorporates real field values into the grammar-based fuzzer.With the help of REQSMINER, we comprehensively test 22 major CDN providers and uncover a wealth of hitherto unstudied CDN forwarding request inconsistencies.Moreover, the application of specialized analyzers enables REQSMINER to extend its capabilities, evolving into a framework capable of detecting specific types of attacks.By extension, our work further identifies three novel types of HTTP amplification DoS attacks and uncovers 74 new potential DoS vulnerabilities with an amplification factor that can reach up to 2,000 generally, and even 1,920,000 under specific conditions.The vulnerabilities detected were responsibly disclosed to the affected CDN vendors, and mitigation suggestions were proposed.Our work contributes to fortifying CDN security, thereby enhancing their resilience against malicious attacks and preventing misuse.

Fenglu Zhang,Yunyi Zhang,Baojun Liu,Eihal Alowaisheq,Lingyun Ying,Xiang Li,Zaifeng Zhang,Ying Liu,Haixin Duan,Min Zhang

DOI: https://doi.org/10.1145/3618257.3624839

2023-01-01

Abstract:Leveraging DNS for covert communications is appealing since most networks allow DNS traffic, especially the ones directed toward renowned DNS hosting services. Unfortunately, most DNS hosting services overlook domain ownership verification, enabling miscreants to host undelegated DNS records of a domain they do not own. Consequently, miscreants can conduct covert communication through such undelegated records for whitelisted domains on reputable hosting providers. In this paper, we shed light on the emerging threat posed by undelegated records and demonstrate their exploitation in the wild. To the best of our knowledge, this security risk has not been studied before. We conducted a comprehensive measurement to reveal the prevalence of the risk. In total, we observed 1,580,925 unique undelegated records that are potentially abused. We further observed that a considerable portion of these records are associated with malicious behaviors. By utilizing threat intelligence and malicious traffic collected by malware sandbox, we extracted malicious IP addresses from 25.41% of these records, spanning 1,369 Tranco top 2K domains and 248 DNS hosting providers, including Cloudflare and Amazon. Furthermore, we discovered that the majority of the identified malicious activities are Trojan-related. Moreover, we conducted case studies on two malware families (Dark.IOT and Specter) that exploit undelegated records to obtain C2 servers, in addition to the masquerading SPF records to conceal SMTP-based covert communication. Also, we provided mitigation options for different entities. As a result of our disclosure, several popular hosting providers have taken action to address this issue.

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

Shuhan Zhang,Shuai Wang,Dan Li

DOI: https://doi.org/10.1109/infocom52122.2024.10621098

2024-01-01

Abstract:DNS relies on domain delegation for good scalability, where domains delegate their resolution service to authoritative nameservers. However, such delegations lead to complex interdependencies between DNS zones. While a complex dependency might improve the robustness of domain resolution, it could also introduce security risks unexpectedly. In this work, we perform a large-scale measurement on nearly 217M domains to analyze their resolution dependencies at both zone level and infrastructure level. According to our analysis, domains under country-code TLDs and new generic TLDs generally present more complicated dependency relationships. For robustness consideration, popular domains prefer to configure more complex dependencies. However, the centralization of nameserver hosting and the silent outsourcing of DNS providers could lead to severe false redundancy at infrastructure level. Worse, considerable domain configurations in the wild are "not robust but risky": a more complex dependency may also indicate more vulnerabilities, e.g., domains with a 2x higher dependency complexity have a 2.87x larger proportion suffering from the hijacking risk brought by lame delegation.

Xiang Li,Chaoyi Lu,Baojun Liu Fi,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

2023-01-01

Abstract:In this paper, we report MAGINOTDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g.,.com and.net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MAGINOTDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Weizhong Li,Kaiwen Shen,Run Guo,Baojun Liu,Jia Zhang,Haixin Duan,Shuang Hao,Xiarun Chen,Yao Wang

DOI: https://doi.org/10.1109/dsn48063.2020.00022

2020-01-01

Abstract:Content Delivery Networks (CDNs) aim to improve network performance and protect against web attack traffic for their hosting websites. And the HTTP range request mechanism is majorly designed to reduce unnecessary network transmission. However, we find the specifications failed to consider the security risks introduced when CDNs meet range requests. In this study, we present a novel class of HTTP amplification attack, Range-based Amplification (RangeAmp) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the RangeAmp attacks on 13 popular CDNs to evaluate the feasibility and real-world impacts. Our experiment results show that all these CDNs are affected by the RangeAmp attacks. We also disclosed all security issues to affected CDN vendors and already received positive feedback from 12 vendors.

Mingkai Tong,Xiaoqing Sun,Jiahai Yang,Hui Zhang,Shuang Zhu,Xinran Liu,Heng Liu

DOI: https://doi.org/10.1007/978-3-030-29551-6_41

2019-01-01

Abstract:Modern malware typically uses domain generation algorithm (DGA) to avoid blacklists. However, it still leaks trace by causing excessive Non-existent domain responses when trying to contact with the command and control (C&C) servers. In this paper, we propose a novel system named D3N to detect DGA domains by analyzing NXDomains with deep learning methods. The experiments show that D3N yields 99.7% TPR and 1.9% FPR, outperforming FANCI in both accuracy and efficiency. Besides, our real-world evaluation in a large-scale network demonstrates that D3N is robust in different networks.

Xiang Li,Baojun Liu,Xuesong Bai,Mingming Zhang,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

DOI: https://doi.org/10.14722/ndss.2023.23005

2023-01-01

Abstract:In this paper, we propose PHOENIX DOMAIN, a general and novel attack that allows adversaries to maintain the revoked malicious domain continuously resolvable at scale, which enables an old, mitigated attack, Ghost Domain.PHOENIX DOMAIN has two variations and affects all mainstream DNS software and public DNS resolvers overall because it does not violate any DNS specifications and best security practices.The attack is made possible through systematically "reverse engineer" the cache operations of 8 DNS implementations, and new attack surfaces are revealed in the domain name delegation processes.We select 41 well-known public DNS resolvers and prove that all surveyed DNS services are vulnerable to PHOENIX DOMAIN, including Google Public DNS and Cloudflare DNS.Extensive measurement studies are performed with 210k stable and distributed DNS recursive resolvers, and results show that even after one month from domain name revocation and cache expiration, more than 25% of recursive resolvers can still resolve it.The proposed attack provides an opportunity for adversaries to evade the security practices of malicious domain take-down.We have reported discovered vulnerabilities to all affected vendors and suggested 6 types of mitigation approaches to them.Until now, 7 DNS software providers and 15 resolver vendors, including BIND, Unbound, Google, and Cloudflare, have confirmed the vulnerabilities, and some of them are implementing and publishing mitigation patches according to our suggestions.In addition, 9 CVE numbers have been assigned.The study calls for standardization to address the issue of how to revoke domain names securely and maintain cache consistency.

Haifeng Gu,Jianning Zhang,Tian Liu,Ming Hu,Junlong Zhou,Tongquan Wei,Mingsong Chen

DOI: https://doi.org/10.1109/tr.2019.2925415

IF: 5.883

2020-01-01

IEEE Transactions on Reliability

Abstract:SQL injection attack (SQLIA) is among the most common security threats to web-based services that are deployed on cloud. By exploiting web software vulnerabilities, SQL injection attackers can run arbitrary malicious code on target databases to acquire or compromise sensitive data. Although web application firewalls (WAFs) are offered by most cloud service providers, tenants are reluctant to pay for them, since there are few approaches that can report accurate SQLIA statistics for their deployed services. Traditional WAFs focus on blocking suspicious SQL requests. Few of them can accurately decide whether an attack is really harmful and quickly answer how severe the attack is. To raise the tenants' awareness of the seriousness of SQLIAs, in this paper, we introduce a novel traffic-based SQLIA detection and vulnerability analysis framework named DIAVA, which can proactively send warnings to tenants promptly. By analyzing the bidirectional network traffic of SQL operations and applying our proposed multilevel regular expression model, DIAVA can accurately identify successful SQLIAs among all the suspects. Meanwhile, the severity of such SQLIAs and the vulnerabilities of the corresponding leaked data can be quickly evaluated by DIAVA based on its GPU-based dictionary attack analysis engine. Experimental results show that DIAVA not only outperforms state-of-the-art WAFs in detecting SQLAs from the perspectives of precision and recall, but also enables real-time vulnerability evaluation of leaked data caused by SQL injection.