Run Guo,Weizhong Li,Baojun Liu,Shuang Hao,Jia Zhang,Haixin Duan,Kaiwen Sheng,Jianjun Chen,Ying Liu

DOI: https://doi.org/10.14722/ndss.2020.24411

2020-01-01

Abstract:A content delivery network (CDN) improves the accessing performance and availability of websites via its globally distributed network infrastructures, which contributes to the thriving of CDN-powered websites on the Internet. Because CDN-powered websites normally operate important businesses or critical services, attackers are mostly interested in taking down these high-value websites, to achieve severe damage with maximum influence. Because the CDN absorbs distributed attacking traffic with its massive bandwidth resources, it is commonly believed that CDN vendors provide effective DoS protection for the CDN-powered websites. However, we reveal that implementation or protocol weaknesses in the forwarding mechanisms of the CDN can be exploited to break this CDN protection. By sending crafted but legal requests, an attacker can launch an efficient DoS attack against the website origin behind it. In particular, we present three CDN threats in this study. By abusing the HTTP/2 request-converting behavior and HTTP pre-POST behavior of a CDN, an attacker can saturate the CDN-origin bandwidth and exhaust the connection limits of the origin. What is more concerning is that some CDN vendors use only a small set of traffic forwarding IPs with lower IP-churning rates to establish connections with the origin. This characteristic provides a great opportunity for an attacker to effectively degrade the global availability of a website just by cutting off specific CDN-origin connections. In this work, we examine the CDN request-forwarding behaviors across six well-known CDN vendors and perform real-world experiments to evaluate the severity of the threats. Because the threats are caused by flawed trade-offs made by the CDN vendors between usability and security, we discuss possible mitigation and received positive feedback after responsible disclosure to the aforementioned CDN vendors.

Run Guo,Jianjun Chen,Yihang Wang,Keran Mu,Baojun Liu,Xiang Li,Chao Zhang,Haixin Duan,Jianping Wu

2023-01-01

Abstract:As one cornerstone of Internet infrastructure, Content Delivery Networks (CDNs) work as a globally distributed proxy platform between clients and websites, providing the functionalities of speeding up content delivery, offloading web traffic, and DDoS protection. In this paper, however, we reveal that inherent nature of CDN forwarding network can be exploited to compromise service availability. We present a new class of pulsing denial of service attack, named CDN-Convex attack. We explore the possibility of exploiting the CDN infrastructure as a converging lens, and concentrating low-rate attacking requests into short, high-bandwidth pulse waves, resulting in a pulsing DDoS attack to saturate the targeted TCP services periodically. Through real-world experiments on five leading CDN vendors, we demonstrate that the CDN-Convex attack is practical and flexible. We show that attackers can use it to achieve peak bandwidths over 1000 times greater than their upload bandwidth, seriously degrading the performance and availability of target services. Following the responsible disclosure policy, we report our attack details to all affected CDN vendors and propose possible mitigation solutions.

Ziyu Lin,Zhiwei Lin,Ximeng Liu,Zuobing Ying,Cheng Chen

2024-09-01

Abstract:Content Delivery Networks (CDNs) are designed to enhance network performance and protect against web attack traffic for their hosting websites. And the HTTP compression request mechanism primarily aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks introduced when CDNs meet compression requests. In this paper, we present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts. Our experimental results show that all these CDNs are affected by the CDN-Convet attacks. We have also disclosed our findings to affected CDN providers and have received constructive feedback.

Cryptography and Security

Weizhong Li,Kaiwen Shen,Run Guo,Baojun Liu,Jia Zhang,Haixin Duan,Shuang Hao,Xiarun Chen,Yao Wang

DOI: https://doi.org/10.1109/dsn48063.2020.00022

2020-01-01

Abstract:Content Delivery Networks (CDNs) aim to improve network performance and protect against web attack traffic for their hosting websites. And the HTTP range request mechanism is majorly designed to reduce unnecessary network transmission. However, we find the specifications failed to consider the security risks introduced when CDNs meet range requests. In this study, we present a novel class of HTTP amplification attack, Range-based Amplification (RangeAmp) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the RangeAmp attacks on 13 popular CDNs to evaluate the feasibility and real-world impacts. Our experiment results show that all these CDNs are affected by the RangeAmp attacks. We also disclosed all security issues to affected CDN vendors and already received positive feedback from 12 vendors.

Ziyu Lin,Zhiwei Lin,Run Guo,Jianjun Chen,Mingming Zhang,Ximeng Liu,Tianhao Yang,Zhuoran Cao,Robert H. Deng

2024-09-03

Abstract:Content Delivery Networks (CDNs) offer a protection layer for enhancing the security of websites. However, a significant security flaw named Absence of Domain Verification (DVA) has become emerging recently. Although this threat is recognized, the current practices and security flaws of domain verification strategies in CDNs have not been thoroughly investigated. In this paper, we present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs. Our evaluation of 45 major CDN providers reveals the prevalence of DVA: most (39/45) providers do not perform any verification, and even those that do remain exploitable. Additionally, we used DVAHunter to conduct a large-scale measurement of 89M subdomains from Tranco's Top 1M sites hosted on the 45 CDNs under evaluation. Our focus was on two primary DVA exploitation scenarios: covert communication and domain hijacking. We identified over 332K subdomains vulnerable to domain abuse. This tool provides deeper insights into DVA exploitation and allows us to propose viable mitigation practices for CDN providers. To date, we have received vulnerability confirmations from 12 providers; 6 (e.g., Edgio, Kuocai) have implemented fixes, and 1 (ChinaNetCenter) are actively working on solutions based on our recommendations.

Cryptography and Security

Bo Zhou,Xuming Pan

DOI: https://doi.org/10.1109/ITAP.2011.6006202

2011-01-01

Abstract:The paper describes the principle of content delivery network (CDN) architecture and CDN's access control for security feature. It lists 4 methods to implement access control and designs one of these methods: cookie-based centralized authorization. To avoid the drawbacks of centralized authorization, it is improved using cookie-based edge authorization. The summary is made at the end of the paper. © 2011 IEEE.

Linkai Zheng,Xiang Li,Chuhan Wang,Run Guo,Haixin Duan,Jianjun Chen,Chao Zhang,Kaiwen Shen

DOI: https://doi.org/10.14722/ndss.2024.24031

2024-01-01

Abstract:Content Delivery Networks (CDNs) are ubiquitous middleboxes designed to enhance the performance of hosted websites and shield them from various attacks.Numerous notable studies show that CDNs modify a client's request when forwarding it to the original server.Multiple inconsistencies in this forwarding operation have been found to potentially result in security vulnerabilities like DoS attacks.Nonetheless, existing research lacks a systematic approach to studying CDN forwarding request inconsistencies.In this work, we present REQSMINER, an innovative fuzzing framework developed to discover previously unexamined inconsistencies in CDN forwarding requests.The framework uses techniques derived from reinforcement learning to generate valid test cases, even with minimal feedback, and incorporates real field values into the grammar-based fuzzer.With the help of REQSMINER, we comprehensively test 22 major CDN providers and uncover a wealth of hitherto unstudied CDN forwarding request inconsistencies.Moreover, the application of specialized analyzers enables REQSMINER to extend its capabilities, evolving into a framework capable of detecting specific types of attacks.By extension, our work further identifies three novel types of HTTP amplification DoS attacks and uncovers 74 new potential DoS vulnerabilities with an amplification factor that can reach up to 2,000 generally, and even 1,920,000 under specific conditions.The vulnerabilities detected were responsibly disclosed to the affected CDN vendors, and mitigation suggestions were proposed.Our work contributes to fortifying CDN security, thereby enhancing their resilience against malicious attacks and preventing misuse.

Fenglu Zhang,Baojun Liu,Eihal Alowaisheq,Jianjun Chen,Chaoyi Lu,Linjian Song,Yong Ma,Ying Liu,Haixin Duan,Min Yang

DOI: https://doi.org/10.1145/3576915.3616647

2023-01-01

Abstract:Authoritative nameservers are delegated to provide the final resource record. Since the security and robustness of DNS are critical to the general operation of the Internet, domain owners are required to deploy multiple candidate nameservers for load balancing. Once the load balancing mechanism is compromised, an adversary can manipulate a large number of legitimate DNS requests to a specified candidate nameserver. As a result, it may bypass the defense mechanisms used to filter malicious traffic that can overload the victim nameserver, or lower the bar for DNS traffic hijacking and cache poisoning attacks. In this study, we report on a class of DNS vulnerabilities and present a novel attack, named Disablance, that targets the domains with different NS records severing to multiple sites of authoritative servers. The attack is made possible by a misconfiguration of nameservers that ignores domains outside their authority, combined with recursive resolvers that use a globally shared status for nameserver selection. By targeting authoritative nameservers configured by a large number of domains, Disablance allows adversaries to stealthily sabotage the DNS load balancing for authoritative nameservers at a low cost. Through simply configuring the DNS records for a domain under their control to point to the targeted nameservers and performing a handful of requests, adversaries can temporarily manipulate a given DNS resolver to overload a specific authoritative server. Therefore, Disablance can redirect benign DNS requests for all hosted domains to the specific nameserver and disrupts the load balancing mechanism. Our extensive study proves the security threat of Disablance is realistic and prevalent. First, we demonstrated that mainstream DNS implementations, including BIND9, PowerDNS, and Microsoft DNS, are vulnerable to Disablance. Second, we developed a measurement framework to measure vulnerable authoritative servers in the wild. 22.24% of top 1M FQDNs and 3.94% of top 1M SLDs were proven can be the victims of Disablance. Our measurement results also show that 37.88% of stable open resolvers and 10 of 14 popular public DNS services can be exploited to conduct Disablance, including Cloudflare and Quad9. Furthermore, the critical security threats of Disablance were observed and acknowledged through in-depth discussion with a world-leading DNS service provider. We have reported discovered vulnerabilities and provided recommendations to the affected vendors. Until now, Tencent Cloud (DNSPod) and Amazon have taken action to fix this issue according to our suggestions.

Karthika Subramani,Roberto Perdisci,Pierros Skafidas

2023-11-14

Abstract:Domain fronting is a network communication technique that involves leveraging (or abusing) content delivery networks (CDNs) to disguise the final destination of network packets by presenting them as if they were intended for a different domain than their actual endpoint. This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems. Since domain fronting has been known for a few years, some popular CDN providers have implemented traffic filtering approaches to curb its use at their CDN infrastructure. However, it remains unclear to what extent domain fronting has been mitigated. To better understand whether domain fronting can still be effectively used, we propose a systematic approach to discover CDNs that are still prone to domain fronting. To this end, we leverage passive and active DNS traffic analysis to pinpoint domain names served by CDNs and build an automated tool that can be used to discover CDNs that allow domain fronting in their infrastructure. Our results reveal that domain fronting is feasible in 22 out of 30 CDNs that we tested, including some major CDN providers like Akamai and Fastly. This indicates that domain fronting remains widely available and can be easily abused for malicious purposes.

Cryptography and Security,Networking and Internet Architecture

Jinjin Liang,Jian Jiang,Haixin Duan,Kang Li

DOI: https://doi.org/10.1109/SP.2014.12

2014-01-01

Security and Privacy

Abstract:Content Delivery Network (CDN) and Hypertext Transfer Protocol Secure (HTTPS) are two popular but independent web technologies, each of which has been well studied individually and independently. This paper provides a systematic study on how these two work together. We examined 20 popular CDN providers and 10,721 of their customer web sites using HTTPS. Our study reveals various problems with the current HTTPS practice adopted by CDN providers, such as widespread use of invalid certificates, private key sharing, neglected revocation of stale certificates, and insecure back-end communication. While some of those problems are operational issues only, others are rooted in the fundamental semantic conflict between the end-to-end nature of HTTPS and the man-in-the-middle nature of CDN involving multiple parties in a delegated service. To address the delegation problem when HTTPS meets CDN, we proposed and implemented a lightweight solution based on DANE (DNS-based Authentication of Named Entities), an emerging IETF protocol complementing the current Web PKI model. Our implementation demonstrates that it is feasible for HTTPS to work with CDN securely and efficiently. This paper intends to provide a context for future discussion within security and CDN community on more preferable solutions.

Milad Ghaznavi,Elaheh Jalalpour,Mohammad A. Salahuddin,Raouf Boutaba,Daniel Migault,Stere Preda

DOI: https://doi.org/10.1109/comst.2021.3093492

2021-01-01

Abstract:A content delivery network (CDN) is a distributed infrastructure to deliver digital contents to end users with high performance. CDNs are critical to provide and protect the availability of Internet contents. However, adversaries can not only evade the CDN protection but also weaponize CDN resources to mount more sophisticated attacks. In this paper, we provide the first survey on CDN security. We categorize CDN security challenges per CDN infrastructure components, discuss possible countermeasures and their effectiveness, and delineate future research directions. This paper aims to highlight the state of CDN security and identify important research challenges in this area.

computer science, information systems,telecommunications

Hao Yin,Bo Qiao,Yan Luo,Chen Tian,Y. Richard Yang

DOI: https://doi.org/10.1002/cpe.3464

2015-01-01

Abstract:SummaryOver the past decade, content delivery networks (CDNs) have attracted substantial Internet traffic and improved quality of experience for Internet users. However, the evolution of the Internet ecosystem, which is driven by underlying economic incentives and ever emerging technologies, posts great challenges to the existing commercial CDNs (CCDNs). Thoroughly understanding the CDN industry from different aspects including market choice, technology, performance, tendency and infrastructure is indispensable to future Internet. In this paper, we conduct the first comprehensive study of China's CDNs using continuous, at‐scale, content‐driven measurements. Based on the massive amount of measurement data with multidimensional properties, we demystify the CCDNs in China and answer two important questions: (1) what is the development trend of CCDNs in China and (2) what are their unique characteristics. The answers to these questions have significant implications on CDN providers and users. Copyright © 2015 John Wiley & Sons, Ltd.

Xiang Li,Chaoyi Lu,Baojun Liu Fi,Qifan Zhang,Zhou Li,Haixin Duan,Qi Li

2023-01-01

Abstract:In this paper, we report MAGINOTDNS, a powerful cache poisoning attack against DNS servers that simultaneously act as recursive resolvers and forwarders (termed as CDNS). The attack is made possible through exploiting vulnerabilities in the bailiwick checking algorithms, one of the cornerstones of DNS security since the 1990s, and affects multiple versions of popular DNS software, including BIND and Microsoft DNS. Through field tests, we find that the attack is potent, allowing attackers to take over entire DNS zones, even including Top-Level Domains (e.g.,.com and.net). Through a large-scale measurement study, we also confirm the extensive usage of CDNSes in real-world networks (up to 41.8% of our probed open DNS servers) and find that at least 35.5% of all CDNSes are vulnerable to MAGINOTDNS. After interviews with ISPs, we show a wide range of CDNS use cases and real-world attacks. We have reported all the discovered vulnerabilities to DNS software vendors and received acknowledgments from all of them. 3 CVE-ids have been published, and 2 vendors have fixed their software. Our study brings attention to the implementation inconsistency of security checking logic in different DNS software and server modes (i.e., recursive resolvers and forwarders), and we call for standardization and agreements among software vendors.

Jiachen Chen,Haoyuan Xu,Shashikanth Penugonde,Yanyong Zhang,Dipankar Raychaudhuri

DOI: https://doi.org/10.1109/HotWeb.2016.11

2016-01-01

Abstract:The Content Delivery Network (CDN) has become an important element in the Internet, which uses applicationlayer caches to improve user experience and reduce network/server load. However, CDNs face efficiency issues due to the following two reasons: 1) they are not aware of the network status, and 2) the underlying location-centric network (IP) does not understand content. At the same time, the Information-Centric Network (ICN) has been developed to address these issues: they use content identities as routing labels and support functions such as multi-source, multicast and in-network caching. While these in-network caches can help improve the content delivery performance, they are unaware of applicationspecific characteristics like policy and popularity. As a result, we believe application-layer CDN solutions are still beneficial in ICN. They can take advantage of ICN content delivery capabilities while having access to application-level details, therefore getting the best from both worlds. In this paper, we propose a CDN architecture over Mobility-First - a representative example of ICN - to show the benefit of such a design. The solution uses self-certifying names that can enable efficient content validation in CDNs, an applicationlayer CDN design that can maximize the utility of caches, and a pushing mechanism that allows content providers cache content proactively. Through a prototype, we show the feasibility and efficiency of the architecture.

Han Qin,Jiaming Weng,Dong Liu,Donglian Qi,Yufei Wang

DOI: https://doi.org/10.17775/cseejpes.2020.04550

IF: 6.014

2024-01-01

CSEE Journal of Power and Energy Systems

Abstract:With the help of advanced information technology, real-time monitoring and control levels of cyber-physical distribution systems (CPDS) have been significantly improved. However due to the deep integration of cyber and physical systems, attackers could still threaten the stable operation of CPDS by launching cyber-attacks, such as denial-of-service (DoS) attacks. Thus, it is necessary to study the CPDS risk assessment and defense resource allocation methods under DoS attacks. This paper analyzes the impact of DoS attacks on the physical system based on the CPDS fault self-healing control. Then, considering attacker and defender strategies and attack damage, a CPDS risk assessment framework is established. Furthermore, risk assessment and defense resource allocation methods, based on the Stackelberg dynamic game model, are proposed under conditions in which the cyber and physical systems are launched simultaneously. Finally, a simulation based on an actual CPDS is performed, and the calculation results verify the effectiveness of the algorithm.

Rui Xin,Shihan Lin,Xiaowei Yang

DOI: https://doi.org/10.48550/arXiv.2301.03690

2023-02-01

Abstract:Web services commonly employ Content Distribution Networks (CDNs) for performance and security. As web traffic is becoming 100% HTTPS, more and more websites allow CDNs to terminate their HTTPS connections. This practice may expose a website's user sensitive information such as a user's login password to a third-party CDN. In this paper, we measure and quantify the extent of user password exposure to third-party CDNs. We find that among Alexa top 50K websites, at least 12,451 of them use CDNs and contain user login entrances. Among those websites, 33% of them expose users' passwords to the CDNs, and a popular CDN may observe passwords from more than 40% of its customers. This result suggests that if a CDN infrastructure has a vulnerability or an insider attack, many users' accounts will be at risk. If we assume the attacker is a passive eavesdropper, a website can avoid this vulnerability by encrypting users' passwords in HTTPS connections. Our measurement shows that less than 17% of the websites adopt this countermeasure.

Cryptography and Security,Networking and Internet Architecture

Dawei Wang,Shuzhuang Zhang,Yibo Xue,Yingfei Dong

DOI: https://doi.org/10.1109/ICCNC.2018.8390370

2018-01-01

Abstract:Content Distribution Networks (CDNs) manage their own caching or routing overlay networks to provide reliable and efficient content delivery services. Currently, CDNs have become one of the most important tools on the Internet. They have been responsible for the majority of today's Internet traffic. The performance of CDNs directly influences the experiences of end users. In this paper, we develop several analyses to figure out the key factors influencing the overall performance of a CDN. The primary results demonstrate that the caching overlays and the routing overlays both have their own influential factors affecting CDN performance. Our results also show that the transmission latency between a surrogate and a content owner is a critical factor determining the overall performance of routing overlays. Furthermore, we argue that the surrogate assignment policy of a routing overlay need to seriously take this latency into account. Our analysis results provide a context for the CDN community on preferable surrogate assignment solutions.

Shui Yu,Yonghong Tian,Song Guo,Dapeng Oliver Wu

2013-01-01

Abstract:DDoS attacks aim to exhaust the resources of victims, such as network bandwidth, computing power and operating system data structures. Early DDoS attacks emerged around the year 2000, and well-known web sites, such as CNN, Amazon and Yahoo, have been the targets of hackers since then. The purpose of early attacks was mainly for fun and curiosity about the technique. However, recently we have witnessed an explosive increase in cyber attacks due to the huge financial or political rewards available to cyber attackers [1]. Botnets are the engines behind major DDoS attacks. Hackers exploit the vulnerability of computers connected to the Internet, and establish an overlay network of compromised computers to commit malicious activities, such as DDoS attacks or information phishing. This kind of malicious network is what we call a botnet [2], [3]. A DDoS attack can be carried out in various forms, such as flooding packets or synchronization attacks [2]. Flooding packets is the most common and effective DDoS attack strategy amongst all the available attack weapons. It is critical for defenders to understand the size of botnets, which helps us to estimate the possible attack volume. There has been plenty of work completed on this issue, such as [1] and [4]. Rajab et al. [5] found the number of active bots a botmaster could manipulate was usually at the hundreds or a few thousands level. This means the resources a botnet owner can use is limited. Based on this fact, Yu et al. [6] proposed a similarity based DDoS detection method to beat flash crowd mimicking attacks. Traditionally, a potential victim would be vulnerable if they were left to deal with a DDoS flooding attack by themselves. As nature of the Internet is anarchical, potential victims, such as popular web sites, are usually left

Mingxuan Liu,Yiming Zhang,Xiang Li,Chaoyi Lu,Baojun Liu,Haixin Duan,Xiaofeng Zheng

DOI: https://doi.org/10.14722/ndss.2024.24782

2024-01-01

Abstract:Domain names are often registered and abused for harmful and illegal Internet activities.To mitigate such threats, as an emerging security service, Protective DNS (PDNS) blocks access to harmful content by proactively offering rewritten DNS responses, which resolve malicious domains to controlled hosts.While it has become an effective tool against cybercrime, given their implementation divergence, little has been done from the security community in understanding the deployment, operational status and security policies of PDNS services.In this paper, we present a large-scale measurement study of the deployment and security implications of open PDNS services.We first perform empirical analysis over 28 popular PDNS providers and summarize major formats of DNS rewriting policies.Then, powered by the derived rules, we design a methodology that identifies intentional DNS rewriting enforced by open PDNS servers in the wild.Our findings are multi-faceted.On the plus side, the deployment of PDNS is now starting to scale: we identify 17,601 DNS servers (9.1% of all probed) offering such service.For DNS clients, switching from regular DNS to PDNS induces negligible query latency, despite additional steps (e.g., checking against threat intelligence and rewriting DNS response) being required from the server side.However, we also find flaws and vulnerabilities within PDNS implementation, including evasion of blocking policies and denial of service.Through responsible vulnerability disclosure, we have received 12 audit assessment results of high-risk vulnerabilities.Our study calls for proper guidance and best practices for secure PDNS operation.