Just when we thought we had seen it all, something new comes along. A new zero-day denial of service attack is making CDN content unavailable to web users.
This attack is known as CPDoS (Cache-Poisoned Denial-of-Service) because it poisons the CDN cache. By manipulating certain header requests, the attacker forces the origin server to return a Bad Request error which is stored in the CDN’s cache. Thus, every request that comes after the attack will get an error page.
This attack has three main types:
- HTTP Header Oversize
- HTTP Meta Character
- HTTP Method Override
In the first type, the attack relies on the fact that most web servers provide a request header size limit. (For example, Apache’s default limit is 8,190 bytes.) By targeting web applications that accept larger header sizes than the origin server, the attacker can successfully get an error message that is then stored in the cache.
In the second type, the attacker tries to bypass a cache by sending a request header containing malicious meta characters. While the cache might forward the request to the origin server, it will be recognized as a malicious request—which makes the origin server reply with an error.
In the third type, the attacker relies on the rules of HTTP Standard which describe the most common methods of getting a response from web applications (such as GET, POST, etc.). By sending a request with an unsupported method (such as DELETE), the attacker compels the server to block the request, giving an error message that is stored in the cache.
As you can see, these attacks are fairly easy to deploy, and they can bypass most security solutions today.
Reblaze’s web security platform includes a WAF solution that blocks these types of attacks by default. It deploys in minutes, and can be tried with no risk (it can be added to your current solution as an additional layer of security). To learn more about how to protect your organization from these attacks, contact us today.