CPDoS (Cache-Poisoned Denial-of-Service) is a zero-day DoS attack that poisons the CDN cache. By manipulating certain request headers, the attacker forces the origin server to return a Bad Request error, which the CDN then stores in its cache. As a result, every request that arrives after the attack receives the error page instead of the real content.
This attack has three main types:
- HTTP Header Oversize
  - This variant relies on the fact that most web servers enforce a request header size limit (for example, Apache's default limit is 8,190 bytes). By targeting web applications that accept header sizes larger than the origin server's limit, the attacker can trigger an error message that is then stored in the cache.
- HTTP Meta Character
  - In this variant, the attacker sends a request header containing malicious meta characters. The cache may forward the request to the origin server unchanged, but the origin recognizes it as a malicious request and replies with an error, which the cache stores.
- HTTP Method Override
  - In this variant, the attacker relies on the rules of the HTTP standard, which define the most common methods for obtaining a response from a web application (such as GET, POST, etc.). By sending a request with a method the application does not support (such as DELETE), the attacker makes the server reject the request with an error message that is then stored in the cache.
These attacks are fairly easy to carry out, and they can bypass most of today's security solutions.
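As an added illustration (not code from the original article), the following toy Python model of a cache sitting in front of an origin shows why one stored error page affects every later visitor, and the cache-policy change that prevents it: not storing error responses under a key that ordinary requests share. The `Request`, `origin` and `EdgeCache` names and the cache's behaviour are constructed for this example; the 8,190-byte origin limit is the Apache default quoted above.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple

# 8,190 bytes is Apache's default header line limit, cited on the page;
# the cache in this model forwards any header size, as the attack assumes.
ORIGIN_HEADER_LIMIT = 8190

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)

def origin(req: Request) -> Tuple[int, str]:
    """Toy origin: rejects oversized header lines and unsupported methods."""
    for name, value in req.headers.items():
        if len(f"{name}: {value}") > ORIGIN_HEADER_LIMIT:
            return 400, "Bad Request"
    if req.method not in ("GET", "HEAD"):
        return 405, "Method Not Allowed"
    return 200, f"page {req.path}"

class EdgeCache:
    """Toy CDN cache keyed on path only, so one stored entry serves everyone."""
    def __init__(self, store_errors: bool) -> None:
        self.store_errors = store_errors
        self.entries: Dict[str, Tuple[int, str]] = {}

    def fetch(self, req: Request) -> Tuple[int, str]:
        if req.path in self.entries:
            return self.entries[req.path]
        resp = origin(req)
        # Weak policy: store whatever the origin returned, errors included.
        # Hardened policy: store only successful responses, so a request that
        # fails because of its own headers or method cannot poison the shared key.
        if resp[0] == 200 or self.store_errors:
            self.entries[req.path] = resp
        return resp

def visitor_status_after_poisoning(store_errors: bool) -> int:
    """Status an ordinary visitor sees after one malformed request for the same path."""
    cache = EdgeCache(store_errors)
    oversized = {"X-Oversized": "A" * (ORIGIN_HEADER_LIMIT + 1)}  # constructed input
    cache.fetch(Request("GET", "/index.html", oversized))  # origin answers 400
    status, _ = cache.fetch(Request("GET", "/index.html"))  # a normal request
    return status
```

With `store_errors=True` the normal visitor receives the cached 400; with `store_errors=False` the cache only ever holds the 200 response, so the malformed request hurts nobody but its sender.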