Researchers from the Technical University of Cologne (TH Köln) have detailed a new class of web cache poisoning attacks named ‘Cache-Poisoned Denial of Service (CPDoS)’ that impacts Content Delivery Networks (CDNs).
How does CPDoS work?
A CPDoS attack can block and disable any web resource that is distributed through Content Distribution Networks (CDNs) by means of an HTTP request carrying a malicious header.
What are the different types of CPDoS?
Researchers have detected three variations of CPDoS, which include
What is the impact?
The researchers noted that CDNs operate across large geographical areas and that the error page generated by a CPDoS attack can reach multiple cache server locations. However, they determined that not all edge servers are affected by this threat and that some clients will still receive valid pages from the origin server.
During their research, an attack coordinated from Germany (Frankfurt) against a target in the same country (Cologne) impacted cache servers across Europe and some parts of Asia.
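The symptom described above, an error page served from cache at some edge locations while others still return the valid page, can be looked for in CDN edge logs. The Python below is an added example, not code from the researchers' paper; the log layout, edge names and sample lines are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample edge log: time, edge location, cache status, HTTP status, path.
# The field layout and edge names are assumptions, not any CDN's real log format.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z fra HIT 200 /index.html
2024-01-01T10:00:05Z fra MISS 400 /index.html
2024-01-01T10:00:06Z fra HIT 400 /index.html
2024-01-01T10:00:07Z ams HIT 400 /index.html
2024-01-01T10:00:08Z lhr HIT 200 /index.html
2024-01-01T10:00:09Z fra HIT 400 /index.html
2024-01-01T10:00:10Z fra MISS 404 /missing.png
2024-01-01T10:00:11Z fra HIT 404 /missing.png
2024-01-01T10:00:12Z ams HIT 200 /style.css
"""

def find_cached_errors(log_text):
    """Flag paths known to return 200 that some edges now serve as cached errors."""
    ok_edges = defaultdict(set)    # path -> edges that served a 200
    bad_edges = defaultdict(set)   # path -> edges that served an error from cache
    bad_hits = defaultdict(int)    # path -> number of error responses served from cache
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, edge, cache, status, path = line.split()
        status = int(status)
        if status == 200:
            ok_edges[path].add(edge)
        elif status >= 400 and cache == "HIT":
            bad_edges[path].add(edge)
            bad_hits[path] += 1
    findings = {}
    for path, edges in bad_edges.items():
        if not ok_edges.get(path):
            continue  # never seen healthy: an ordinary cached error, not flagged
        findings[path] = {
            "affected_edges": sorted(edges),
            "unaffected_edges": sorted(ok_edges[path] - edges),
            "cached_error_hits": bad_hits[path],
        }
    return findings

if __name__ == "__main__":
    for path, info in find_cached_errors(SAMPLE_LOG).items():
        print(path, info)
```

A path that has only ever returned an error (the `/missing.png` lines) is left alone, so routine caching of genuine 404s does not raise a finding.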
“Web Application Firewalls (WAF) can also be deployed to mitigate CPDoS attacks. However, WAFs must be placed in front of the cache in order to block malicious content before they reach the origin server. WAFs that are placed in front of the origin server can be exploited to provoke error pages that get cached either,” researchers said.
The TH Köln team has provided more details about the attack and mitigations in its research paper titled ‘Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack’.