New RangeAmp Attacks Threaten Major CDN Providers

Researchers recently found that the HTTP protocol can be abused to amplify web traffic and bring down websites and content delivery networks (CDNs).

Key findings

RangeAmp is a new Denial-of-Service (DoS) technique that exploits incorrect implementations of the HTTP "Range Requests" attribute.
  • Two different variations of RangeAmp attacks were discovered - RangeAmp Small Byte Range (SBR) attack and RangeAmp Overlapping Byte Ranges (OBR) attack.
  • For the SBR attack, an attacker can send a malformed HTTP Range Request to a CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site.
  • Alternatively, for the OBR attack, the attacker can send the malformed HTTP Range Request to the CDN provider, and when the traffic is funneled through other CDN servers, it gets amplified, crashing the CDN servers and rendering both the CDNs and many other destination sites inaccessible.
  • The attackers could use the SBR attack to inflate traffic from 724 to 43,330 times the original traffic. The OBR attack could be used to inflate traffic inside a CDN network with amplification factors of up to nearly 7,500 times the initial packet size.

Impact of the attack

In May 2020, a team of Chinese academics found this new amplification attack by testing 13 CDN providers.
  • The impacted vendors include Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud.
  • All 13 vendors have been found to be vulnerable to the RangeAmp SBR attack, and six are also vulnerable to the OBR variant when used in certain combinations.

Earlier attacks on CDN networks

CDN servers, which contain cached information, can be hijacked and exploited in a variety of ways, as happened in several earlier cases.
  • In April 2020, traffic meant for more than 200 of the world's largest CDNs and cloud hosting providers, such as Google, Amazon, Facebook, Akamai, Cloudflare, GoDaddy, Digital Ocean, Joyent, LeaseWeb, Hetzner, Linode, and others, was suspiciously redirected through Rostelecom, a Russian telecommunications provider, due to a cyber incident.
  • In February 2020, fraudsters distributed a credit card skimmer with a fake content delivery network and used a local web server exposed to the Internet via the free Ngrok service to collect the stolen data.

Stay safe

The vendors have released updates to their HTTP Range Request implementations, so updating to the latest version can help websites avoid this issue. At the same time, users should use a web application firewall in conjunction with CDNs. Users should also have an SSL certificate in addition to a CDN.
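
A firewall or origin-side check for the overlapping-range pattern behind the OBR variant can look like the following. This is an added example, not code from the researchers or any CDN vendor; it follows the RFC 7233 section 6.1 guidance that servers may ignore, coalesce, or reject range sets with overlapping or many small ranges. The function names, verdict strings, and both thresholds are assumptions, and the check does not address the SBR variant.

```python
import re

MAX_RANGES = 5         # assumed policy limit, not taken from the article
MAX_OVERLAP_RATIO = 2  # assumed limit on requested bytes / distinct bytes
_SPEC = re.compile(r"^([0-9]*)-([0-9]*)$")

def parse_range(header, size):
    """Return absolute (start, end) pairs for a 'bytes=' Range header on a
    resource of `size` bytes, or None if the header is invalid."""
    unit, _, specs = header.partition("=")
    if unit.strip().lower() != "bytes":
        return None
    ranges = []
    for spec in specs.split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(0) == "-":
            return None
        first, last = m.group(1), m.group(2)
        if first == "":                        # suffix form: last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = min(int(last), size - 1) if last else size - 1
            if last and int(last) < start:     # last-byte-pos < first-byte-pos
                return None
        if start <= end:                       # drop unsatisfiable ranges
            ranges.append((start, end))
    return ranges

def coalesce(ranges):
    """Merge overlapping or adjacent ranges into a sorted, disjoint list."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def assess(header, size):
    """Return (verdict, ranges_to_serve, requested/distinct byte ratio)."""
    ranges = parse_range(header, size)
    if ranges is None:
        return ("ignore-header", [], 0.0)
    if not ranges:
        return ("unsatisfiable", [], 0.0)
    merged = coalesce(ranges)
    ratio = sum(e - s + 1 for s, e in ranges) / sum(e - s + 1 for s, e in merged)
    if len(ranges) > MAX_RANGES or ratio > MAX_OVERLAP_RATIO:
        return ("reject", [], ratio)
    return ("serve-coalesced", merged, ratio)
```

The ratio returned by `assess` is also useful as a logged metric: a value well above 1 means the request asks for the same bytes repeatedly.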