RSS
Логотип
Баннер в шапке 1
Баннер в шапке 2
2013/03/25 16:27:08

DoS-attacks on content delivery networks, CDN Content Delivery Network

Thanks to capability considerably to increase network performance, content delivery networks (Content Delivery Network, CDN) quickly gained popularity, controlling increasing number of traffic on the Internet. CDN networks work by preserving of static content in a cache memory of own servers and placement it is closer to users worldwide that allows to accelerate access. Possibly because the majority of data are kept on servers of CDN network, users began to believe that CDN networks, in addition, provide protection against the DoS/DDoS-attacks.

Content

Really, the CDN network can absorb the large-scale attacks, turning an overload of a data processing center of CDN networks into a difficult task. The network completely controls the saved data and access for users to them. Data are also protected by tests for recognition of people and machines (Captcha) or other user authentication methods.

Unfortunately, such measures create false feeling of security. CDN networks are not called and not equipped for security blanket from the DoS/DDoS-attacks, and are capable to protect only those data which are stored in limits of such networks; and data in DPC of clients remain unprotected. In difficult DDoS attacks several vectors of the attacks are used to direct the attack directly to vulnerabilities of DPC of the client bypassing CDN network. Here several examples of how it can occur.

Spaces in security of CDN networks which can be used for the organization of the DoS-attacks

Dynamic data – are stored in CDN networks only static data. All dynamic data, such as market quotations, the current weather conditions, headings of the latest news and others, are stored in DPC of the client. In practice requests for a dynamic content make a detour of CDN network and go directly to DPC of the client. On it the DoS-attacks are based, bypassing CDN networks and the systems of protection. The malefactor can also get access to a dynamic content, changing parameters of recursive requests and forcing CDN network "raise a curtain" and send an inquiry directly to DPC.

Directives of a system of caching of data – directives of a system of caching represent special parameters of the HTTP header which instruct CDN network to transfer a request to the database server or to send the answer, using a cache memory. The Radware ERT command witnessed a set of situations when malefactors used directives of a system of caching, such as "cache-control: No-cache" or similar to them instructions "Pragma: no cache" using these directives malefactors bypass the protective level of CDN network even for static data.

Especially distributed attacks – the attacks distributed substantially do not reach large volume on any of nodes of CDN network, and their power increases only on reaching the attacked DPC, bypassing CDN network vyzvy failure in service. The large-scale network CDN is not capable to synchronize in real time data and statistics in all its points that prevents to monitor effectively distributed attack of large or small volume.

Examples of such vulnerabilities show clearly that though the CDN network gives reliable protection against many vectors of the attacks, it, nevertheless, cannot provide security blanket from the DoS/DDoS-attacks. The principle 80/20 cannot be applied in the context of security as hackers always use open "holes" or weak points of a system, effectively using those a vector of the attacks which do not become covered by the system of protection.

The analysis of an example of DDoS attacks on CDN network

Let's analyze an attack to large corporation which we will call BCDN. BCDN placed some part of the content on servers of large CDN provider, however dynamic data were stored in DPC of the company. In the course of the DDoS attack aimed at BCDN, hackers used three different vectors of the attacks.

On the first vector the packets distorted by TCP went to the public IP address of BCDN while on the second vector "garbage" UDP packets went to port 53 (DNS port). The BCDN company used the proper system of protection thanks to which the first two vectors of the attacks were successfully stopped.

Hackers were informed that BCDN stores data in CDN network, and used the third vector of the attacks. This vector – the simple attack like HTTP flood – could be easily blocked if the system of protection would not be located behind CDN network. Anyway, the equipment of a bypass of CDN – departure of requests for access to dynamic data of DPC was used here. Such tactics led to the fact that CDN passed hackers to DPC.

As this vector passed through CDN network, the IP address of a source of all requests represented the IP address of CDN and was recognized legal. Servers of CDN network and also any legal user outside CDN, easily underwent testing a request answer sent by the system of reflection of the attacks. In the context of security, after passing of all checks the IP address is marked as "safe" (temporarily added to the white list) and access to servers is allowed to it. As soon as CDN IP was marked as safe, all requests, both legitimate, and sent by malefactors, reached DPC, having caused failure in service.

An attempt to limit traffic was made, having set a threshold value. However selectively it was impossible to block certain clients, and restriction was set for all CDN connections. As the most part of connections belonged to the attack, the legitimate users located behind CDN network could not get access to servers of BCDN company. This method of reflection of the attack was inefficient and did not help to stop the DoS-attack as both legitimate traffic, and traffic of malefactors proceeded from the same IP address.

The only place where the actual IP address of the user contained, the heading XFF (X-Forwarded-For) of a HTTP packet was. To block the attack, on the basis of XFF of data the analysis of the IP addresses attacking was made offline. As soon as the IP addresses were identified, blocked them by check of XFF to the IP addresses of malefactors. This example clearly demonstrates the fact that reflection of the attack which takes place bypassing CDN is a difficult task for which solution it is required to interfere manually that takes a lot of time.

See Also