RangeAmp - A series of CDN attacks that manipulate the Range HTTP header

A team of researchers from Peking University, Tsinghua University and the University of Texas at Dallas has published the results of their work identifying a new class of DoS attacks, which they named "RangeAmp". The attacks abuse the HTTP Range header to amplify traffic through content delivery networks (CDNs).

The essence of the method is that, because of the way many CDNs process the Range header, an attacker can request a single byte of a large file through the CDN, while the CDN fetches the entire file, or a much larger block than was requested, from the origin server in order to cache it. The researchers call this variant the Small Byte Range (SBR) attack.

Depending on the CDN, the traffic amplification factor for this type of attack ranges from 724 to 43330 times. It can be used to saturate the CDN's inbound traffic or to exhaust the bandwidth of the link between the CDN and the victim's origin server.

The Range header lets a client specify which byte range of a resource it wants, instead of having the server return the whole resource.

For example, a client can send "Range: bytes=0-1023" and the server will return only the first 1024 bytes. This is heavily used when downloading large files: a user can pause a download and later resume it from where it stopped. With "bytes=0-0" the standard requires the server to return the first byte of the file; "bytes=-1" means the last byte; and "bytes=1-" means everything from byte offset 1 (the second byte) to the end of the file. Several ranges can be passed in one header, for example "Range: bytes=0-1023,8192-10240".

The researchers also proposed a second variant, the RangeAmp Overlapping Byte Ranges (OBR) attack, designed to increase network load when traffic is forwarded through a second CDN acting as a proxy, for example when Cloudflare serves as the front-end CDN (FCDN) and Akamai as the back-end CDN (BCDN). The method resembles the first attack but stays inside the CDN infrastructure: it multiplies traffic on the link between the two CDNs, increasing the load on their infrastructure and degrading the quality of service.

The idea is that the attacker sends a Range request with many ranges to the front-end CDN, such as "bytes=0-,0-,0-,...", "bytes=1-,0-,0-,..." or "bytes=-1024,0-,0-,...".

The requests contain a large number of "0-" ranges, each of which asks for the file from the start to the end. Because of incorrect range handling when the first CDN forwards the request to the second, the complete file is returned once for every "0-" range (the ranges are served one after another rather than merged), provided the original attack request contains duplicate and overlapping ranges. The traffic amplification factor for this attack ranges from 53 to 7432 times.
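As an added illustration for the Range semantics above and for the OBR request pattern just described (example code written for this article, not the researchers' code or any CDN's implementation), the following Python parses a Range header according to the byte-range rules described, merges overlapping ranges the way a careful CDN should before forwarding a request, and computes the amplification factor for both variants: how much a CDN that fetches the whole object on a one-byte request amplifies origin traffic, and how much a CDN that answers every duplicated "0-" range separately amplifies the response between two CDNs. All function names, the 10-range cap in is_suspicious and the object sizes are assumptions made for the example; the sample headers are constructed from the ones quoted in the article.

```python
import re
from typing import List, Optional, Tuple

# One byte-range-spec: "first-last", "first-" or "-suffix" (RFC 7233 syntax).
RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

Range = Tuple[int, int]  # inclusive (first, last) byte positions


def parse_range_header(header: str, total: int) -> Optional[List[Range]]:
    """Translate a Range header into absolute byte positions for an object
    of `total` bytes, keeping the ranges in request order and NOT merging
    them. Unsatisfiable specs (start beyond the end, "-0") are dropped; a
    syntactically invalid header returns None, meaning the server must
    ignore the header and serve the full object."""
    unit, sep, specs = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        return None
    ranges: List[Range] = []
    for spec in specs.split(","):
        if not spec.strip():
            continue  # empty list element, permitted by the list syntax
        m = RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None  # e.g. "bytes=-" or "bytes=abc": ignore the header
        first, last = m.group(1), m.group(2)
        if first == "":
            # Suffix range "-N": the last N bytes of the object.
            n = int(last)
            if n == 0:
                continue  # "-0" is unsatisfiable
            ranges.append((max(total - n, 0), total - 1))
            continue
        f = int(first)
        if f >= total:
            continue  # unsatisfiable for an object of this size
        l = total - 1 if last == "" else min(int(last), total - 1)
        if l < f:
            return None  # "5-3" is invalid, not merely unsatisfiable
        ranges.append((f, l))
    return ranges or None


def coalesce(ranges: List[Range]) -> List[Range]:
    """Merge overlapping or adjacent ranges. This is the behaviour a CDN
    should apply before forwarding a multi-range request upstream."""
    merged: List[Range] = []
    for f, l in sorted(ranges):
        if merged and f <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], l))
        else:
            merged.append((f, l))
    return merged


def bytes_in(ranges: List[Range]) -> int:
    """Total number of bytes covered by the ranges, counting overlaps twice."""
    return sum(l - f + 1 for f, l in ranges)


def sbr_amplification(header: str, total: int) -> float:
    """Origin-side amplification of the small-range variant: bytes a CDN
    pulls if it fetches the whole object on any Range request, divided by
    the bytes the client actually asked for."""
    ranges = parse_range_header(header, total)
    if ranges is None:
        return 1.0  # header ignored: the client receives the full object anyway
    return total / bytes_in(coalesce(ranges))


def obr_amplification(header: str, total: int) -> float:
    """Inter-CDN amplification of the overlapping-range variant: bytes a
    back-end CDN returns if it answers each range verbatim, divided by the
    bytes a coalescing CDN would return."""
    ranges = parse_range_header(header, total)
    if ranges is None:
        return 1.0
    return bytes_in(ranges) / bytes_in(coalesce(ranges))


def is_suspicious(header: str, total: int, max_ranges: int = 10) -> bool:
    """Edge-side check: flag requests carrying more than `max_ranges` ranges
    or any duplicated/overlapping range (the OBR signature). The cap of 10
    is an illustrative choice for this example, not a documented CDN limit."""
    ranges = parse_range_header(header, total)
    if ranges is None:
        return False
    return len(ranges) > max_ranges or bytes_in(ranges) != bytes_in(coalesce(ranges))


if __name__ == "__main__":
    size = 1 << 20  # constructed: a 1 MiB cached object
    for h in ("bytes=0-0", "bytes=0-,0-,0-", "bytes=-1024,0-,0-"):
        print(f"{h:20} SBR x{sbr_amplification(h, size):.0f}  "
              f"OBR x{obr_amplification(h, size):.2f}  "
              f"suspicious={is_suspicious(h, size)}")
```

The two ratios isolate the two failure modes the article describes: sbr_amplification is large only when the CDN's origin fetch ignores the requested range, and obr_amplification exceeds 1 only when ranges are served without merging. Comparing the raw and coalesced byte counts is a cheap way to reject overlapping multi-range requests at the edge without having to reason about individual range pairs.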

The study examined the behavior of 13 CDNs: Akamai, Alibaba Cloud, Azure, CDN77, CDNsun, Cloudflare, CloudFront, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, StackPath, and Tencent Cloud.

"Unfortunately, although we emailed them multiple times and tried to contact their customer services, StackPath did not provide any feedback," said the research team.

"Overall, we have done our best to responsibly report vulnerabilities and provide mitigation solutions. Related CDN providers have had nearly seven months to implement mitigation techniques before this document was published."

All of the CDNs examined were vulnerable to the first type of attack against the origin server. The second type of attack affected 6 services, of which four can act as the front-end in the attack (CDN77, CDNsun, Cloudflare and StackPath) and three as the back-end (Akamai, Azure and StackPath).

The highest amplification is achieved with Akamai and StackPath, which allow more than 10 ranges to be specified in the Range header.

The CDN operators were notified of the vulnerabilities about 7 months before publication, and at the time of public disclosure 12 of the 13 CDNs had either fixed the identified problems or stated their intention to do so.

Source: https://www.liubaojun.org
