cdn judo breaking the cdn dos protection with itself
play

CDN Judo : Breaking the CDN DoS Protection with Itself Run Guo, - PowerPoint PPT Presentation

Sep 24, 2022 •30 likes •680 views

CDN Judo : Breaking the CDN DoS Protection with Itself Run Guo, Weizhong Li, Baojun Liu, Shuang Hao, Jia Zhang, Haixin Duan, Kaiwen Shen , Jianjun Chen, Ying Liu Content Delivery Network Infrastructure for access acceleration and DDoS defence

  1. CDN Judo : Breaking the CDN DoS Protection with Itself Run Guo, Weizhong Li, Baojun Liu, Shuang Hao, Jia Zhang, Haixin Duan, Kaiwen Shen , Jianjun Chen, Ying Liu

  2. Content Delivery Network ❖ Infrastructure for access acceleration and DDoS defence ➢ 14.85% of top 1M, 38.98% of top 10K websites [Your Remnant Tells Secret, DSN ’18] ➢ We find CDN itself can be abuse to break its DDoS protection CDN Origin 2

  3. CDN Forwarding Process end-to-end connection frontend and backend connections CDN GET /index.php Host: demo.com frontend backend Ingress Egress Origin 3

  4. Previous Works CDN Internal security Front-end connection security [Forwarding loop attack, NDSS ’16] [HTTPS meet CDN, IEEE S&P ’14] [TLS private key sharing, CCS ’16] Backend connection security [Host of trouble, CCS ’16] [Protection or Threat, ESORICS ’09] [Cache fallen, CCS ’19] [End user maneuvered, USENIX security ’18] [Cached and Confused, USENIX security ’20] Origin IP Expose [CloudPiercer, CCS ’15] [Residual Resolution, DSN ’18] Our work: abuse CDN-forwarded requests to attack the origin. 4

  5. Our Work ❖ Exploiting request-forwarding flaws Attack-1 HTTP/2 bandwidth amplification attack Attack-2 Pre-POST slow HTTP attack Attack-3 Egress IP blocking attack ❖ Performed realworld evaluations on six vendors 5

  6. Request-forwarding Features Could be Abused Attack-1 Protocol converting: HTTP/2 -> HTTP/1.1 Maximum compatibility Attack-2 Pre-POST forwarding: speed up request-forwarding Access Acceleration Attack-3 Origin shield: reduce backend connections Traffic offloading Request Forwarded Request Origin Client CDN 6

  7. Attack-1 HTTP/2 Bandwidth Amplification Attack

  8. HTTP/2 Protocol ❖ RFC7540, released in 2015 ➢ Binary message framing ➢ Streams and multiplexing Multiple HTTP requests and responses can be transferred in the same TCP connection in parallel and staggered. ➢ HPACK: header compression Avoid repeatedly transferring headers that do not change frequently. Deployment: Over 43.2% of Alexa top 1M websites (w3techs.com, 12 Feb 2020) ❏ 8

  9. HTTP/2-1.1 Amplification on CDN ❖ Our study ➢ Identify that HTTP/2-1.1 conversion of CDN will cause amplification attack. ➢ Improve the attack with the feature of Huffman encoding. ➢ Real-world measurement and evaluation. Protocol conversion one http request HTTP/2 HTTP/1.1 Attacker Origin CDN [HTTP/2 Tsunami Attack, EST ’17] ❏ Show an amplification attack in HTTP/2-1.1 proxies built with Nginx and Nghttp2. 9

  10. CDN Vendors Claim to Support HTTP/2 ❖ HTTP/2 is supported by most major CDNs ❖ The backend connection still uses HTTP/1.1 CloudFront Cloudflare CDNSun Fastly KeyCDN MaxCDN Frontend Default on Default off Default on Default on Default on Default on Connection Configurable Configurable Configurable Backend Still use HTTP/1.1 Connection 10

  11. Attack-1.1: Using HPACK Static Table ❖ Referencing an indexed static table of common header fields to encode request headers. Raw Request Encoded Data Static Table 82 84 41 86 90 b4 9d 72 :method: GET 1 :authority 1e 9f 87 :path: / :authority: demo.com 2 :method GET 11 Bytes :scheme: https 3 :method POST 2 4 :path / 4 54 Bytes ... ... ... 1 H(“demo.com”) 7 :scheme https 7 ... ... ... 61 www-authenticate 11

  12. Attack-1.1: Using HPACK Static Table ❖ HTTP/2-1.1 conversion of CDN causes a bandwidth amplification. 11 Bytes 49 Bytes 82 84 41 86 90 b4 9d 72 GET / HTTP/1.1 1e 9f 87 host: demo.com scheme: https HTTP/2 HTTP/1.1 Attacker CDN Origin Bandwidth amplification factor: 49B / 11B = 4.45 12

  13. Attack-1.2: Using HPACK Dynamic Table ❖ Use an indexed dynamic table of previously seen headers to avoid repeatedly transferring headers in the table. ➢ The firstly seen headers will be inserted into the dynamic table. Request 1 Encoded Data Static Table 82 84 ... fc (3999B) :method: GET ... ... ... 2 :path: / 3999 Bytes :authority: demo.com 61 www-authenticate 4 :scheme: https 1 H(“demo.com”) cookie1: X..X(2000B) Dynamic Table 7 cookie2: X..X(1968B) H(“cookie1”) H(“X...X”) 4042 Bytes H(“cookie2”) H(“X...X”) 13

  14. Attack-1.2: Using HPACK Dynamic Table ❖ Use an indexed dynamic table of previously seen headers to avoid repeatedly transferring headers in the table. ➢ The subsequently repeated headers will be substituted as an index. Request 2 Encoded Data Static Table 82 84 c0 87 bf be :method: GET ... ... ... 2 :path: / 6 Bytes :authority: demo.com 61 www-authenticate 4 :scheme: https 62 :authority demo.com 62 cookie1: X..X(2000B) 63 cookie1 X...X (2000B) 7 cookie2: X..X(1968B) 64 cookie2 X...X (1968B) 63 4042 Bytes Dynamic Table 14

  15. Attack-1.2: Using HPACK Dynamic Table ❖ The dynamic table enhances this kind of bandwidth amplification. 4039 Bytes 3999 Bytes × 1 82 84 ... fc (3999B) GET / HTTP/1.1 host: demo.com × (N+1) scheme: https 6 Bytes cookie1: X...X (2000B) cookie2: X...X (1968B) × N 82 84 c0 87 bf be HTTP/2 HTTP/1.1 Attacker CDN Origin 4039 + 4039 N Bandwidth amplification factor: 4039B × (N+1) / 3999B + 6B × N = 3999 + 6N For example, when N is 100, the factor is 88.70. 15

  16. Attack-1.3: Improve with Huffman Encoding ❖ The shorter the Huffman encoding, the shorter the encoded data. ➢ The Huffman encoding of ‘X’ is 8 bits in length. ➢ Characters {0, 1, 2, a, c, e, i, o, s, t} have the shortest Huffman encoding (5 bits). :method: GET :method: GET :path: / :path: / :authority: demo.com :authority: demo.com Request 1 :scheme: https :scheme: https cookie1: X..X(2000B) cookie1: a..a(2000B) cookie2: X..X(1968B) cookie2: a..a(1968B) Encoded Data 82 84 ... fc (3999B) 82 84 ... 63 (2511B) 16

  17. Attack-1.3: Improve with Huffman Encoding ❖ The shorter the Huffman encoding, the larger the amplification factor. Huffman Encoding Amplification Factor Length 4039 + 4039 N 88.70 Character ‘X’ 8 bits when N is 100 3999 + 6N 4039 + 4039 N 131.13 Character ‘a’ 5 bits when N is 100 2511 + 6N Note: N is the concurrent requests in the same HTTP/2 connection. 17

  18. Amplification Evaluation ❖ Create multiple concurrent requests in one HTTP/2 connection. ➢ The amplification factor grows with the number of concurrent requests. ➢ The max factor is got at the position of the max concurrent streams. Max concurrent stream 18

  19. Further improvement ❖ Our work achieved larger amplification factors than previous work. Max Streams 100 128 256 Evaluation MaxCDN Fastly CDNsun CloudFront KeyCDN Cloudflare Platform Our Attack Amplification 94.7 97.9 118.7 116.9 105.5 166.1 Factor Evaluation HTTP/2 Proxies built with Nginx and Nghttp2 HTTP/2 Tsunami Platform Attack Amplification 79.2 94.4 140.6 Factor 19

  20. Attack-2 Pre-POST Slow HTTP Attack

  21. CDN POST-Forwarding strategy ❖ Two POST-forwarding strategies ➢ Full-Forwarding: receive both header and the full message body, then forward ➢ Pre-Forwarding: receive the header, then forward request header backend frontend message body Origin Client CDN ← Full-Forwarding ← Pre-Forwarding 21

  22. HTTP/1.1 Pre-POST Forwarding Attack ❖ Pre-Forwarding strategy can be abused to perform DDoS attack ➢ Frontend connections: send POST messages slowly. ➢ Backend connections: maintain for a long time. ➢ However, the attacker has to consume TCP connections as much as the origin. Send POST msg slowly Connection resources exhausted Attacker HTTP/1.1 CDN HTTP/1.1 Origin 22

  23. HTTP/2 Enhances the Attack ❖ CDN converts concurrent streams in one HTTP/2 connection to multiple HTTP/1.1 connections when forwarding. ➢ The attacker consumes TCP connections much less than the origin. HTTP/2 CDN Attacker HTTP/1.1 Origin CloudFront Cloudflare CDNSun Fastly KeyCDN MaxCDN Max concurrent streams 128 256 128 100 128 100 per HTTP/2 connection 23

  24. Pre-POST Forwarding Attack ❖ Pre-Forwarding strategy can be abused to perform DDoS attack ❖ concurrent streams in one HTTP/2 connection → multiple HTTP/1.1 connections Send POST msg slowly Connection resources exhausted HTTP/2 CDN Attacker HTTP/1.1 Origin CloudFront Cloudflare CDNSun Fastly KeyCDN MaxCDN Max concurrent streams 128 256 128 100 128 100 per HTTP/2 connection 24

  25. Real-world POST-forwarding Behaviors ❖ Some CDNs adopts Pre-Forwarding strategy to process POST request. ➢ Step 1: send POST message slowly in 300 seconds. ➢ Step 2: observe how long the backend connection maintains. ➢ Conclusion: The attacker can control the survival time of backend connections. ➢ Similar results were obtained using HTTP/1.1 or HTTP/2. CloudFront Cloudflare CDNSun Fastly KeyCDN MaxCDN Request Receiving 0.87s 300.29s 299.92s 0.55s 299.79s 0.74s Time in Origin Connection Keep-alive 298.89s 0.12s 0.34s 299.32s 0.37s 15.01s Time in Origin Vulnerable - - Vulnerable - Vulnerable 25

  26. Proof of Concept ❖ Origin: max connections = 1000 504 ❖ Attacker: send msg slowly for 300s ❖ Norml User: access website every 5s ❖ Result - the Origin is deny of service ➢ CloudFront, HTTP 504 gateway timeout 503 Fastly, HTTP 503 service unavailable ➢ ➢ MaxCDN, A QoS attack 26

  27. Attack-3 Egress IP Blocking Attack

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CDN Judo : Breaking the CDN DoS Protection with Itself Run Guo, Weizhong Li, Baojun Liu, Shuang

CDN Judo : Breaking the CDN DoS Protection with Itself Run Guo, Weizhong Li, Baojun Liu, Shuang

CDN Judo : Breaking the CDN DoS Protection with Itself Run Guo, Weizhong Li, Baojun Liu, Shuang Hao, Jia Zhang, Haixin Duan, Kaiwen Shen , Jianjun Chen, Ying Liu Content Delivery Network Infrastructure for access acceleration and DoS defense

487 views • 29 slides
VERBAL JUDO VERBAL JUDO The Gentle Art of Persuasion THE CONTENT OF THIS PRESENTATION IS

VERBAL JUDO VERBAL JUDO The Gentle Art of Persuasion THE CONTENT OF THIS PRESENTATION IS

VERBAL JUDO VERBAL JUDO The Gentle Art of Persuasion THE CONTENT OF THIS PRESENTATION IS ACCREDITED TO THE BOOK: VERBAL JUDO: THE GENTLE ART OF PERSUASION WRITTEN BY DR. GEORGE THOMPSON [PH.D.] AND FIRST PUBLISHED IN 1994 IT IS BASED

296 views • 16 slides
IBSA Judo presentation Ab o ut b lind judo Sho rt histo ry E ye c la ssific

IBSA Judo presentation Ab o ut b lind judo Sho rt histo ry E ye c la ssific

APPENDIX 17 08/09/2015 Content IBSA Judo presentation Ab o ut b lind judo Sho rt histo ry E ye c la ssific atio n Ge ne ra l de ve lo pme nt Co a c h a nd re fe re e e duc a tio n Org a niza tio nal de ve lo pme

231 views • 3 slides
St Albans Judo Club Dr Rodney Day, Former Chairman Mr Matthew Lish, Chairman St Albans Judo Club

St Albans Judo Club Dr Rodney Day, Former Chairman Mr Matthew Lish, Chairman St Albans Judo Club

St Albans Judo Club Dr Rodney Day, Former Chairman Mr Matthew Lish, Chairman St Albans Judo Club Mr Bob Cleevely, Trustee & Former Chairman Mr Ian Wasey, Trustee Mr Andrew Wilesmith, British Judo Association Eastern Regional Development Officer

1.3k views • 10 slides
WHAT DO JUDO TEACHERS TELL US ABOUT THE INCLUSION OF SPORT EDUCATORS IN THE DIGITAL WORLD?

WHAT DO JUDO TEACHERS TELL US ABOUT THE INCLUSION OF SPORT EDUCATORS IN THE DIGITAL WORLD?

WHAT DO JUDO TEACHERS TELL US ABOUT THE INCLUSION OF SPORT EDUCATORS IN THE DIGITAL WORLD? Philippe GABRIEL LIRDEF (EA 3749, Universit de Montpellier & Universit Paul-Valry) Physical Education and Sport (PES) Judo Judo as

1.11k views • 31 slides
JUDO OPEN INTERNATIONAL VISE BELGIUM-2016 JUDO OPEN INTERNATIONAL VISE BELGIUM-2016 DATE

JUDO OPEN INTERNATIONAL VISE BELGIUM-2016 JUDO OPEN INTERNATIONAL VISE BELGIUM-2016 DATE

JUDO OPEN INTERNATIONAL VISE BELGIUM-2016 30-31 JANUARY 2016 34rd edition of the INTERNATIONAL OPEN JUDO OF BELGIUM VISE 2016 SINCE 1983 Dear Madam, Dear Sir, Dear participants, organizers and guests, Since 34 years, the Judo Open that

131 views • 10 slides
CISM SPORT COMMITTEE JUDO LtCol Fred Sijnhorst (NLD) CISM Sport Committee Judo CSC members

CISM SPORT COMMITTEE JUDO LtCol Fred Sijnhorst (NLD) CISM Sport Committee Judo CSC members

CISM SPORT COMMITTEE JUDO LtCol Fred Sijnhorst (NLD) CISM Sport Committee Judo CSC members Colonel (Ret)Josue Morisson de Moraes (BRA) Lieutenant-Colonel Eric Ponsot (FRA) Lieutenant-Colonel Mellouk Choufaik (ALG) Major Franz Linecker (AUT)

474 views • 9 slides
RETURN TO JUDO Monday 20th July. We are currently in the RED PHASE of the Welsh Government

RETURN TO JUDO Monday 20th July. We are currently in the RED PHASE of the Welsh Government

1 COVID-19 RETURN TO JUDO Monday 20th July. We are currently in the RED PHASE of the Welsh Government traffic light system. 2 COVID-19 RETURNING TO JUDO FRAMEWORK: TRAFFIC LIGHTS LOCKDOWN AMBER PHASE RED PHASE GREEN PHASE Exercise once

271 views • 7 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
in Bus Busines iness s / Lif / Life e in by Gary S. Goltz, MBA, 8 th Degree Black Belt

in Bus Busines iness s / Lif / Life e in by Gary S. Goltz, MBA, 8 th Degree Black Belt

Principles of Judo in Bus Busines iness s / Lif / Life e in by Gary S. Goltz, MBA, 8 th Degree Black Belt Principal - Goltz Business Development Group Vice President - Nuzuna Zone Fitness Founder - Goltz Judo, LLC Owner -

301 views • 26 slides
Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD

Parsing OSM XML iD OSMCha To-Fix Frontend Developer kepta kushan2020 Breaking down iD Breaking down iD 15% Rendering Painting 21% Javascript 64% HTML A sample of what iD is doing behind the scenes Breaking down JS 13% Draw Vector

426 views • 27 slides
THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING

THE MSSM FROM SS BREAKING MARIANO QUIROS, ICREA/IFAE HEP 2006 THE MSSM FROM SS BREAKING p.1/31 OUTLINE Introduction Higgs sector Tree-level masses EWSB and fine-tuning Supersymmetric spectrum Dark

361 views • 34 slides
Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier

Breaking Up Breaking Up Is Is Hard Hard To Do (But It Might To Do (But It Might Be Be Easier with a Prenup) Easier with a Prenup) Gregory S. Gregory S. William Williams, , Esq. Esq. Carr rruthe uthers & rs & Roth, P.A.

170 views • 6 slides
That's me BENCHMARK STATURE Badminton Basketball Cycling Fencing Gymnastics Handball Judo

That's me BENCHMARK STATURE Badminton Basketball Cycling Fencing Gymnastics Handball Judo

That's me BENCHMARK STATURE Badminton Basketball Cycling Fencing Gymnastics Handball Judo Ski Soccer Taekwondo Table tennis Tennis Triathlon Volleyball SMALL TALL Quotient BENCHMARK STATURE Badminton Basketball Cycling

767 views • 60 slides
The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking

The Benefit of the Doubt The Swedish Legal System Why Breaking the Law? Judas Priest Breaking The Law Lyrics There I was completely wasting, out of work and down All inside it's so frustrating as I drift from town to town Feel as though

269 views • 10 slides
Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives

Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives

3/22/2012 Transitions in Place Leonard Hock, D.O., M.A.C.O.I., CMD Breaking Bad News Goals and Objectives Understand and use the key steps in breaking bad news. Confirm and be able to use effective methods of communication in breaking

245 views • 8 slides
Eastern Virginia Marissa J. Levine, MD MPH State Health Commissioner Intentional Design: A

Eastern Virginia Marissa J. Levine, MD MPH State Health Commissioner Intentional Design: A

Intentionally Designing Health & Well-Being in Eastern Virginia Marissa J. Levine, MD MPH State Health Commissioner Intentional Design: A Population Health Approach 2 Key Points/Assumptions Health and well-being matter to all

450 views • 33 slides
Medicaid Benchmark Advocates Perspective DHCS Stakeholder Advisory Committee July 23, 2012

Medicaid Benchmark Advocates Perspective DHCS Stakeholder Advisory Committee July 23, 2012

Medicaid Benchmark Advocates Perspective DHCS Stakeholder Advisory Committee July 23, 2012 Securing Health Rights for Those in Need National Health Law Program National public interest law firm working to advance access to quality

149 views • 13 slides
Illinois Data-Driven Health & Justice Superutilizers: Opportunities to Improve

Illinois Data-Driven Health & Justice Superutilizers: Opportunities to Improve

Illinois Data-Driven Health & Justice Superutilizers: Opportunities to Improve Outcomes & Reduce Costs JOHN MAKI, ILLINOIS CRIMINAL JUSTICE INFORMATION AUTHORITY STEPHEN BROWN, UNIVERSITY OF ILLINOIS HOSPITAL AND HEALTH SCIENCES

450 views • 8 slides
Cequel Communications Holdings I First Quarter 2015 Results May 1, 2015 Cautionary Statement

Cequel Communications Holdings I First Quarter 2015 Results May 1, 2015 Cautionary Statement

Cequel Communications Holdings I First Quarter 2015 Results May 1, 2015 Cautionary Statement Regarding Forward-Looking Statements and Other Matters This presentation includes forward-looking statements within the meaning of Section 27A of

704 views • 26 slides
President Bachrach Health Strategies LLC April 26, 2010 1965 - afterthought to Medicare; tied

President Bachrach Health Strategies LLC April 26, 2010 1965 - afterthought to Medicare; tied

Deborah Bachrach, JD President Bachrach Health Strategies LLC April 26, 2010 1965 - afterthought to Medicare; tied to welfare 1996 - welfare reform delinks Medicaid and cash assistance 2010 - most Medicaid beneficiaries work or are

332 views • 15 slides
Interim Results 13 November 2012 Chairman 2 Chief Executive 3 Best net adds performance in

Interim Results 13 November 2012 Chairman 2 Chief Executive 3 Best net adds performance in

A brighter place for everyone Interim Results 13 November 2012 Chairman 2 Chief Executive 3 Best net adds performance in two years Continuing success in upsell 44% growth in Plus base 1.1m customers, 29% of on-net base +32,000

954 views • 39 slides
or Instruments on international trade in legal services and their applicability in Asia Dr.

or Instruments on international trade in legal services and their applicability in Asia Dr.

GLOBALISING YOUR PRACTICE - OPPORTUNITIES AND CHALLENGES CHURNING OF THE OCEAN OF MILK or Instruments on international trade in legal services and their applicability in Asia Dr. Pter Kves 1st November 2018 Siem Reap, Cambodia

498 views • 15 slides
UNION COUNTY DIVISION OF SOCIAL SERVICES FNS PERFORMANCE What it feels like to work at DSS

UNION COUNTY DIVISION OF SOCIAL SERVICES FNS PERFORMANCE What it feels like to work at DSS

UNION COUNTY DIVISION OF SOCIAL SERVICES FNS PERFORMANCE What it feels like to work at DSS (sometimes) Team Members Rae Alepa, Director, Division of Social Services Mary Causebrook, Human Service Evaluator Earl Ford, Program

295 views • 15 slides

More recommend