Get best of the week

RangeAmp - a new vulnerability allows DDoS attacks with an amplification factor of tens of thousands

Just a few days ago, a group of Chinese scientists discovered a vulnerability that allows for DDoS attacks with amplification. The authors managed to carry out an attack with a factor of 43,000! A new attack can not only deplete the resources of the outgoing channel of the target web server, but also the channels of the CDN nodes. Vulnerable were all 13 of the 13 largest proven CDN providers, including Akamai, Fastly, and Cloudflare. Under the cut, consider the attack mechanism and the measures proposed by the authors.


Thumb


, , Range-based Amplification ttack RangeAmp. CDN range request HTTP, - . — . , , Akamai ~15-30% - . RFC range request , CDN . .



13 CDN : Akamai, Alibaba Cloud, Azure, CDN77, CDNsun, Cloudflare, CloudFront, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, StackPath Tencent Cloud.


- Linux c 2.4GHz CPU, 16G DDR 1000 Mbps .


- Apache/2.4.18 . CDN .


Range request


range request -. . , .


, Range. , . , . , Accept-Ranges "bytes".


range CDN - Range. :


  1. Laziness () — .
  2. Deletion () — .
  3. Expansion () — , .

CDN 2 3. , , , , .


, ? RFC7233 , range . , 4 13 CDN .


, — . .. , ! .



Deletion Expansion CDN , , CDN . . Range, CDN - . Small Byte Range Attack SBR RangeAmp. DDoS-, . , , , "" CDN, .., CDN .


SBR


, . 25 MB Akamai 43000!


AMP_SBR


13 CDN : Akamai, Alibaba Cloud, Azure, CDN77, CDNsun, Cloudflare, CloudFront, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, StackPath Tencent Cloud.


CDN


, . CDN, CDN , Frontend CDN FCDN. CDN, -, Backend CDN (. ).


Obr


, :


  1. FCDN Laziness Range " ".
  2. BCDN , Range .

, n , BCDN n * ( ). , . TCP Receive Window, .


, , . .. Range.


, RFC , , 4 : CloudFlare, CDN77, CDNsun, StackPath. 1KB (, n — ):


AMP_OBR


?


, . - (SBR RangeAmp), — CDN (OBR RangeAmp) HTTP/1.1, HTTP/2.


CDN RFC.


CDN :


  • , , RFC7233 .
  • Range Laziness , Expansion, .

Source:
CDN Backfired: Amplification Attacks Based on HTTP Range Requests, Weizhong Li, Kaiwen Shen, Run Guo, Baojun Liu, Jia Zhang, Haixin Duan, Shuang Hao, Xiarun Chen, Yao Wan.


.


P.S.


CloudFlare , , , .


"They thought that the SBR attack relies on constantly triggering a cache-miss and a customer can add a page rule to ignore query strings. But this does not solve the problem fundamentally. The malicious customers and some normal customers will not follow this suggestion. Unfortunately, they won’t implement our mitigation solutions because Cloudflare does not want to cache partial responses of certain resources."

More articles:


All Articles