Home Blog CDN Cache-Poisoned Denial-of-Service CDN Cache-Poisoned Denial-of-Service BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. In the early days of the internet, one of the primary architecture challenges was the domain name system, or DNS. DNS is the protocol that takes easy-to-remember domain names (espn.com, google.com, etc.) and translates them into hard-to-remember IP addresses that are needed for internetworking protocols to work. As more systems came online, more requests were being made to resolve domains to IP addresses. Industry leaders recognized this potential bottle-necking and incorporated DNS caching to resolve the problem. DNS caching is nothing more than having a number of relative subsystems that maintain temporary storage of information that has already been translated. As a result, each subsequent request does not have to access to the primary (authoritative) server responsible for that requested domain. This idea spawned the concept behind content delivery networks (CDNs). CDNs work much in the same way as DNS caching does. But, rather than having one (or a group) of servers in one geographical location serving content to the entire world, CDNs employ a network of distributed servers in different geographical locations that can singularly make requests to the primary server(s) and then “mirror” or cache that content for subsequent requests. CDNs increase content delivery speeds, guarantee limited service in case the primary server goes down, and provides protection from large surges in traffic. DNS caching became the target for cache-poisoning attacks, including DoS attacks. Threat actors are now targeting CDNs with the same attack methodology with CPDoS attacks. In these attacks, malformed requests are made that force a call back to the primary server for updated content that can be cached. These malformed requests generate a server error response (i.e. 400 Bad Request) that is then cached at the CDN server before it is ultimately served back to the attacker. The end result is that subsequent requests from other users for that same resource will now return the error response and the content could become inaccessible. This will continue to happen until either the CDN server is forced to update content from the primary server, or the cached content goes stale. CDNs operate across large geographical locations and the error page generated by a CPDoS attack can reach multiple cache server locations. However, not all edge servers are affected by this threat. Some clients still receive valid pages from the origin server. In addition, some of the methods used to generate server errors fall outside the bounds of HTTP standards, so as long as CDN providers adhere to these standards, several of the methods for this attack will be rendered unsuccessful. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. In the early days of the internet, one of the primary architecture challenges was the domain name system, or DNS. DNS is the protocol that takes easy-to-remember domain names (espn.com, google.com, etc.) and translates them into hard-to-remember IP addresses that are needed for internetworking protocols to work. As more systems came online, more requests were being made to resolve domains to IP addresses. Industry leaders recognized this potential bottle-necking and incorporated DNS caching to resolve the problem. DNS caching is nothing more than having a number of relative subsystems that maintain temporary storage of information that has already been translated. As a result, each subsequent request does not have to access to the primary (authoritative) server responsible for that requested domain. This idea spawned the concept behind content delivery networks (CDNs). CDNs work much in the same way as DNS caching does. But, rather than having one (or a group) of servers in one geographical location serving content to the entire world, CDNs employ a network of distributed servers in different geographical locations that can singularly make requests to the primary server(s) and then “mirror” or cache that content for subsequent requests. CDNs increase content delivery speeds, guarantee limited service in case the primary server goes down, and provides protection from large surges in traffic. DNS caching became the target for cache-poisoning attacks, including DoS attacks. Threat actors are now targeting CDNs with the same attack methodology with CPDoS attacks. In these attacks, malformed requests are made that force a call back to the primary server for updated content that can be cached. These malformed requests generate a server error response (i.e. 400 Bad Request) that is then cached at the CDN server before it is ultimately served back to the attacker. The end result is that subsequent requests from other users for that same resource will now return the error response and the content could become inaccessible. This will continue to happen until either the CDN server is forced to update content from the primary server, or the cached content goes stale. CDNs operate across large geographical locations and the error page generated by a CPDoS attack can reach multiple cache server locations. However, not all edge servers are affected by this threat. Some clients still receive valid pages from the origin server. In addition, some of the methods used to generate server errors fall outside the bounds of HTTP standards, so as long as CDN providers adhere to these standards, several of the methods for this attack will be rendered unsuccessful. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more
Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
