Unveiling the Bandwidth Nightmare: CDN Compression Format Conversion Attacks
Ziyu Lin, Zhiwei Lin, Ximeng Liu, Zuobing Ying, Cheng Chen

TL;DR
This paper uncovers a new security vulnerability in CDNs where format conversion attacks can cause significant bandwidth exhaustion, affecting multiple major CDN providers.
Contribution
It introduces the CDN-Convet attack, a novel HTTP amplification method exploiting compression format conversion, and evaluates its impact on 11 popular CDNs.
Findings
All tested CDNs are vulnerable to CDN-Convet attacks.
The attack can exhaust both origin server and CDN surrogate bandwidth.
Disclosed findings led to constructive feedback from CDN providers.
Abstract
Content Delivery Networks (CDNs) are designed to enhance network performance and protect against web attack traffic for their hosting websites. And the HTTP compression request mechanism primarily aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks introduced when CDNs meet compression requests. In this paper, we present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts. Our experimental results show that all these CDNs are affected by the CDN-Convet attacks. We have also disclosed our findings to affected CDN…
Taxonomy
Topics: Advanced Data Storage Technologies · Internet Traffic Analysis and Secure E-voting
