RangeAMP: HTTP amplification attack using CDN+Range request

First published on the Hippo Safety public account; if you are passing by, please follow~

https://mp.weixin.qq.com/s/Dp5214aBdQjb-uuxP7T4zg


I recently read "CDN Backfired: Amplification Attacks Based on HTTP Range Requests", the DSN 2020 best paper led by Tsinghua University, and took some simple notes.

The paper proposes two ways of using a CDN to amplify attacks against the origin sites it protects. They are powerful, so please test carefully.

Paper download address:

https://netsec.ccert.edu.cn/files/papers/cdn-backfire-dsn2020.pdf

The paper's authors were shown here (image); tql~

After writing this article, I saw the piece "RangeAmp Attack: Turning a CDN into a DDoS Cannon", which appears to have been written by the original authors. I took a lot of detours; that article only covers SBR and not the ORB method.

Basic concepts

First, two concepts; skip them if you already know them:

CDN (here mainly meaning a CDN for the HTTP protocol):

CDN stands for Content Delivery Network. A CDN is an intelligent virtual network built on top of the existing Internet: relying on edge servers deployed in many locations, and on the load balancing, content distribution and scheduling modules of a central platform, it lets users fetch content from a nearby node, reduces network congestion, and improves response time and hit rate. Its key technologies are content storage and content distribution.

Today the main form is the reverse proxy. Products are numerous: CloudFlare and AWS CloudFront, Alibaba Cloud CDN and Tencent Cloud CDN; cloud WAFs basically all include CDN functionality as well.

A separate word on CDN caching:

When a service is fronted by a CDN and the copy cached locally in the browser has expired, the browser does not request the resource from the origin server directly but from a CDN edge node, which keeps a cache of the data. If the CDN's copy has also expired, the edge node sends a back-to-origin request to the origin server to fetch the latest version.

On some CDNs, adding request parameters or changing request headers makes a cached resource count as uncached, so the CDN goes back to the origin for it.

HTTP Range requests:

HTTP range requests let the server send only part of an HTTP message to the client. They are very useful when transferring large media files or together with resume support in file downloads.

So the main uses of Range requests are chunked download of large files, resumable transfers, and multi-threaded download.

You can use a HEAD request (GET also works, but the response body is returned too) to check whether a resource supports Range: a response that includes Accept-Ranges: bytes means it is supported.

If there is no Accept-Ranges header, or its value is none, range requests are not available (other values are not ruled out, but currently only bytes and none are defined).

To make a Range request, add a Range header to the request headers. There are two forms of Range header:

  • Single range:

    Range: bytes=0-1023
    

    A request carrying this header asks for bytes 0-1023; the server returns status 206 Partial Content, and the response body is the 1024 bytes we requested.

  • Multiple ranges, used to request several blocks at once (ranges may overlap; the ORB technique below exploits overlapping ranges):

    Range: bytes=0-50, 100-150
    

    With a multi-range Range header the server also returns 206 Partial Content, and the response is built like a multipart file upload (Content-Type: multipart/byteranges), with a boundary string separating the individual parts.
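The following is an added example, not code from the post or from the paper, showing what an origin server does with the two Range forms described above: it parses the header into byte ranges (including the suffix form "-500" and the open-ended "100-"), answers 206 with a plain body for one range or a multipart/byteranges body for several, falls back to 200 for a malformed header, and answers 416 when nothing is satisfiable. The 2048-byte resource and the boundary string are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

ByteRange = Tuple[int, int]          # inclusive start/end offsets
BOUNDARY = "3d6b6a416f9b5"           # constructed multipart boundary


class UnsatisfiableRange(ValueError):
    """A well-formed Range header in which no range lies inside the resource (-> 416)."""


def parse_range(header: str, size: int) -> Optional[List[ByteRange]]:
    """Parse 'bytes=...' into (start, end) pairs clipped to the resource size.

    Returns None for a malformed header (a server may then ignore it and answer 200);
    raises UnsatisfiableRange when every range starts past the end of the resource."""
    m = re.fullmatch(r"bytes=(.+)", header.strip())
    if not m:
        return None
    ranges: List[ByteRange] = []
    for spec in m.group(1).split(","):
        spec = spec.strip()
        if re.fullmatch(r"\d+-\d*", spec):            # "0-1023" or open-ended "100-"
            first, last = spec.split("-")
            start = int(first)
            end = int(last) if last else size - 1
            if last and end < start:                   # "10-5" is syntactically invalid
                return None
            if start >= size:                          # lies entirely beyond EOF: skip it
                continue
            ranges.append((start, min(end, size - 1)))
        elif re.fullmatch(r"-\d+", spec):              # suffix form "-500": the last 500 bytes
            n = int(spec[1:])
            if n > 0:
                ranges.append((max(size - n, 0), size - 1))
        else:
            return None                                # anything else: treat header as malformed
    if not ranges:
        raise UnsatisfiableRange(f"no satisfiable range in {header!r}")
    return ranges


def build_206(data: bytes, ranges: List[ByteRange], ctype: str = "image/jpeg"):
    """Build headers and body of a 206 Partial Content response.

    One range -> plain body with Content-Range; several -> multipart/byteranges."""
    size = len(data)
    if len(ranges) == 1:
        s, e = ranges[0]
        headers = {"Content-Type": ctype,
                   "Content-Range": f"bytes {s}-{e}/{size}",
                   "Content-Length": str(e - s + 1)}
        return headers, data[s:e + 1]
    parts = []
    for s, e in ranges:
        head = (f"--{BOUNDARY}\r\nContent-Type: {ctype}\r\n"
                f"Content-Range: bytes {s}-{e}/{size}\r\n\r\n")
        parts.append(head.encode() + data[s:e + 1] + b"\r\n")
    body = b"".join(parts) + f"--{BOUNDARY}--\r\n".encode()
    headers = {"Content-Type": f"multipart/byteranges; boundary={BOUNDARY}",
               "Content-Length": str(len(body))}
    return headers, body


def handle_get(data: bytes, range_header: Optional[str]):
    """Dispatch the way an origin would: 200 (no or ignored Range), 206, or 416."""
    full = {"Accept-Ranges": "bytes", "Content-Length": str(len(data))}
    if range_header is None:
        return 200, full, data
    try:
        ranges = parse_range(range_header, len(data))
    except UnsatisfiableRange:
        return 416, {"Content-Range": f"bytes */{len(data)}"}, b""
    if ranges is None:
        return 200, full, data
    headers, body = build_206(data, ranges)
    headers["Accept-Ranges"] = "bytes"
    return 206, headers, body


SAMPLE = bytes(range(256)) * 8     # constructed 2048-byte stand-in for test.jpg

if __name__ == "__main__":
    for h in ("bytes=0-1023", "bytes=0-50, 100-150", "bytes=-500", "bytes=5000-", "bytes=x"):
        status, headers, body = handle_get(SAMPLE, h)
        print(h, "->", status, headers.get("Content-Type") or headers.get("Content-Range"), len(body))
```

Run it directly to see each header form mapped to its status, Content-Type/Content-Range and body length; the multipart body carries one `--boundary` header per part plus the closing `--boundary--`.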

Overall idea

The paper identifies three back-to-origin strategies that CDNs use when handling Range requests (see Table I and Table II in the paper for details):

  • Lazy: forward the request unchanged, Range header included
  • Delete: strip the Range header, then forward
  • Extend: widen the Range header to a fairly large range, then forward


The delete and extend strategies are optimizations CDNs make to raise the cache hit rate: one Range request is turned into a fetch of as much of the resource (file) as possible, so that the CDN does not have to go back to the origin again when the client later asks for other blocks of the same file.

Depending on how the CDN handles Range, and on the number and ordering of CDNs, two attack methods are proposed:

Small Byte Range (SBR) Attack

The main goal of this method is to use the CDN to launch a Range amplification attack against the target origin site, without the source-address spoofing that ordinary UDP reflection amplification attacks require.

(Figure from the paper: accessing test.jpg is the example.)

Put simply, a CDN with a delete-type or extend-type back-to-origin strategy is made to request as much content as possible from the origin, while the response to the client is still the small piece of content the Range header asked for.

The amplification factor is approximately the size of the accessed file divided by the size of the Range request plus its response. For a 1MB test.jpg, the paper measures factors from 724x to 1707x depending on the CDN (KeyCDN is 724x; every other CDN is above 1000x).

(For example, in the figure above, 1+4 is the exchange between attacker and CDN, about 600 bytes, and the requested test.jpg is 1MB, so 2+3, the exchange between CDN and origin, is about 1MB; 1MB/600B gives a factor close to 1700.)

In theory, with a delete-type CDN the factor grows without bound as test.jpg gets larger. The largest factor in the paper exceeds 40,000x at 25MB (Memcached reflection amplification is about 50,000x).

With an extend-type CDN there may be an upper limit on the size of the Range the CDN requests, which caps the factor, but in the paper's last case the maximum is still close to ten thousand times.

If, on top of this, some trick makes every access to test.jpg miss the cache and go back to origin, the result is a steady amplification attack that keeps consuming the origin's bandwidth.

The paper's test result: with a 10MB target resource, the client spends less than 500Kbps of bandwidth and can bring the origin's 1000Mbps link close to saturation.

My own test: I used a foreign CDN against my own Alibaba Cloud ECS host (bandwidth cap 100Mbps), with a 10MB resource file (a file this large is not actually necessary); 20 threads filled the link outright.

iftop shows heavy traffic consumption and the bandwidth fully used (traffic consumption on the left, bandwidth consumption on the right).

Digression: combine this attack with today's home gigabit broadband, multiple threads, multiple CDN nodes and multiple proxies making Range requests, and it can easily amplify to terabit-class traffic, in theory... theoretically...
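From the origin's side, what an SBR attack through a delete-type or extend-type CDN looks like is one large static object fetched over and over with different query strings (the cache-busting trick the post mentions), either as full 200 responses or as 206 responses covering nearly the whole file. The following is an added detector, not code from the post or the paper, run over constructed origin access-log lines; the log format (an nginx-style line extended with the request's Range header), the addresses and the thresholds are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterator, Tuple
from urllib.parse import urlsplit

# Constructed format: client ip, ISO time, request line, status, bytes sent, Range header ("-" if none).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<range>[^"]*)"$')

# Constructed sample: 198.51.100.x stand in for CDN back-to-origin fetchers, 203.0.113.x for normal clients.
SAMPLE_LOG = """\
203.0.113.10 [2020-07-25T10:00:00] "GET /index.html HTTP/1.1" 200 5120 "-"
198.51.100.7 [2020-07-25T10:00:01] "GET /test.jpg?a1 HTTP/1.1" 200 1048576 "-"
198.51.100.7 [2020-07-25T10:00:01] "GET /test.jpg?a2 HTTP/1.1" 200 1048576 "-"
198.51.100.8 [2020-07-25T10:00:02] "GET /test.jpg?a3 HTTP/1.1" 206 1048476 "bytes=100-"
198.51.100.8 [2020-07-25T10:00:02] "GET /test.jpg?a4 HTTP/1.1" 206 1048476 "bytes=100-"
198.51.100.9 [2020-07-25T10:00:03] "GET /test.jpg?a5 HTTP/1.1" 200 1048576 "-"
203.0.113.11 [2020-07-25T10:00:04] "GET /video.mp4 HTTP/1.1" 206 1024 "bytes=0-1023"
203.0.113.12 [2020-07-25T10:05:00] "GET /test.jpg HTTP/1.1" 200 1048576 "-"
"""


def parse(lines: str) -> Iterator[dict]:
    """Yield one record per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        url = urlsplit(d["target"])
        yield {"ip": d["ip"], "ts": datetime.fromisoformat(d["ts"]),
               "path": url.path, "query": url.query,
               "status": int(d["status"]), "bytes": int(d["bytes"]), "range": d["range"]}


def find_cache_busting(lines: str, window: timedelta = timedelta(seconds=60),
                       min_variants: int = 4, min_bytes: int = 1 << 20) -> Dict[str, Tuple[int, int]]:
    """Flag any path served under many distinct query strings inside one time window while
    moving at least min_bytes: the signature of one large object being pulled from origin
    repeatedly. Returns {path: (distinct query strings, bytes served in the worst window)}."""
    by_path = defaultdict(list)
    for rec in parse(lines):
        by_path[rec["path"]].append(rec)
    alerts: Dict[str, Tuple[int, int]] = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        lo = 0
        for hi in range(len(recs)):                 # sliding window over this path's requests
            while recs[hi]["ts"] - recs[lo]["ts"] > window:
                lo += 1
            slab = recs[lo:hi + 1]
            variants = {r["query"] for r in slab}
            total = sum(r["bytes"] for r in slab)
            if len(variants) >= min_variants and total >= min_bytes:
                if path not in alerts or len(variants) > alerts[path][0]:
                    alerts[path] = (len(variants), total)
    return alerts


if __name__ == "__main__":
    for path, (variants, total) in find_cache_busting(SAMPLE_LOG).items():
        print(f"{path}: {variants} query-string variants, {total} bytes served within 60s")
```

On the sample, /test.jpg is flagged because five different query strings pulled about 5MB within three seconds, while /video.mp4's ordinary 1KB range request and the single plain /test.jpg fetch five minutes later are not. Tune `min_variants` and `min_bytes` to the site's own traffic; on a real origin the next step would be to check whether those fetches arrive from the CDN's back-to-origin addresses.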

Overlapping Byte Ranges (ORB) Attack

The main goal of this method is to use Range amplification to consume network resources inside the CDN.

(Figure from the paper.)

This method uses the multi-range form of the Range header and stacks up n ranges (bytes=0-,0-,...,0-, that is, n copies of 0-). The larger the n a CDN accepts, the greater the amplification, and the traffic consumed between the CDNs equals n times the size of the accessed file. It applies to the CDN combination in which the front CDN (FCDN) uses the lazy strategy and the back CDN (BCDN) does not check whether the ranges overlap and returns a multipart Range response.

At the same time, the client sets a small TCP receive window and disconnects promptly, so that the data it actually receives is as small as possible.

This method achieves 50x to 6500x amplification of the origin file size, consuming large amounts of FCDN and BCDN network resources.

The paper gives 6 CDN combinations, 11 combinations in total, that can be used. Compared with SBR it is harder to use, since multi-layer CDNs are rarely deployed.

This method cannot directly threaten the origin site.

Solutions

At the end of the paper, solutions for different roles are given:

Server side: 1. Strengthen local DDoS defenses. 2. If a CDN is in use, check whether the problems above exist.

CDN side: change the back-to-origin policy for Range requests from delete-type to extend-type, and extend by a smaller range (for example, extend the original range by 8KB, so as not to waste too many resources).

Protocol side: revise the relevant RFC standards to take RangeAmp into account.

I also found that appending parameters to a static resource URL to force a CDN cache MISS is a common cache-busting technique (visiting /test.jpg and /test.jpg?xx are treated as accesses to different static resources).

So if you are sure the parameters are not needed, turn on the CDN option to ignore parameters when caching, to stop static resources from repeatedly going back to origin and enabling a RangeAmp amplification attack.
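To make the three back-to-origin strategies from the "Overall idea" section and the CDN-side fixes above concrete, here is an added model, not code from the post, the paper or any CDN: it computes which bytes a CDN would fetch from the origin under lazy, delete, extend and the recommended bounded-extend policy, the resulting amplification factor, the overlap and count check a BCDN can apply to multi-range requests (the ORB case), and a cache key that ignores the query string. The 8KB extension comes from the post; the 600-byte overhead, the 5-range cap, the 1MB file and the hostname are assumptions.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlsplit, urlunsplit

ByteRange = Tuple[int, int]   # inclusive offsets, already parsed and clipped to the file

EXTEND_BYTES = 8 * 1024       # the "extend by 8KB" suggestion from the post
MAX_RANGES = 5                # assumed cap on parts per multi-range request (not from the page)


def origin_ranges(policy: str, client: List[ByteRange], size: int) -> List[ByteRange]:
    """Byte ranges the CDN asks the origin for under each back-to-origin strategy."""
    if policy == "lazy":             # forward the client's Range header unchanged
        return list(client)
    if policy == "delete":           # strip Range: the whole object is fetched
        return [(0, size - 1)]
    if policy == "extend":           # widen each range to a large span (modelled here as to EOF)
        return [(s, size - 1) for s, _ in client]
    if policy == "bounded-extend":   # widen by a small fixed amount, as the post recommends
        return [(s, min(e + EXTEND_BYTES, size - 1)) for s, e in client]
    raise ValueError(f"unknown policy {policy!r}")


def byte_count(ranges: List[ByteRange]) -> int:
    return sum(e - s + 1 for s, e in ranges)


def amplification(policy: str, client: List[ByteRange], size: int, overhead: int = 600) -> float:
    """Bytes moved between CDN and origin per byte exchanged between client and CDN,
    the ratio the post describes. overhead models the request plus response headers."""
    fetched = byte_count(origin_ranges(policy, client, size))
    return fetched / (overhead + byte_count(client))


def validate_ranges(client: List[ByteRange]) -> Tuple[bool, str]:
    """The check a BCDN (or an origin) can apply to a multi-range request: cap the number
    of parts and refuse overlapping parts, which is exactly what the ORB pattern relies on."""
    if len(client) > MAX_RANGES:
        return False, "too many ranges"
    ordered = sorted(client)
    for (_, e1), (s2, _) in zip(ordered, ordered[1:]):
        if s2 <= e1:
            return False, "overlapping ranges"
    return True, "ok"


def cache_key(url: str, ignore_query: bool = True) -> str:
    """Cache key for a static object. With ignore_query=True, /test.jpg and /test.jpg?xx
    share one cache entry, so a query string no longer forces a back-to-origin fetch."""
    parts = urlsplit(url)._replace(fragment="")
    if ignore_query:
        parts = parts._replace(query="")
    return urlunsplit(parts)


def compare_policies(client: List[ByteRange], size: int) -> Dict[str, float]:
    """Amplification factor of each strategy for the same client request."""
    return {p: round(amplification(p, client, size), 1)
            for p in ("lazy", "delete", "extend", "bounded-extend")}


if __name__ == "__main__":
    one_mb = 1 << 20                                   # constructed: a 1MB test.jpg
    print(compare_policies([(0, 99)], one_mb))         # a 100-byte client request
    print(validate_ranges([(0, one_mb - 1)] * 3))      # three overlapping "0-" ranges
    print(cache_key("https://cdn.example.test/test.jpg?xx"))
```

For a 100-byte request against a 1MB object the delete and extend policies both fetch the full file (a factor around 1500 with the assumed 600-byte overhead), while bounded-extend fetches about 8KB (a factor around 12), which is the trade-off the CDN-side recommendation makes; lazy fetches only what the client asked for and keeps the ratio below 1.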

Summary

The SBR and ORB attacks exploit the CDN's caching strategy together with Range requests to carry out amplification attacks.

The CDN that is supposed to provide anti-DDoS protection is turned into a tool for attacking the origin site and for wasting resources inside the CDN network: the protector becomes the saboteur.

References

  1. https://netsec.ccert.edu.cn/files/papers/cdn-backfire-dsn2020.pdf

  2. https://baike.baidu.com/item/CDN/420951

  3. https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Range_requests

  4. https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/Accept-Ranges

  5. https://www.jianshu.com/p/baf12d367fe7

  6. https://www.inforsec.org/wp/?p=3997

Source: https://blog.csdn.net/fnmsd/article/details/107580958