CPDoS Attack: Cache attacks can paralyze web pages


Knowledge Seeker
Oct 10, 2015
Cache attacks can paralyze websites

Some HTTP caches can be made to store server error messages that can be triggered by specific requests. This works, for example, with extra-long headers.

Two researchers from the Cologne University of Technology have introduced an attack on certain configurations of HTTP caches. This can temporarily disable websites, but only a single HTTP request from an attacker is necessary. The problem: Some caches store error messages that should not actually be kept in the cache. The attack was baptized by its discoverers Cache Poison Denial of Service (CPDoS).

A common setup of many websites is to have a cache before the actual web server. This can either be a system of a service provider, such as a content delivery network that operates globally distributed server and thus is often able to respond faster, or special caching software as part of their own infrastructure. In these setups, the cache stores responses from the actual server for a while, so that further requests for the same web page can be answered faster.

Cache saves error message and delivers it to the following user requests

The whole thing becomes problematic if the cache also stores error messages from the web server. For example, an attacker could send a request to the cache containing a huge header. Many web servers have a size limit for HTTP requests, such as the Apache web server blocking requests whose headers are larger than eight kilobytes in total. However, some caches let such requests through, so Amazon's cloud-front service allows requests up to 20 kilobytes.

An attacker can now send a request for a particular URL, sending a nonsensical, ten-kilobyte header. If the cache passes this, but the web server responds with an error message, that error is cached. In many cases this is an error with the HTTP code 400 (Bad Request). Any subsequent requests to the same URL will then result in an error message - as long as the cache stores them.

In addition to the variant with extra-large headers, the authors introduce two additional variants: attacks with specific special characters in the header and special headers that are intended to send unusual HTTP methods to servers where they are blocked by the cache.

Whether the attack works depends on the exact behavior of both the web server and the cache being used. From a table of the authors shows that especially Amazon's cloud front service was vulnerable here. This worked variants of the attack with almost all web servers. Cloudfront has responded and changed its caching behavior.

Caching HTTP 400 Errors Illegal

In general, the HTTP standard does not allow caches to store such errors. Only certain error messages may ever be stored by caches, the error type 400 frequently occurring in such requests is not included. The authors also point out that many web servers generate false error messages. If the request was too large, the error code should be 431, which indicates that the request was too large.

Web servers can also protect themselves against such problems by generally providing error messages with a header that prevents caching. But of course that reduces the effectiveness of the cache especially in attacks.

The interaction of HTTP caches and Web servers does not lead to security problems for the first time. For example, researchers from Portswigger recently presented an attack with a similar idea called HTTP Request Smuggling.

The discoverers of the CPDoS attack published a background paper on their website explaining the details. The paper will be officially released at the CCS conference in London in November and there will also be a presentation there.