Early in my career, I worked for CacheFlow (now BlueCoat). I spent a fair amount of time exploring proxy systems and how to abuse them, often assisting the security research teams in re-creating real world attacks and investigating for our customers.
I was thinking about how I might be able to use Akamai, LimeLight or other Content Distribution Networks (CDN) providers as a weapon against people for a DDoS attack. Granted, I haven’t tested any of this live as it would be illegal for me to do so. With that said, it certainly works well in my lab with other proxy software(s) and hardware, the kinds used by CDN providers.
So what would happen if I googled “akamai proxy ip list”? I quickly found this link:
Okay, working from those IP addresses, what would happen if I put together a quick script that used CURL (command line based URL http get tool) to do something like:
For x in (IP address of Akamai list)
CURL (x) GET <big page URL (y) >
If modified since: January 1, 2001
Granted, that’s not the actual code, so you’ll have to be more than a script kiddie to execute this, however, I believe you get the point of how easy it might be to put together a script that would use the CDN as a weapon against the companies that would hide behind the CDN. The other thing that somebody creative could do would be to change the script from a big heavy URL page to say:
CURL (x) GET <Unique URL (y) >
That could cause the CDN to create a big 404 storm on the servers, or maybe some URL that would generate search, which could take down their database servers on the back end. This could cause the investigation to have to dig through all of the CDN provider’s proxy logs to determine the source of the sweep storm and blocking it at Akamai or other CDN provider could prove to be tricky if launched from a botnet or other source of distributed DDoS attack tool.
Being that most CDN providers charge their customers based on volume, this could do a number of things:
- Take victim offline at the origin servers
- Cost them millions in Akamai charges, thus the new term “FDoS”, or Financial Denial of Service.
- Mask the attack traffic so that it’s impossible to block at the origin servers, as they must let their CDN provider load from the origin servers.
- Help hide the attacker’s traffic, making mitigation take exponentially longer and potentially impossible.
Granted, I realize that CDN’s are very popular these days, however, if you believe that using a CDN or other cloud based DDoS protection method to mitigate DDoS risks, you may be fooling yourself. From the vantage of the new attack vectors we are seeing today, CDN is a liability to organizations, not a solution.