CDN Networks as a Weapon for DDoS

January 27, 2012 — by David Hobbs

Early in my career, I worked for CacheFlow (now BlueCoat). I spent a fair amount of time exploring proxy systems and how to abuse them, often assisting the security research teams in re-creating real-world attacks and investigating for our customers.

I was thinking about how I might be able to use Akamai, LimeLight or other Content Distribution Network (CDN) providers as a weapon against people for a DDoS attack. Granted, I haven’t tested any of this live, as it would be illegal for me to do so. With that said, it certainly works well in my lab with other proxy software and hardware, the kinds used by CDN providers.

So what would happen if I googled “akamai proxy ip list”? I quickly found this link:

http://cecak.nc31.com/2009/10/all-list-of-ip-address-akamai-network/

Okay, working from those IP addresses, what would happen if I put together a quick script that used CURL (a command-line HTTP GET tool) to do something like:

    For x in (IP address of Akamai list)
        CURL (x) GET <big page URL (y)>
            If modified since: January 1, 2001
            Pragma: no-cache
            Host: myvictimsdomain.com

Granted, that’s not the actual code, so you’ll have to be more than a script kiddie to execute this. However, I believe you get the point of how easy it might be to put together a script that would use the CDN as a weapon against the companies that would hide behind the CDN. The other thing that somebody creative could do would be to change the script from a big heavy URL page to, say:

CURL (x) GET <Unique URL (y) >

That could cause the CDN to create a big 404 storm on the servers, or maybe hit some URL that would generate a search, which could take down their database servers on the back end. The investigation would then have to dig through all of the CDN provider’s proxy logs to determine the source of the sweep storm, and blocking it at Akamai or another CDN provider could prove tricky if it is launched from a botnet or other distributed DDoS attack tool.
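The log investigation described above, seen from the defender's side, as an added example that is not code from the original post: it scans origin access logs for the two patterns the post names (requests that force the edge to bypass its cache, and many distinct URLs returning 404) and groups them by client rather than by edge IP. The log format, the client address forwarded by the edge, and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed origin log lines in an assumed format (not a real CDN's):
# edge_ip forwarded_client_ip "METHOD path" status "Pragma header value"
SAMPLE_LOG = """\
203.0.113.10 198.51.100.7 "GET /big/report.pdf" 200 "no-cache"
203.0.113.11 198.51.100.7 "GET /big/report.pdf" 200 "no-cache"
203.0.113.12 198.51.100.7 "GET /big/report.pdf" 200 "no-cache"
203.0.113.13 198.51.100.7 "GET /big/report.pdf" 200 "no-cache"
203.0.113.10 198.51.100.9 "GET /x/8f3a1" 404 ""
203.0.113.11 198.51.100.9 "GET /x/c02be" 404 ""
203.0.113.12 198.51.100.9 "GET /x/77d10" 404 ""
203.0.113.10 192.0.2.50 "GET /index.html" 200 ""
203.0.113.13 192.0.2.50 "GET /missing.png" 404 ""
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r'^(?P<edge>\S+) (?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) "(?P<pragma>[^"]*)"$')

def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def suspicious_clients(log_text, min_forced=3, min_unique_404=3):
    """Group by forwarded client, since every request arrives from an edge IP."""
    stats = defaultdict(lambda: {"forced": 0, "paths_404": set(), "edges": set()})
    for rec in parse(log_text):
        s = stats[rec["client"]]
        s["edges"].add(rec["edge"])
        if "no-cache" in rec["pragma"].lower():
            s["forced"] += 1  # client asked the edge to bypass its cache
        if rec["status"] == "404":
            s["paths_404"].add(rec["path"])  # distinct missing URLs
    flagged = {}
    for client, s in stats.items():
        reasons = []
        if s["forced"] >= min_forced:
            reasons.append("forced-origin-fetch")
        if len(s["paths_404"]) >= min_unique_404:
            reasons.append("unique-url-404-storm")
        if reasons:
            flagged[client] = {"reasons": reasons, "edges": len(s["edges"])}
    return flagged
```

The `edges` count shows how many edge addresses one client was spread across, which is why filtering by source IP at the origin does not isolate it.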

Being that most CDN providers charge their customers based on volume, this could do a number of things:

    1. Take victim offline at the origin servers
    2. Cost them millions in Akamai charges, thus the new term “FDoS”, or Financial Denial of Service.
    3. Mask the attack traffic so that it’s impossible to block at the origin servers, as they must let their CDN provider load from the origin servers.
    4. Help hide the attacker’s traffic, making mitigation take exponentially longer and potentially impossible.

Granted, I realize that CDNs are very popular these days. However, if you believe that using a CDN or other cloud-based DDoS protection method will mitigate DDoS risks, you may be fooling yourself. From the vantage of the new attack vectors we are seeing today, a CDN is a liability to organizations, not a solution.

David Hobbs

As Director of Security Solutions, David Hobbs is responsible for developing, managing, and increasing the company’s security practice in APAC. Before joining Radware, David was at one of the leading Breach Investigation Firms in the US. David has worked in the Security and Engineering arena for over 20 years and during this time has helped various government agencies and world governments in various cyber security issues across all sectors.

17 comments

  • Izra Leavy

    November 8, 2012 at 4:43 pm

    How to block this type of DDoS? Getting hit by DDoS from a CDN every day, at least 20 times a day; most of it is coming from IPs belonging to Limestone Networks. Help please.

  • David Hobbs

    November 9, 2012 at 5:06 pm

    I sent you an e-mail that you registered to post that comment with. I hope that we may be of assistance.

  • Silviu Sebruski

    December 3, 2012 at 8:27 am

    David Hobbs, kindly send me the same information by e-mail please, we are currently getting hit by 2 or 3 cdn providers a day.

  • June

    January 21, 2013 at 9:37 pm

    David, would you please send me the information also? I am being absolutely battered by Akamai addresses. It’s not only DDoS, it’s malicious attack traffic. I have spent hundreds of hours on vulnerability research and they just find another way in no matter what I close up. I can’t even get online with a live Linux distro and no hard drive whatsoever. If I use Windows 7, even fully patched, it’s full of shellcode in less than an hour. I would be very grateful for any help that you could give me.

    • David Hobbs

      January 22, 2013 at 4:20 pm

      June,

      I sent you an e-mail. When you get a chance, check your e-mail.

      David

  • tharun224run

    March 8, 2013 at 10:40 pm

    David Hobbs, kindly send me the same information by e-mail please, we are currently getting hit by 4 or 5 cdn providers a day.

  • Ferdinand

    April 8, 2013 at 11:51 am

    David,

    Could you send me the info on how to protect against CDN attacks?!
    Many thanks!

  • Alex Hayes

    February 17, 2014 at 7:33 pm

    David, could you send me the info on how to protect against CDN attacks? And how could I filter the good CDN IP addresses in my DDoS box?

  • Carolina

    August 24, 2014 at 12:16 pm

    David, can you also send me the same information on how to protect against this kind of attack? Getting hit from CDNs on a regular basis and I would like to explore some solutions.

    Thanks!

  • Roei

    August 24, 2014 at 9:11 pm

    Hi
    We have a cloud solution for DDoS & WAF with or without CDNs

  • Angel

    February 11, 2015 at 1:02 am

    Dear David, my organization subscribes to Akamai as well. But somehow, we seem to be receiving some malicious traffic, not exactly sure if it’s DDoS.
    Would you be so kind as to share the information – how can we mitigate or block the kind of ‘attacks’ that you’ve mentioned? And can the mitigation method be used for other or similar kinds of attacks as well?
    Will be really grateful to hear any help/advice from you.

  • P R Das

    February 11, 2015 at 7:24 am

    Hi David,

    Thanks for your post. It would be really great if you could please email me with the possible mitigation process on the same. I am using Amazon Web Services CDN – CloudFront. So how to block such DDoS attacks or how to protect CloudFront from such DDoS attacks ? Kindly email me with the possible solution.

  • Pingback: Can a CDN Stop Cyber-Attacks? - zeax blog (ze-ax.com)

  • Amit

    November 6, 2015 at 7:47 am

    Hi David,

    My organization is using one of the CDNs, and as per your post you are saying that a CDN can be used as a weapon for a DDoS attack on a host behind the CDN? Is this really possible? Can you show some demo or small script which can prove this with a test host?

  • Tahsin

    February 28, 2016 at 4:07 pm

    Hallo David, I read your article about CDN and DDoS. I started a project with WordPress. How can I protect my site against DDoS, because I don’t want to use a CDN. PLEASEEEE HEEEEELP

  • Tahsin

    February 28, 2016 at 4:12 pm

    Hallo David,

    Thanks for your article. I have started a project with WordPress and I want to protect my WordPress site against DDoS. But I don’t want to use a CDN. Can you send me some information on how I can do that? I read a lot of articles saying that a CDN can give solutions, but I don’t want to trust that kind of information, and there are also a lot of expensive DDoS protection providers. PLS HEEEELP. P.S. Your article has met my heart and my thinking.

  • Tien Dinh

    April 27, 2016 at 6:17 pm

    Hi David,
    It is a really helpful article, hope to get your email about deny DDoS attack documents.

    Thanks so much
