CDN Networks as a Weapon for DDoS


Early in my career, I worked for CacheFlow (now BlueCoat). I spent a fair amount of time exploring proxy systems and how to abuse them, often assisting the security research teams in re-creating real world attacks and investigating for our customers.

I was thinking about how I might be able to use Akamai, Limelight or other Content Distribution Network (CDN) providers as a weapon against people in a DDoS attack. Granted, I haven’t tested any of this live, as it would be illegal for me to do so. With that said, it certainly works well in my lab with other proxy software and hardware of the kinds used by CDN providers.

So what would happen if I googled “akamai proxy ip list”? I quickly found this link:

http://cecak.nc31.com/2009/10/all-list-of-ip-address-akamai-network/

Okay, working from those IP addresses, what would happen if I put together a quick script that used CURL (a command-line HTTP client) to do something like:

    for x in (IP addresses from the Akamai list):
        CURL (x) GET <big page URL (y)>
            If-Modified-Since: January 1, 2001
            Pragma: no-cache
            Host: myvictimsdomain.com

Granted, that’s not the actual code, so you’ll have to be more than a script kiddie to execute this; however, I believe you get the point of how easy it might be to put together a script that would use the CDN as a weapon against the companies that hide behind it. The other thing that somebody creative could do would be to change the script from a big, heavy page URL to say:

        CURL (x) GET <unique URL (y)>

That could cause the CDN to create a big 404 storm on the origin servers, or, with a URL that triggers a search, take down the database servers on the back end. An investigation would then have to dig through all of the CDN provider’s proxy logs to determine the source of the sweep storm, and blocking it at Akamai or another CDN provider could prove tricky if it were launched from a botnet or another distributed DDoS attack tool.
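To give an origin operator something to act on, here is an added example (not the post’s own code) that scans origin access logs for the two patterns just described: cache-busting requests relayed through CDN edges, and sweeps of unique URLs that all miss. The log layout, the edge IP addresses and the sample lines are constructed for the example.

```python
# Origin-side detection of the two relayed-abuse patterns from the post:
# forced revalidation (Pragma: no-cache / ancient If-Modified-Since) and
# "404 storms" of unique URLs. Added example, not the post's code; log layout assumed.
from collections import defaultdict
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
import re

# Assumed origin log layout: edge_ip path status pragma="..." ims="..."
LOG_RE = re.compile(r'^(\S+) (\S+) (\d{3}) pragma="([^"]*)" ims="([^"]*)"$', re.M)
STALE_BEFORE = datetime(2010, 1, 1, tzinfo=timezone.utc)  # older IMS = deliberate cache-busting

# Constructed sample: .10 hammers one file with cache-busting headers, .20 sweeps unique missing paths, .30 is benign.
SAMPLE_LOG = """\
203.0.113.10 /big-report.pdf 200 pragma="no-cache" ims="Mon, 01 Jan 2001 00:00:00 GMT"
203.0.113.10 /big-report.pdf 200 pragma="" ims="Mon, 01 Jan 2001 00:00:00 GMT"
203.0.113.10 /big-report.pdf 200 pragma="no-cache" ims=""
203.0.113.20 /x/a1b2 404 pragma="" ims=""
203.0.113.20 /x/c3d4 404 pragma="" ims=""
203.0.113.20 /x/e5f6 404 pragma="" ims=""
203.0.113.30 /logo.png 304 pragma="" ims="Tue, 05 Mar 2013 10:00:00 GMT"
"""

def is_cache_buster(pragma, ims, stale_before=STALE_BEFORE):
    # A no-cache pragma or a pre-cutoff If-Modified-Since sends every request to origin.
    if pragma.lower() == "no-cache":
        return True
    return bool(ims) and parsedate_to_datetime(ims) < stale_before

def analyze(log_text, min_requests=3, ratio=0.75):
    """Return {edge_ip: [pattern, ...]} for sources whose traffic fits a pattern."""
    per_ip = defaultdict(lambda: {"n": 0, "bust": 0, "miss": 0, "paths": set()})
    for m in LOG_RE.finditer(log_text):
        ip, path, status, pragma, ims = m.groups()
        s = per_ip[ip]
        s["n"] += 1
        s["paths"].add(path)
        s["bust"] += is_cache_buster(pragma, ims)
        s["miss"] += status == "404"
    findings = {}
    for ip, s in per_ip.items():
        hits = []
        if s["n"] >= min_requests and s["bust"] / s["n"] >= ratio:
            hits.append("forced-revalidation flood")
        if s["n"] >= min_requests and s["miss"] / s["n"] >= ratio and len(s["paths"]) == s["n"]:
            hits.append("unique-URL 404 sweep")
        if hits:
            findings[ip] = hits
    return findings
```

The flagged edge IPs and paths are what you hand to the CDN provider to trace back through its proxy logs, since the origin never sees the real client address.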

Being that most CDN providers charge their customers based on volume, this could do a number of things:

    1. Take victim offline at the origin servers
    2. Cost them millions in Akamai charges, thus the new term “FDoS”, or Financial Denial of Service.
    3. Mask the attack traffic so that it’s impossible to block at the origin servers, as they must let their CDN provider load from the origin servers.
    4. Help hide the attacker’s traffic, making mitigation take exponentially longer and potentially impossible.

Granted, I realize that CDNs are very popular these days; however, if you believe that using a CDN or another cloud-based DDoS protection service is enough to mitigate DDoS risks, you may be fooling yourself. From the vantage of the new attack vectors we are seeing today, a CDN is a liability to organizations, not a solution.

18 COMMENTS

  1. How to block this type of DDoS? Getting hit by DDoS from a CDN every day, at least 20 times a day; most of it is coming from IPs belonging to Limestone Networks. Help please.

  2. David Hobbs, kindly send me the same information by e-mail please; we are currently getting hit by 2 or 3 CDN providers a day.

  3. David, would you please send me the information also? I am being absolutely battered by Akamai addresses. It’s not only DDoS, it’s malicious attack traffic. I have spent hundreds of hours on vulnerability research and they just find another way in no matter what I close up. I can’t even get online with a live Linux distro and no hard drive whatsoever. If I use Windows 7, even fully patched, it’s full of shellcode in less than an hour. I would be very grateful for any help that you could give me.

  4. David, could you send me the info on how to protect against CDN attacks? And how could I filter the good CDN IP addresses in my DDoS box?

  5. David, can you also send me the same information on how to protect against this kind of attack? Getting hit from CDNs on a regular basis and I would like to explore some solutions.

    Thanks!

  6. Dear David, my organization subscribes to Akamai as well. But somehow, we seem to be receiving some malicious traffic, not exactly sure if it’s DDoS.
    Would you be so kind as to share the information on how we can mitigate or block the kind of ‘attacks’ that you’ve mentioned? And can the mitigation method be used for other kinds of similar attacks as well?
    I will be really grateful to hear any help/advice from you.

  7. Hi David,

    Thanks for your post. It would be really great if you could please email me with the possible mitigation process for the same. I am using the Amazon Web Services CDN, CloudFront. So how to block such DDoS attacks, or how to protect CloudFront from such DDoS attacks? Kindly email me with the possible solution.

  8. Hi David,

    My organization is using one of the CDNs, and as per your post you are saying that a CDN can be used as a weapon for a DDoS attack against a host behind the CDN? Is this really possible? Can you show some demo or small script which can prove this with a test host?

  9. Hello David, I read your article about CDN and DDoS. I started a project with WordPress. How can I protect my site against DDoS, because I don’t want to use a CDN. PLEASEEEE HEEEEELP

  10. Hello David,

    thanks for your article. I have started a project with WordPress and I want to protect my WordPress site against DDoS. But I don’t want to use a CDN. Can you send me some information on how I can do that? I read a lot of articles saying that a CDN can give solutions, but I don’t want to trust that kind of information, and there are also a lot of expensive DDoS protection providers. PLS HEEEELP. P.S. your article has met my heart and my thinking.

  11. David, I read your post with interest because we studied this type of attack in detail at some point (see S. Triukose, Z. Al-Qudah, and M. Rabinovich. Content Delivery Networks: Protection or Threat? The 14th European Symp. on Research in Computer Security, 2009.) A quick question — in your attack, does myvictimsdomain.com need to be the CDN’s customer? In our study, we assumed it has to be, but if not, this adds another twist to the problem (and should be an easy fix for the CDNs, since they should not act as open proxies!).
