In previous articles, we’ve reviewed content delivery networks (CDNs) from a variety of security perspectives: how hackers have used them as DDoS weapons, and how bad actors can use free services to create astronomical billing issues. CDNs are often used as a mask to launch the API abuse and web reflector attacks that plague the Internet via bots and scrapers. Today, it is estimated that 65% of the traffic on the Internet comes from such abuse. Given that, would you still assume that a CDN can protect you? That assumption is a commonly believed falsehood.
At a recent Black Hat security conference, researchers demonstrated how easy it is to bypass CDN security. One of the attacks demonstrated that by simply uploading an avatar to a forum, one could unmask the IP address of the origin servers. Another attack showed how a fake DMCA takedown (a request to remove content from a website on behalf of the content owner) could force the ISP or cloud provider to unmask the origin server.
Hackers these days are clever and have adapted to use your own technology as a weapon. The Radware Emergency Response Team, which has extensive experience dealing with attacks, has noticed a trend firsthand in some of the datacenters we’ve worked with. The aspirin being consumed to cure the headache … was the cause of the headache. By this I mean that attackers are learning to use your security tools as a weapon against you.
Some datacenters use NetFlow sampling to detect attacks, which inspects one out of every 10,000 requests to a customer’s servers. Upon detection of an attack, the cloud or CDN provider can divert your traffic into a scrubbing or mitigation center on its network. With this approach, attackers can observe that the path to your network is no longer 10 “hops” away; in theory it may now be 13-15 hops away. Once they detect that the path to your servers has changed, attackers can spoof your server’s IP and send corrupt packets directly to the server, avoiding the flow-based mitigation equipment. So in essence, the defense tool becomes the weapon that reflects the attack. At Radware, we’ve seen this attack happen many times, and sometimes it is too difficult for the service provider to figure out that its own tools could be the cause of the outage. This can wreak havoc on even the most well-defended technology companies.
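One defensive check that follows from both the origin-unmasking and the mitigation-bypass scenarios above: the origin server should only ever see traffic arriving through the CDN or scrubbing path, so anything else in its access log is a direct hit worth alerting on. The following is an added example, not code from this article or from Radware; the CDN address blocks, the log lines and the log format are constructed assumptions.

```python
"""Flag origin-server requests that did not arrive via the CDN/scrubbing path.
Added example; CDN_RANGES and SAMPLE_LOG are constructed, not real values."""
import ipaddress
from collections import Counter

# Constructed: address blocks the CDN / scrubbing center is expected to use
# when forwarding traffic to the origin. Real values come from the provider.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample of combined-format access log lines (RFC 5737 test addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2015:12:00:01 +0000] "GET / HTTP/1.1" 200 512
198.51.100.9 - - [10/Jun/2015:12:00:02 +0000] "GET /api/items HTTP/1.1" 200 2048
192.0.2.44 - - [10/Jun/2015:12:00:02 +0000] "POST /api/login HTTP/1.1" 401 120
192.0.2.44 - - [10/Jun/2015:12:00:03 +0000] "POST /api/login HTTP/1.1" 401 120
203.0.113.12 - - [10/Jun/2015:12:00:04 +0000] "GET /avatar.png HTTP/1.1" 200 9000
192.0.2.51 - - [10/Jun/2015:12:00:05 +0000] "GET / HTTP/1.1" 200 512
"""


def is_via_cdn(client_ip: str) -> bool:
    """True when the connecting address belongs to one of the CDN/scrubbing ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in CDN_RANGES)


def direct_hits(log_text: str) -> Counter:
    """Count requests per source address that reached the origin directly,
    i.e. from outside the CDN ranges, which means mitigation was bypassed."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client_ip = line.split(" ", 1)[0]  # first field of the combined format
        try:
            if not is_via_cdn(client_ip):
                hits[client_ip] += 1
        except ValueError:
            # Unparseable address field: also not a known CDN source, so count it.
            hits[client_ip] += 1
    return hits


if __name__ == "__main__":
    for ip, n in direct_hits(SAMPLE_LOG).most_common():
        print(f"direct-to-origin: {ip} ({n} requests)")
```

In production the same check belongs in the origin's firewall or web server ACL so that direct hits are dropped rather than merely logged; the log scan above is useful for confirming that such a rule is in place and for spotting when the provider's forwarding ranges have changed.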
In a defense effort, some CDN providers deploy open source tools in their networks. There are a few things to be aware of, and questions to ask, regarding this approach. For instance: how long does it take for a new rule to be implemented in my configuration? Some providers have a 45 minute service level agreement (SLA); others take up to 24 hours. In the case of new vulnerabilities such as GHOST or Shellshock, is a 45 minute to 24 hour window adequate protection?
The creativity of hackers doesn’t stop at their name. The Lizard Squad hacking group claimed that they hacked and controlled over 250,000 home routers. If you were to ask your CDN provider to block those 250,000 hacked routers, how many of them might actually belong to your customers? If you based your defense on IP block lists, you’d potentially be blocking your own legitimate customers. Can a cloud or CDN provider detect and differentiate whether the requests coming through its network are from legitimate users or from their weaponized routers?
Our customers share with us the pain of their challenges, and we’ve had to create new and innovative ways to deal with these issues. CDNs can be very beneficial to the online experience and effectively improve speed and performance. The importance of performance should not be understated: it is a force that affects user experience, search page rank, conversion rate and revenue. You have choices in the defense and performance of your network, and a well thought out strategy can and should deliver the best of both.
Read more about how CDNs are being used for attacks:
CDNs as a Weapon for DDoS
Lesson Learned: ISPs & CDNs Aren’t Enough for Anti-DDoS
Using Spreadsheets as a DDoS Weapon
More Bots and Aggressive API Abuse
Is Your Home Network Haunted? The Threats of the Ghost Vulnerability and the IoT