
Two Types of Novel DoS Attacks Against CDNs Based on HTTP/2 Flow Control Mechanism

  • Conference paper
  • Published in: Computer Security – ESORICS 2022 (ESORICS 2022)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13554)

Abstract

Content Delivery Networks (CDNs) provide high availability and low latency for end users through their geographically distributed and high-performance edge servers. Compared to the HTTP/1.1 protocol, the HTTP/2 protocol greatly improves network transmission performance, and most CDN vendors have begun to support HTTP/2. However, in a CDN-mediated network path between a client and an origin server, most CDN vendors deploy HTTP/2 in the client-to-CDN connection while still using HTTP/1.1 for the CDN-to-origin connection. This asymmetric usage of two versions of the HTTP protocol may lead to new types of attacks.

In this paper, we present two types of novel Denial of Service (DoS) attacks against CDNs: the HTTP/2 Traffic Amplification (HTA) attack and the HTTP/2 Slow Rate (HSR) attack. The HTA attack allows malicious users to exhaust the bandwidth of the origin server. The HSR attack can be used to consume all available connections of the origin server. We examined the HTA attack and the HSR attack on 10 popular CDNs to evaluate the feasibility and real-world impacts. Our experiment results show that all these CDNs are vulnerable to the HTA attack, and four of them are vulnerable to the HSR attack. In the worst-case scenario, attackers could amplify the network traffic by 403092 times, which poses a great DoS threat to CDN services. We responsibly disclosed these security vulnerabilities to the affected CDN vendors and received positive feedback from them. Some of them even rewarded us with bug bounties. At the end of this paper, we propose some mitigation countermeasures against these attacks.



Acknowledgements

We thank the anonymous reviewers for their valuable comments. This work is supported by the Innovation Research Team for New Cyberspace Security Technology Project (Grant No. 2021RI01) and the Project of Industrial Internet Security Situation Awareness Platform of Yunnan Province.

Author information

Correspondence to Jing Liu.


Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Song, H., Liu, J., Yang, J., Lei, X., Xue, G. (2022). Two Types of Novel DoS Attacks Against CDNs Based on HTTP/2 Flow Control Mechanism. In: Atluri, V., Di Pietro, R., Jensen, C.D., Meng, W. (eds) Computer Security – ESORICS 2022. ESORICS 2022. Lecture Notes in Computer Science, vol 13554. Springer, Cham. https://doi.org/10.1007/978-3-031-17140-6_23

  • DOI: https://doi.org/10.1007/978-3-031-17140-6_23

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-17139-0

  • Online ISBN: 978-3-031-17140-6

  • eBook Packages: Computer Science (R0)
