
Research Article
Yet Another Traffic Black Hole: Amplifying CDN Fetching Traffic with RangeFragAmp Attacks
@INPROCEEDINGS{10.1007/978-3-030-92635-9_26,
  author={Chi Xu and Juanru Li and Junrong Liu},
  title={Yet Another Traffic Black Hole: Amplifying CDN Fetching Traffic with RangeFragAmp Attacks},
  proceedings={Collaborative Computing: Networking, Applications and Worksharing. 17th EAI International Conference, CollaborateCom 2021, Virtual Event, October 16-18, 2021, Proceedings, Part I},
  proceedings_a={COLLABORATECOM},
  year={2022},
  month={1},
  keywords={CDN security HTTP range request Amplification attack DDoS},
  doi={10.1007/978-3-030-92635-9_26}
}
Chi Xu, Juanru Li, Junrong Liu
Year: 2022
COLLABORATECOM
Springer
DOI: 10.1007/978-3-030-92635-9_26
Abstract
Content Delivery Networks (CDNs) are widely used nowadays as an important network infrastructure to provide fast and robust distribution of content over the Internet. However, an inherent weakness of CDN-involved network services is the content fetching amplification issue, that is, the network traffic between the origin server and CDN surrogate nodes is maliciously amplified by crafted requests. Such requests can be multiplied by the forwarding of the CDN, posing a serious performance threat to the origin server. Particularly, when the HTTP range request mechanism, which allows the server to respond with only a portion of the HTTP message to a client's request, is used, the risk of content fetching amplification is significantly increased. Therefore, defenses against such kinds of traffic amplification have been deployed to protect CDN users from being overcharged.
In this paper, we revisited the content fetching amplification issue caused by HTTP range requests and evaluated the deployed defenses of mainstream CDN providers. Specifically, we proposed Range Fragment Amplification (RangeFragAmp) attacks, a new variation of CDN content fetching attack related to the HTTP range request mechanism. The proposed RangeFragAmp attacks have concealment and bandwidth consumption capability. Our pentests against five CDN providers with more than 2.5 million users demonstrated that all of their CDNs were vulnerable to RangeFragAmp attacks. Particularly, the S-RFA attack, one of the two types of RangeFragAmp attacks, can achieve an amplification factor of 11345 on Baidu AI Cloud. We have reported the issues to the involved CDN providers, and expected our study could help CDN designers and developers build more robust systems.