Overview
Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network.
Description
CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion') Content Delivery Networks (CDNs) are used to improve website performance and scalability by connecting a user to geographically nearby server for content. CDNs typically operate in two modes, a "push" mode allowing a user to upload content to the CDN for later distribution, or a "pull" mode which effectively acts as a reverse proxy. |
Impact
A remote attacker may be able to create a denial of service condition in CDNs, preventing access to hosted content. |
Solution
The researchers and CERT have reached out to known affected CDNs to inform them of this attack. CDNs are implementing their own counter-measures to this attack. If you are an employee of a CDN, the CERT/CC encourages you to review the researcher's conference paper to determine if your CDN may be impacted. |
Vendor Information
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 7.1 | AV:N/AC:M/Au:N/C:N/I:N/A:C |
| Temporal | 6.1 | E:POC/RL:U/RC:UR |
| Environmental | 4.6 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND |
References
Acknowledgements
Thanks to Jianjun Chen and Jian Jiang for reporting this vulnerability.
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | None |
| Date Public: | 2016-02-24 |
| Date First Published: | 2016-02-29 |
| Date Last Updated: | 2016-03-04 19:35 UTC |
| Document Revision: | 33 |