DOCSLIB.ORG

Forwarding-Loop Attacks in Content Delivery Networks

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Forwarding-Loop Attacks in Content Delivery Networks Forwarding-Loop Attacks in Content Delivery Networks Jianjun Chen∗yz, Jian Jiangx, Xiaofeng Zheng∗yz, Haixin Duanyz{, Jinjin Liang∗yz, Kang Lik, Tao Wan∗∗, Vern Paxsonx{, ∗Department of Computer Science and Technology, Tsinghua University yInstitute for Network Science and Cyberspace, Tsinghua University zTsinghua National Laboratory for Information Science and Technology fchenjj13, zhengxf12, [email protected], [email protected] xUniversity of California, Berkeley [email protected] {International Computer Science Institute [email protected] kDepartment of Computer Science, University of Georgia [email protected] ∗∗Huawei Canada [email protected] Abstract—We describe how malicious customers can attack In this work we present “forwarding-loop” attacks, which the availability of Content Delivery Networks (CDNs) by creating allow malicious CDN customers to attack CDN availability forwarding loops inside one CDN or across multiple CDNs. Such by creating looping requests within a single CDN or across forwarding loops cause one request to be processed repeatedly or multiple CDNs. Forwarding-loop attacks allow attackers to even indefinitely, resulting in undesired resource consumption and massively consume CDN resources by building up a large potential Denial-of-Service attacks. To evaluate the practicality number of requests (or responses) circling between CDN of such forwarding-loop attacks, we examined 16 popular CDN providers and found all of them are vulnerable to some form of nodes. The impact can become more severe in the (common) such attacks. While some CDNs appear to be aware of this threat case where attackers can manipulate DNS records to dynami- and have adopted specific forwarding-loop detection mechanisms, cally control a loop’s IP-level routing on a fine-grained basis. we discovered that they can all be bypassed with new attack tech- niques. Although conceptually simple, a comprehensive defense Although many CDN providers have internal mechanisms requires collaboration among all CDNs. Given that hurdle, we (such as appending custom HTTP headers like CloudFlare’s also discuss other mitigations that individual CDN can implement CF-Connecting-IP [19]) to detect repeated requests when immediately. At a higher level, our work underscores the hazards they circle back, we find that an attacker can bypass such that can arise when a networked system provides users with defense mechanisms by using features offered by some control over forwarding, particularly in a context that lacks a other CDNs to filter HTTP headers. Our experiments with single point of administrative control. 16 commercial CDNs show that all of them are vulnerable to forwarding-loop attacks, even with their existing defense mechanisms. I. INTRODUCTION We also examine the threat of stealthy forwarding-loop Content Delivery Networks (CDNs) are widely used in the attacks. In the Dam Flooding Attack, an attacker secretly Internet to improve the performance, scalability and security and gradually accumulates a large number of pending CDN of websites. A CDN enhances performance for its customers’ requests over a lengthy period (hours). They then trigger a huge websites by redirecting web requests from browsers to ge- volume of cascading traffic by suddenly providing bandwidth- ographically distributed CDN surrogate nodes. A surrogate consuming responses and controlling all responses to arrive serves the content directly if cached, or forwards requests to the simultaneously. Worse, we find that internal CDN features— origin site otherwise. To improve availability, surrogates absorb such as automatic server probing (Azure China), forwarding distributed denial-of-service (DDoS) attacks by distributing the retries (Akamai and CloudFront), and proactive decompression attack traffic across many data centers. Some CDN providers of gzip’d responses (Akamai, Baidu and CloudFlare)—can also provide WAF (Web Application Firewall) services to amplify the DoS effect of forwarding-loop attacks and further normalize traffic and filter intrusions to their customer’s web exacerbate the load on the CDN. sites. Overall, we make the following contributions: Permission to freely reproduce all or part of this paper for noncommercial 1) We describe forwarding-loop attacks that broadly purposes is granted provided that copies bear this notice and the full citation on the first page. Reproduction for commercial purposes is strictly prohibited threaten CDN providers. Our study shows that the without the prior written consent of the Internet Society, the first-named author amplification attacks are severe and can consume (for reproduction of an entire paper only), and the author’s employer if the a huge volume of resources in commercial CDNs paper was prepared within the scope of employment. at low cost. The attacks can potentially undermine NDSS ’16, 21-24 February 2016, San Diego, CA, USA Copyright 2016 Internet Society, ISBN 1-891562-41-X the security provided by CDNs, which are usually http://dx.doi.org/10.14722/ndss.2016.23442 considered robust against DoS attacks. 2) We performed controlled tests on 16 popular CDN Request Forwarding providers to verify the practicality of such attacks. example.com Server IP Although some CDN providers implemented defense HTTP GET/POST HTTP GET/POST mechanisms for mitigating forwarding loops, we http://example.com http://example.com Web Site Browser CDN Node show that those defenses can be bypassed. (example.com) 3) We present the Dam Flooding attack, a highly dam- aging type of forwarding-loop attack. 4) We propose four approaches to preventing or mit- Fig. 1. Normal CDN forwarding behavior. igating forwarding-loop attacks, and discuss their advantages and limitations. a CDN’s performance. The higher the ratio, the more requests We organize the rest of this paper as follows. Section II that the CDN answers out of its cache, significantly reducing describes CDN operation, especially forwarding and filtering response latency and as well as the load imposed on the origin techniques. In Section III we present various forwarding- website. However, a user can force requests to come from the loop attacks and analyze the factors affecting them. We also origin website instead of the CDN’s cache. First, adding a described our experiments to construct loops within and across no-cache request header will make the CDN re-validate the CDNs, and the “Dam Flooding” attack leveraging streaming response from the origin server [6]. Second, POST requests HTTP responses. We discuss possible defenses to prevent or usually will write through to the origin server [7], [16]. In mitigate forwarding-loop attacks in Section IV and related addition, most CDNs provide ways for customers to configure research regarding forwarding loops and CDN security in the CDN to not cache certain URLs. Section V. We conclude in Section VI. Typical commercial CDNs usually have massive bandwidth and computational resources distributed around the Internet, II. BACKGROUND making them much more resilient to DDoS attacks than most of websites. DDoS traffic targeting a CDN-protected website CDNs are distributed systems with large numbers of servers will be directed to CDN servers distributed across data centers deployed across the Internet. Initially created to improve with ample bandwidth, and then absorbed or blocked before website performance and scalability, many CDNs also provide arriving the original website. Indeed, capacity for mitigating security features such as DDoS protection and Web Appli- DDoS attacks has become a “selling point” for today’s com- cation Firewalls (WAFs) for websites. CDNs have evolved mercial CDNs. to become important Internet infrastructure. For example, the leading CDN provider Akamai claims that it alone delivers Many CDNs also provide an additional security service 15–30% of all Web traffic [1]. called content filtering, or WAF. A WAF applies a set of rules to each HTTP request and response. Generally, these Web access involving a CDN includes two steps: first, rules cover common attacks such as cross-site scripting (XSS) a user’s request is directed to a CDN server geographically and SQL injection. By customizing WAF rules, customers can close to the user; second, the CDN server obtains the content have their CDNs examine HTTP requests and filter out some for the responding to the request. The first step is called suspicious traffic before it reaches the origin website. request routing [2]. Commonly used request-routing techniques include URL rewriting and DNS-based request routing [2]. III. FORWARDING-LOOP ATTACKS URL rewriting requires website owners to change website URLs to use CDN-assigned subdomains that resolve to CDN Malicious customers of CDNs can deliberately manipulate servers. DNS-based request routing instead works by chang- the forwarding process (in the pull mode) to create forwarding ing the DNS resolution of website domains, either directly loops inside CDNs. Forwarding loops can cause CDNs to mapping to CDN server IP addresses, or using CNAMEs to process one client request repetitively or even indefinitely. The chain to CDN subdomains. These request-routing techniques consequent amplification effect allows malicious customers to usually determine the selection of edge (entry) server, but launch, with little resources and cost, resource-consuming DoS users can also override a CDN’s selection by directly con- attacks against CDNs. necting to a desired edge server using its IP address rather In general, as shown in Figure 1, before a CDN node than hostname [22]. Users can obtain CDN IP addresses forwards an HTTP request from a client, it checks the Host by resolving CDN subdomains via public platforms such as header of the request to look up any customer-specified for- PlanetLab [20]. We verified that this technique for overriding warding destination. The node then connects to the forwarding a CDN’s selection works for all CDNs in our study. destination and relays the request. In the benign case, the forwarding destination returns a response that is further relayed The second step, i.e., how the CDN server obtains the by the CDN node to the client. However, if an attacker requested content, also has two different modes: push and pull.
Load more

Recommended publications
  • Global Glitch: Swaths of Internet Go Down After Cloud Outage 8 June 2021, by Kelvin Chan
    Global glitch: Swaths of internet go down after cloud outage 8 June 2021, by Kelvin Chan The company said in an emailed statement that it was a "technical issue" and "not related to a cyber attack." Still, major futures markets in the U.S. dipped sharply minutes after the outage, which came a month after hackers forced the shutdown of the biggest fuel pipeline in the U.S. Fastly is a content-delivery network, or CDN. It provides vital but behind-the-scenes cloud computing "edge servers" to many of the web's popular sites. These servers store, or "cache," content such as images and video in places around the world so that it is closer to users, allowing them to fetch it more quickly and smoothly. This Jan. 17, 2001 file photo shows people entering CNN Center, the headquarters for CNN, in downtown Atlanta. Numerous websites were unavailable on Fastly says its services mean that a European user Tuesday June 8, 2021, after an apparent widespread going to an American website can get the content outage at cloud service company Fastly. Dozens of high- 200 to 500 milliseconds faster. traffic websites including the New York Times, CNN, Twitch and the U.K. government's home page, could not be reached. Credit: AP Photo/Ric Feld, File Dozens of websites went down briefly around the globe Tuesday, including CNN, The New York Times and Britain's government home page, after an outage at the cloud computing service Fastly, illustrating how vital a small number of behind-the- scenes companies have become to running the internet.
    [Show full text]
  • 1. Run Nslookup to Obtain the IP Address of a Web Server in Europe
    1. Run nslookup to obtain the IP address of a Web server in Europe. frigate:Desktop drb$ nslookup home.web.cern.ch Server: 130.215.32.18 Address: 130.215.32.18#53 Non-authoritative answer: home.web.cern.ch canonical name = drupalprod.cern.ch. Name: drupalprod.cern.ch Address: 137.138.76.28 Note that the #53 denotes the DNS service is running on port 53. 2. Run nslookup to determine the authoritative DNS servers for a university in Asia. frigate:Desktop drb$ nslookup -type=NS tsinghua.edu.cn Server: 130.215.32.18 Address: 130.215.32.18#53 Non-authoritative answer: tsinghua.edu.cn nameserver = dns2.tsinghua.edu.cn. tsinghua.edu.cn nameserver = dns.tsinghua.edu.cn. tsinghua.edu.cn nameserver = dns2.edu.cn. tsinghua.edu.cn nameserver = ns2.cuhk.edu.hk. Authoritative answers can be found from: dns2.tsinghua.edu.cn internet address = 166.111.8.31 ns2.cuhk.edu.hk internet address = 137.189.6.21 ns2.cuhk.edu.hk has AAAA address 2405:3000:3:6::15 dns2.edu.cn internet address = 202.112.0.13 dns.tsinghua.edu.cn internet address = 166.111.8.30 Note that there can be multiple authoritative servers. The response we got back was from a cached record. To confirm the authoritative DNS servers, we perform the same DNS query of one of the servers that can provide authoritative answers. frigate:Desktop drb$ nslookup -type=NS tsinghua.edu.cn dns.tsinghua.edu.cn Server: dns.tsinghua.edu.cn Address: 166.111.8.30#53 tsinghua.edu.cn nameserver = dns2.edu.cn.
    [Show full text]
  • Public Company Analysis 6
    MOBILE SMART FUNDAMENTALS MMA MEMBERS EDITION NOVEMBER 2014 messaging . advertising . apps . mcommerce www.mmaglobal.com NEW YORK • LONDON • SINGAPORE • SÃO PAULO MOBILE MARKETING ASSOCIATION NOVEMBER 2014 REPORT Measurement & Creativity Thoughts for 2015 Very simply, mobile marketing will continue to present the highest growth opportunities for marketers faced with increasing profitability as well as reaching and engaging customers around the world. Widely acknowledged to be the channel that gets you the closest to your consumers, those marketers that leverage this uniqueness of mobile will gain competitive footholds in their vertical markets, as well as use mobile to transform their marketing and their business. The MMA will be focused on two cores issues which we believe will present the biggest opportunities and challenges for marketers and the mobile industry in 2015: Measurement and Creativity. On the measurement side, understanding the effectiveness of mobile: the ROI of a dollar spent and the optimized level for mobile in the marketing mix will become more and more critical as increased budgets are being allocated towards mobile. MMA’s SMoX (cross media optimization research) will provide the first-ever look into this. Additionally, attribution and understanding which mobile execution (apps, video, messaging, location etc…) is working for which mobile objective will be critical as marketers expand their mobile strategies. On the Creative side, gaining a deeper understanding of creative effectiveness cross-screen and having access to case studies from marketers that are executing some beautiful campaigns will help inspire innovation and further concentration on creating an enhanced consumer experience specific to screen size. We hope you’ve had a successful 2014 and we look forward to being a valuable resource to you again in 2015.
    [Show full text]
  • Economic and Social Impacts of Google Cloud September 2018 Economic and Social Impacts of Google Cloud |
    Economic and social impacts of Google Cloud September 2018 Economic and social impacts of Google Cloud | Contents Executive Summary 03 Introduction 10 Productivity impacts 15 Social and other impacts 29 Barriers to Cloud adoption and use 38 Policy actions to support Cloud adoption 42 Appendix 1. Country Sections 48 Appendix 2. Methodology 105 This final report (the “Final Report”) has been prepared by Deloitte Financial Advisory, S.L.U. (“Deloitte”) for Google in accordance with the contract with them dated 23rd February 2018 (“the Contract”) and on the basis of the scope and limitations set out below. The Final Report has been prepared solely for the purposes of assessment of the economic and social impacts of Google Cloud as set out in the Contract. It should not be used for any other purposes or in any other context, and Deloitte accepts no responsibility for its use in either regard. The Final Report is provided exclusively for Google’s use under the terms of the Contract. No party other than Google is entitled to rely on the Final Report for any purpose whatsoever and Deloitte accepts no responsibility or liability or duty of care to any party other than Google in respect of the Final Report and any of its contents. As set out in the Contract, the scope of our work has been limited by the time, information and explanations made available to us. The information contained in the Final Report has been obtained from Google and third party sources that are clearly referenced in the appropriate sections of the Final Report.
    [Show full text]
  • A View from the Edge: a Stub-AS Perspective of Traffic Localization
    A View From the Edge: A Stub-AS Perspective of Traffic Localization and its Implications Bahador Yeganeh Reza Rejaie Walter Willinger University of Oregon University of Oregon NIKSUN, Inc. [email protected] [email protected] [email protected] Abstract—Serving user requests from near-by caches or servers to implement their business model for getting content closer has been a powerful technique for localizing Internet traffic with to the end users. For example, while Akamai [1] operates and the intent of providing lower delay and higher throughput to maintains a global infrastructure consisting of more then 200K end users while also lowering the cost for network operators. This basic concept has led to the deployment of different types of servers located in more than 1.5K different ASes to bring the infrastructures of varying degrees of complexity that large CDNs, requested content by its customers closer to the edge of the ISPs, and content providers operate to localize their user traffic. network where this content is consumed, other CDNs such Prior measurement studies in this area have focused mainly on as Limelight or EdgeCast rely on existing infrastructure in revealing these deployed infrastructures, reverse-engineering the the form of large IXPs to achieve this task [2]. Similar to techniques used by these companies to map end users to close- by caches or servers, or evaluating the performance benefits that Akamai but smaller in scale, major CPs such as Google and “typical” end users experience from well-localized traffic. Netflix negotiate with third-party networks to deploy their own To our knowledge, there has been no empirical study that caches or servers that are then used to serve exclusively the assesses the nature and implications of traffic localization as CP’s own content.
    [Show full text]
  • Proxysg Log Fields and Substitutions
    ProxySG Log Fields and Substitutions Version 6.5.x through 7.3.x Guide Revision: 12/10/2020 Symantec Corporation - SGOS 6.x and 7.x Legal Notice Broadcom, the pulse logo, Connecting everything, and Symantec are among the trademarks of Broadcom. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. Copyright © 2020 Broadcom. All Rights Reserved. The term “Broadcom” refers to Broadcom Inc. and/or its subsidiaries. For more information, please visit www.broadcom.com. Broadcom reserves the right to make changes without further notice to any products or data herein to improve reliability, function, or design. Information furnished by Broadcom is believed to be accurate and reliable. However, Broadcom does not assume any liability arising out of the application or use of this information, nor the application or use of any product or circuit described herein, neither does it convey any license under its patent rights nor the rights of others. Thursday, December 10, 2020 2 of 182 sample-title Table of Contents "About this Document" on the next page Commonly Used Fields: n "Client/Server Bytes" on page 6 n "Connection Details" on page 9 n "DNS" on page 26 n "HTTP" on page 28 n "Request Headers" on page 29 n "Response Headers" on page 63 n "Request/Response Status" on page 102 n "SSL " on page 116 n "Time" on page 123 n "URL" on page 134 n "User Authentication" on page 145 n "WAF" on page 152 Additional Fields: n "CIFS " on page 155 n "MAPI and Office 365" on page 160 n "P2P Connections" on page 163 n "Special Characters" on page 164 n "Streaming Media" on page 167 n "WebEx Proxy" on page 175 "Substitution Modifiers" on page 176 n "Timestamp Modifiers" on page 177 n "String Modifiers " on page 179 n "Host Modifiers" on page 182 3 of 182 Symantec Corporation - SGOS 6.x and 7.x About this Document This document lists all valid ELFF and CPL substitutions for ELFF log formats, and some custom values for custom log formats.
    [Show full text]
  • In the Paper
    SIDN Labs https://sidnlabs.nl February 5th, 2021 Peer-reviewed Publication Title: Fragmentation, truncation, and timeouts: are large DNS messages falling to bits? Authors: Giovane C. M. Moura, Moritz M¨uller,Marco Davids, Maarten Wullink, Cristian Hesselman Venue: In Proceedings of the 2021 Passive and Active Measurement Conference (PAM2021), Virtual Conference. DOI: TBD Conference dates: Late March 2021 (TBA) Citation: • Giovane C. M. Moura, Moritz M¨uller,Marco Davids, Maarten Wullink, Cristian Hesselman. Fragmentation, truncation, and timeouts: are large DNS messages falling to bits? Proceed- ings of the 2021 Passive and Active Measurement Conference (PAM2021). Virtual Conference, March. 2021 • Bibtex: @inproceedings{Moura21c, author = {Moura, Giovane C. M. and Mueller, Moritz and Davids, Marco and Wullink, Maarten and Hesselman, Cristian}, title = {{ Fragmentation, truncation, and timeouts: are large DNS messages falling to bits?}}, booktitle = {Proceedings of the 2021 Passive and Active Measurement Conference (PAM2021)}, year = {2021}, address = {Virtual Conference}, } 1 Fragmentation, truncation, and timeouts: are large DNS messages falling to bits? Giovane C. M. Moura1, Moritz M¨uller1;2, Marco Davids1, Maarten Wullink1, and Cristian Hesselman1;2 1 SIDN Labs, Arnhem, The Netherlands 2 University of Twente, Enschede, The Netherlands [email protected] Abstract. The DNS provides one of the core services of the Internet, mapping applications and services to hosts. DNS employs both UDP and TCP as a transport protocol, and currently most DNS queries are sent over UDP. The problem with UDP is that large responses run the risk of not arriving at their destinations { which can ultimately lead to unreach- ability. However, it remains unclear how much of a problem these large DNS responses over UDP are in the wild.
    [Show full text]
  • On the Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications
    W&M ScholarWorks Dissertations, Theses, and Masters Projects Theses, Dissertations, & Master Projects Summer 2017 On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications Shuai Hao College of William and Mary - Arts & Sciences, [email protected] Follow this and additional works at: https://scholarworks.wm.edu/etd Part of the Computer Sciences Commons Recommended Citation Hao, Shuai, "On The Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications" (2017). Dissertations, Theses, and Masters Projects. Paper 1530192350. http://dx.doi.org/10.21220/s2-d0nn-d249 This Dissertation is brought to you for free and open access by the Theses, Dissertations, & Master Projects at W&M ScholarWorks. It has been accepted for inclusion in Dissertations, Theses, and Masters Projects by an authorized administrator of W&M ScholarWorks. For more information, please contact [email protected]. On the Impact of Internet Naming Evolution: Deployment, Performance, and Security Implications Shuai Hao Tianjin, China Master of Science, Beijing University of Posts and Telecommunications, 2010 Master of Science, London South Bank University, 2008 Bachelor of Engineering, North China Electric Power University, 2007 ADissertationpresentedtotheGraduateFaculty of The College of William & Mary in Candidacy for the Degree of Doctor of Philosophy Department of Computer Science College of William & Mary January 2018 © Copyright by Shuai Hao 2018 ABSTRACT As one of the most critical components of the Internet, the Domain Name System (DNS) provides naming services for Internet users, who rely on DNS to perform the translation between the domain names and network entities before establishing an Internet connection. In this dissertation, we present our studies on di↵erent aspects of the naming infrastructure in today’s Internet, including DNS itself and the network services based on the naming infrastructure such as Content Delivery Networks (CDNs).
    [Show full text]
  • BG95&BG77 HTTP(S) Application Note
    BG95&BG77 HTTP(S) Application Note LPWA Module Series Rev. BG95&BG77_HTTP(S)_Application_Note_V1.0 Date: 2019-08-12 Status: Released www.quectel.com LPWA Module Series BG95&BG77 HTTP(S) Application Note Our aim is to provide customers with timely and comprehensive service. For any assistance, please contact our company headquarters: Quectel Wireless Solutions Co., Ltd. Building 5, Shanghai Business Park Phase III (Area B), No.1016 Tianlin Road, Minhang District, Shanghai, China 200233 Tel: +86 21 5108 6236 Email: [email protected] Or our local office. For more information, please visit: http://www.quectel.com/support/sales.htm For technical support, or to report documentation errors, please visit: http://www.quectel.com/support/technical.htm Or email to: [email protected] GENERAL NOTES QUECTEL OFFERS THE INFORMATION AS A SERVICE TO ITS CUSTOMERS. THE INFORMATION PROVIDED IS BASED UPON CUSTOMERS’ REQUIREMENTS. QUECTEL MAKES EVERY EFFORT TO ENSURE THE QUALITY OF THE INFORMATION IT MAKES AVAILABLE. QUECTEL DOES NOT MAKE ANY WARRANTY AS TO THE INFORMATION CONTAINED HEREIN, AND DOES NOT ACCEPT ANY LIABILITY FOR ANY INJURY, LOSS OR DAMAGE OF ANY KIND INCURRED BY USE OF OR RELIANCE UPON THE INFORMATION. ALL INFORMATION SUPPLIED HEREIN IS SUBJECT TO CHANGE WITHOUT PRIOR NOTICE. COPYRIGHT THE INFORMATION CONTAINED HERE IS PROPRIETARY TECHNICAL INFORMATION OF QUECTEL WIRELESS SOLUTIONS CO., LTD. TRANSMITTING, REPRODUCTION, DISSEMINATION AND EDITING OF THIS DOCUMENT AS WELL AS UTILIZATION OF THE CONTENT ARE FORBIDDEN WITHOUT PERMISSION. OFFENDERS WILL BE HELD LIABLE FOR PAYMENT OF DAMAGES. ALL RIGHTS ARE RESERVED IN THE EVENT OF A PATENT GRANT OR REGISTRATION OF A UTILITY MODEL OR DESIGN.
    [Show full text]
  • Character Encoding Issues for Web Passwords
    and ÆÆÆ码码码 ,סיסמאות! ˜,Of contrasenas Character encoding issues for web passwords Joseph Bonneau Rubin Xu Computer Laboratory Computer Laboratory University of Cambridge University of Cambridge [email protected] [email protected] Abstract—Password authentication remains ubiquitous on of that wording. This process is prone to failure and usability the web, primarily because of its low cost and compatibility studies suggest that a significant number of users will be un- with any device which allows a user to input text. Yet text is not able to use a password they remember conceptually because universal. Computers must use a character encoding system to convert human-comprehensible writing into bits. We examine they cannot reproduce the precise representation [33]. for the first time the lingering effects of character encoding A further conversion must take place to convert the on the password ecosystem. We report a number of bugs at abstract concept of “text” into a sequence of bits suitable large websites which reveal that non-ASCII passwords are often for computer manipulation. For example, the letter m at the poorly supported, even by websites otherwise correctly sup- beginning of the password above is commonly represented porting the recommended Unicode/UTF-8 character encoding system. We also study user behaviour through several leaked using the eight bits 01101101. This process is known as data sets of passwords chosen by English, Chinese, Hebrew character encoding and, despite decades of work towards and Spanish speakers as case studies. Our findings suggest a universal standard, there remain dozens of schemes in that most users still actively avoid using characters outside of widespread use to map characters into sequences of bits.
    [Show full text]
  • Introduction
    HTTP Request Smuggling in 2020 – New Variants, New Defenses and New Challenges Amit Klein SafeBreach Labs Introduction HTTP Request Smuggling (AKA HTTP Desyncing) is an attack technique that exploits different interpretations of a stream of non-standard HTTP requests among various HTTP devices between the client (attacker) and the server (including the server itself). Specifically, the attacker manipulates the way various HTTP devices split the stream into individual HTTP requests. By doing this, the attacker can “smuggle” a malicious HTTP request through an HTTP device to the server abusing the discrepancy in the interpretation of the stream of requests and desyncing between the server’s view of the HTTP request (and response) stream and the intermediary HTTP device’s view of these streams. In this way, for example, the malicious HTTP request can be "smuggled" as a part of the previous HTTP request. HTTP Request Smuggling was invented in 2005, and recently, additional research cropped up. This research field is still not fully explored, especially when considering open source defense systems such as mod_security’s community rule-set (CRS). These HTTP Request Smuggling defenses are rudimentary and not always effective. My Contribution My contribution is three-fold. I explore new attacks and defense mechanisms, and I provide some “challenges”. 1. New attacks: I provide some new HTTP Request Smuggling variants and show how they work against various proxy-server (or proxy-proxy) combinations. I also found a bypass for mod_security CRS (assuming HTTP Request Smuggling is possible without it). An attack demonstration script implementing my payloads is available in SafeBreach Labs’ GitHub repository (https://github.com/SafeBreach-Labs/HRS).
    [Show full text]
  • Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications
    Domain Shadowing: Leveraging Content Delivery Networks for Robust Blocking-Resistant Communications Mingkui Wei Cybersecurity Engineering George Mason University, Fairfax, VA, 22030 Abstract according to the Host header but have the TLS connection still appear to belong to the allowed domain. The blocking- We debut domain shadowing, a novel censorship evasion resistance of domain fronting derives from the significant technique leveraging content delivery networks (CDNs). Do- “collateral damage”, i.e., to disable domain fronting, the censor main shadowing exploits the fact that CDNs allow their cus- needs to block users from accessing the entire CDN, resulting tomers to claim arbitrary domains as the back-end. By set- in all domains on the CDN inaccessible. Because today’s ting the front-end of a CDN service as an allowed domain Internet relies heavily on web caches and many high-profile and the back-end a blocked one, a censored user can access websites also use CDNs to distribute their content, completely resources of the blocked domain with all “indicators”, includ- blocking access to a particular CDN may not be a feasible ing the connecting URL, the SNI of the TLS connection, and option for the censor. Because of its strong blocking-resistant the Host header of the HTTP(S) request, appear to belong power, domain fronting has been adopted by many censorship to the allowed domain. Furthermore, we demonstrate that evasion systems since it has been proposed [24, 28, 34, 36]. domain shadowing can be proliferated by domain fronting, In the last two years, however, many CDNs began to disable a censorship evasion technique popularly used a few years domain fronting by enforcing the match between the SNI and ago, making it even more difficult to block.
    [Show full text]