针对互联网缓存和CDN的攻击

1、针对互联网缓存和CDN的攻击目录HTTP/HTTPS协议及中间节点透明缓存的污染攻击绕过加密协议HTTPS的攻击针对CDN的拒绝服务攻击结论1HTTP最初的设计与应用场景HTTP设计之初是端到端的协议网络只是传输转发的透明管道没有身份认证、保密性、完整性保护网络攻击者：假冒、窃听、注入、重放GET /path/urlHTTP/假冒、窃听、 重放、注入攻击者HTTPS： 认证、加密、完整性HTTPS: HTTP/SSL 或HTTP/TLSWeb 服务器的标识与认证内容的保密性（Confidentiality）内容的完整性（Integrity）攻击者2中间盒子的兴起与HTTPS同步发展起来的还有各

2、种中间盒子HTTP 客户端代理、防病毒软件、广告软件等服务器端代理、负载均衡设备透明缓存和CDN服务协议转换设备，v4-v6CDNIDS/IPSNAT可以通过攻破中间网络窃听 通信、注入恶意代码通过攻击中间节点阻止通信目录HTTP/HTTPS协议及中间节点透明缓存的污染攻击绕过加密协议HTTPS的攻击针对CDN的拒绝服务攻击结论3标准的歧义Cache or ProxiesCDNGET nonhttp:/ Host: Host: 多个 Host headers8ClientGET / HTTP/1.1Host: Host: GET / HTTP/1.1Host: Host: Downstream

3、 Host: Upstream Host: HTTP standard(HTTP/1.1)RFC 2616(superseded standard), implicitly requires rejection.RFC 7230(latest standard), explicitly requires rejection.4各种主流的HTTP实现9实现处理方式实现处理方式实现处理方式ServerApacheConcatenateCDNAkamaiFirstFirewallBitdefenderFirstIISRejectAlibabaFirstESETLastNginxFirstAzureR

4、ejectHuaweiFirstTomcatFirstCloudFlareFirstKasperskyFirstTransparent cacheATSFirstCloudFrontFirstOS XConcatenateSquidFirstFastlyRejectPANFirstReverse ProxyNginxFirstLevel 3FirstWindowsFirstVarnishRejectTencentLast主流的HTTP实现各不相同几乎所有的实现都不遵守 RFC723010优先选择不认识的协议RFC 2616Absolute-URINot specifiedRFC 7230Abs

5、olute-URINot specified标准规定绝对路径优先，然而现实中HTTP 标准规定：主流的CDN实现中，大多数实现遵守了RFC最大的CDN厂商Akamai不遵守，但世界35%流量5NSA.GOV缓存污染攻击(CCS 2016)Cache/ProxyCDNHTTP Request:GET http:/NSA.GOV/path HTTP/1.1 Host: ATTACKER.comMiddle box Confused: NSA or ATTACKER ?如何攻破 NSA.GOV126可能被攻击的场景（上下游组合）13202 different combinations that co

6、uld be exploited.影响到的产品/系统14798% 缓存服务器可能受到攻击通过购买广告， 把Flash 代码 展示在世界各 地的浏览器上15目录HTTP/HTTPS协议及中间节点透明缓存的污染攻击绕过加密协议HTTPS的攻击针对CDN的拒绝服务攻击结论8CDN已成为互联网重要的基础设施全球 ，根据最大的CDN厂商Akamai统计：全球Web流量的15-30%每秒30T每天2万亿次交互200,000服务器、100国家中国，根据工信部CDN白皮书2014统计Alexa排名前100：91%，Alexa排名前546：72.5%工作原理：基于域名的重定向CDNDelegationUser

7、BrowserWebsite9银行也在用CDNWhen HTTPS Meets CDN从两方通信变成了三方通信我们可以看到前端使用了HTTPS，但是后端呢？UserWebsiteCDNFrontendBackend10HTTPS in CDN的安全问题(Security&Privacy14)UserCDNWebsite后端HTTP或不安全的HTTPS前端HTTPSCDNProvider后端协议CDN77HTTPCDN.NETHTTPCloudFlareHTTPS, not validate certificateIncapsulaHTTPS, not validate certificateC

8、loudFrontHTTPS, not validate CNApple & Akamai 受攻击事件,2014/4/1511来自工业界的反馈Akamai/ CloudFlare/Amazon等积极反馈CloudFlare 在1个月内推出Strict SSL 服务/introducing-strict-ssl-protecting-against-a-man-in-the- middle-attack-on-origin-traffic12TLS还有很多中间人BrowserwebsiteCA1TLS劫持 代理CDNTLS 会话1TLS 会话2TLS 会话3CA2CA313目录HTTP/HTTP

9、S协议及中间节点透明缓存的污染攻击绕过加密协议HTTPS的攻击针对CDN的拒绝服务攻击结论28CDN的功能分担负载、降低延迟安全过滤(WAF), 提高可用性(anti-DDoS)ClientWebsiteCDN1429CDN的功能分担负载、降低延迟安全过滤(WAF), 提高可用性(anti-DDoS)ClientAttackerWebsiteCDN30CDN的功能分担负载、降低延迟安全过滤(WAF), 提高可用性(anti-DDoS)CDN 本身也是可以被 攻击的ClientAttackerWebsiteCDN15正常的CDN转发流程31POST /Host: POST /Host: CDN

10、AClientWebsite D正常用户 - D用户控制着CDN转发规则转发循环攻击的概念32CDN ACDN BCDN CPOSTPOSTPOST - BPOST /Host: - C - AAttacker恶意用户Malicious customers can manipulate forwarding rules to create loopAmplification - consume resource - potentially DoS16受到影响的CDN厂商BaiduCDN内部采用的循环检测机制Current DefensesUse headers to tag processed

11、 requestsAttackerExtends forwarding loops across multiplecountermeasureCDNsCDN A2CDN A3POST /Host:Header: Loop-Detection-Tag - AttackerPOST /Host:IP of A2Authority DNS CDN A117CDN内部采用的循环检测机制Current DefensesUse headers to tag processed requestsAttackerExtends forwarding loops across multiplecounterme

12、asureCDNsCDN A2CDN A3POST /Host: Header: Loop-Detection- Tag - AttackerPOST /Host:IP of A2Authority DNS CDN A1不同厂商用于循环检测的Header是不一样的RFC 7230 recommends to use Via header for loopdetectionCDN ProviderLoop Detection HeaderCDNProviderLoop Detection HeaderAkamaiAkamai-Origin- HopCloudFlareX-Forwarded-Fo

13、r CF-Connecting-IPAlibabaViaCloudFrontViaAzure(China)FastlyFastly-FFBaiduX-Forwarded-For CF-Connecting- IPIncapsulaIncap-Proxy-IDCDN77KeyCDNCDNlionLevel3ViaCDN.netMaxCDNCDNsunTencentX-Daa-Tunnel1837如何绕过CDN的循环检测Chain loop-aware CDNs to other CDNs that can be abused to disrupt loop-detection headersAb

14、usive features provided by CDNs:CDN ProviderResetFilterCDN77ViaCDNlionViaCDN.netViaCDNsunViaFastlyNo-self-definedMaxCDNAny跨多个CDN厂商的循环38POST /Host:CloudFrontPOST /Host: Via: 1.1 abcd (CloudFront)POST /Host: Via: 1.1 abcd (CloudFront)Akamai-Origin-Hop:1AkamaiPOST /Host: Via: 1.1 abcd(CloudFront) Akama

15、i-Origin-Hop:1Filter rules: 1.Remove Via2.Remove Akamai-Origin-HopMaxCDNAttacker19大坝攻击(Dam Flooding): streaming 中增加响应39Attackers website DCDN ACDN BCDN C - A - CPOST - POSTAttackerIIPP ooff DBAuthority DNS 增加gzip炸弹增强Streaming的效果CDN BCDN CAuthority DNS - A - C - POST /Host:Accept-Encoding:identityGzip bombAttackers websiteCDN AUnzip3 CDNs can be used to uncompress gzip bombsTotal Amplification Factor = Loop Amplification * Gzip Bomb Amplification(