CDN安全，DDoS攻击

CDN安全

主要内容：

"CDN Backfired: Amplification Attacks Based on HTTP Range Requests" DSN’2020，段海新

Range-based Amplification(RangeAmp) Attacks : Small Byte Range Attack, Overlapping Byte Range Attack
"CDN Judo: Breaking the CDN DoS Protection with Itself" NDSS’2020，段海新

HTTP/2 Bandwidth Amplifification Attack

Pre-POST Slow HTTP Attack

Degradation-of-Global-Availability Attack

CDN安全，DDoS攻击

CDN转发请求策略：Laziness, Deletion, Expansion

攻击条件：CDN 采取Deletion 或者 Expansion策略

CDN安全，DDoS攻击

攻击条件：FCDN采取laziness策略，并且BCDN不检查范围重叠就返回一个多部份的回应

CDN安全，DDoS攻击

攻击条件：HTTP/2和HTTP1.1的协议转换

POST-forwarding behaviors: 一个CDN接收到一个POST请求，CDN面临着一个选择，即什么时候给源网站转发POST请求。

CDN安全，DDoS攻击

CDN	SBR	OBR	HTTP/2 Bandwidth Amplifification Attack	Pre-POST Slow HTTP Attack	Degradation-of-Global-Availability Attack
Akamai	√	BCDN	none	none	none
Alibaba Cloud	√	×	none	none	none
Azure	√	BCDN	none	none	none
CDN77	√	FCDN	none	none	none
CDNsun	√	FCDN	√	×	×
CloudFlare	√	FCDN	√	×	90%
CloudFont	√	×	√	√	40%
Fastly	√	×	√	√	90%
G-Core Labs	√	×	none	none	none
Huawei Cloud	√	×	none	none	none
KeyCDN	√	×	√	×	×
StackPath	√	FCDN,BCDN	none	none	none
Tencent Cloud	√	×	none	none	none
MaxCDN	none	none	√	√	10%（accessing ratio）

Threat	Recommendation
SBR	Server side: Enforce local Dos defense
OBR	CDN side: Modify the specific implementation on range request
	Protocol side : Revise a well-defined and security-aware RFC
HTTP/2 Attack	opt out of the CDN HTTP/2 support, limit the CDN back-to-origin network traffic
Pre-POST Attack	limit the number of CDN back-to-origin connections, enforce strict store-then-forward mechanism
Global Availability Attack	apply unpredictable IP churning strategy