How to prevent a Cache Poisoning DoS Attack?

Cache poisoning is when an attacker crafts an HTTP request that tricks a web server into returning a harmful response. Because that response shares the cache key of a legitimate request, the cache stores it and serves it to every user who subsequently asks for the resource.

What is a DoS Attack?

A denial-of-service attack occurs when an attacker aims to make a machine or network resource unavailable to its users by disrupting the services of a host connected to a network. Classic DoS attacks flood the target with more traffic than it can handle until it crashes or stops responding; a cache-based variant, by contrast, needs only a few carefully crafted requests.

Cache Poisoning DoS (CPDoS) Attack

In a cache poisoning DoS attack, the attacker targets the intermediate cache (a proxy or CDN edge) that sits between the client and the origin server. A malicious HTTP request makes the origin answer with an error response (e.g. 400 Bad Request); the cache stores that error under the key of the requested resource, so subsequent legitimate requests are answered from the cache with the error instead of the content, denying access to the resource.

A CPDoS attack carries a high probability of success at little cost to the attacker, who needs only a single crafted request and is unlikely to be detected. Mission-critical websites, such as those of educational, government, online banking and medical institutions, can have key resources rendered inaccessible to their users.

Working of a CPDoS attack:

  • An attacker sends an HTTP request carrying a malicious header for the resource to be targeted.

  • The intermediate cache finds no stored copy, does not object to the header, and forwards the request to the origin server.

  • The origin server rejects the malformed or unsupported request and responds with an error message.

  • The cache stores this error response under the key of the requested resource instead of the content.

  • The error response is delivered to the attacker, confirming that the attack succeeded.

  • The next time a legitimate user requests the resource, the cache answers with the stored error instead of the content, until the entry expires or is purged.

Different Types of CPDoS

  1. HTTP Header Oversize (HHO): Request headers carry information that both the intermediate cache and the origin server need in order to process the request. The HTTP standard does not define a maximum request header size; every implementation sets its own limit. An HHO attack works where a web application sits behind a cache that accepts larger request headers than the origin server does: the attacker sends a GET request whose headers exceed the origin's limit but stay within the cache's limit. The cache forwards it, the origin rejects it (typically with 400 Bad Request), and the cache stores that error response.

  2. HTTP Meta Character (HMC): This attack inserts control characters into a request header that passes through the cache unchanged, such as \n (line feed), \r (carriage return) or \a (bell). The origin server classifies the request as malformed because of the unwanted characters and returns an error message, which the cache then stores.

  3. HTTP Method Override (HMO): Many firewalls, proxies and load balancers allow only GET and POST and block methods such as DELETE and PUT. REST APIs work around this with the X-HTTP-Method-Override, X-HTTP-Method and X-Method-Override headers, which tunnel the blocked method inside an allowed one; a POST carrying X-HTTP-Method-Override: DELETE is executed by the origin as a DELETE. In an HMO attack the attacker sends a cacheable request (a GET) for a resource together with such a header naming a method the resource does not support. The origin replaces the method as instructed, rejects it and returns an error response (e.g. 405 Method Not Allowed or 404 Not Found), which the cache stores under the GET key, so legitimate users requesting the resource receive the error.

How To Protect Against CPDoS Attacks?

  1. Error responses should be cached only as the HTTP standard allows. RFC 7231 permits a cache to store, without explicit freshness information, only a fixed list of status codes; among the error codes these are 404 Not Found, 405 Method Not Allowed, 410 Gone and 501 Not Implemented (plus 414 URI Too Long). Caches should apply this list and in particular never store 400 Bad Request.

  2. CDNs should be configured correctly, and origins should return the right status code. For instance, 400 Bad Request, which many HTTP implementations use to signal an oversized header, is not a suitable status code for that condition; IIS even returns 404 Not Found when a header size limit is exceeded. The correct error code for a large request header is 431 Request Header Fields Too Large (RFC 6585), which is not cacheable by default.

  3. A mitigation against HHO and HMC is to exclude error pages from caching altogether: adding the header Cache-Control: no-store to each error response tells the cache not to store it, regardless of status code. Since the same header also prevents the 404/405 responses that HMO relies on from being stored, it is worth applying to every error response the origin emits.

  4. A WAF (Web Application Firewall) is an effective countermeasure against CPDoS attacks when it is deployed to block malicious requests before they reach the origin server. Choose one that also offers a secure CDN, DoS protection, SSL/TLS integration, intelligent caching and solid support, and check that its own blocking responses are not cacheable: a WAF placed behind the cache that answers with a plain 400 or 403 page can otherwise itself become the source of the poisoned entry.
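To tie together the attack steps above, the three variants and the mitigations, the following is a small simulation written for this page; it is not code from the original article, nor from any CDN or web server. It models a shared cache that keys entries on method and path, a hypothetical origin with an 8 KB request header limit behind a cache that accepts 16 KB (both assumed values), and a target path /index.html (also assumed). It runs each of HHO, HMC and HMO first against the vulnerable configuration and then against a hardened one that returns 431 for oversized headers, marks every error response Cache-Control: no-store, and stores only the statuses RFC 7231 lists as cacheable by default:

```python
"""Simulation of a CPDoS attack and of the mitigations listed above.

Added example for this page, not code from the original article or from
any real CDN or web server. Origin, cache and request objects are
hypothetical in-memory stand-ins; the header limits and the path are
assumptions chosen for illustration.
"""
from dataclasses import dataclass, field

ORIGIN_HEADER_LIMIT = 8192    # assumed: origin rejects larger request headers
CACHE_HEADER_LIMIT = 16384    # assumed: cache accepts more than the origin
OVERRIDE_HEADERS = ("X-HTTP-Method-Override", "X-HTTP-Method", "X-Method-Override")
# status codes a cache may store without explicit freshness info (RFC 7231 s6.1)
CACHEABLE_BY_DEFAULT = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}
TARGET = "/index.html"        # assumed victim resource


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def header_size(req):
    # approximate wire size of "Name: value\r\n" for every header line
    return sum(len(k) + len(v) + 4 for k, v in req.headers.items())


def origin(req, hardened):
    """Hypothetical origin. hardened=False shows the behaviours the attacks
    rely on; hardened=True returns 431 for oversized headers and marks every
    error response no-store."""
    def error(status, reason):
        return Response(status, reason, {"Cache-Control": "no-store"} if hardened else {})

    if header_size(req) > ORIGIN_HEADER_LIMIT:          # HHO
        return error(431 if hardened else 400, "request header fields too large")
    if any(c in "\r\n\x07" for v in req.headers.values() for c in v):  # HMC
        return error(400, "control character in header")
    method = req.method
    for name in OVERRIDE_HEADERS:                        # HMO: override is honoured
        if name in req.headers:
            method = req.headers[name].upper()
    if method != "GET":
        return error(405, f"{method} not allowed on {req.path}")
    return Response(200, f"<html>{req.path}</html>", {"Cache-Control": "max-age=60"})


class Cache:
    """Shared cache keyed on (method, path) only, so the attacker's request and
    the victim's request map to the same entry. The vulnerable cache stores any
    GET response not marked no-store, whatever the status; the hardened cache
    also restricts itself to the statuses RFC 7231 lists as cacheable."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.store = {}

    def fetch(self, req):
        key = (req.method, req.path)
        if key in self.store:
            return self.store[key], "HIT"
        if header_size(req) > CACHE_HEADER_LIMIT:
            return Response(431, "too large for cache"), "REJECT"   # never stored
        resp = origin(req, self.hardened)
        storable = req.method == "GET" and "no-store" not in resp.headers.get("Cache-Control", "")
        if self.hardened:
            storable = storable and resp.status in CACHEABLE_BY_DEFAULT
        if storable:
            self.store[key] = resp
        return resp, "MISS"


# constructed attack requests, one per variant, all against the same cache key
ATTACKS = {
    "HHO": Request("GET", TARGET, {"X-Oversized": "A" * 10000}),   # > origin, < cache limit
    "HMC": Request("GET", TARGET, {"X-Meta": "value\r\ninjected"}),
    "HMO": Request("GET", TARGET, {"X-HTTP-Method-Override": "DELETE"}),
}


def run(variant, hardened):
    """Attacker sends one crafted request, then a legitimate user asks for the
    same resource. Returns (attacker status, victim status, victim cache state)."""
    cache = Cache(hardened)
    attacker_resp, _ = cache.fetch(ATTACKS[variant])
    victim_resp, state = cache.fetch(Request("GET", TARGET))
    return attacker_resp.status, victim_resp.status, state


if __name__ == "__main__":
    for variant in ATTACKS:
        for hardened in (False, True):
            label = "hardened  " if hardened else "vulnerable"
            print(f"{variant} {label} attacker/victim/state = {run(variant, hardened)}")
```

Running the script prints, for each variant, the status the attacker receives, the status the next legitimate user receives, and whether that user was served from the cache: in the vulnerable configuration the victim gets the cached 400 or 405 (a cache HIT), in the hardened one a fresh 200 from the origin. Note that the hardened cache still obeys the standard and would store a 405 if the origin did not mark it no-store, which is why the cache-side and origin-side mitigations are applied together.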
