Unveiling the Bandwidth Nightmare: CDN Compression Format Conversion Attacks

• URL: http://arxiv.org/abs/2409.00712v1
• Date: Sun, 1 Sep 2024 13:03:47 GMT
• Title: Unveiling the Bandwidth Nightmare: CDN Compression Format Conversion Attacks
• Authors: Ziyu Lin, Zhiwei Lin, Ximeng Liu, Zuobing Ying, Cheng Chen,
• Abstract summary: We present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts.
• Score: 20.374230089231766
• License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
• Abstract: Content Delivery Networks (CDNs) are designed to enhance network performance and protect against web attack traffic for their hosting websites. And the HTTP compression request mechanism primarily aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks introduced when CDNs meet compression requests. In this paper, we present a novel HTTP amplification attack, CDN Compression Format Convert (CDN-Convet) Attacks. It allows attackers to massively exhaust not only the outgoing bandwidth of the origin servers deployed behind CDNs but also the bandwidth of CDN surrogate nodes. We examined the CDN-Convet attacks on 11 popular CDNs to evaluate the feasibility and real-world impacts. Our experimental results show that all these CDNs are affected by the CDN-Convet attacks. We have also disclosed our findings to affected CDN providers and have received constructive feedback.

Related papers

• Detecting and Measuring Security Implications of Entangled Domain Verification in CDN [30.611196380526213]
  Absence of Domain Verification (DVA) is a significant security flaw in Content Delivery Networks (CDNs) We present DVAHunter, an automated system for detecting DVA vulnerabilities that can lead to domain abuse in CDNs.
  arXiv  Detail & Related papers  (2024-09-03T13:27:33Z)
• UniCompress: Enhancing Multi-Data Medical Image Compression with Knowledge Distillation [59.3877309501938]
  Implicit Neural Representation (INR) networks have shown remarkable versatility due to their flexible compression ratios. We introduce a codebook containing frequency domain information as a prior input to the INR network. This enhances the representational power of INR and provides distinctive conditioning for different image blocks.
  arXiv  Detail & Related papers  (2024-05-27T05:52:13Z)
• Off-Path TCP Hijacking in Wi-Fi Networks: A Packet-Size Side Channel Attack [33.68960337314623]
  We unveil a fundamental side channel in Wi-Fi networks, specifically the observable frame size, which can be exploited by attackers to conduct TCP hijacking attacks. We validate the effectiveness of this side channel attack through two case studies. We implement our attack in 80 real-world Wi-Fi networks and successfully hijack the victim's TCP connections in 75 (93.75%) evaluated Wi-Fi networks.
  arXiv  Detail & Related papers  (2024-02-20T04:56:48Z)
• Measuring CDNs susceptible to Domain Fronting [2.609441136025819]
  Domain fronting is a network communication technique that involves leveraging content delivery networks (CDNs) to disguise the final destination of network packets. This technique can be used for both benign and malicious purposes, such as circumventing censorship or hiding malware-related communications from network security systems. We propose a systematic approach to discover CDNs that are still prone to domain fronting.
  arXiv  Detail & Related papers  (2023-10-27T02:04:19Z)
• Client Error Clustering Approaches in Content Delivery Networks (CDN) [0.0]
  CDN operators face a significant challenge when analyzing billions of web server and proxy logs generated by their systems. This study was to analyze the applicability of various clustering methods in CDN error log analysis. Our experiments were run on a dataset consisting of proxy logs collected over a 7-day period from a single, physical CDN server.
  arXiv  Detail & Related papers  (2022-10-11T10:14:07Z)
• InviCloak: An End-to-End Approach to Privacy and Performance in Web Content Distribution [7.8017281332931665]
  InviCloak is a system that protects the confidentiality and integrity of a user and a website's private communications without changing TLS or upgrading a CDN. InviCloak builds a lightweight but secure and practical key distribution mechanism using the existing DNS infrastructure.
  arXiv  Detail & Related papers  (2022-09-04T06:38:27Z)
• Mixture GAN For Modulation Classification Resiliency Against Adversarial Attacks [55.92475932732775]
  We propose a novel generative adversarial network (GAN)-based countermeasure approach. GAN-based aims to eliminate the adversarial attack examples before feeding to the DNN-based classifier. Simulation results show the effectiveness of our proposed defense GAN so that it could enhance the accuracy of the DNN-based AMC under adversarial attacks to 81%, approximately.
  arXiv  Detail & Related papers  (2022-05-29T22:30:32Z)
• DDoSDet: An approach to Detect DDoS attacks using Neural Networks [0.0]
  In this research paper, we present the detection of DDoS attacks using neural networks. We compared and assessed our suggested system against current models in the field.
  arXiv  Detail & Related papers  (2022-01-24T08:16:16Z)
• Attribution Preservation in Network Compression for Reliable Network Interpretation [81.84564694303397]
  Neural networks embedded in safety-sensitive applications rely on input attribution for hindsight analysis and network compression to reduce its size for edge-computing. We show that these seemingly unrelated techniques conflict with each other as network compression deforms the produced attributions. This phenomenon arises due to the fact that conventional network compression methods only preserve the predictions of the network while ignoring the quality of the attributions.
  arXiv  Detail & Related papers  (2020-10-28T16:02:31Z)
• Improving Query Efficiency of Black-box Adversarial Attack [75.71530208862319]
  We propose a Neural Process based black-box adversarial attack (NP-Attack) NP-Attack could greatly decrease the query counts under the black-box setting.
  arXiv  Detail & Related papers  (2020-09-24T06:22:56Z)
• Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases [87.69818690239627]
  We study the problem of the Trojan network (TrojanNet) detection in the data-scarce regime. We propose a data-limited TrojanNet detector (TND), when only a few data samples are available for TrojanNet detection. In addition, we propose a data-free TND, which can detect a TrojanNet without accessing any data samples.
  arXiv  Detail & Related papers  (2020-07-31T02:00:38Z)
• AN-GCN: An Anonymous Graph Convolutional Network Defense Against Edge-Perturbing Attack [53.06334363586119]
  Recent studies have revealed the vulnerability of graph convolutional networks (GCNs) to edge-perturbing attacks. We first generalize the formulation of edge-perturbing attacks and strictly prove the vulnerability of GCNs to such attacks in node classification tasks. Following this, an anonymous graph convolutional network, named AN-GCN, is proposed to counter edge-perturbing attacks.
  arXiv  Detail & Related papers  (2020-05-06T08:15:24Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.