Temporal CDN-Convex Lens: A CDN-Assisted Practical Pulsing DDoS Attack

Abstract

As one cornerstone of Internet infrastructure, Content Delivery Networks (CDNs) work as a globally distributed proxy platform between clients and websites, providing the functionalities of speeding up content delivery, offloading web traffic, and DDoS protection. In this paper, however, we reveal that inherent nature of CDN forwarding network can be exploited to compromise service availability. We present a new class of pulsing denial of service attacks, named CDN-Convex attack. We explore the possibility of exploiting the CDN infrastructure as a converging lens, and concentrating low-rate attacking requests into short, high-bandwidth pulse waves, resulting in a pulsing DoS attack to saturate the targeted TCP services periodically. Through real-world experiments on five leading CDN vendors, we demonstrate that CDN-Convex is practical and flexible. We show that attackers can use it to achieve peak bandwidths over 1000 times greater than their upload bandwidth, seriously degrading the performance and availability of target services. Following the responsible disclosure policy, we have reported our attack details to all affected CDN vendors and proposed possible mitigation solutions.

Publication
In Proceedings of the 32nd USENIX Security Symposium. Anaheim, California, August 9–11, 2023. (Acceptance rate: 422/1,444=29.2%, Acceptance rate in summer: 91/388=23.5%, Acceptance rate in fall: 155/531=29.2%, Acceptance rate in winter: 176/525=33.5%)

Overview

Temporal CDN-Convex Lens: A CDN-Assisted Practical Pulsing DDoS Attack.

Xiang Li
Xiang Li
Ph.D. Candidate in Cyberspace Security (Tsinghua University)

Xiang Li is a 5th-year Ph.D. candidate at the Institute of Network Science and Cyberspace, Tsinghua University, advised by Professors Qi Li and Haixin Duan. His research interests include network security, protocol security, IPv6 security, DNS security, Internet measurement, network & protocol fuzzing, network vulnerability discovery & attack, and underground economy with 17 research papers. As the first author, he has published many research papers at all top-tier security conferences, including Oakland S&P, USENIX Security, CCS, NDSS, and Black Hat (Asia, USA, and Europe). He has obtained over 190 CVE/CNVD vulnerability numbers, more than $11,600 rewards, 306+ GitHub stars, multiple CERT reports, 60+ news coverage, and RFC acknowledgement. He got multiple prizes, such as 1st prize of IPv6 Technology Application Innovation Competition, 2nd prize of GeekCon 2023 DAF Contest, National Scholarship, Wang Dazhong Scholarship, and Tsinghua Outstanding Scholarship.