COMPUTER SECURITY

Table of Contents
Introduction
Principles of CDN
Description of CPDoS Exploit
Solutions to the CPDoS Exploit
Future Importance and Effectiveness of CPDoS
Conclusion
References
Introduction

One of the common types of distributed server systems used to deliver web content to users with low response times is the content delivery network (CDN). The main working principle of a CDN is that web content is delivered faster when the user’s geographical location is closer to the web hosting provider’s content (Liao et al. 2018). It also reduces the response time of the nearby server, enabling the user to download web content at a faster rate than content located on a remote server. The CDN follows the basic server-client principle and, instead of a single server holding all the data, it utilises a composite of multiple servers across which the data remains distributed (Halloush et al. 2016). The data is distributed to the different servers from a node (commonly called the root server).

CPDoS, or Cache-Poisoned Denial-of-Service, is a type of web cache poisoning attack that has come into existence only recently. The main target of this type of exploit is to disable online resources and websites that contain a significant amount of data (Nguyen, Iacono and Federrath 2019). Three different types of CPDoS have been detected, namely HTTP Header Oversize (HHO), HTTP Method Override (HMO) and HTTP Meta Character (HMC). The CPDoS exploit is a new type of attack that targets caches and creates denial of service, and hence not much is known about it. Considering that CPDoS is a very new kind of attack that needs to be explored further, its exact future importance and effectiveness are yet to be properly known. However, it is certain that these types of attacks can create a large amount of vulnerability using semantic gaps, which can cause massive security threats in the near future (Brown and Willink 2018). From the information that is currently known, it can be said that CPDoS attacks can affect distributed systems more than others. This is mainly because distributed systems have distinct layers and thus attacking is much easier. Rapid research progress over the months has allowed researchers to learn more about this type of exploit and how attackers perform it in order to create denial of service. In spite of the rapid research progress, appropriate solutions are yet to be developed.
The main purpose of this report is to study the main principles of CDN and of CPDoS attacks, with special emphasis on how CPDoS attacks are carried out, the possible solutions and the future implications of CPDoS attacks.

Principles of CDN

A Content Delivery Network (CDN) is a type of distributed server system or network that enables the delivery of web pages and web content to a particular internet user on the basis of the user’s geographical location. The main working principle of a CDN is that web content is delivered faster when the user’s geographical location is closer to the web hosting provider’s content (Zhou et al. 2018). It also reduces the response time of the nearby server, enabling the user to download web content at a faster rate than content located on a remote server. This type of distribution network is mostly used for online streaming services like Netflix and Hulu, but at the same time these networks have extensive coverage that is very beneficial for the load distribution of servers, which in turn helps to improve the experience of the users.

The CDN follows the basic server-client principle and, instead of a single server holding all the data, it utilises a composite of multiple servers across which the data remains distributed. The data is distributed to the different servers from a node (commonly called the root server). The path from the root server to the user’s server depends on the user’s geographical location (Sun et al. 2018). If the user’s geographical location is near, the data transmission will be faster and much more efficient. As per the current systems and utilisations, three types of CDNs are commonly used: edge distribution, edge hierarchy, and hub and spoke. These three are explained below.

Edge Distribution – Edge distribution is generally used in CDNs that are small and have a low coverage area. The root servers are connected to certain edge devices, and the data is transmitted from the root server to the edge devices before being delivered to the user (Zhau et al. 2018). If the edge devices or nodes are absent, the data can also be transmitted directly to the user’s internet access point. The retrieval process is generally very fast and thus it is very suitable for online streaming of music, videos, online games and others.
Edge Hierarchy – This type of distribution is mostly suitable for CDNs that are medium sized. The main process includes the installation of hub caches downstream from the root server, which in turn are utilised to distribute the data to the servers that are nearby.

Hub and Spoke – This type of distribution network is mostly suitable for large scale CDNs. The connected servers in this network are called ‘hubs’, in which the root server data is mirrored (Chen et al. 2018). A cache spoke is utilised that helps to retrieve any data within a server during a request from the user.

Description of CPDoS Exploit

CPDoS, or Cache-Poisoned Denial-of-Service, is a type of web cache poisoning attack that has come into existence only recently. The main target of this type of exploit is to disable online resources and websites that contain a significant amount of data. As a result of this exploit, the users are not able to open websites or view any data contained within the website (Sakhawat et al. 2018). The sequence of a CPDoS attack is described as follows.

i. The attacker, who wants to poison the server, creates a malicious header and sends it through a web server to the victim resource in the form of a simple HTTP request (Meghana, Subashri and Vimal 2017). The malicious header can remain unobtrusive even when the intermediate cache processes the request.
ii. The request is forwarded to the origin server by the cache, since a fresh copy of the targeted resource is not stored. As the origin server processes the request, an error message is generated because the request contains a header that is malicious in nature.
iii. As a result of the error generated, the user does not get access to the requested resources and receives an error page instead when entering the website.
iv. The generation of the error page also helps the attacker to understand that the attack has been carried out successfully.
v. Users trying to access the resource on the target website, even after several requests, will always be directed to the cached error page.
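The five steps above, replayed against an in-memory model as an added example (not code from this report or from the cited paper). The Origin and Cache classes, the 8,192-byte origin limit, the X-Padding header and the cache_errors switch are assumptions made for the illustration; the second run shows that a cache which declines to store the origin's error response leaves later clients unaffected.

```ruby
# In-memory model only: no network traffic is generated.
# All names and values below are constructed for the illustration.

Response = Struct.new(:status, :body)

# Origin that rejects any request whose header block exceeds its size limit.
class Origin
  def initialize(header_limit)
    @header_limit = header_limit
  end

  def handle(path, headers)
    # Each field is counted as "name: value\r\n".
    size = headers.sum { |name, value| name.bytesize + value.bytesize + 4 }
    return Response.new(400, "Bad Request") if size > @header_limit

    Response.new(200, "content of #{path}")
  end
end

# Shared cache keyed on the path only, so all clients share one entry per URL.
class Cache
  def initialize(origin, cache_errors:)
    @origin = origin
    @cache_errors = cache_errors
    @store = {}
  end

  def get(path, headers = {})
    return @store[path] if @store.key?(path)   # hit: the origin is not asked again

    res = @origin.handle(path, headers)        # step ii: miss, forward to origin
    # Policy switch: store error responses too, or only successful ones.
    @store[path] = res if res.status == 200 || @cache_errors
    res
  end
end

# Replays the sequence and returns the status seen by the crafted request
# and by an ordinary client that asks for the same URL afterwards.
def replay(cache_errors:)
  cache = Cache.new(Origin.new(8_192), cache_errors: cache_errors)
  crafted = { "X-Padding" => "0" * 9_000 }              # constructed oversized header
  first = cache.get("/index.html", crafted).status      # steps i to iv
  later = cache.get("/index.html").status               # step v
  { crafted: first, ordinary: later }
end

if __FILE__ == $PROGRAM_NAME
  puts "errors cached:     #{replay(cache_errors: true)}"
  puts "errors not cached: #{replay(cache_errors: false)}"
end
```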
Till now, three different types of CPDoS have been detected, namely HTTP Header Oversize (HHO), HTTP Method Override (HMO) and HTTP Meta Character (HMC).

HTTP Header Oversize (HHO) – Major and important information for web servers and intermediate systems is often included within the HTTP request header. The request header also includes header fields and metadata related to the cache, in the form of encodings, languages and media types that are supported by the client (Prabadevi, Jeyanthi and Abraham 2020). There are certain HTTP standards that govern various aspects of HTTP requests, but one gap is that the standards do not specify any size limits for HTTP request headers. In order to fill this gap in the standard, most proxies and web servers set their own size limits. Some common examples include the Amazon Cloudfront CDN, whose limit is 20,480 bytes, whereas Apache HTTPD allows 8,192 bytes (DiBenedetto and Papadopoulos 2016). Attackers utilize this large semantic gap between the allowable limits to inject oversized headers into the web servers and, as a result, create cache poisoning. To carry out a poisoning of this type, the attacker can use two techniques. The first technique is using various malicious headers to create a request header, and the second technique involves using an oversized key or value for a single header. The first option is shown in the form of Ruby code in the following (Nguyen, Iacono and Federrath 2019).

    require 'net/http'

    uri = URI("https://example.org/index.html")
    req = Net::HTTP::Get.new(uri)
    num = 200
    i = 0
    # Setting malicious and irrelevant header fields for creating an oversized header
    until i > num do
      req["X-Oversized-Header-#{i}"] = "Big-Value-0000000000000000000000000000000000"
      i += 1
    end
    res = Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') {|http|
      http.request(req)
    }

HTTP Method Override (HMO) – The HTTP standards that are currently in effect allow transactions on the web between clients and web servers using various methods. Some of the commonly used HTTP methods are POST, GET, PUT and DELETE, but many firewalls, load balancers, proxies and caches allow only POST and GET, whereas the other two (DELETE and PUT) are blocked by them (Trabelsi 2016). The HTTP Method Override attack aims to bypass these firewalls and caches by utilizing POST and GET even though DELETE and PUT are blocked. In order to bypass the blocking, headers like X-HTTP-Method-Override, X-HTTP-Method or X-Method-Override are utilised by the attackers. The following snippet shows how such commands are inserted and executed by the attacker.

    POST /items/1 HTTP/1.1
    Host: example.org
    X-HTTP-Method-Override: DELETE

    HTTP/1.1 200 OK
    Content-Type: text/plain
    Content-Length: 62

    Resource has been successfully removed with the DELETE method.

HTTP Meta Character (HMC) – Although the working of this poisoning attack is similar to the Header Oversize attack (HHO), an oversized header is not used in this case. Instead, the cache is bypassed through the use of a harmful meta character inserted within the request header (Hussain et al. 2016). Some of the common meta characters used include line break/carriage return (\n), line feed (\r) or bell (\a).

Solutions to the CPDoS Exploit

The CPDoS exploit is a new type of attack that targets caches and creates denial of service, and hence not much is known about it. This type of attack has been recently
detected in 2019 and since then, various researchers have started working on finding solutions to it. Rapid research progress over the months has allowed researchers to learn more about this type of exploit and how attackers perform it in order to create denial of service (AbdAllah, Zulkernine and Hassanein 2018). In spite of the rapid research progress, appropriate solutions are yet to be developed. Instead, the researchers recommend some common safety techniques to avoid any type of cache attack like the CPDoS exploit. Some of these recommended measures are as follows.

Deep Learning – In order to avoid the CPDoS exploit, learning in depth about how it is done and how it traps users is very important. Without sufficient knowledge, users will not even be able to realise that they are the victims of a CPDoS attack. There are some online resources about CPDoS that can be considered for reading and understanding the attack.

Review Cache Files – One of the most important recommended techniques is to conduct a detailed review of the caching configuration of the user’s origin web server. The main focus of the review is to ensure that only static files that are independent of user input are cached.

No Trust on Data in HTTP Headers – As discussed above, most of the attacks are done through the data in HTTP headers and hence any data from the HTTP headers must not be trusted by the user.

Avoid GET Request – Previously, it has been discussed that GET requests are not permitted by firewalls and other protecting entities. As a result, if any user receives GET request bodies, he should completely avoid them and also ensure the contents of the response are not modified.

Future Importance and Effectiveness of CPDoS

Considering that CPDoS is a very new kind of attack that needs to be explored further, its exact future importance and effectiveness are yet to be properly known. However, it is certain that these types of attacks can create a large amount of vulnerability using semantic gaps, which can cause massive security threats in the near future. From the information that is currently known, it can be said that CPDoS attacks can affect distributed systems more than others (Nagesh et al. 2016). This is mainly because distributed systems have distinct layers and thus attacking is much easier. As discussed in the previous part of the report, CPDoS attacks can be done through three distinct techniques, and it is evident from study that a simple but malicious request can be sufficient to cripple a website if the user is not able to detect the threat or the attempt at denial of service. What is more, this type of attack can affect a large geographical region, making it a major national level or even continental level threat. Researchers conducted a detailed study on various types of websites and found that 30% of websites among the top 500 listed by Alexa, 16% of URLs and 11% of DoD websites are very much vulnerable to CPDoS attacks, thus presenting a major global problem for the internet (AbdAllah, Zulkernine and Hassanein 2018). In addition, these websites contain update files and mission critical firmware that can be the targets of CPDoS attacks.

The researchers have also presented their opinion that more semantic gap vulnerabilities may occur in the future due to the fact that Microservices and Service-Oriented Architecture design principles are followed by a majority of the distributed systems that are currently in use (Nguyen, Iacono and Federrath 2019). In these design principles, different programming languages are used and distinct entities are operated, making them easy targets of CPDoS attacks. Further research will continue on the development of robust safeguards that will help to prevent CPDoS attacks, in addition to detecting them in time so that the user does not allow such attacks to enter the web server. For the time being, users should stay alert and ensure they are not letting in potential attacks that include malicious data within the HTTP headers.

Conclusion

Based on the study above in the report, some discussions can be made regarding the final findings.
A Content Delivery Network (CDN) is a type of distributed server system or network that enables the delivery of web pages and web content to a particular internet user on the basis of the user’s geographical location. The main working principle of a CDN is that web content is delivered faster when the user’s geographical location is closer to the web hosting provider’s content. This type of distribution network is mostly used for online streaming services like Netflix and Hulu, but at the same time these networks have extensive coverage that is very beneficial for the load distribution of servers, which in turn helps to improve the experience of the users. The CDN follows the basic server-client principle and, instead of a single server holding all the data, it utilises a composite of multiple servers across which the data remains distributed. The data is distributed to the different servers from a node (commonly called the root server). The path from the root server to the user’s server depends on the user’s geographical location.

Three types of CDNs are commonly used: edge distribution, edge hierarchy, and hub and spoke. Edge distribution is generally used in CDNs that are small and have a low coverage area. The root servers are connected to certain edge devices, and the data is transmitted from the root server to the edge devices before being delivered to the user. If the edge devices or nodes are absent, the data can also be transmitted directly to the user’s internet access point. Edge hierarchy is mostly suitable for CDNs that are medium sized. The main process includes the installation of hub caches downstream from the root server, which in turn are utilised to distribute the data to the servers that are nearby. Hub and spoke is suitable for large scale CDNs. The connected servers in this network are called ‘hubs’, in which the root server data is mirrored. A cache spoke is utilised that helps to retrieve any data within a server during a request from the user.

CPDoS, or Cache-Poisoned Denial-of-Service, is a type of web cache poisoning attack that has come into existence only recently. The main target of this type of exploit is to disable online resources and websites that contain a significant amount of data. Until now, three different types of CPDoS have been detected, namely HTTP Header Oversize (HHO), HTTP Method Override (HMO) and HTTP Meta Character (HMC). The CPDoS exploit is a new type of attack that targets caches and creates denial of service, and hence not much is known about it. This type of attack was detected only last year and since then, various researchers have started working on finding solutions to it.

From the information that is currently known, it can be said that CPDoS attacks can affect distributed systems more than others. This is mainly because distributed systems have distinct layers and thus attacking is much easier. As discussed in the previous part of the report, CPDoS attacks can be done through three distinct techniques, and it is evident from study that a simple but malicious request can be sufficient to cripple a website if the user is not able to detect the threat or the attempt at denial of service. Rapid research progress over the months has allowed researchers to learn more about this type of exploit and how attackers perform it in order to create denial of service. In order to avoid the CPDoS exploit, learning in depth about how it is done and how it traps users is very important. Without sufficient knowledge, users will not even be able to realise that they are the victims of a CPDoS attack.
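One way to recognise the three request patterns described in this report before a cache forwards a request, given as an added example (not code from this report or from the cited paper). The 8,192-byte limit is the Apache HTTPD figure quoted earlier; the function names, the reject_uncached action and the sample requests are assumptions made for the illustration.

```ruby
# Screening of already-parsed request headers at the cache tier.
# Sample requests at the bottom are constructed.

ORIGIN_HEADER_LIMIT = 8_192   # Apache HTTPD figure quoted in the report
OVERRIDE_HEADERS = %w[x-http-method-override x-http-method x-method-override].freeze
META_CHARS = /[\n\r\x07]/     # line feed, carriage return, bell

# Returns the list of variants (:hho, :hmo, :hmc) that a header hash matches.
def cpdos_findings(headers, origin_limit: ORIGIN_HEADER_LIMIT)
  findings = []

  # HHO: a header block the cache may accept but the origin would reject.
  # Each field is counted as "name: value\r\n".
  size = headers.sum { |name, value| name.bytesize + value.to_s.bytesize + 4 }
  findings << :hho if size > origin_limit

  # HMO: a header asking the origin to run a different method from the one
  # the cache saw.
  findings << :hmo if headers.keys.any? { |n| OVERRIDE_HEADERS.include?(n.downcase) }

  # HMC: control characters inside a header name or value.
  if headers.any? { |n, v| n.match?(META_CHARS) || v.to_s.match?(META_CHARS) }
    findings << :hmc
  end

  findings
end

# Decide what the cache tier does with the request: forward it, or answer it
# locally with a rejection that is never stored in the cache.
def screen(headers)
  findings = cpdos_findings(headers)
  { action: findings.empty? ? :forward : :reject_uncached, findings: findings }
end

# Constructed sample requests, one per case.
SAMPLES = {
  normal:   { "Host" => "example.org", "Accept" => "text/html" },
  oversize: (0..200).map { |i| ["X-Oversized-Header-#{i}", "0" * 44] }.to_h,
  override: { "Host" => "example.org", "X-HTTP-Method-Override" => "DELETE" },
  meta:     { "Host" => "example.org", "X-Test" => "abc\x07def" }
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each { |name, headers| puts "#{name}: #{screen(headers)}" }
end
```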
References

AbdAllah, E.G., Zulkernine, M. and Hassanein, H.S., 2018. DADI: Defending against distributed denial of service in information-centric networking routing and caching. Security and Privacy, 1(2), p.e16.

Bhat, D., Rizk, A., Zink, M. and Steinmetz, R., 2018. SABR: Network-assisted content distribution for QoE-driven ABR video streaming. ACM Transactions on Multimedia Computing, Communications, and Applications (TOMM), 14(2s), pp.1-25.

Brown, J.D. and Willink, T.J., 2018. ARP cache poisoning and routing loops in ad hoc networks. Mobile Networks and Applications, 23(5), pp.1306-1317.

Chen, C., Hu, J., Qiu, T., Atiquzzaman, M. and Ren, Z., 2018. CVCG: Cooperative V2V-aided transmission scheme based on coalitional game for popular content distribution in vehicular ad-hoc networks. IEEE Transactions on Mobile Computing, 18(12), pp.2811-2828.

Deng, S., Yuan, C., Yang, J. and Zhou, A., 2017. Distributed mining for content filtering function based on simulated annealing and gene expression programming in active distribution network. IEEE Access, 5, pp.2319-2328.

DiBenedetto, S. and Papadopoulos, C., 2016, April. Mitigating poisoned content with forwarding strategy. In 2016 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS) (pp. 164-169). IEEE.

Halloush, R., Liu, H., Dong, L., Wu, M. and Radha, H., 2017. Hop-by-hop content distribution with network coding in multihop wireless networks. Digital Communications and Networks, 3(1), pp.47-54.

Hussain, M.A., Jin, H., Hussien, Z.A., Abduljabbar, Z.A., Abbdal, S.H. and Ibrahim, A., 2016, July. DNS protection against spoofing and poisoning attacks. In 2016 3rd International Conference on Information Science and Control Engineering (ICISCE) (pp. 1308-1312). IEEE.

Lei, K., Zhong, S., Zhu, F., Xu, K. and Zhang, H., 2017. An NDN IoT content distribution model with network coding enhanced forwarding strategy for 5G. IEEE Transactions on Industrial Informatics, 14(6), pp.2725-2735.

Liao, D., Sun, G., Yang, G. and Chang, V., 2018. Energy-efficient virtual content distribution network provisioning in cloud-based data centers. Future Generation Computer Systems, 83, pp.347-357.

Meghana, J.S., Subashri, T. and Vimal, K.R., 2017, March. A survey on ARP cache poisoning and techniques for detection and mitigation. In 2017 Fourth International Conference on Signal Processing, Communication and Networking (ICSCN) (pp. 1-6). IEEE.

Nagesh, K., Sumathy, R., Devakumar, P. and Sathiyamurthy, K., 2016, August. A survey on denial of service attacks and preclusions. In Proceedings of the International Conference on Informatics and Analytics (pp. 1-10).

Nguyen, H.V., Iacono, L.L. and Federrath, H., 2019, November. Your Cache Has Fallen: Cache-Poisoned Denial-of-Service Attack. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security (pp. 1915-1936).

Prabadevi, B., Jeyanthi, N. and Abraham, A., 2020. An analysis of security solutions for ARP poisoning attacks and its effects on medical computing. International Journal of System Assurance Engineering and Management, 11(1), pp.1-14.

Sakhawat, D., Khan, A.N., Aslam, M. and Chronopoulos, A.T., 2018. Agent-based ARP cache poisoning detection in switched LAN environments. IET Networks, 8(1), pp.67-73.

Shin, H. and Park, J.S., 2017. Optimizing random network coding for multimedia content distribution over smartphones. Multimedia Tools and Applications, 76(19), pp.19379-19395.

Sun, G., Chang, V., Yang, G. and Liao, D., 2018. The cost-efficient deployment of replica servers in virtual content distribution networks for data fusion. Information Sciences, 432, pp.495-515.
Trabelsi, Z., 2016. Microsoft Windows vs. Apple Mac OS X: Resilience against ARP cache poisoning attack in a local area network. Information Security Journal: A Global Perspective, 25(1-3), pp.68-82.

Zhao, J., Liang, P., Liufu, W. and Fan, Z., 2019, December. Recent Developments in Content Delivery Network: A Survey. In International Symposium on Parallel Architectures, Algorithms and Programming (pp. 98-106). Springer, Singapore.

Zhou, Z., Yu, H., Xu, C., Zhang, Y., Mumtaz, S. and Rodriguez, J., 2018. Dependable content distribution in D2D-based cooperative vehicular networks: A big data-integrated coalition game approach. IEEE Transactions on Intelligent Transportation Systems, 19(3), pp.953-964.