Computer Security - CPDoS Attack


Added on  2022/08/16

Running Head: COMPUTER SECURITY
Computer Security: CPDoS Attack
Name of the Student
Name of the University

Table of Contents
Introduction
Principles of CDN
Description of CPDoS Exploit
Solutions to the CPDoS Exploit
Future Importance and Effectiveness of CPDoS
Conclusion
References
Introduction
One common type of distributed server system used to deliver web
content to users with low response times is the content delivery network (CDN). The main
principle of working of the CDN is the faster delivery of the web contents if the user’s
geographical location is closer to the web hosting provider’s content (Liao et al. 2018).
Moreover, it also ensures the reduction in the response time of the nearby server, enabling the
user to download the web contents at a faster rate than the contents located in a remote server. The
CDN follows the basic server-client principle and instead of a single server to hold all the data, it
utilises a composite of multiple servers in which the data remains distributed (Halloush et al.
2016). The data is distributed to the different servers from a node (commonly called the root
server). On the other hand, CPDoS or Cache-Poisoned Denial-of-Service is a type of web cache
poisoning attack that has come into existence only recently. The main target of this type of exploit
is to disable any resources (online) and websites that contain a significant amount of data (Nguyen,
Iacono and Federrath 2019). Three different types of CPDoS have been detected, namely –
HTTP Header Oversize (HHO), HTTP Method Override (HMO) and HTTP Meta Character
(HMC). CPDoS exploit is a new type of attack that targets the caches and creates denial of
service and hence, not much has been known regarding the same. Considering CPDoS is a very
new kind of attack that needs to be explored even further, its exact future importance and
effectiveness are yet to be properly known. However, one thing is ensured that these types of
attacks can create a large amount of vulnerability using semantic gaps and that will can cause
massive security threats in the near future (Brown and Willink 2018). From the information that
is currently known, it can be said that the CPDoS attacks can affect the distributed systems more
than the others. This is mainly because the distributed systems have distinct layers and thus
attacking is much easier. Rapid research progress over the months has allowed the researchers
to know more about the type of exploit and how the attackers are performing these types of
exploits in order to create denial of service. In spite of the rapid research progress, appropriate
solutions are yet to be developed.
The main purpose of this report is to study the main principles of CDN and also CPDoS
attacks with special emphasis on how CPDoS attacks are done and the possible solutions and
future implications of CPDoS attacks.
Principles of CDN
Content Delivery Network (CDN) is a type of distributed server system or network that
enables the delivery of web pages and web contents to a particular internet user on the basis of
the user’s geographical location. The main principle of working of the CDN is the faster delivery
of the web contents if the user’s geographical location is closer to the web hosting provider’s
content (Zhou et al. 2018). Moreover, it also ensures the reduction in the response time of the
nearby server, enabling the user to download the web contents at a faster rate than the contents
located in a remote server. This type of distribution network is mostly used for online streaming
services like Netflix and Hulu but at the same time, these networks have extensive coverage that
is very much beneficial for the load distribution of servers that in turn helps in improving the
experience of the users.
The CDN follows the basic server-client principle and instead of a single server to hold all
the data, it utilises a composite of multiple servers in which the data remains distributed. The
data is distributed to the different servers from a node (commonly called the root server). The
path from the root server to the user’s server depends on the user’s geographical location (Sun et
al. 2018). If the user’s geographical location is near, the data transmission will be faster and
much more efficient.
As per the current systems and utilisations, three types of CDNs are commonly used:
edge distribution, edge hierarchy and hub and spoke. These three are explained below.
Edge Distribution – Edge distribution is generally used in CDNs that are small, having
low coverage area. There are certain edge devices to which the root servers are connected and
the data is transmitted from root server to the edge devices before being delivered to the user
(Zhau et al. 2018). If the edge devices or nodes are absent, the data can also be transmitted
directly to the user’s internet access point. The retrieval process is generally very fast and thus, it
is very suitable for online streaming of music, videos, online games and others.

Edge Hierarchy – This type of distribution is mostly suitable for CDNs that are medium
sized. The main process includes the installation of the hub caches downstream from the root
server that in turn is utilised to distribute the data to the servers that are nearby.
Hub and Spoke – This type of distribution network is mostly suitable for large scale
CDNs. The connected servers in this network are called ‘hubs’, in which mirroring of the root
server data is done (Chen et al. 2018). A cache spoke is utilised that helps to retrieve any data
within a server during a request from the user.
Description of CPDoS Exploit
CPDoS or Cache-Poisoned Denial-of-Service is a type of web cache poisoning attack that
has come into existence only recently. The main target of this type of exploit is to disable any
resources (online) and websites that contain a significant amount of data. As a result of this
exploit, the users are not able to open websites or view any data contained within the website
(Sakhawat et al. 2018).
The sequence of the CPDoS attacks is described as follows.
i. The attacker, who wants to poison the server, creates a malicious header and
sends the same through a web server to the victim resource in the form of a simple
HTTP request (Meghana, Subashri and Vimal 2017). The malicious header can
remain unobtrusive even when the intermediate cache processes the request.
ii. The request is forwarded to the origin server by the cache since the fresh copy of
the targeted resource is not stored. As the origin server processes the request, an
error message is generated as the request contains a header that is malicious in
nature.
iii. As a result of the error generated, the user does not get access to the requested
resources and receives an error page instead while entering the website.
iv. The generation of the error page also helps the attacker to understand that the
attack has been successfully done.
v. The users trying to access the resource in the target website, even after several
requests, will always be directed to the cached error page.
Till now, three different types of CPDoS have been detected, namely – HTTP Header
Oversize (HHO), HTTP Method Override (HMO) and HTTP Meta Character (HMC).
HTTP Header Oversize (HHO) – Major and important information in web servers and
intermediate systems are often included within the HTTP request header. The request header also
includes header fields and meta data related to the cache in the form of encodings, languages and
media types that are supported for the clients (Prabadevi, Jeyanthi and Abraham 2020). There are
certain HTTP standards that govern various aspects of the HTTP requests but one gap is that the
standards do not specify any size limits for the request headers of HTTP. In order to fill this
gap in the standard, most of the proxies and web servers set their own size limits. Some common
examples include Amazon CloudFront CDN whose limit is 20,480 bytes whereas Apache
HTTPD allows 8,192 bytes (DiBenedetto and Papadopoulos 2016). The attackers utilize this
large semantic gap between the allowable limits to inject oversized headers into the web servers
and as a result, create cache poisoning. To carry out a poisoning of this type, the attacker can
use two techniques. The first technique is using various malicious headers to create a
request header and the second technique involves using an oversized key or value for a single
header. The first option is shown in the form of Ruby code in the following (Nguyen, Iacono
and Federrath 2019).
require 'net/http'
uri = URI("https://example.org/index.html")
req = Net::HTTP::Get.new(uri)
num = 200
i = 0
# Setting malicious and irrelevant header fields to create an oversized header
until i > num do
  req["X-Oversized-Header-#{i}"] = "Big-Value-0000000000000000000000000000000000"
  i += 1
end
res = Net::HTTP.start(uri.hostname, uri.port, :use_ssl => uri.scheme == 'https') {|http|
  http.request(req)
}
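The header-size gap described above, as an added illustration that is not part of the original report: an in-memory model (no network traffic) of a cache accepting up to 20,480 header bytes in front of an origin accepting 8,192, showing the error page being cached and how a cache that stores only successful responses avoids it. The class and method names, the status codes and the store-only-200 policy are assumptions of this sketch.

```ruby
# Added illustration: in-memory model only, nothing is sent over the network.
# Limits are the figures quoted in the text; all names here are hypothetical.
CACHE_HEADER_LIMIT  = 20_480 # Amazon CloudFront figure from the text
ORIGIN_HEADER_LIMIT = 8_192  # Apache HTTPD figure from the text

Response = Struct.new(:status, :body)

# Size of the header block as serialized on the wire ("Name: value\r\n").
def header_bytes(headers)
  headers.sum { |name, value| name.bytesize + value.bytesize + 4 }
end

# Origin server: answers with an error page when the headers exceed its limit.
class Origin
  def handle(path, headers)
    if header_bytes(headers) > ORIGIN_HEADER_LIMIT
      Response.new(400, "Bad Request: header too large")
    else
      Response.new(200, "content of #{path}")
    end
  end
end

# Cache tier: the cache key is the path only, so request headers do not
# distinguish entries. cache_errors selects the weak or the hardened policy.
class Cache
  def initialize(origin, cache_errors:)
    @origin = origin
    @cache_errors = cache_errors
    @store = {}
  end

  def get(path, headers = {})
    if header_bytes(headers) > CACHE_HEADER_LIMIT
      return Response.new(431, "rejected at cache")
    end
    return @store[path] if @store.key?(path)

    response = @origin.handle(path, headers)
    # Hardened policy: error pages are passed through but never stored.
    @store[path] = response if response.status == 200 || @cache_errors
    response
  end
end

# Constructed sample: about 11 KB of headers, between the two limits.
def constructed_oversized_headers
  (0...200).to_h { |i| ["X-Oversized-Header-#{i}", "0" * 30] }
end

# True when an ordinary visitor is served the error page after the
# oversized request has passed through the cache.
def poisoned_after_oversized_request?(cache_errors:)
  cache = Cache.new(Origin.new, cache_errors: cache_errors)
  cache.get("/index.html", constructed_oversized_headers)
  cache.get("/index.html").status != 200
end
```

With `cache_errors: true` the later visitor receives the stored 400 page; with `cache_errors: false` the visitor's request reaches the origin and the real resource is cached.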
HTTP Method Override (HMO) – The HTTP standards that are currently in effect allow
transactions on the web by the clients and web servers using various methods. Some of the
commonly used HTTP methods are POST, GET, PUT and DELETE but many firewalls, load
balancers, proxies and caches allow only POST and GET whereas the other two (DELETE and
PUT) are blocked by them (Trabelsi 2016). The HTTP Method Override attack aims to bypass these
firewalls and caches by utilizing POST and GET to carry the methods that are blocked. In order to
bypass the blocking, headers like X-HTTP-Method-Override, X-HTTP-Method or
X-Method-Override are utilised by the attackers. The following snippet shows how such an override is
inserted and executed by the attacker.
POST /items/1 HTTP/1.1
Host: example.org
X-HTTP-Method-Override: DELETE

HTTP/1.1 200 OK
Content-Type: text/plain
Content-Length: 62

Resource has been successfully removed with the DELETE method.
HTTP Meta Character (HMC) – Although the working of this poisoning attack is similar
to the Header Oversize attack (HHO), an oversized header is not used in this case. Instead, bypassing of
the cache is done through the use of a harmful meta character inserted within the request header
(Hussain et al. 2016). Some of the common meta characters used include line break/carriage
return (\n), line feed (\r) or bell (\a).
Solutions to the CPDoS Exploit
The CPDoS exploit is a new type of attack that targets the caches and creates denial of service
and hence, not much is known regarding the same. This type of attack was
detected in 2019 and since then, various researchers have started working on finding solutions to
the same. Rapid research progress over the months has allowed the researchers to know more
about the type of exploit and how the attackers are performing these types of exploits in order to
create denial of service (AbdAllah, Zulkernine and Hassanein 2018). In spite of the rapid
research progress, appropriate solutions are yet to be developed. Instead, the researchers
recommend some common safety techniques to avoid any type of cache attack like CPDoS
exploit. Some of these recommended measures are as follows.
Deep Learning – In order to avoid the CPDoS exploit, deep learning about how it is done and
how it traps users is very much important. Without sufficient knowledge, the users will not even
be able to realise that they are the victims of a CPDoS attack. There are some online resources about
CPDoS that can be considered for reading and understanding the attack.
Review Cache Files – One of the most important recommended techniques is to conduct a
detailed review of the user’s origin web server’s caching configuration. The main focus of the
review will be to ensure only static files that are independent of user input are cached.
No Trust on Data in HTTP Headers – As discussed above, most of the attacks are done
through the data in HTTP headers and hence, any data from the HTTP headers must not be
trusted by the user.
Avoid GET Request – Previously, it has been discussed that GET requests are not
permitted by firewalls and other protecting entities. As a result, if any user receives GET
request bodies, they should completely avoid them and also ensure the contents of the response are
not modified.
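One way to apply the "no trust in HTTP header data" measure at the cache tier, as an added example that is not part of the original report: a screening function that flags the three CPDoS variants described earlier and answers flagged requests at the edge with an uncacheable reply. The function names, the use of 8,192 bytes as the enforced limit and the reject-on-override policy are assumptions of this sketch.

```ruby
# Added example: hypothetical edge-side screening; all names are illustrative.
# Override headers named in the text, compared case-insensitively.
OVERRIDE_HEADERS = %w[x-http-method-override x-http-method x-method-override].freeze

# Assumption: enforce the strictest header limit of any hop behind the cache
# (8,192 bytes is the Apache HTTPD figure quoted in the text).
STRICTEST_HEADER_LIMIT = 8_192

# Control characters other than horizontal tab; includes \n, \r and \a.
META_CHARACTERS = /[\x00-\x08\x0A-\x1F\x7F]/

# Returns the list of CPDoS indicators found in a request's headers.
def screen_headers(headers)
  findings = []
  total = headers.sum { |name, value| name.bytesize + value.bytesize + 4 }
  findings << :header_oversize if total > STRICTEST_HEADER_LIMIT
  headers.each do |name, value|
    # Assumption: the application behind the cache does not rely on
    # method override headers, so their presence is always flagged.
    findings << :method_override if OVERRIDE_HEADERS.include?(name.downcase)
    findings << :meta_character if "#{name}#{value}".match?(META_CHARACTERS)
  end
  findings.uniq
end

# Decides what the edge does with the request. Flagged requests are
# answered at the edge and the reply is marked as not storable, so an
# error page can never replace the cached copy of the resource.
def edge_decision(headers)
  findings = screen_headers(headers)
  if findings.empty?
    { action: :forward, findings: findings }
  else
    { action: :reject, status: 400, cache_control: "no-store", findings: findings }
  end
end

# Constructed sample requests (header hashes), one per case.
SAMPLE_REQUESTS = {
  ordinary: { "Accept" => "text/html", "Accept-Language" => "en" },
  oversize: (0...200).to_h { |i| ["X-Oversized-Header-#{i}", "0" * 30] },
  override: { "X-HTTP-Method-Override" => "DELETE" },
  meta:     { "X-Metachar-Header" => "a\ab" },
  combined: { "x-http-method" => "PUT", "X-Note" => "a\rb" }
}.freeze

def screening_report
  SAMPLE_REQUESTS.transform_values { |headers| edge_decision(headers) }
end
```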
Future Importance and Effectiveness of CPDoS
Considering CPDoS is a very new kind of attack that needs to be explored even further,
its exact future importance and effectiveness are yet to be properly known. However, one thing is
certain: these types of attacks can create a large amount of vulnerability using semantic gaps
and that can cause massive security threats in the near future. From the information that is
currently known, it can be said that the CPDoS attacks can affect the distributed systems more
than the others (Nagesh et al. 2016). This is mainly because the distributed systems have distinct
layers and thus attacking is much easier. As discussed in the previous part of the report, CPDoS
attacks can be done through three distinct techniques and it is evident from study that a simple
but malicious request can be sufficient to cripple a website if the user is not able to detect the
threat or the attempt of denial of service. What’s more, this type of attack can affect a large
geographical region, making it a major national level or even continental level of threat.
Researchers conducted a detailed study on various types of websites and found that 30% of
websites among top 500 listed by Alexa, 16% of URLs and 11% DoD websites are very much
vulnerable to CPDoS attacks, thus presenting a major global problem for the internet (AbdAllah,
Zulkernine and Hassanein 2018). In addition, these websites contain update files and mission
critical firmware that can be the targets of the CPDoS attacks. The researchers have also
presented their opinion that more semantic gap vulnerabilities may occur in the future due to the
fact that Microservices and Service-Oriented Architecture design principles are followed by a
majority of the distributed systems that are currently in use (Nguyen, Iacono and Federrath
2019). In these design principles, different programming languages are used and distinct entities
are operated, making them easy targets of the CPDoS attacks. Further research will continue for
the development of robust safeguards that will help to prevent CPDoS attacks in addition to
detecting them in time so that the user does not allow such attacks to enter the web server. For
the time being, the users should stay alert and ensure they are not allowing in the potential
attacks that include malicious data within the HTTP headers.
Conclusion
Based on the study above in the report, some discussions can be made regarding the final
findings. Content Delivery Network (CDN) is a type of distributed server system or network that
enables the delivery of web pages and web contents to a particular internet user on the basis of
the user’s geographical location. The main principle of working of the CDN is the faster delivery
of the web contents if the user’s geographical location is closer to the web hosting provider’s
content. This type of distribution network is mostly used for online streaming services like
Netflix and Hulu but at the same time, these networks have extensive coverage that is very much
beneficial for the load distribution of servers that in turn helps in improving the experience of the
users. The CDN follows the basic server-client principle and instead of a single server to hold all
the data, it utilises a composite of multiple servers in which the data remains distributed. The
data is distributed to the different servers from a node (commonly called the root server). The
path from the root server to the user’s server depends on the user’s geographical location. Three
types of CDNs are commonly used: edge distribution, edge hierarchy and hub and spoke. Edge
distribution is generally used in CDNs that are small, having low coverage area. There are
certain edge devices to which the root servers are connected and the data is transmitted from root
server to the edge devices before being delivered to the user. If the edge devices or nodes are
absent, the data can also be transmitted directly to the user’s internet access point. Edge
hierarchy is mostly suitable for CDNs that are medium sized. The main process includes the
installation of the hub caches downstream from the root server that in turn is utilised to distribute
the data to the servers that are nearby. Hub and Spoke is suitable for large scale CDNs. The
connected servers in this network are called ‘hubs’, in which mirroring of the root server data is
done. A cache spoke is utilised that helps to retrieve any data within a server during a request
from the user. CPDoS or Cache-Poisoned Denial-of-Service is a type of web cache poisoning
attack that has come into existence only recently. The main target of this type of exploit is to
disable any resources (online) and websites that contain a significant amount of data. Until now,
three different types of CPDoS have been detected, namely – HTTP Header Oversize (HHO),
HTTP Method Override (HMO) and HTTP Meta Character (HMC). The CPDoS exploit is a new
type of attack that targets the caches and creates denial of service and hence, not much is
known regarding the same. This type of attack was detected only last year and since
then, various researchers have started working on finding solutions to the same. From the
information that is currently known, it can be said that the CPDoS attacks can affect the
distributed systems more than the others. This is mainly because the distributed systems have
distinct layers and thus attacking is much easier. As discussed in the previous part of the report,
CPDoS attacks can be done through three distinct techniques and it is evident from study that a
simple but malicious request can be sufficient to cripple a website if the user is not able to detect
the threat or the attempt of denial of service. Rapid research progress over the months has
allowed the researchers to know more about the type of exploit and how the attackers are
performing these types of exploits in order to create denial of service. In order to avoid CPDoS
exploit, deep learning about how it is done and how it traps users is very much important.
Without sufficient knowledge, the users will not even be able to realise that they are the victims of
CPDoS attack.

References
AbdAllah, E.G., Zulkernine, M. and Hassanein, H.S., 2018. DADI: Defending against distributed
denial of service in information‐centric networking routing and caching. Security and
Privacy, 1(2), p.e16.
Bhat, D., Rizk, A., Zink, M. and Steinmetz, R., 2018. SABR: Network-assisted content
distribution for QoE-driven ABR video streaming. ACM Transactions on Multimedia
Computing, Communications, and Applications (TOMM), 14(2s), pp.1-25.
Brown, J.D. and Willink, T.J., 2018. ARP cache poisoning and routing loops in ad hoc
networks. Mobile Networks and Applications, 23(5), pp.1306-1317.
Chen, C., Hu, J., Qiu, T., Atiquzzaman, M. and Ren, Z., 2018. CVCG: Cooperative V2V-aided
transmission scheme based on coalitional game for popular content distribution in vehicular ad-
hoc networks. IEEE Transactions on Mobile Computing, 18(12), pp.2811-2828.
Deng, S., Yuan, C., Yang, J. and Zhou, A., 2017. Distributed mining for content filtering
function based on simulated annealing and gene expression programming in active distribution
network. IEEE Access, 5, pp.2319-2328.
DiBenedetto, S. and Papadopoulos, C., 2016, April. Mitigating poisoned content with forwarding
strategy. In 2016 IEEE Conference on Computer Communications Workshops (INFOCOM
WKSHPS) (pp. 164-169). IEEE.
Halloush, R., Liu, H., Dong, L., Wu, M. and Radha, H., 2017. Hop-by-hop content distribution
with network coding in multihop wireless networks. Digital Communications and
Networks, 3(1), pp.47-54.
Hussain, M.A., Jin, H., Hussien, Z.A., Abduljabbar, Z.A., Abbdal, S.H. and Ibrahim, A., 2016,
July. DNS protection against spoofing and poisoning attacks. In 2016 3rd International
Conference on Information Science and Control Engineering (ICISCE) (pp. 1308-1312). IEEE.
Lei, K., Zhong, S., Zhu, F., Xu, K. and Zhang, H., 2017. An NDN IoT content distribution model
with network coding enhanced forwarding strategy for 5G. IEEE Transactions on Industrial
Informatics, 14(6), pp.2725-2735.
Liao, D., Sun, G., Yang, G. and Chang, V., 2018. Energy-efficient virtual content distribution
network provisioning in cloud-based data centers. Future Generation Computer Systems, 83,
pp.347-357.
Meghana, J.S., Subashri, T. and Vimal, K.R., 2017, March. A survey on ARP cache poisoning
and techniques for detection and mitigation. In 2017 Fourth International Conference on Signal
Processing, Communication and Networking (ICSCN) (pp. 1-6). IEEE.
Nagesh, K., Sumathy, R., Devakumar, P. and Sathiyamurthy, K., 2016, August. A survey on
denial of service attacks and preclusions. In Proceedings of the International Conference on
Informatics and Analytics (pp. 1-10).
Nguyen, H.V., Iacono, L.L. and Federrath, H., 2019, November. Your Cache Has Fallen: Cache-
Poisoned Denial-of-Service Attack. In Proceedings of the 2019 ACM SIGSAC Conference on
Computer and Communications Security (pp. 1915-1936).
Prabadevi, B., Jeyanthi, N. and Abraham, A., 2020. An analysis of security solutions for ARP
poisoning attacks and its effects on medical computing. International Journal of System
Assurance Engineering and Management, 11(1), pp.1-14.
Sakhawat, D., Khan, A.N., Aslam, M. and Chronopoulos, A.T., 2018. Agent-based ARP cache
poisoning detection in switched LAN environments. IET Networks, 8(1), pp.67-73.
Shin, H. and Park, J.S., 2017. Optimizing random network coding for multimedia content
distribution over smartphones. Multimedia Tools and Applications, 76(19), pp.19379-19395.
Sun, G., Chang, V., Yang, G. and Liao, D., 2018. The cost-efficient deployment of replica
servers in virtual content distribution networks for data fusion. Information Sciences, 432,
pp.495-515.

Trabelsi, Z., 2016. Microsoft Windows vs. Apple Mac OS X: Resilience against ARP cache
poisoning attack in a local area network. Information Security Journal: A Global
Perspective, 25(1-3), pp.68-82.
Zhao, J., Liang, P., Liufu, W. and Fan, Z., 2019, December. Recent Developments in Content
Delivery Network: A Survey. In International Symposium on Parallel Architectures, Algorithms
and Programming (pp. 98-106). Springer, Singapore.
Zhou, Z., Yu, H., Xu, C., Zhang, Y., Mumtaz, S. and Rodriguez, J., 2018. Dependable content
distribution in D2D-based cooperative vehicular networks: A big data-integrated coalition game
approach. IEEE Transactions on Intelligent Transportation Systems, 19(3), pp.953-964.