A team of Chinese researchers has discovered a new way to abuse HTTP requests in order to amplify traffic in attacks on websites and content delivery networks (CDNs). The attack is called RangeAmp; in essence, it is a new DoS technique that exploits incorrect implementations of the HTTP Range Requests mechanism.
Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific part (a byte range) of a file from the server. The feature was designed so that a transfer can be paused and resumed, whether the interruption is deliberate (the user pauses and later resumes) or not (network congestion or a disconnect).
Standardization of HTTP Range Requests has been discussed by IETF experts for more than a decade, but because the feature is so useful, browsers, servers, and CDNs have long supported it.
The Chinese researchers write that attackers can use malformed HTTP Range Requests to amplify the responses of web servers and content delivery networks to such requests. There are two variants of RangeAmp.
The first is called RangeAmp Small Byte Range (SBR). Here the attacker sends a malformed request to the CDN provider, which amplifies the traffic sent on to the target server and ultimately disrupts the target site.
The second is called RangeAmp Overlapping Byte Ranges (OBR). Here the attacker also sends a malformed request to the CDN provider, but the traffic is routed through other CDN servers. As a result, the amplification happens inside the content delivery network itself, causing failures both in the CDN servers (so that the network stops operating normally) and at numerous target sites.
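As an added illustration, not code from the researchers or from any CDN, the following validator handles the two request shapes named above on the receiving side: it resolves RFC 7233 byte ranges, rejects overlapping or excessively many ranges (the OBR shape), and reports the object-to-request byte ratio an edge would see if it fetched the whole object to serve a tiny range (the SBR shape). The MAX_RANGES limit and the RangeCheck/parse_byte_ranges names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

MAX_RANGES = 8  # policy knob assumed for this example, not a value from the paper
_SPEC = re.compile(r"^(\d*)-(\d*)$")

@dataclass
class RangeCheck:
    ok: bool
    reason: str
    ranges: list = field(default_factory=list)  # resolved (first, last) pairs
    requested_bytes: int = 0
    # Ratio of object size to bytes requested: what the origin would send if the
    # edge fetched the whole object to serve this range (SBR-style); log/alert on it.
    amplification: float = 0.0

def parse_byte_ranges(header, content_length):
    """Resolve an RFC 7233 'bytes=' header into absolute (first, last) pairs, or None if any spec is bad."""
    if not header.lower().startswith("bytes="):
        return None
    resolved = []
    for spec in header[len("bytes="):].split(","):
        m = _SPEC.match(spec.strip())
        if not m or m.group(0) == "-":  # not "N-M", "N-" or "-N"
            return None
        first, last = m.groups()
        if first == "":  # suffix form "-N": the final N bytes of the object
            first_i, last_i = max(content_length - int(last), 0), content_length - 1
        else:
            first_i = int(first)
            last_i = content_length - 1 if last == "" else min(int(last), content_length - 1)
        if first_i >= content_length or last_i < first_i:
            return None  # unsatisfiable (stricter than the RFC, which may skip bad specs)
        resolved.append((first_i, last_i))
    return resolved

def check_range_header(header, content_length):
    """Reject the request shapes RangeAmp relies on and measure the remaining amplification."""
    ranges = parse_byte_ranges(header, content_length)
    if ranges is None:
        return RangeCheck(False, "malformed or unsatisfiable Range header")
    if len(ranges) > MAX_RANGES:
        return RangeCheck(False, f"too many byte ranges ({len(ranges)})", ranges)
    ordered = sorted(ranges)
    for (_, a_last), (b_first, _) in zip(ordered, ordered[1:]):
        if b_first <= a_last:  # OBR-style: a range re-requests bytes covered by another
            return RangeCheck(False, "overlapping byte ranges", ranges)
    requested = sum(last - first + 1 for first, last in ranges)
    return RangeCheck(True, "ok", ranges, requested, content_length / requested)
```

A request for one byte of a 1 MB object yields an amplification of about 1,000,000, which is the kind of ratio an edge should refuse to satisfy by a full-object origin fetch.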
The researchers say they tested RangeAmp attacks against 13 CDN providers and found that all of them are vulnerable to RangeAmp SBR, and 6 providers are also vulnerable to RangeAmp OBR in certain combinations.
The RangeAmp authors stress that these attacks are very dangerous and require minimal resources to carry out. It is reported that attackers can use RangeAmp SBR to amplify traffic 724 to 43,330 times.
Implementing a RangeAmp OBR attack is somewhat harder, since the 6 vulnerable CDNs must be used in specific configurations (master-surrogate). When these conditions were met, however, OBR attacks could also amplify traffic inside the CDNs: the size of the source packet was "inflated" 7,500 times.
At the same time, OBR is considered the more dangerous of the two attacks, because it lets attackers take down parts of a CDN provider's network and thereby cut off access to thousands of sites.
The 13 CDN providers were notified about RangeAmp seven months ago. 12 of them responded to the researchers' warnings and have already taken measures against RangeAmp attacks (or plan to do so in the near future): Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN and Tencent Cloud.
“Unfortunately, the StackPath provider did not respond, although we sent them letters several times and tried to contact the customer service department,” experts write.
The researchers plan to present the RangeAmp problem in full detail at the IEEE/IFIP DSN 2020 conference, which will be held online in July this year.