5 January 2011—After WikiLeaks began publishing confidential communications of the U.S. State Department late last year, a spate of incidents put distributed denial-of-service (DDoS) attacks back in the news. These attacks can take many forms, the most straightforward of which is simply to overwhelm the targeted file server with requests. If that server can't keep up with the barrage, legitimate users are effectively shut out.
An attractive defense is to employ a large number of servers at far-flung locations. Such content-delivery networks are common enough, and plugging into one isn't difficult. Akamai Technologies runs the largest such network; it has 73 000 globally distributed servers, which, according to the company, handles 15 to 30 percent of all Web traffic.
With such file-serving clout in your corner, your site should be able to stand up to almost any pummeling, right? That's what Akamai boasted in the wake of the recent attacks. And in most situations, linking up with a content-delivery network is undoubtedly a good defense. But many of the companies doing so probably don't know that if the bad guys are clever enough—and if the good guys are not quite on the ball—using a content-delivery network might actually increase a Web site's vulnerability.
That troubling possibility came to light in research reported in 2009 at the 14th European Symposium on Research in Computer Security by Michael Rabinovich, a professor of electrical engineering and computer science at Case Western Reserve University, in Cleveland, and two graduate students then studying under his direction, Sipat Triukose and Zakaria Al-Qudah.
"Content-delivery networks have this intuitively understood claim that they improve the resiliency of Web sites to distributed denial-of-service attacks," says Rabinovich. "If an attacker tries to launch an attack, he will exhaust his resources before the content-delivery network notices a blip." But while Rabinovich's group was studying the performance of content-delivery networks, they stumbled on a subtle weakness. To appreciate the trouble it could cause, you need to understand a little bit about these networks.
When your computer requests something from the Web site of a company that uses a content-delivery network, you are invisibly routed to one of the network's many so-called edge servers. If that edge server does not have the content you are looking for, which might include rather large files, such as video clips or images, it retrieves a copy from the company's server (the origin server) and passes it to you. The edge server also keeps a copy in its cache. Subsequent requests for that content can thus be accommodated without consulting the origin server. This is what protects that server from being swamped with requests.
The basic problem, Rabinovich's team found, is that a bad guy can add what's known as a query string to the URL he is targeting. Query strings are common enough—you often see them at the top of your browser introduced by a question mark. They are used to communicate parameters to the server, such as the particular keywords you are Googling.
The conundrum here is that if a random query string is added to a URL, the content-delivery network's server will typically treat the request as new and pass it on to the origin server. If the origin server is not expecting a query string, it will most likely disregard it and just supply the file normally. That is to say, an attacker can force an edge server to consult the origin server—perhaps to ask for a copy of a large file—at will.