Abstract
Content Delivery Networks (CDNs) are commonly believed to offer their customers protection against application-level denial of service (DoS) attacks. Indeed, a typical CDN with its vast resources can absorb these attacks without noticeable effect. This paper uncovers a vulnerability which not only allows an attacker to penetrate a CDN’s protection, but to actually use a content delivery network to amplify the attack against a customer Web site. We show that leading commercial CDNs – Akamai and Limelight – and an influential research CDN – Coral – can be recruited for this attack. By mounting an attack against our own Web site, we demonstrate an order of magnitude attack amplification through leveraging the Coral CDN. We present measures that both content providers and CDNs can take to defend against our attack. We believe it is important that CDN operators and their customers be aware of this attack so that they can protect themselves accordingly.
Copyright information
© 2009 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Triukose, S., Al-Qudah, Z., Rabinovich, M. (2009). Content Delivery Networks: Protection or Threat?. In: Backes, M., Ning, P. (eds) Computer Security – ESORICS 2009. ESORICS 2009. Lecture Notes in Computer Science, vol 5789. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-04444-1_23
DOI: https://doi.org/10.1007/978-3-642-04444-1_23
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-04443-4
Online ISBN: 978-3-642-04444-1
eBook Packages: Computer Science (R0)