RangeAmp DDoS attacks use CDN servers to amplify web traffic and bring down websites
We had earlier in the week reported about how potential hackers and cybercriminals could exploit the way DNS servers handle recursive queries to launch super-amplified DDoS attacks on websites by a whopping 1620x times. The vulnerability is called the NXNS attack and was found by two Israeli security researchers. Now a team of Chinese researchers have found a new DDoS attack vector called RangeAmp. RangeAmp manipulates the CDN servers to amplify the DDoS attacks on target websites.
What is RangeAmp DDoS attack?
The Chinese academics discovered two ways in which they could abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). They have named this technique as RangeAmp. RangeAmp exploits incorrect implementations of the HTTP “Range Requests” attribute hence the name.
HTTP Range Requests are particularly used by cloud delivery networks (CDN) to request only a part of the website which has been updated by the end-user. This is a normal HTTP standard and allows the CDNs to load the website more quickly for viewers. Normally when you type in a URL for a website without a CDN, it loads the full website but when you type in a URL for a website using a CDN, it loads only the dynamic content while the static content is loaded from the CDNs cache. This not only loads up pages faster but also relieves the load on the website’s hosting provider thus minimizing the RAM used.
RangeAmp exploits this particular feature to send malformed HTTP requests to websites and cause an outage. The Chinese researcher team of Weizhong Li, Kaiwen Shen, Run Guo, Baojun Liu, Jia Zhang, Haixin Duan k, Shuang Hao, Xiarun Chen, and Yao Wan found that they could use malformed HTTP Range Requests to amplify how web servers and CDN systems react when having to deal with a range request operation and make a particular target website stop working.
Two RangeAmp DDoS attacks
The Chinese researcher team says the RangeAmp DDoS attack can be exploited in two ways:
The first is called a RangeAmp Small Byte Range (SBR) attack. RangeAmp SBR attack is done by sending a malformed HTTP range request to the CDN provider, which amplifies the traffic towards the destination server, eventually crashing the targeted site.
While the second one is called RangeAmp Overlapping Byte Ranges (OBR) attack. To exploit the RangeAmp OBR attack, the potential hacker sends a malformed HTTP range request to a CDN provider like above. But in this case, the web traffic is funneled through other CDN servers. This attack method amplifies the web traffic inside the CDN networks, crashing CDN servers, and rendering both the CDNs and many other destination sites inaccessible.
In essence, the first RangeAmp SBR DDoS attack uses the CDN to send malformed requests to the victim website and bring it down while in the RangeAmp OBR DDoS attack, the hacker uses the CDN to bring down the CDN itself and cause cascading domino effect.
The Chinese team tested RangeAmp attacks against 13 CDN providers and found that all were vulnerable to the RangeAmp SBR attack, and six were also vulnerable to the OBR variant when used in certain combinations. The Chinese team found that RangeAmp SBR attacks were easiest to perform and could be devastatingly used by cybercriminals to amplify traffic.
They noted that they could amplify the DDoS traffic from 724 to 43,330 times the original traffic using the RangeAmp SBR attack while they could amplify the DDoS traffic by 7,500 times using the RangeAmp OBR DDoS attack method. The RangeAmp OBR DDoS attack was a little difficult to exploit and needed a higher level of networking knowledge to implement.
The team has notified the 13 CDN providers, out of which 12 responded positively and either rolled out or said they planned to roll out updates to their HTTP Range Request implementation. The CDN providers who have responded positively are Akamai, Alibaba Cloud, Azure, Cloudflare, CloudFront, CDNsun, CDN77, Fastly, G-Core Labs, Huawei Cloud, KeyCDN, and Tencent Cloud.
The paper will be presented in July at the IEEE/IFIP DSN 2020 virtual conference, where it’s one of the three papers nominated for the Best Paper Award.