October 28, 2019

CPDoS attack update

By Richard Yew, Principal Product Manager, Security

Security researchers recently announced Cache-Poisoned Denial-of-Service (CPDoS), a new class of web cache poisoning attacks. Verizon Media Platform has analyzed this type of attack and determined that our default caching behavior is not vulnerable to this new threat. A CPDoS attack works by crafting a malformed HTTP request that passes through a CDN (or other caching layer) and causes the victim's origin server to return an error response. If the CDN caches that error response under the same key as the legitimate resource, it is served to legitimate users who request the original content, denying them service.

By default, caching is enabled only for successful 200 OK responses from origins. "Negative" responses such as 4xx or 5xx error pages are not cached, because of the risk of serving a cached error state when the content is actually available. However, since Verizon Media allows customers to define custom caching behavior, customers who implement non-standard rules such as error response caching may be vulnerable to CPDoS.
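The following toy model, added here and not code from Verizon Media or the researchers, shows why the default "200 OK only" policy described above resists the attack while a custom negative-caching rule does not. The origin's header size limit, the request shapes, and the path-only cache key are constructed assumptions for the demonstration.

```python
"""Toy cache model: default (200-only) caching versus custom error caching under CPDoS."""
from dataclasses import dataclass, field

HEADER_LIMIT = 64  # constructed origin limit; real servers typically allow several KiB


@dataclass
class Response:
    status: int
    body: str


def origin(request: dict) -> Response:
    """Constructed origin: rejects a request whose headers exceed the limit."""
    header_bytes = sum(len(k) + len(v) for k, v in request["headers"].items())
    if header_bytes > HEADER_LIMIT:
        return Response(400, "Bad Request")
    return Response(200, f"content of {request['path']}")


@dataclass
class Cache:
    cache_errors: bool  # True models a non-standard negative-caching rule
    store: dict = field(default_factory=dict)

    def cacheable(self, response: Response) -> bool:
        # Default policy from the advisory: only 200 OK responses are stored.
        return response.status == 200 or self.cache_errors

    def fetch(self, request: dict) -> Response:
        key = request["path"]  # cache key ignores request headers (assumption)
        if key in self.store:
            return self.store[key]
        response = origin(request)
        if self.cacheable(response):
            self.store[key] = response
        return response


def simulate(cache_errors: bool) -> int:
    """One malformed request, then a legitimate one; return the status the legitimate client sees."""
    cache = Cache(cache_errors=cache_errors)
    malformed = {"path": "/index.html", "headers": {"X-Oversized": "A" * 100}}
    legitimate = {"path": "/index.html", "headers": {"Host": "example.test"}}
    cache.fetch(malformed)  # origin answers 400; stored only if errors are cacheable
    return cache.fetch(legitimate).status


if __name__ == "__main__":
    print("default policy:", simulate(False))   # 200
    print("error caching:", simulate(True))     # 400
```

Reviewing a custom rule amounts to asking the `cacheable` question for each status code the rule admits and whether the cache key excludes the request parts that can trigger the origin error.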

We strongly advise customers to review all non-standard caching rules, specifically any rule that caches negative or error responses, to ensure that the CPDoS vulnerability is accounted for.

We appreciate the work of the researchers Hoai Viet Nguyen and Luigi Lo Iacono, who disclosed this vulnerability and their efforts to educate the internet community.

If you are a security researcher wishing to collaborate or responsibly disclose information, please contact us via our coordinated disclosure program.
