By Richard Yew, Principal Product Manager, Security
Security researchers recently announced Cache-Poisoned Denial-of-Service (CPDoS), a new class of web cache poisoning attacks. Verizon Media Platform has analyzed this type of attack and determined that our default caching behavior is not vulnerable to this new threat. A CPDoS attack works by crafting a malformed HTTP request that passes through a CDN (or other caching layer) unchanged but is rejected by the victim's origin server, which answers with an error response. The malformed element (for example an oversized header, a header containing meta characters, or a method-override header) is not part of the cache key, so if the CDN stores that error response it is served from cache to every legitimate user requesting the same URL, denying them access to the original content.
By default, the Verizon Media Platform caches only successful 200 OK responses from origins. "Negative" responses such as 4xx or 5xx error pages are not cached, because a cached error state would otherwise be served while the content is actually available. However, since Verizon Media allows customers to customize caching behavior, customers who have implemented non-standard rules such as error response caching may be vulnerable to CPDoS.
We strongly advise customers to review all non-standard caching rules, in particular any rule that caches negative or error responses, and to confirm that the CPDoS attack is accounted for.
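To make the mechanism and the configuration risk concrete, the following simulation is an added example written for this post; it is not Verizon Media Platform code and does not reflect its actual implementation. It models a caching proxy whose cache key is the URL path only, an origin that rejects request headers above a constructed limit with 400, and an attacker who sends a header larger than the origin tolerates but smaller than the edge tolerates. The header limits, origin content, and function names are all assumptions made for the simulation. Two cache configurations are compared: the default that stores only 200 responses, and a customized one that also stores error responses. A third configuration shows one generic countermeasure (aligning the edge's header limit with the origin's), which is a design choice of this example rather than a recommendation from the post.

```python
from dataclasses import dataclass, field

# Constructed limits for the simulation: the edge tolerates larger request
# headers than the origin does, which is the gap an oversized-header CPDoS
# request exploits.
ORIGIN_MAX_HEADER_BYTES = 8192
CDN_MAX_HEADER_BYTES = 20000

# Constructed origin content.
ORIGIN_CONTENT = {"/index.html": "<html>hello</html>"}


@dataclass
class Response:
    status: int
    body: str


def origin(path: str, headers: dict) -> Response:
    """Origin server: rejects oversized headers with 400, otherwise serves content."""
    for name, value in headers.items():
        if len(name) + len(value) > ORIGIN_MAX_HEADER_BYTES:
            return Response(400, "Bad Request: header too large")
    if path not in ORIGIN_CONTENT:
        return Response(404, "Not Found")
    return Response(200, ORIGIN_CONTENT[path])


@dataclass
class Cache:
    """Simplified caching proxy. Only the path forms the cache key; request
    headers do not, so a stored error response is served to every client."""
    cacheable_statuses: frozenset
    max_header_bytes: int = CDN_MAX_HEADER_BYTES
    store: dict = field(default_factory=dict)
    origin_requests: int = 0

    def fetch(self, path: str, headers: dict) -> Response:
        # Requests the edge itself rejects never reach the origin and are not stored.
        for name, value in headers.items():
            if len(name) + len(value) > self.max_header_bytes:
                return Response(431, "Request Header Fields Too Large")
        if path in self.store:
            return self.store[path]
        self.origin_requests += 1
        resp = origin(path, headers)
        if resp.status in self.cacheable_statuses:
            self.store[path] = resp
        return resp


def run_scenario(cache: Cache) -> tuple:
    """Attacker sends one oversized-header request, then a normal user requests
    the same path. Returns (attacker_status, user_status, origin_requests)."""
    attack_headers = {"X-Oversized": "A" * 10000}  # above origin limit, below edge limit
    attacker = cache.fetch("/index.html", attack_headers)
    user = cache.fetch("/index.html", {"Host": "example.com"})
    return attacker.status, user.status, cache.origin_requests


def default_cache() -> Cache:
    """Default behavior: only 200 OK responses are stored."""
    return Cache(cacheable_statuses=frozenset({200}))


def error_caching_cache() -> Cache:
    """Customized rule that also stores 4xx error pages."""
    return Cache(cacheable_statuses=frozenset({200, 400, 404}))


def aligned_limit_cache() -> Cache:
    """Error caching kept, but the edge rejects what the origin would reject."""
    return Cache(cacheable_statuses=frozenset({200, 400, 404}),
                 max_header_bytes=ORIGIN_MAX_HEADER_BYTES)


if __name__ == "__main__":
    print("default (200 only):   ", run_scenario(default_cache()))        # (400, 200, 2)
    print("error caching enabled:", run_scenario(error_caching_cache()))  # (400, 400, 1)
    print("aligned edge limit:   ", run_scenario(aligned_limit_cache()))  # (431, 200, 1)
```

With the default configuration the attacker's 400 is returned to the attacker only and the next user still reaches the origin and receives the page. With error caching enabled, the same single request leaves a 400 under /index.html and the user is served that error from cache without the origin being consulted. The third configuration shows that error caching can be made safe against this particular variant if the edge never forwards a request the origin would reject; in practice that alignment must cover every variant (header size, meta characters, method override) and is harder to guarantee than simply not caching error responses.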
We appreciate the work of the researchers Hoai Viet Nguyen and Luigi Lo Iacono in disclosing this vulnerability and their efforts to educate the internet community.
If you are a security researcher wishing to collaborate or responsibly disclose information, please contact us via our coordinated disclosure program.