Suspicious traffic could be testing CDN evasion, says expert

An individual or group is doing new probing of content delivery networks (CDNs), an effort that CSOs, CIOs and network administrators should worry about if they use CDNs instead of web application firewalls to protect websites.

That’s the conclusion of Johannes Ullrich, dean of research at the SANS Institute, who this week said his organization’s honeypots last month detected a curious amount of traffic with server requests that include CDN-related headers.

Perhaps, he said, someone is testing a tactic to evade CDN defences for launching either a targeted attack or a widespread distributed denial of service (DDoS) attack on a site.

For example, the honeypots have seen headers on traffic that include:

  • “Cf-Warp-Tag-Id,” which is associated with Cloudflare’s Warp VPN service;
  • “X-Fastly-Request-Id,” which is associated with the Fastly CDN;
  • “X-Akamai-Transformed,” a header added by Akamai;
  • and a puzzler: “X-T0Ken-Inf0.” Ullrich thinks it might contain a form of authentication token, but isn’t sure.

In an interview, he said one explanation is that a threat actor is trying to get around a CDN’s filters by creating page requests that include a CDN-related header.

Another possible explanation is that these requests are merely going through a CDN, but, Ullrich said, “the requests we’re seeing don’t quite look like that.”

Internet requests are messages sent from a client such as a web browser to a web server, requesting a web page. A wave of requests can be a DDoS attack, or mask a different kind of attack.

These days, many organizations use CDNs or cloud providers for basic DDoS protection and bot filtering in addition to load balancing. In a typical setup, Ullrich said, DNS is used to point clients to the CDN, which then forwards the request to a customer’s web server.

However, there’s a problem: If an attacker can identify the IP address of the actual web server, they are often able to bypass the CDN and reach the web server directly. There are a few ways for users to prevent this. For example, depending on the CDN selected, it may be possible to allow access only from the CDN’s IP address space. However, for some of the larger providers, this list of addresses may be large and very dynamic.

Another option is to add custom headers. Some CDNs offer special custom headers with randomized values to identify requests that have passed through the CDN. And a less secure option is to look for any header that identifies the CDN. However, Ullrich noted, merely looking for a header should be avoided, as attackers can easily include this header in their traffic. This appears to be the activity the SANS honeypot has been seeing since November.
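The two origin-side options Ullrich describes, a CDN IP allowlist and a custom header carrying a randomized per-customer value, can be combined into one gate in front of the web application. The following is an added example, not code from the article, SANS or any CDN vendor; the address blocks, the header name and the secret value are constructed placeholders that a real deployment would take from the CDN's own configuration. It also includes the weak presence-only check, so the difference is visible: a spoofed `X-Fastly-Request-Id` passes the weak check and fails the hardened one. The secret is compared in constant time, a design choice this example adds rather than something the article specifies.

```python
"""Origin-side request gate: CDN IP allowlist plus a per-customer secret header.

Added example, not code from the article or from any CDN vendor. The CDN ranges,
the header name and the expected secret are constructed placeholders; a real
deployment takes them from the CDN's configuration (and, as the article notes,
the published range lists can be large and change often).
"""
import hmac
import ipaddress

# Constructed placeholder: the address blocks the CDN forwards requests from.
CDN_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed placeholder: the header the CDN fills with a per-customer random
# secret, and the value the origin has been configured to expect.
SECRET_HEADER = "X-Origin-Secret"
EXPECTED_SECRET = "c0nstructed-example-secret-value"

# Headers that merely identify a CDN (the ones the SANS honeypots reported).
# Any client can add them, so their presence proves nothing about the path taken.
CDN_IDENTIFYING_HEADERS = {"cf-warp-tag-id", "x-fastly-request-id", "x-akamai-transformed"}


def weak_check(headers: dict) -> bool:
    """The 'less secure option': accept if any CDN-identifying header is present."""
    return any(name.lower() in CDN_IDENTIFYING_HEADERS for name in headers)


def from_cdn_range(client_ip: str) -> bool:
    """True when the TCP peer address lies inside one of the CDN's blocks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # unparsable peer address: treat as not from the CDN
    return any(addr in net for net in CDN_RANGES)


def secret_matches(headers: dict) -> bool:
    """True when the secret header is present and equals the configured value."""
    presented = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == SECRET_HEADER.lower():
            presented = value
            break
    if presented is None:
        return False
    # Constant-time comparison so a wrong guess leaks nothing via timing.
    return hmac.compare_digest(presented.encode(), EXPECTED_SECRET.encode())


def hardened_check(client_ip: str, headers: dict) -> bool:
    """Accept only if the peer is a CDN address AND the per-customer secret matches."""
    return from_cdn_range(client_ip) and secret_matches(headers)


if __name__ == "__main__":
    spoofed = {"Host": "www.example.com", "X-Fastly-Request-Id": "not-really-from-fastly"}
    print("weak check on spoofed header:", weak_check(spoofed))            # True
    print("hardened check on spoofed header:", hardened_check("198.51.100.7", spoofed))  # False
```

Requiring both conditions means a leaked secret alone, or a CDN-range address without the secret, is still refused; the allowlist and the token cover each other's failure modes.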

A spokesperson for CDN Cloudflare’s PR agency said a comment couldn’t be arranged by deadline.

Kellman Meghu, chief security architect at DeepCove Security, says the activity seen by the SANS Institute’s honeypots isn’t new. But, he added, it only becomes an issue when there is improper access control, or the controls fail.

“Origin web servers should be deployed with access controls, be it security groups or firewall rules, to only ever allow communication with the CDN service,” he said in an email. “Just deploying your web application as accessible to the world, and then overlaying a CDN to act as the front end seems like a terrible waste of money and effort. In today’s world of infrastructure-as-code, this can and should be easy to manage and mitigate as far as risk goes.”

Aditya Sood, VP of security engineering and AI strategy at Aryaka, said in an email that a surge in requests that include CDN-related headers “is clear experimentation from threat actors, and the impersonation isn’t just random noise, it’s reconnaissance. Attacks are probing to uncover the weak origin validation in organizations who are trusting the mere presence of a CDN-specific header instead of enforcing proper controls like IP allowlists, private network peering, or cryptographically validated tokens. When you see multiple CDN fingerprints being spoofed at roughly the same time, it usually means new tooling or automated scanners are being deployed in the wild.”

Proper origin hardening that includes strict IP allowlists, validated tokens, or private connectivity is essential to protect websites, he said. “Relying only on the presence of CDN-specific headers is no longer viable, and organizations that have not fully locked down their backend infrastructure may already be exposed.”
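Sood's point that several CDN fingerprints spoofed from one source at about the same time looks like automated scanning can be turned into a simple origin-log check. The following is an added example, not code from the article or from Aryaka; the JSON-lines access-log format, the addresses and the CDN range are constructed for the illustration. It reports every source that sends CDN-identifying headers without arriving from the CDN's address space, then singles out sources that impersonate more than one CDN, and it skips malformed log lines rather than aborting.

```python
"""Flag origin requests that carry CDN-identifying headers but did not come
from the CDN. Added example; log format, addresses and CDN range are constructed."""
import ipaddress
import json
from collections import defaultdict

# Constructed placeholder for the CDN's forwarding address block.
CDN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Header names the article reports the honeypots seeing, mapped to the CDN they imply.
CDN_FINGERPRINTS = {
    "cf-warp-tag-id": "Cloudflare",
    "x-fastly-request-id": "Fastly",
    "x-akamai-transformed": "Akamai",
    "x-t0ken-inf0": "unknown",  # the "puzzler" header; its origin is unclear
}

# Constructed JSON-lines origin access log; each record lists the request's header names.
SAMPLE_LOG = [
    '{"ts":"2024-12-01T03:14:07Z","client_ip":"198.51.100.7","path":"/","headers":["Host","User-Agent","X-Fastly-Request-Id"]}',
    '{"ts":"2024-12-01T03:14:09Z","client_ip":"198.51.100.7","path":"/admin","headers":["Host","Cf-Warp-Tag-Id"]}',
    '{"ts":"2024-12-01T03:14:11Z","client_ip":"198.51.100.7","path":"/","headers":["Host","X-Akamai-Transformed","X-T0Ken-Inf0"]}',
    '{"ts":"2024-12-01T03:15:00Z","client_ip":"203.0.113.10","path":"/","headers":["Host","X-Fastly-Request-Id","X-Origin-Secret"]}',
    '{"ts":"2024-12-01T03:16:00Z","client_ip":"192.0.2.44","path":"/login","headers":["Host","User-Agent"]}',
    "garbage line that is not JSON and must be skipped",
]


def from_cdn_range(client_ip: str) -> bool:
    """True when the peer address is inside one of the CDN's blocks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(addr in net for net in CDN_RANGES)


def spoofed_fingerprints(lines):
    """Map each non-CDN source address to the set of CDN names its headers impersonate."""
    report = defaultdict(set)
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed record: skip it, do not stop the scan
        ip = rec.get("client_ip", "")
        if from_cdn_range(ip):
            continue  # genuinely via the CDN; a CDN header there is expected
        for name in rec.get("headers", []):
            cdn = CDN_FINGERPRINTS.get(name.lower())
            if cdn:
                report[ip].add(cdn)
    return dict(report)


def multi_cdn_sources(report, min_cdns=2):
    """Sources impersonating at least `min_cdns` different CDNs: the scanner-like pattern."""
    return sorted(ip for ip, cdns in report.items() if len(cdns) >= min_cdns)


if __name__ == "__main__":
    found = spoofed_fingerprints(SAMPLE_LOG)
    for ip, cdns in found.items():
        print(ip, "spoofs:", ", ".join(sorted(cdns)))
    print("multi-CDN sources:", multi_cdn_sources(found))  # ['198.51.100.7']
```

A single spoofed header from one address is low signal on its own; the grouping step is what surfaces the "multiple fingerprints at roughly the same time" pattern the quote describes.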

Ullrich added that CDNs and other traffic-filtering services will issue a unique value to each customer as proof that traffic has gone through their service, so web administrators should configure their web servers or next-generation firewalls to accept only requests that carry that unique value.

The activity SANS has seen is “definitely something that should be seen as a warning of something that could become more than it is now,” he said. “Now it’s only a curiosity, but it could easily become more. You [admins] need to follow your content delivery network’s guidance to protect your web server from attacks like this.”

The original article, “Suspicious traffic could be testing CDN evasion, says expert,” was published by CSO Online.