Cybersecurity best practices and DDoS defence strategies
In early 2020, a team of Chinese researchers found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs). Named “RangeAmp”, the attack exploits the HTTP range requests attribute that allows clients (usually browsers) to request only a specific portion (range) of a file from a server.
Two types of RangeAmp attacks were identified. The first, known as a RangeAmp Small Byte Range (SBR) attack, is accomplished by sending a malformed HTTP range request to a CDN provider, which amplifies the traffic towards the destination server, eventually overwhelming the targeted site.
The second type is called a RangeAmp Overlapping Byte Range (OBR) attack. To exploit the RangeAmp OBR attack, the attacker also sends a malformed HTTP range request to a CDN provider, but in this case, the web traffic is funnelled through other CDN servers. This attack method amplifies the web traffic inside the CDN networks and not only crashes CDN servers, but also renders the CDNs and many other destination sites inaccessible.
HTTP Range Requests are part of the HTTP standard that allow web clients to request only a specific range of a file from the web server. This feature was created for pausing and resuming traffic in controlled (pause/resume actions) or uncontrolled (network congestion/disconnection) situations. RangeAmp attacks exploit the incorrect implementations of the HTTP range requests attribute by manipulating CDN servers to amplify traffic towards destination servers and ultimately crash targeted sites.
Nexusguard’s “RangeAmp Rule” is designed specifically to mitigate invalid requests that exploit this vulnerability.
Nexusguard’s mitigation methodology involves filtering and stringent rule checking techniques that inspect all HTTP requests so that malicious or invalid requests never reach the backend server.