Content Delivery Networks (CDNs) are designed to improve network performance and to shield the websites they host from web attack traffic. The HTTP compression request mechanism, in turn, aims to reduce unnecessary network transfers. However, we find that the specification failed to consider the security risks that arise when CDNs handle compression requests. In this paper, we present a novel HTTP amplification attack, the CDN Compression Format Convert (CDN-Convet) attack. It allows attackers to massively exhaust not only the outgoing bandwidth of origin servers deployed behind CDNs but also the bandwidth of the CDN surrogate nodes themselves. We evaluated CDN-Convet attacks against 11 popular CDNs to assess their feasibility and real-world impact. Our experimental results show that all of these CDNs are affected by CDN-Convet attacks. We have disclosed our findings to the affected CDN providers and have received constructive feedback.