| The Internet has penetrated into all aspects of contemporary people’s life.In order to ensure the network service quality of users,the Content Delivery Network(CDN)hosts the content of the website on the network device closest to users by adding a new network architecture on the basis of the existing network,so that users can obtain the required content nearby.It improves the response speed when users visit the website and solves the problem of Internet congestion.The Content Delivery Network ensures that web content serves users in an extremely efficient way,mainly based on the cache server.The cache server is distributed at the network edge near users and is a transparent mirror of resource providers and source servers.The cache server provides end users with the best service experience by its caching mechanism and geographical distribution advantages.The Content Delivery Network uses its caching mechanism to solve the problem that the same resources need to be repeatedly transmitted on the network.However,with the emergence of various pollution attacks,they in turn use the vulnerability of the cache mechanism to induce the cache server to save the wrong resource copy in the cache directory,resulting in the user’s request not getting the expected page.More seriously,if the response returned by the source server contains the user’s private information or the page with an attack vulnerability,It is saved as a reasonable resource by the cache server,which also means that the user information is made public,and the cache resources of any visitor hitting the cache server will be attacked by the toxic page.At the same time,the cache server will spread the error information page to other edge nodes on the Content Delivery Network,erasing the corresponding target resources on the victim website.This makes the entire cache server system unavailable.Therefore,it is urgent to actively detect and defend against cache pollution attacks in Content Delivery Network.This paper deeply studies the cache security of the Content Delivery Network,and proposes a detection scheme for the cache pollution of Content Delivery Network to accurately detect whether the resources hosted by the website on the cache server are polluted.In the meantime,a defense strategy against cache pollution is proposed to protect the security of user cache resources.The main research work is as follows:1.Aiming at the problem of cache pollution vulnerability detection,a cache pollution detection scheme based on content consistency check is proposed.Firstly,the dynamic inspection of the website to be detected is carried out.Secondly,for the website that returns a dynamic response,the attack vector is generated by path obfuscation technology to simulate the cache pollution attack and judge the response of the source server.Finally,for the website that the source server returns a successful response,we judge whether the cache server caches the wrong response through the cache control part of the cache server response body.If the attack vector request hits the wrong cache,it means that the website to be detected contains cache pollution vulnerabilities,which are easy to cause further threats.Compared with the previous detection schemes,the content consistency check scheme proposed in this paper can detect cache pollution vulnerabilities for any website,and has good scalability and universality,and the experimental results show that this scheme can detect more potential vulnerability threat.2.For the research on cache pollution vulnerability defense,a cache pollution defense scheme based on the header whitelist is proposed.This solution mainly considers that most of the cache pollution vulnerabilities are caused by the semantic gap.Therefore,based on the advantages of the whitelist,a special security intermediate,header whitelist,is used to process the HTTP messages received by each processing component with HTTP standard as the baseline.The specific approach is to reduce the received request to the minimum header field required by each component and apply the field value to the header whitelist for normalization.In this way,requests containing format errors and ambiguities will be rejected,reducing various risks caused by semantic gap vulnerabilities when processing HTTP messages.As a special security intermediate,the header whitelist agent only needs to be deployed around the components to be protected and does not need to make redundant changes to the processing components to be protected.At the same time,it can also reduce the risk of triggering new attacks by using the semantic gap vulnerability.Therefore,the cache pollution prevention scheme based on the header whitelist can be considered as a method to prevent various attacks caused by the threat of semantic gap. |
PDF Full Text Request