CDNs are very beneficial but also at great risk of being targeted by hackers.
In April 2021, a security researcher known as RyotaK discovered a bug and reported it to Cloudflare under the company’s vulnerability disclosure program. Not a big deal, right? On the contrary, it was a very big deal. The bug exposed a vulnerability that might have involved 13 percent of the world’s websites and countless online stores and e-commerce customers.
How could it be that one vulnerability could expose a large chunk of global internet capability to malicious actors? The answer lies in the letters C-D-N.
CDN, Workhorse of the Internet
First of all, though, what is a CDN? A content delivery network (CDN) is a system of linked servers that provide web content to internet users quickly and securely. Website owners copy and deposit content on CDN servers at different locations, so it is always relatively close to users. The goal: avoid bottlenecks that would occur if all users tried to get to content stored at a single location at the same time. Avoiding bottlenecks also avoids latency, those annoying delays in online service that often make users leave a website in impatience.
CDN benefits abound
But wait, there’s more! Lower latency is just the beginning of CDN benefits:
- Faster website load times. Distributing content to CDN servers close to website visitors reduces bounce rates and increases time that visitors spend on your website.
- Lower bandwidth costs. Bandwidth costs are a big website expense. By caching and using other optimization methods, CDNs reduce the data that origin servers must provide. This approach reduces website hosting costs.
- Greater content availability. The distributed nature of CDNs makes them less likely than most origin servers to stop operations due to hardware failure or traffic overflow.
- Improved customer loyalty. There’s nothing like fast load speeds and high network availability to give website visitors an A-1 customer experience. Customer satisfaction and loyalty usually follow.
But all isn’t rosy in CDN country. There are security vulnerabilities to consider, too.
Types of CDN attacks
Although finding the 2021 Cloudflare vulnerability was a coup, CDNs are vulnerable to a variety of attacks, which include:
- Dynamic content attacks. Attackers flood target networks with dynamic content requests to slow or stop delivery of website services. Distributed denial of service attacks are the best-known example of these exploits.
- SSL-based attacks. Malicious actors aim at a target’s secured online services.
- Direct IP attacks. Hackers launch a direct attack on web server IP addresses at the customer origin server.
- Web application attacks. CDNs provide web apps with only limited protection. This vulnerability exposes customer web applications to data leakage, data theft and other threats.
Learning from the Cloudflare CDN Vulnerability
In his April 2021 research, RyotaK discovered a vulnerability in CDNJS, an open source CDN service supported by its community and Cloudflare. The researcher explored repositories in the CDNJS environment and discovered a way to trick the CDN servers into running code that an intruder inserted into the system.
The vulnerability’s importance lies in its scope. CDNs become choice targets for malicious actors because successful attacks can have far-reaching consequences for many websites, online stores, and their customers. In this case, CDNJS serves millions of websites with more than 4,000 publicly stored collections of JavaScript and CSS files.
If a malicious actor had found the vulnerability before RyotaK, more than one in seven of the world’s websites—and the data they contain—might have been open to scrutiny and likely misuse. (NOTE: The vulnerability described here applies to the CDNJS platform only, not to Cloudflare CDN services.)
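One way a site that loads files from CDNJS can limit this exposure is Subresource Integrity (SRI), a browser feature the article does not cover: the page pins a hash of the file, and the browser refuses a copy that no longer matches. The added example below (not from the article or from CDNJS) audits a page for third-party tags without a pin and checks file contents against a pin; the library name, file contents and site host are constructed.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an SRI token such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"

def matches_integrity(content: bytes, integrity: str) -> bool:
    """Check content against the strongest hash algorithm listed in the attribute."""
    tokens = [t for t in integrity.split() if t.split("-")[0] in STRENGTH]
    if not tokens:
        return False  # nothing verifiable: the audit treats this as unprotected
    best = max(STRENGTH[t.split("-")[0]] for t in tokens)
    return any(sri_hash(content, t.split("-")[0]) == t
               for t in tokens if STRENGTH[t.split("-")[0]] == best)

class CdnTagAudit(HTMLParser):
    """Collect third-party script/stylesheet URLs that carry no integrity attribute."""
    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        is_css = tag == "link" and "stylesheet" in (a.get("rel") or "").lower()
        url = a.get("src") if tag == "script" else a.get("href") if is_css else None
        host = urlparse(url or "").netloc
        if host and host != self.site_host and not a.get("integrity"):
            self.unpinned.append(url)

def audit(html: str, site_host: str) -> list:
    parser = CdnTagAudit(site_host)
    parser.feed(html)
    return parser.unpinned

# Constructed sample data: library name, version and file contents are made up.
ORIGINAL = b"function greet(){return 'hi';}"
TAMPERED = ORIGINAL + b";/* injected */"
PIN = sri_hash(ORIGINAL)
PAGE = f"""<script src="https://cdnjs.cloudflare.com/ajax/libs/example-lib/1.0.0/a.min.js"
 integrity="{PIN}" crossorigin="anonymous"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/example-lib/1.0.0/b.min.js"></script>"""
```

A pin only helps if it was computed from a known-good copy of the file, and it has to be updated whenever the pinned library version changes.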
Protecting Web Content with CDNs
In the Cloudflare case, a human found the vulnerability. But it’s faster, easier, and more thorough to use IT to avoid or neutralize potential cyberattacks. Here’s the lineup of capabilities to look for in well-rounded CDNs. They include functions that protect the CDN from malicious attacks, hardware failure, and traffic overflow.
- Local and global server load balancing makes it easier to scale for rapid spikes in traffic by distributing network data flow evenly across several servers.
- Machine learning caches dynamically generated pages efficiently and reduces bandwidth use.
- Fast dynamic and static content delivery improves response and connection speeds while reducing bandwidth costs. For example: rapid mitigation SLA, low latency (50ms), and 99.999% uptime.
- DDoS protection enables CDNs to redistribute floods of traffic during attacks.
- Automatic, intelligent failover redistributes traffic to other servers when hardware failures make a CDN server go offline.
- Minification and file compression reduce the amount of data that’s transferred by CDNs.
Uneven Advantage Favors the Hackers
The RyotaK research and the Cloudflare investigation that followed yielded takeaways that give a snapshot of CDN security methods:
- The vulnerability could be exploited without special programming or other technical skills.
- A single vulnerability could have affected millions of websites, stores, and customers.
- Related supply chain vulnerabilities (and there were many) were easy to exploit but hard to detect and remediate.
- Cooperation between RyotaK and the Cloudflare security team made it possible to correct the problem within 24 hours of the first report.
Collaboration and a strong set of security tools hold out some hope for more effective protection methods in the future. But in the long run, the advantage still favors the bad guys.