Executive Summary

Title: Forwarding Loop Attacks in Content Delivery Networks may result in denial of service
Name: VU#938151
First vendor publication: 2016-02-29
Vendor: VU-CERT
Last vendor modification: 2016-03-04
Severity (Vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA | Environmental Score: NA
Impact SubScore: NA | Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector:
CVSS Base Score: Not Defined | Attack Range: Not Defined
CVSS Impact Score: Not Defined | Attack Complexity: Not Defined
CVSS Exploit Score: Not Defined | Authentication: Not Defined


Vulnerability Note VU#938151

Forwarding Loop Attacks in Content Delivery Networks may result in denial of service

Original Release date: 29 Feb 2016 | Last revised: 04 Mar 2016


Content Delivery Networks (CDNs) may in some scenarios be manipulated into a forwarding loop, which consumes server resources and causes a denial of service (DoS) on the network.


CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Content Delivery Networks (CDNs) are used to improve website performance and scalability by connecting a user to a geographically nearby server for content. CDNs typically operate in two modes: a "push" mode, which allows a user to upload content to the CDN for later distribution, and a "pull" mode, which effectively acts as a reverse proxy.

In some scenarios, a malicious user can manipulate "pull mode" forwarding so that requests are forwarded in an internal loop within the CDN. This effectively launches a denial of service (DoS) attack against the CDN by consuming large amounts of resources.

More information is provided in the researcher's conference paper.


A remote attacker may be able to create a denial of service condition in CDNs, preventing access to hosted content.


The researchers and CERT have reached out to known affected CDNs to inform them of this attack. CDNs are implementing their own counter-measures to this attack. If you are an employee of a CDN, the CERT/CC encourages you to review the researcher's conference paper to determine if your CDN may be impacted.
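As an added illustration (not code from CERT/CC, the researchers, or any listed vendor), the sketch below models pull-mode nodes as reverse proxies and shows one generic counter-measure: each node appends its own token to a forwarding trail, modelled on the HTTP `Via` header, and refuses a request that already carries its token or exceeds a hop limit. The node names, hostnames, the hop limit and the choice of status 508 are assumptions made for the example.

```python
"""Constructed model of pull-mode forwarding; node names and hosts are made up."""

MAX_VIA_ENTRIES = 8        # assumed hop limit, not a value from the advisory
SIMULATION_BUDGET = 1000   # stops the unprotected run; a real loop has no such cap


class EdgeNode:
    def __init__(self, name, pull_map, loop_check):
        self.name = name
        self.pull_map = pull_map      # Host header -> upstream node name or "ORIGIN"
        self.loop_check = loop_check

    def handle(self, host, via):
        """Return (status, next_hop, via) for one request arriving at this node."""
        if self.loop_check:
            if self.name in via:
                return 508, None, via             # our own token came back: loop
            if len(via) >= MAX_VIA_ENTRIES:
                return 508, None, via             # too many proxies in the chain
        upstream = self.pull_map.get(host)
        if upstream is None:
            return 404, None, via                 # no pull mapping for this host
        return None, upstream, via + [self.name]  # append our token and forward


def route(fleet, entry, host):
    """Follow a request through the fleet; return (final_status, forwards_made)."""
    node, via, forwards = entry, [], 0
    while forwards < SIMULATION_BUDGET:
        if node == "ORIGIN":
            return 200, forwards
        status, next_node, via = fleet[node].handle(host, via)
        if status is not None:
            return status, forwards
        node, forwards = next_node, forwards + 1
    return None, forwards  # budget exhausted: the request never terminated


def build_fleet(loop_check):
    # Constructed configuration: loop.example is pulled a -> b -> a,
    # while ok.example reaches the origin after two forwards.
    a_map = {"loop.example": "edge-b", "ok.example": "edge-b"}
    b_map = {"loop.example": "edge-a", "ok.example": "ORIGIN"}
    return {
        "edge-a": EdgeNode("edge-a", a_map, loop_check),
        "edge-b": EdgeNode("edge-b", b_map, loop_check),
    }
```

With the check enabled, `route(build_fleet(True), "edge-a", "loop.example")` stops after two forwards; without it the request circulates until the simulation budget runs out. The check relies on every hop preserving the trail, so a hop that strips or resets it defeats the token test and leaves only whatever limit the node can enforce locally.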

Vendor Information

Vendor                      Status     Date Notified   Date Updated
Akamai Technologies, Inc.   Affected   -               04 Mar 2016
CDNsun                      Affected   27 Dec 2015     04 Jan 2016
OnApp                       Affected   -               29 Feb 2016
If you are a vendor and your product is affected, let us know.


  • https://www.internetsociety.org/sites/default/files/blogs-media/forwarding-loop-attacks-content-delivery-networks.pdf


Thanks to Jianjun Chen and Jian Jiang for reporting this vulnerability.

This document was written by Garret Wassermann.

Other Information

  • CVE IDs: Unknown
  • Date Public: 24 Feb 2016
  • Date First Published: 29 Feb 2016
  • Date Last Updated: 04 Mar 2016
  • Document Revision: 32


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/938151

Alert History

Date                  Information
2016-03-04 21:29:41   Multiple Updates
2016-03-04 21:23:38   Multiple Updates
2016-02-29 21:30:07   Multiple Updates
2016-02-29 21:24:06   First insertion