Notes on CPDOS attack CDN

Sending malicious HTTP requests (including overside header, meta char, method override header) to CDNs endpoint 
--> these kind of requests are not detected by caching system, are processed by intermediate CDN caching system 
--> then forward to the origin server 
--> origin return server-generated error page 
--> CDN stored error page on edge 
--> CDN serves the same error for normal requests from end-user

Main impact: AWS Cloudfront (FIXED)



  • Site:
  • Paper: PDF
  • Reported to HTTP implementation vendors and cache providers on February 19, 2019