Looking into CDN Traffic in the Network
A CDN or Content Delivery Server, is a geographically distributed network of interconnected servers. CDNs are a crucial part of the modern internet infrastructure which solves the problem of latency (delay before transfer of data begins from a web server) by speeding up the webpage loading time for data-heavy (like multimedia) web applications.
The usage of CDN has significantly increased with the rise of data volumes in web applications in the last few years. As per the Sandvine Global Internet Phenomena Report 2023, different popular CDN providers are included in the list of top 10 video applications for APAC region for their increased volume of application traffic.
Figure 1: Without CDN and with CDN scenario
Network Traffic Analysis
The ATI team in Keysight has analyzed the network traffic of different popular CDN like Amazon CloudFront, Cloudflare, Akamai, Fastly and has seen some interesting information from the decrypted traffic which can be useful for other researchers.
Inside HTTP Request Header:
- When a website decides to use CDN, then sometimes it typically integrates the CDN service name like CloudFront, Cloudflare, akamai etc. at the DNS level which changes the DNS records like CNAME records to point into the CDN’s domain. The same behavior is also seen inside the “Host” or “: authority” header inside the HTTP request. For example, if the original website is “www. popularOTT.com”, then after the CDN name integration the URL looks like www.popularOTT.cdnprovider.com as shown below –
Figure 2: Sample CDN request header
Inside HTTP Response Header:
When a response is sent from the Content Delivery Server (CDN) server, it often includes some specific headers inside the HTTP response packet which provide some information about the CDN server as shown below –
- X-Cache: This header indicates whether a request is a hit, miss or bypass in the CDN cache. If its value is set as “HIT” (“HIT from cloudfront” for CloudFront) inside the HTTP response that means the request is served by the CDN server, not the origin server.
Figure 3: Sample response header from CDN server containing X-Cache header.
- X-Cache-Status: It is similar to “X-Cache” header which provides some detailed information about the caching process. Sometimes we also see the CDN provider information inside the header name. As example when a response is sent from Cloudflare CDN, then sometimes we see this “cf-cache-status” (here cf refers to Cloudflare) header inside the response packet.
Figure 4: Sample response header from CDN server containing X-Cache-Status header.
- Via: This repones header indicates if any intermediate proxy or CDN presents through which the request has passed. As example when a request has passed through Amazon CloudFront CDN, then sometimes we see information about that like “1.1 2b14bcf8de4af74db0f6562ceac643f8.cloudfront.net (CloudFront)” inside the “via” response header.
Figure 5: Sample response header from CDN server containing Via header.
- Server: In some cases, we can see the CDN server name in the “server” header inside the HTTP response packet as shown below –
Figure 6: Sample response header from CDN server containing Server header.
- Sometimes, we see other custom headers like “x-akamai-request-id”, “x-bdcdn-cache-status” etc. inside the HTTP response which indicates that the response is sent from a CDN server.
Figure 7: Sample response header from CDN server containing other CDN related headers.
CDN in Keysight ATI
At Keysight Technologies, our Application and Threat Intelligence (ATI) team, researchers have examined the traffic pattern of various leading CDN service providers based on their application traffic from the world’s top 50 most popular websites and they have published the network traffic pattern of 2 popular CDNs (Amazon CloudFront and Cloudflare) in ATI-2024-03 Strike Pack released on February 15, 2024. So please stay tuned for the other popular CDN application traffic which will be released in the upcoming ATI releases.
Figure 8: CDN Superflows present in BreakingPoint
Leverage Subscription Service to Stay Ahead of Attacks
Keysight's Application and Threat Intelligence subscription provides daily malware and bi-weekly updates of the latest application protocols and vulnerabilities for use with Keysight test platforms. The ATI Research Centre continuously monitors threats as they appear in the wild. Customers of BreakingPoint now have access to attack campaigns for different advanced persistent threats, allowing BreakingPoint Customers to test their currently deployed security control's ability to detect or block such attacks.