End-Users Get Maneuvered: Empirical Analysis of Redirection Hijacking in Content Delivery Networks


Shuai Hao, Yubao Zhang, and Haining Wang, University of Delaware; Angelos Stavrou, George Mason University


The success of Content Delivery Networks (CDNs) relies on the mapping system, which leverages dynamically generated DNS records to distribute clients’ requests to proximal servers for optimal content delivery. However, the mapping system is vulnerable to malicious hijacks, as (1) it is very difficult to provide pre-computed DNSSEC signatures for dynamically generated records and (2) even with DNSSEC enabled, DNSSEC itself is vulnerable to replay attacks. By leveraging a crafted but legitimate mapping between end-user and edge server, adversaries can hijack a CDN’s request redirection and nullify the benefits offered by CDNs, such as proximal access, load balancing, and DoS protection, while remaining undetectable by existing security practices. In this paper, we investigate the security implications of dynamic mapping, which remain understudied in the security and CDN communities. We perform a characterization of CDNs’ service delivery and assess this fundamental vulnerability in DNS-based CDNs in the wild. We demonstrate that DNSSEC is ineffective in addressing this problem, even with the newly adopted ECDSA that is capable of achieving live signing. We then discuss practical countermeasures against such manipulation.

@inproceedings {217555,
author = {Shuai Hao and Yubao Zhang and Haining Wang and Angelos Stavrou},
title = {End-Users Get Maneuvered: Empirical Analysis of Redirection Hijacking in Content Delivery Networks},
booktitle = {27th {USENIX} Security Symposium ({USENIX} Security 18)},
year = {2018},
isbn = {978-1-939133-04-5},
address = {Baltimore, MD},
pages = {1129--1145},
url = {https://www.usenix.org/conference/usenixsecurity18/presentation/hao},
publisher = {{USENIX} Association},
month = aug,
}
