Cloudflare response to CPDoS exploits
Three vulnerabilities were disclosed as Cache Poisoning Denial of Service (CPDoS) attacks in a paper by Hoai Viet Nguyen, Luigi Lo Iacono, and Hannes Federrath of TH Köln - University of Applied Sciences. These attacks are similar to the cache poisoning attacks presented last year at DEFCON. Most customers do not have to take any action to protect themselves from the newly disclosed vulnerabilities. Some configuration changes are recommended if you are a Cloudflare customer who runs unpatched versions of Microsoft IIS with request filtering enabled on your origin, or who has forced caching of HTTP response code 400 through the use of Cloudflare Workers. Cloudflare has not seen any attempted exploitation of the vulnerabilities described in this paper. The company maintains the integrity of its content caching infrastructure by building it to behave in ways compliant with industry standards and by actively adding defenses to its caching logic to protect customers from common caching pitfalls.
Company
Cloudflare
Date published
Oct. 24, 2019
Author(s)
Rustam Lalkaka
Word count
700
Hacker News points
None found.
Language
English