Preventing Malicious Request Loops

A group of researchers has discovered an attack called "Forwarding Loop Attacks in the Content Delivery Networks" that can force multiple service providers to send each other an unending stream of requests in a loop, resulting in resource exhaustion and denial of service at the service provider. The attack is practical and can be performed using a large list of service providers. To prevent such attacks, all proxy services need to conform to HTTP 1.1 standards, which include the "Via" header for preventing request loops. However, some reverse proxy services allow customers to strip or modify headers, including the Via header, leading to potential vulnerabilities. CloudFlare has implemented protections against this attack and encourages other service providers to do the same by not allowing customers to remove or modify Via headers for requests to their site, appending an RFC 7230-compliant Via header when proxying traffic, and returning an appropriate error if a request comes in with its own Via header.