Stepping Stone Detection at The Server Side

Slides:



Advertisements
Similar presentations
How Much Anonymity does Network Latency Leak? Paper by: Nicholas Hopper, Eugene Vasserman, Eric Chan-Tin Presented by: Dan Czerniewski October 3, 2011.
Advertisements

An Empirical Study of Real Audio Traffic A. Mena and J. Heidemann USC/Information Sciences Institute In Proceedings of IEEE Infocom Tel-Aviv, Israel March.
1 Internet Networking Spring 2004 Tutorial 13 LSNAT - Load Sharing NAT (RFC 2391)
Page: 1 Director 1.0 TECHNION Department of Computer Science The Computer Communication Lab (236340) Summer 2002 Submitted by: David Schwartz Idan Zak.
EEC-484/584 Computer Networks Discussion Session for HTTP and DNS Wenbing Zhao
TCP over ad hoc networks Ad Hoc Networks will have to be interfaced with the Internet. As such backward compatibility is a big issue. One might expect.
Design and Implementation of a Server Director Project for the LCCN Lab at the Technion.
1 Spring Semester 2007, Dept. of Computer Science, Technion Internet Networking recitation #12 LSNAT - Load Sharing NAT (RFC 2391)
FIREWALL TECHNOLOGIES Tahani al jehani. Firewall benefits  A firewall functions as a choke point – all traffic in and out must pass through this single.
Process-to-Process Delivery:
On the Anonymity of Anonymity Systems Andrei Serjantov (anonymous)
CECS 5460 – Assignment 3 Stacey VanderHeiden Güney.
From Coulouris, Dollimore, Kindberg and Blair Distributed Systems: Concepts and Design Edition 5, © Addison-Wesley 2012 Exercises for Chapter 3: Networking.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
An Efficient Approach for Content Delivery in Overlay Networks Mohammad Malli Chadi Barakat, Walid Dabbous Planete Project To appear in proceedings of.
1 The Internet and Networked Multimedia. 2 Layering  Internet protocols are designed to work in layers, with each layer building on the facilities provided.
1 Topic 2: Lesson 3 Intro to Firewalls Summary. 2 Basic questions What is a firewall? What is a firewall? What can a firewall do? What can a firewall.
Othman Othman M.M., Koji Okamura Kyushu University 1.
1 TCP - Part II Relates to Lab 5. This is an extended module that covers TCP data transport, and flow control, congestion control, and error control in.
1 Capacity Dimensioning Based on Traffic Measurement in the Internet Kazumine Osaka University Shingo Ata (Osaka City Univ.)
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 4: Planning and Configuring Routing and Switching.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
McGraw-Hill Chapter 23 Process-to-Process Delivery: UDP, TCP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
TCP/IP1 Address Resolution Protocol Internet uses IP address to recognize a computer. But IP address needs to be translated to physical address (NIC).
Network Processing Systems Design
SESSION HIJACKING It is a method of taking over a secure/unsecure Web user session by secretly obtaining the session ID and masquerading as an authorized.
Polytechnic University Firewall and Trusted Systems Presented by, Lekshmi. V. S cos
Defining Network Infrastructure and Network Security Lesson 8.
Chapter 3 Part 1 Switching and Bridging
Behrouz A. Forouzan TCP/IP Protocol Suite, 3rd Ed.
NAT (Network Address Translation)
Chapter 9: Transport Layer
TCP - Part II.
The Intranet.
Instructor Materials Chapter 9: Transport Layer
NET 536 Network Security Firewalls and VPN
Topics discussed in this section:
Packets & Routing Lower OSI layers (1-3) concerned with packets and the network Packets carry data independently through the network, and into other networks…
5. End-to-end protocols (part 1)
Computer Networking Devices
21-2 ICMP(Internet control message protocol)
The Impact of Replacement Granularity on Video Caching
Process-to-Process Delivery, TCP and UDP protocols
Mohammad Malli Chadi Barakat, Walid Dabbous Alcatel meeting
PART 5 Transport Layer Computer Networks.
Web Caching? Web Caching:.
Introduction to Networking
Chapter 6: Network Layer
Switching Techniques In large networks there might be multiple paths linking sender and receiver. Information may be switched as it travels through various.
Internet Networking recitation #12
SWITCHING Switched Network Circuit-Switched Network Datagram Networks
Transport Layer Unit 5.
Chapter 5 TCP Transmission Control
Computer Communication & Networks
* Essential Network Security Book Slides.
Chapter 23 Introduction To Transport Layer
I. Basic Network Concepts
Process-to-Process Delivery:
SPEAKER: Yu-Shan Chou ADVISOR: DR. Kai-Wei Ke
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 4: Planning and Configuring Routing and Switching.
Switching Techniques.
Lecture 3: Secure Network Architecture
CPEG514 Advanced Computer Networkst
Memento: Making Sliding Windows Efficient for Heavy Hitters
Chapter 3 Part 3 Switching and Bridging
Ch 17 - Binding Protocol Addresses
Process-to-Process Delivery: UDP, TCP
Lecture 4a Mobile IP 1.
Virtual Private Network
Message Passing Systems
Presentation transcript:

Stepping Stone Detection at The Server Side A Real-Time Algorithm to Detect whether a proxy being is used as a Stepping Stone Devin Crane

Reference R. Lin et all, “Stepping stone detection at the server side,” in the proceeding 4th IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), pp.964-969, 2011.

Contents Introduction Previous Work New Approach Hacking Vulnerabilities Conclusion

Proxy Server Originally created to enhance web browsing performance for a group of users Saves the results of all requests for a certain amount of time Facilitates anonymous browsing by concealing a user’s IP address

Proxy Server Can be used to circumvent firewalls, such as accessing Facebook from school But a proxy is also used maliciously

Goal Detect the use of a stepping stone from the server’s perspective No general method currently available Dependent on use of Nagle’s algorithm, explained later

Contents Introduction Previous Work New Approach Hacking Vulnerabilities Conclusion

Previous Work A common solution is to check the header variables in a HTTP request for things like X-Forwarded-For or Via. Means the request should have relayed by a web proxy. Doesn’t work for anonymous proxies, since it can simply choose to not add the header to a forwarded HTTP request

Previous Work Other stepping stone detection research seeks to detect whether a host is being used as a stepping stone This newly proposed approach seeks to detect whether a TCP connection is initiated by a stepping stone, from a server’s perspective

Previous Work - Hopper et al Focused on anonymous routing networks, such as Tor or the use of a proxy Used a latency-based attack to detect the location of a client behind the Tor network, based on the network latency between the client and the entry node of the Tor network Measured the application-layer latency based on the time difference between when the proxy receives an HTML page and when the client processes the HTML page Can be thwarted by making the proxy parse the HTML page and issue corresponding HTTP requests on behalf of the client, thereby making the measured network latency and application-layer latency too similar to detect

Contents Introduction Previous Work New Approach Hacking Vulnerabilities Conclusion

New Approach Detect stepping stones from the server side by contrasting the network and application-layer latencies

Nagle’s Algorithm Built into most, possibly all, of TCP implementations today Basic idea is to reduce the number of packets generated by a TCP sender Combines smaller packets into bigger packets Because the algorithm changes the traffic pattern of TCP packet streams, the traffic generated by a client would have different patterns compared with the traffic relayed by a proxy To be referred to as ‘Nagle’s’ going forward

Nagle’s Algorithm Without applying Nagle’s, the inter-arrival times (IAT) of consecutive packets are retained as the data generation intervals at the sender application. If it is enabled, it will buffer data and form a larger packet until old data are acknowledged. So, in most cases, the IAT of generated packets will be close to the round-trip time (RTT) between the sender and the receiver. IAT is the time between the “start” of two events.

Proxy-present scenarios The following 4 scenarios will explain how Nagle’s and the distance from the proxy to the client and server will change the traffic patterns from client to server. Nagle-disabled proxy with RTTcp < RTTps Nagle-disabled proxy with RTTcp > RTTps Nagle-enabled proxy with RTTcp < RTTps Nagle-enabled proxy with RTTcp > RTTps Assume client sends out 4-byte messages every 5ms to the server via the proxy. RTTcp = RTT between the client and proxy RTTps= RTT between the proxy and server IATs = inter-arrival times of packets arriving at the server. PSs = Payload sizes of packets arriving at the server

Case 1: Nagle-disabled proxy with RTTcp < RTTps Proxy is basically a repeater. Since the client still has Nagle’s enabled, the packet inter-arrival times (IAT) sent by the client will be about equal to RTTcp. IATs is about equal to RTTcp .

Case 2: Nagle-disabled proxy with RTTcp > RTTps Same as Case 1, except RTTcp > RTTps. IATs is about equal to RTTps, not RTTcp like in Case 1.

Case 3: Nagle-enabled proxy with RTTcp < RTTps Two-phase buffering effect happens here. Buffering happens at the client, and then Nagle’s means the proxy buffers until the ACK returns from the server before sending more. IATs is about equal to RTTps. Packet payload sizes follow N-modal distr.

n-modal property

Case 4: Nagle-enabled proxy with RTTcp > RTTps Similar to Case 3, except RTTcp > RTTps. Since the proxy can send out packets at a faster pace than the client, the two-phase buffer effect that case 3 doesn’t happen here. IATs is about equal to RTTcp.

Case Summary If a proxy relays TCP traffic for a client towards a server, the patterns of the packets arriving at the server will reveal the presence of the proxy node. Also, the traffic patterns may be different depending on whether Nagle’s is enabled at the proxy and the relative magnitude or distance of RTTcp and RTTps. The 4 cases show that IATs and PSs (packet payload sizes arriving at the server) are indicators for detecting the presence of the proxy node between a client and a server.

New Detection Scheme Enough IATs and PSs samples must have been collected Compare IATs and IATgen (interval in which the client generates small data chunks) If #2 appr. equal, Nagle’s is not enabled at the client and time to abort, to be discussed further in the Security Analysis, or Potential Hacks, section Next, if IATs is not close to RTTus (below), the remote peer is a proxy based on cases 1, 2, and 4.

New Detection Scheme 5. However, if IATs is close to RTTus , and PSs holds the n-modal property, PSs does consistently spread over a certain value over time. Normalize PSs into PNs by dividing PSs by the size of the data chunk generated by the client (4 bytes in this case) This makes PNs the number of chunks delivered by a packet arriving at the server. Divide PNs into a number of segments, with window size n, 10 in this case If the number of chunks in a segment is clustered around a value, the segment is single-modal If ratio of single-modally distributed segments is lower than a threshold, the remote peer is deemed a proxy, otherwise it is a client

New Detection Scheme Algorithm

Controlled Experiments 3 computers: client, proxy, and server, all with Ubuntu Linux 2.6.32 and gigabit Ethernet switch Switch between two configurations to emulate conditions with and without the proxy as a stepping stone C-S configuration, client connects via TCP to server directly C-P-S configuration, used program Socksify to redirect the client’s TCP connections to the server via proxy, where Dante is installed as a SOCKS server Each experimental run, client sends 1,000 4-byte data chunks very 5 ms dummynet used to inject latency from client to proxy to simulate different RTTcp and RTTps

Controlled Experiments The server used the new scheme to determine if a proxy was in use by inferring RTTus, IATs, and PSs based on the received packets 100 runs for C-S config, >= 50 runs for each of 4 cases of the C-P-S config Most wrong decisions made in the Case 3 scenarios, RTTcp < RTTps

Controlled Results

Internet Experiments Conducted on PlanetLab to get uncontrollable cross-traffic 304 nodes, randomly chose 2 nodes as client and server for C-S config and 3 nodes for C-P-S config Enabling Nagle’s is randomly decided > 10,000 C-S runs; > 2,000 of C-P-S runs of 4 cases Scheme can’t detect proxy if RTTcp < 5 ms; removed. < 1% Mostly breaks when RTTcp is similar to RTTps, but the scheme relies on this not being true, only 7% of runs. Also, Case 3. Internet queuing delays may lead to unstable RTTcs

Internet Results

Performance New scheme achieves 92% accuracy in 99% of runs. Can serve as a strong complement to other stepping stone detection algorithms, like Hopper et all, for the scenarios it isn’t as successful. Table 1 Table 2

Contents Introduction Previous Work New Approach Hacking Vulnerabilities Conclusion

Potential hacks of new scheme Disable Nagle’s on both client and proxy New scheme requires Nagle’s to be enabled at the client so it doesn’t work. Must find another detection method However, if the proxy also turns it off, it’s easily detectable since IATs is similar to IATgen

Potential hacks of new scheme Nagle’s disabled on both client and proxy, but the client simulates Nagle’s at the application layer Client can simulate Nagle’s make it look as if it directly connects to the server Packets can be purposely sent with interval time RTTps so that IATs is similar to RTTps. However, this can be detected by occasionally blocking the TCP ACK during detection process. Nagle’s will cause buffering and wait for an ACK. The client will then have to release a packet every RTTps. If an ACK is blocked longer than RTTps, and still see new packets at the server, this evasion is likely happening.

Potential hacks of new scheme Nagle’s is disabled on the client but enabled on the proxy node Client and proxy would be seen as a virtual node with a long internal processing delay. Hard to detect, but Hopper et al’s distance based scheme could help detect in this case

Contents Introduction Previous Work New Approach Hacking Vulnerabilities Conclusion

Conclusion Proposed a new scheme that allows a server to detect whether a remote peer of a TCP connection is a stepping stone Because Nagle’s Algorithm changes the traffic patterns of TCP packet streams, the client traffic would have different patterns when compared with proxy-relayed traffic Therefore this new scheme detects the presence of a stepping stone by observing the interarrival times and payload size of the packets arriving at a server Considered a starting point to give critical Internet users the power to refuse anonymous access whenever necessary

Thank you Any questions?