Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Lam Vin The, Spiros Antonatos and Kostas G. Anagnostakis Adapted by Gary Bramwell.


Spiros Antonatos

Motivation
Considerable effort has been put into detecting current forms of malware
– Viruses, worms, botnets, …
Threats as we know them today will eventually die
– Attackers will avoid traditional attacks
Attacks on the design of applications are the next step
– It has already started (XSS worms, SQL injection attacks)

A next-generation attack: Puppetnets
Botnets have served attackers well so far
Can we have a botnet in a world without buffer overflows and spyware?
– You can call me puppetnet
Puppetnets use the bad design of the World Wide Web to form a limited version of botnets
– No browser or operating system exploits, only typical HTML pages

What can puppetnets do?
Denial of Service attacks
– Flood a victim with requests
Scan subnets for open ports
– Distributed nmap-like scans
Propagate attack vectors
– CodeRed-like worms, XSS worms
Computational attacks
– Calculate MD5 checksums, password cracking

What can’t puppetnets do?
Unable to have total control of a client machine
– They live and die inside web browsers
No raw sockets, no keylogging
Access to the file system is denied
Access to other pages browsed by the user is denied

Puppetnets for DoS attacks
(figure; labels: Stealthiness, To avoid client-side caching)

Effectiveness of DoS
Depends on two factors:
Web session time. How long a user stays on a site
– Most users stay several minutes (nearly 10) on a page
– Data taken from the KDDCUP trace, Webtrends and our personal pages
Size of puppetnets. How many users visit a site concurrently
– 90% of sites have up to nearly one thousand concurrent users
– Maximum value observed was 1 million
– Data from Alexa, ABCE dataset, Webtrends and Webalizer

Measuring DoS
First input: Ingress bandwidth consumed by one puppet vs. RTT between browser and server
Second input: Capacity distribution as measured in “Variability in TCP round-trip times”
MaxURL: make requests with 2K URL length
MaxSYN: make normal requests at an excessive rate

DDoS firepower of 1000 puppets

                      Firefox          Explorer
maxSYN 2 aliases      83.97 Mbit/s     106.3 Mbit/s
maxSYN 3 aliases      137.26 Mbit/s    173.28 Mbit/s
maxURL 2 aliases      664.74 Mbit/s    502.06 Mbit/s
maxURL 3 aliases      Mbit/s           648.33 Mbit/s

We use aliases to trick the browser into handling the same destination as different servers
– “ is not the same as “ for most browsers
Aliases help us overcome restrictions on the maximum number of connections per server

Using puppetnets for scanning
Example: scan the Internet for servers listening on port 5349
The idea is to measure the time spent to get a response
Do a “sandwich” attack
– Time between two requests to attacker.com is the key information needed

Optimizing scanning
In the previous example, for each candidate target we need two requests to the malicious site
– Not scalable; the malicious site ends up DDoSed itself
Use the onLoad and onError hooks provided by JavaScript
– Sandwich as backup solution, in the absence of JavaScript
Measure the time between the request and the onLoad/onError trigger

Scanning illustrated
We need to define two parameters: unreachable and timeout

Defining scanning parameters
Measured time to get the main index of 50,880 web servers
Measurements from four different network points
– Geographically distributed
– Different connectivity characteristics

Effectiveness of scanning
The longer the timeout is, the fewer scans we can do per minute
– Unreachable timeout was set to 200ms
Fewer scans means fewer targets found
Note: browsers impose port restrictions, mainly telnet, POP3 and IMAP

Malicious computations
Make puppets perform malicious computations
– RC5 cracking, MD5 calculations, etc.
Use JavaScript or Java applets for computations
A 1000-node puppetnet is as fast as a 128-node cluster

Method              MD5 calculations
Javascript          380
Java applet         434K
Java stand-alone    640K
C stand-alone       3.3M

Other cool stuff
Spam distribution through puppetnets
– Safari browser allows connecting to any port!
Weakly designed web services can be exploited
– Lycos mail uses cookies for login
– Form for sending mail is simple (most services usually put a hidden id)
– Any puppet that has recently logged in to Lycos can send spam through the user’s account
We found Lycos with a 30-minute search; there are thousands of services out there

Defenses (1/3)
Disable JavaScript
– Threat will be reduced but not eliminated
– Browsing experience will be altered significantly
IDS/IPS signatures
– For example, detect SMTP commands inside a POST
– Hard for DDoS attacks
– Obfuscation of HTML and JavaScript prevents static analysis
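The IDS/IPS signature idea on this slide, worked through as an added example that is not code from the paper or the slides: a small inspector that parses a raw HTTP request and flags SMTP command verbs at the start of lines in a POST body. The request samples, the verb list and the two-verb alert threshold are assumptions made for this example.

```javascript
// Added example, not from the paper or the slides: an IDS-style check that
// flags SMTP command verbs inside the body of an HTTP POST, the signature
// idea mentioned on the "Defenses (1/3)" slide. The request samples at the
// bottom are constructed for this example.

// SMTP verbs that have no business appearing at the start of a line in a
// browser-originated POST body. Anchoring at line start mirrors how an SMTP
// server parses commands and keeps false positives on ordinary form data low.
const SMTP_VERB_RE = /^(HELO|EHLO|MAIL FROM:|RCPT TO:|DATA|QUIT)(?![A-Za-z])/i;

// Split a raw HTTP/1.x request into method, target, headers and body.
function parseHttpRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  const body = sep === -1 ? '' : raw.slice(sep + 4);
  const lines = head.split('\r\n');
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers, body };
}

// Return every SMTP verb found at the start of a body line, in order.
function findSmtpCommands(body) {
  const found = [];
  for (const line of body.split(/\r?\n/)) {
    const m = SMTP_VERB_RE.exec(line);
    if (m) found.push(m[1].toUpperCase());
  }
  return found;
}

// Decide whether a request deserves an alert. Only POST bodies are inspected,
// and an alert needs at least two distinct verbs (a threshold chosen for this
// example, not a figure from the paper) so that a lone "DATA" in free text
// does not trip it.
function inspectRequest(raw) {
  const req = parseHttpRequest(raw);
  if (req.method !== 'POST') return { alert: false, commands: [], target: req.target };
  const commands = findSmtpCommands(req.body);
  return { alert: new Set(commands).size >= 2, commands, target: req.target };
}

// Constructed sample: a form POST whose body is really an SMTP dialogue.
const SMTP_IN_POST =
  'POST / HTTP/1.1\r\nHost: mail.example\r\nContent-Type: text/plain\r\n\r\n' +
  'HELO puppet\r\nMAIL FROM:<a@example>\r\nRCPT TO:<b@example>\r\nDATA\r\n';

// Constructed sample: an ordinary login form, which must not alert even
// though the words "data" and "quit" appear in a field value.
const BENIGN_POST =
  'POST /login HTTP/1.1\r\nHost: www.example\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n\r\n' +
  'user=alice&pass=data+quit';

// Constructed sample: a GET is never inspected.
const BENIGN_GET = 'GET /HELO HTTP/1.1\r\nHost: www.example\r\n\r\n';

for (const sample of [SMTP_IN_POST, BENIGN_POST, BENIGN_GET]) {
  const r = inspectRequest(sample);
  console.log(r.alert ? 'ALERT' : 'ok   ', r.target, r.commands.join(' | '));
}
```

The slide's own caveats apply unchanged: a signature like this does nothing against plain request floods, and a body assembled by obfuscated script on the client only becomes visible at the network edge, which is exactly where this check would have to sit.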

Defenses (2/3)
Client-side behavioral controls
– Limit the number of non-local objects
– 99% of websites access 11 or fewer foreign domains, 99.94% fewer than 20
– Can achieve a 10x reduction in DDoS strength while disrupting 0.1% of websites
– Can be bypassed if the attacker has access to a DNS server

Defenses (3/3)
Access Tokens
Server sends a policy to the client that describes the level of trust for a specific referrer
Client implements the policy inside the browser
If the referrer is not trustworthy, all requests to the victim server will be stopped at the client side

Access Tokens illustrated
(figure)

Access Token limitations
Requires implementation on the client and browser side
– Server must issue policies
– Client must be set up to implement policies
Only requests after the first are blocked
– First request still sent and acked
– Severely hampers, but still allows, DDoS
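The two browser-side controls from the Defenses (2/3) and Defenses (3/3) slides, together with the "first request still sent" limitation above, modelled as an added example that is not code from the paper or the slides. It runs a constructed page through a foreign-domain cap and a server-issued referrer policy and reports which requests would have left the browser. The policy format, the cap of 20 (taken from the 99.94% figure on the slide), the URL names and the simulation harness are all assumptions made for this example; the paper does not specify any of them.

```javascript
// Added example, not from the paper or the slides: a model of the two
// browser-side controls on the "Defenses (2/3)" and "Defenses (3/3)" slides,
// run over a constructed page. The policy format, the domain cap and every
// URL below are assumptions made for this example; the paper does not
// specify them.

// Approximate the registrable domain by the host's last two labels. Real
// browsers would use the public suffix list; this is enough to illustrate.
function siteOf(url) {
  const labels = new URL(url).hostname.toLowerCase().split('.');
  return labels.slice(-2).join('.');
}

// Control 1 (Defenses 2/3): cap the distinct foreign domains a page may
// contact. The slide reports that 99.94% of sites reach fewer than 20 foreign
// domains, so 20 is the default cap used here.
class ForeignDomainLimiter {
  constructor(pageUrl, maxForeign = 20) {
    this.site = siteOf(pageUrl);
    this.maxForeign = maxForeign;
    this.foreign = new Set();
  }
  // Returns true if the request may be sent.
  allow(requestUrl) {
    const site = siteOf(requestUrl);
    if (site === this.site) return true;       // local object, never counted
    if (this.foreign.has(site)) return true;   // domain already admitted
    if (this.foreign.size >= this.maxForeign) return false;
    this.foreign.add(site);
    return true;
  }
}

// Control 2 (Defenses 3/3): access tokens. A server publishes which referrers
// it trusts; the browser stores that policy and consults it before sending
// later requests. Policy shape assumed here:
//   { defaultTrust: 'allow' | 'deny', referrers: { [site]: 'allow' | 'deny' } }
class ReferrerPolicyEnforcer {
  constructor() { this.policies = new Map(); }   // victim site -> policy
  // Record the policy carried by a response from `serverUrl`.
  learn(serverUrl, policy) { this.policies.set(siteOf(serverUrl), policy); }
  // Returns true if a page at `referrerUrl` may request `targetUrl`. With no
  // stored policy the request goes through: that is why the first request
  // is still sent, as the "Access Token limitations" slide notes.
  allow(targetUrl, referrerUrl) {
    const policy = this.policies.get(siteOf(targetUrl));
    if (!policy) return true;
    const ref = siteOf(referrerUrl);
    const trust = ref in policy.referrers ? policy.referrers[ref] : policy.defaultTrust;
    return trust === 'allow';
  }
}

// Run a page's outgoing requests through both controls in order.
// `policyResponses` maps a request URL to the policy its response would carry,
// standing in for the server side of the exchange. Returns one verdict per URL.
function simulatePage(pageUrl, requestUrls, policyResponses = {}) {
  const enforcer = new ReferrerPolicyEnforcer();
  const limiter = new ForeignDomainLimiter(pageUrl);
  const log = [];
  for (const url of requestUrls) {
    let verdict = 'sent';
    if (!enforcer.allow(url, pageUrl)) verdict = 'blocked-by-policy';
    else if (!limiter.allow(url)) verdict = 'blocked-by-domain-cap';
    if (verdict === 'sent' && policyResponses[url]) enforcer.learn(url, policyResponses[url]);
    log.push({ url, verdict });
  }
  return log;
}

// Constructed scenario: a page that makes three requests to a victim site and
// embeds one image from each of 25 unrelated domains.
const PAGE = 'http://puppet-page.example/index.html';
const VICTIM_HITS = ['a', 'b', 'c'].map(n => `http://victim.example/${n}.png`);
const SPRAY = Array.from({ length: 25 }, (_, i) => `http://cdn${i}.example/pixel.gif`);
// The victim's first response carries a policy that trusts only named referrers.
const VICTIM_POLICY = {
  defaultTrust: 'deny',
  referrers: { 'victim.example': 'allow', 'partner.example': 'allow' },
};

function runScenario() {
  const log = simulatePage(PAGE, [...VICTIM_HITS, ...SPRAY], { [VICTIM_HITS[0]]: VICTIM_POLICY });
  return {
    sent: log.filter(e => e.verdict === 'sent').length,
    blockedByPolicy: log.filter(e => e.verdict === 'blocked-by-policy').map(e => e.url),
    blockedByCap: log.filter(e => e.verdict === 'blocked-by-domain-cap').length,
  };
}

console.log(runScenario());
```

In the scenario the first victim request is sent and its policy is learned, the two that follow are stopped by the policy, and after the first 19 distinct third-party domains are admitted (the victim already counts as one) the remaining six are stopped by the cap, so 20 of 28 requests leave the browser. Both results line up with the slides: the cap cuts volume without touching the victim's first hit, and the access token only takes effect once a response has been seen.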

Questions?

Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Lam Vin The, Spiros Antonatos and Kostas G. Anagnostakis To appear in ACM CCS 2006

Backup slides

Web session times
(figure)

Puppetnet size
(figure)