The Dark Side of the Web: An Open Proxy’s View Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson Princeton University.


Nov 20, 2003, CoDeeN Security, HotNets II

Slide 2: Origins: Surviving Heavy Loads
- Surviving flash crowds, DDoS attacks
  - Absorb via massive resources
  - Raise the bar for attacks: tolerate smaller crowds, survive larger attacks
- Existing approach: Content Distribution Networks

Slide 3: Building an Academic CDN
- Flash crowds are real
- We have the technology
  - OSDI’02 paper on CDN performance
  - USITS’03 proxy API
- PlanetLab provides the resources
  - Continuous service, decentralized control
  - Seeing real traffic, reliability, etc.
- We use it ourselves
- Open access = more traffic

Slide 4: How Does CoDeeN Work?
- Server surrogates (proxies) on most North American sites
  - Originally everywhere, but we cut back
- Clients specify proxy to use
- Cache hits served locally
- Cache misses forwarded to CoDeeN nodes
  - Maybe forwarded to origin servers

Slide 5: How Does CoDeeN Work?
[Diagram: a client sends a request to a CoDeeN proxy; a cache hit is answered locally, a cache miss is forwarded to another CoDeeN proxy, and a miss there is forwarded to the origin; the response flows back along the same path.]
- Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector
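The request path on this slide, as an added illustration that is not CoDeeN's own code: each node acts as a forward proxy for its own clients, as a redirector that maps a URL to the node responsible for it, and as a reverse proxy that serves redirected requests and goes to the origin on a miss. The node names, the hash-based redirector and the Origin stub are assumptions made for the example.

```python
import hashlib

# Constructed model of the CoDeeN request path. Node names, the hash-based
# redirector and the Origin stub are assumptions for illustration, not
# CoDeeN's own code.

NODES = ["node-a.example", "node-b.example", "node-c.example"]  # assumed cluster


def pick_node(url, nodes=NODES):
    """Redirector role: map a URL to the node that caches it on behalf of the cluster."""
    digest = hashlib.sha256(url.encode()).digest()
    return nodes[int.from_bytes(digest[:4], "big") % len(nodes)]


class Origin:
    """Stand-in for the origin server; counts how often content is actually fetched."""

    def __init__(self):
        self.fetches = 0

    def fetch(self, url):
        self.fetches += 1
        return "content-of:" + url


class CoDeeNProxy:
    def __init__(self, name, cluster, origin):
        self.name = name
        self.cache = {}
        self.cluster = cluster  # shared dict: node name -> CoDeeNProxy
        self.origin = origin

    def handle_client(self, url):
        """Forward-proxy role: a client chose this node; serve local hits, redirect misses."""
        if url in self.cache:
            return self.cache[url], "local-hit"
        owner = self.cluster[pick_node(url, list(self.cluster))]
        body, how = owner.handle_forwarded(url)
        self.cache[url] = body  # keep a local copy for the next client of this node
        return body, how

    def handle_forwarded(self, url):
        """Reverse-proxy role: serve requests redirected by peers; fall through to the origin."""
        if url in self.cache:
            return self.cache[url], "remote-hit@" + self.name
        body = self.origin.fetch(url)
        self.cache[url] = body
        return body, "origin-via@" + self.name


def demo(url="http://example.test/paper.pdf"):
    """Three requests for one URL from two non-owner nodes: (how each was served, origin fetches)."""
    origin = Origin()
    cluster = {}
    for name in NODES:
        cluster[name] = CoDeeNProxy(name, cluster, origin)
    others = [n for n in NODES if n != pick_node(url)]
    first = cluster[others[0]].handle_client(url)[1]
    second = cluster[others[1]].handle_client(url)[1]
    third = cluster[others[1]].handle_client(url)[1]
    return [first, second, third], origin.fetches


if __name__ == "__main__":
    print(demo())
```

The point of the redirector is that the origin is contacted once for the whole cluster: the first request goes to the origin via the owning node, the second node's miss is answered by the owner's cache, and the second node's next request is a local hit.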

Slide 6: Steps For Inviting Trouble
- Use a popular protocol: HTTP
- Emulate a popular tool/interface: Web proxy servers
- Allow open access, with HTTP’s lack of accountability
- Be more attractive than competition: uptime, bandwidth, anonymity

Slide 7: Hello, Trouble!
- Spammers
- Bandwidth hogs
- High request rates
- Content thieves
- Worrisome anonymity
- Commonality: using CoDeeN to do things they would not do directly

Slide 8: The Root of All Trouble
[Diagram: (malicious) client, over http/tcp, to CoDeeN proxy, to origin.]
- No end-to-end authentication

Slide 9: Spammers
- SMTP (port 25) tunnels via CONNECT
  - Relay via open mail server
- POST forms (formmail scripts)
  - Exploit website scripts
- IRC channels (port 6667) via CONNECT
  - Captive audience, high port #

Slide 10: Attempted SMTP Tunnels/Day
[Chart; the data series is not in the transcript.]

Slide 11: Bandwidth Hogs
- Webcam trackers: mass downloads of paid cam sites
- Cross-Pacific traffic: simultaneous large file downloads
- Steganographers: large files, small images, all uniform sizes
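Two of the patterns on this slide can be picked out of proxy logs without looking at content: sheer volume per client, and a run of "images" that are all large and all nearly the same size. The detector below is an added example written for this page, not CoDeeN's code; the log records, thresholds and client addresses are constructed for illustration.

```python
import statistics
from collections import defaultdict

# Constructed sample log: (client ip, url, content-type, response bytes).
# These are made-up records, not CoDeeN data.
SAMPLE_LOG = []
for i in range(6):  # client A: six ~1 MiB "images" of almost identical size
    SAMPLE_LOG.append(("198.51.100.7", f"http://img.example/frame{i}.jpg", "image/jpeg", 1048576 + i))
for i in range(10):  # client B: ten 8 MiB archives in one window
    SAMPLE_LOG.append(("203.0.113.9", f"http://files.example/part{i}.zip", "application/zip", 8 * 1024 * 1024))
for i, size in enumerate([4200, 17800, 9100, 1500, 23000, 800]):  # client C: ordinary browsing
    SAMPLE_LOG.append(("192.0.2.44", f"http://www.example/img{i}.png", "image/png", size))

LARGE_IMAGE_BYTES = 512 * 1024   # assumed: an "image" this big is unusual
UNIFORM_CV = 0.02                # assumed: coefficient of variation below this counts as uniform
MIN_IMAGE_SAMPLES = 5            # assumed: do not judge a client on fewer images than this
BYTE_BUDGET = 50 * 1024 * 1024   # assumed: per-client volume threshold for the log window


def per_client_stats(log):
    """Aggregate bytes, request count and image response sizes per client address."""
    stats = defaultdict(lambda: {"bytes": 0, "requests": 0, "image_sizes": []})
    for ip, _url, ctype, size in log:
        s = stats[ip]
        s["bytes"] += size
        s["requests"] += 1
        if ctype.startswith("image/"):
            s["image_sizes"].append(size)
    return stats


def uniform_large_images(sizes):
    """True when a client fetched many large images whose sizes barely vary."""
    if len(sizes) < MIN_IMAGE_SAMPLES or min(sizes) < LARGE_IMAGE_BYTES:
        return False
    mean = statistics.fmean(sizes)
    return statistics.pstdev(sizes) / mean < UNIFORM_CV


def flag_bandwidth_hogs(log=SAMPLE_LOG):
    """Map client ip -> list of reasons for clients worth a closer look."""
    findings = {}
    for ip, s in per_client_stats(log).items():
        reasons = []
        if s["bytes"] > BYTE_BUDGET:
            reasons.append("volume")
        if uniform_large_images(s["image_sizes"]):
            reasons.append("uniform-large-images")
        if reasons:
            findings[ip] = reasons
    return findings


if __name__ == "__main__":
    for ip, reasons in flag_bandwidth_hogs().items():
        print(ip, reasons)
```

Uniform size is a weak signal on its own (thumbnail galleries also produce it), which is why the check also requires the images to be large and why it only feeds a review list rather than an automatic block.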

Slide 12: High Request Rates
- Password crackers: attacking random Yahoo! accounts
- Google crawlers: dictionary crawls – baffles Googlians
- Click counters: defeat ad-supported “game”

Slide 13: Content Theft
- Licensed content theft: journals and databases are expensive
- Intra-domain access: protected pages within the hosting site

Slide 14: Worrisome Anonymity
- Request spreaders: use CoDeeN as a DDoS platform!
- TCP over HTTP: non-HTTP traffic on port 80; access logging insufficient
- Vulnerability testing: low rate, triggers IDS

Slide 15: Goals, Real & Otherwise
- Desired: allow only “safe” accesses
- Ideally: an oracle tells you what’s safe, and “your” users are not impacted
- Open proxies considered inherently bad
  - NLANR requires accounts, proxy-auth
  - JANET closed to outsiders
- No research in “partially open” proxies

Slide 16: Privilege Separation
[Diagram: a local client’s request to its local proxy is a privileged request; a remote client’s request, arriving through a remote proxy, is an unprivileged request; both reach the local server through the local proxy.]

Slide 17: Rate Limiting
- 3 scales capture burstiness: minute, hour, day
- Exceptions: login attempts, vulnerability tests
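A limiter in the shape this slide describes, as an added example that is not CoDeeN's own implementation: one sliding window per scale (minute, hour, day) so that a short burst and a slow, sustained stream are both caught, and a separate, tighter set of limits for request classes the slide lists as exceptions. The limits, the paths treated as exceptions and the client addresses are assumptions for the example.

```python
import time
from collections import deque

# Constructed example: per-client sliding-window counters at three scales.
# All limits and the exception path list are assumptions, not CoDeeN's values.
WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}
DEFAULT_LIMITS = {"minute": 60, "hour": 1000, "day": 8000}
EXCEPTION_LIMITS = {"minute": 5, "hour": 30, "day": 100}
EXCEPTION_PATHS = ("/login", "/cgi-bin/")   # assumed: login forms and script paths


class RateLimiter:
    def __init__(self, limits=DEFAULT_LIMITS, exception_limits=EXCEPTION_LIMITS):
        self.limits = limits
        self.exception_limits = exception_limits
        self.history = {}   # (client, class) -> deque of request timestamps

    @staticmethod
    def classify(path):
        return "exception" if path.startswith(EXCEPTION_PATHS) else "normal"

    def allow(self, client, path, now=None):
        """Return (allowed, window_that_refused_or_None); records the request if allowed."""
        now = time.time() if now is None else now
        cls = self.classify(path)
        limits = self.exception_limits if cls == "exception" else self.limits
        q = self.history.setdefault((client, cls), deque())
        # forget anything older than the widest window
        while q and now - q[0] >= WINDOWS["day"]:
            q.popleft()
        # check the narrowest window first so the reason names the scale that tripped
        for name, span in WINDOWS.items():
            count = sum(1 for t in q if now - t < span)
            if count >= limits[name]:
                return False, name
        q.append(now)
        return True, None


def demo():
    """Replay two constructed clients against the limiter with synthetic timestamps."""
    rl = RateLimiter()
    t0 = 1_000_000.0
    # six login attempts one second apart: the exception class allows five per minute
    login = [rl.allow("198.51.100.7", "/login", t0 + i) for i in range(6)]
    # one ordinary page every two seconds: under the minute limit, but it eventually
    # exceeds the hour limit, which the minute-scale check alone would never see
    bulk_refused = None
    for i in range(1200):
        ok, window = rl.allow("203.0.113.9", "/pages/p%d.html" % i, t0 + 2 * i)
        if not ok:
            bulk_refused = (i, window)
            break
    return {
        "login_verdicts": [ok for ok, _ in login],
        "login_window": login[-1][1],
        "bulk_refused": bulk_refused,
    }


if __name__ == "__main__":
    print(demo())
```

The second client is the reason for having more than one scale: at thirty requests a minute it never trips the minute limit, but the hour window refuses it on its 1001st request.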

Slide 18: Other Techniques
- Limiting methods – GET, (HEAD); local users not restricted
- Sanity checking on requests: browsers, machines very different
- Modifying request stream: most promising future direction
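The method limit on this slide, the privileged/unprivileged split of slide 16, the CONNECT tunnels of slide 9 and the intra-domain access of slide 13 all come together in one admission decision per request. The policy below is an added example written for this page, not CoDeeN's code: the local address range, the hosting-site domain, the port allow-list and the sample request lines are placeholders and constructed inputs.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed admission policy. The local range, hosting-site domain and port
# allow-list are placeholders, not CoDeeN's configuration.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # placeholder: the hosting site's own addresses
HOSTING_DOMAIN = "hosting-site.example"              # placeholder: the site that runs the proxy
OPEN_METHODS = {"GET", "HEAD"}                       # the slide's limit for outsiders
CONNECT_PORTS = {443}                                # assumption: tunnels only to the TLS port


def is_local(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def decide(client_ip, request_line):
    """Return (allowed, reason) for one request line as seen by the proxy."""
    try:
        method, target, version = request_line.split(" ")
    except ValueError:
        return False, "malformed-request-line"
    if not version.startswith("HTTP/"):
        return False, "not-http"                      # something other than HTTP on the HTTP port
    privileged = is_local(client_ip)

    if method == "CONNECT":
        _host, sep, port = target.rpartition(":")
        if not privileged:
            return False, "connect-unprivileged"      # no SMTP/IRC tunnels for outsiders
        if not sep or not port.isdigit() or int(port) not in CONNECT_PORTS:
            return False, "connect-port-not-allowed"
        return True, "connect-privileged"

    if not privileged and method not in OPEN_METHODS:
        return False, "method-unprivileged"           # e.g. POST to form scripts, local users only
    parts = urlsplit(target)
    if parts.scheme != "http" or not parts.hostname:
        return False, "not-absolute-http-url"
    host = parts.hostname
    if not privileged and (host == HOSTING_DOMAIN or host.endswith("." + HOSTING_DOMAIN)):
        return False, "intra-domain-unprivileged"     # protected pages within the hosting site
    return True, "privileged" if privileged else "open"


SAMPLE_REQUESTS = [  # constructed (client ip, request line) pairs, not real traffic
    ("10.1.2.3", "GET http://www.example/index.html HTTP/1.1"),
    ("198.51.100.7", "GET http://www.example/index.html HTTP/1.1"),
    ("198.51.100.7", "CONNECT mail.example:25 HTTP/1.1"),
    ("10.1.2.3", "CONNECT mail.example:25 HTTP/1.1"),
    ("10.1.2.3", "CONNECT secure.example:443 HTTP/1.1"),
    ("198.51.100.7", "POST http://www.example/cgi-bin/formmail.pl HTTP/1.1"),
    ("198.51.100.7", "GET http://library.hosting-site.example/journal/vol1 HTTP/1.1"),
    ("198.51.100.7", "EHLO relay.example x"),
]


def run_policy(requests=SAMPLE_REQUESTS):
    """Reasons, in order, for each sample request."""
    return [decide(ip, line)[1] for ip, line in requests]


if __name__ == "__main__":
    for (ip, line), reason in zip(SAMPLE_REQUESTS, run_policy()):
        print(f"{ip:14} {reason:28} {line}")
```

Deciding on the request line alone is deliberately cheap; it is the sanity-check layer, and anything it lets through still goes to the rate limiter and the logs.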

Slide 19: By The Numbers…
- Running 24/7 since May, ~40 nodes
- Over 400,000 unique IPs as clients
- Over 150 million requests serviced
- Valid rates up to 50K reqs/hour
- Roughly 4 million reqs/day aggregate
- About 4 real abuse incidents
- Availability: high uptimes, fast upgrades

Slide 20: Daily Client Population Count
[Chart; the data series is not in the transcript.]

Slide 21: Daily Request Volume
[Chart; the data series is not in the transcript.]

Slide 22: Monitors & Other Venues
- Routinely trigger open proxy alerts: educating sysadmins, others
- Really good honeypots
  - 6000 SMTP flows/minute at CMU
  - Spammers do ~1M HTTP ops/day
- Early problem detection: failing PlanetLab nodes, compromised university machines

Slide 23: Lessons & Directions
- Few substitutes for reality
  - Non-dedicated hardware really interesting
  - Failure modes not present in NS-2
- Stopgap measures pretty effective
  - Very slow arms race
  - Breathing time for better solutions
- Next: more complex techniques: machine learning, high-dim clustering

Slide 24: More Info
- Thanks: Intel, HP, iMimic, PlanetLab Central