
The Dark Side of the Web: An Open Proxy’s View Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson Princeton University.


1 The Dark Side of the Web: An Open Proxy’s View Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson Princeton University

Nov 20, 2003, CoDeeN Security - HotNets II

2 Origins: Surviving Heavy Loads
- Surviving flash crowds, DDoS attacks
- Absorb via massive resources
- Raise the bar for attacks
  - Tolerate smaller crowds
  - Survive larger attacks
- Existing approach: Content Distribution Networks

3 Building an Academic CDN
- Flash crowds are real
- We have the technology
  - OSDI’02 paper on CDN performance
  - USITS’03 proxy API
- PlanetLab provides the resources
  - Continuous service, decentralized control
  - Seeing real traffic, reliability, etc.
- We use it ourselves
- Open access = more traffic

4 How Does CoDeeN Work?
- Server surrogates (proxies) on most North American sites
  - Originally everywhere, but we cut back
- Clients specify proxy to use
- Cache hits served locally
- Cache misses forwarded to CoDeeN nodes
  - Maybe forwarded to origin servers

5 How Does CoDeeN Work?
[Diagram: Request from a client to a CoDeeN proxy; cache hit served with a local Response; cache miss forwarded to another CoDeeN proxy, and on a further cache miss to the origin, with the Response returned along the same path.]
- Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector

6 Steps For Inviting Trouble
- Use a popular protocol: HTTP
- Emulate a popular tool/interface: Web proxy servers
- Allow open access, with HTTP’s lack of accountability
- Be more attractive than competition: uptime, bandwidth, anonymity

7 Hello, Trouble!
- Spammers
- Bandwidth hogs
- High request rates
- Content thieves
- Worrisome anonymity
- Commonality: using CoDeeN to do things they would not do directly

8 The Root of All Trouble
[Diagram: (Malicious) Client -> http/tcp -> CoDeeN Proxy -> http/tcp -> origin]
- No end-to-end authentication

9 Spammers
- SMTP (port 25) tunnels via CONNECT
  - Relay via open mail server
- POST forms (formmail scripts)
  - Exploit website scripts
- IRC channels (port 6667) via CONNECT
  - Captive audience, high port #

10 Attempted SMTP Tunnels/Day
[Chart: attempted SMTP tunnels per day]

11 Bandwidth Hogs
- Webcam trackers
  - Mass downloads of paid cam sites
- Cross-Pacific traffic
  - Simultaneous large file downloads
- Steganographers
  - Large files, small images
  - All uniform sizes

12 High Request Rates
- Password crackers
  - Attacking random Yahoo! accounts
- Google crawlers
  - Dictionary crawls – baffles Googlians
- Click counters
  - Defeat ad-supported “game”

13 Content Theft
- Licensed content theft
  - Journals and databases are expensive
- Intra-domain access
  - Protected pages within the hosting site

14 Worrisome Anonymity
- Request spreaders
  - Use CoDeeN as a DDoS platform!
- TCP over HTTP
  - Non-HTTP port 80
  - Access logging insufficient
- Vulnerability testing
  - Low rate, triggers IDS

15 Goals, Real & Otherwise
- Desired: allow only “safe” accesses
- Ideally
  - An oracle tells you what’s safe
  - “Your” users are not impacted
- Open proxies considered inherently bad
  - NLANR requires accounts, proxy-auth
  - JANET closed to outsiders
- No research in “partially open” proxies

16 Privilege Separation
[Diagram with labels: Local Client, Privileged Request, Local Proxy, Local Server, Remote Client, Remote Proxy, Unprivileged Request. Requests from a Local Client to the Local Proxy are privileged; requests arriving from a Remote Client via a Remote Proxy are unprivileged.]

17 Rate Limiting
- 3 scales capture burstiness: day, hour, minute
- Exceptions
  - Login attempts
  - Vulnerability tests
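As an added illustration of the idea on this slide (not code from the talk or from CoDeeN itself), the following Python model keeps a per-client counter at each of the three scales and gives the two exception classes, login attempts and vulnerability tests, a much smaller budget than ordinary requests. The budget values, the two-pattern request classifier and the sample traffic are all constructed assumptions.

```python
"""Three-scale (minute/hour/day) request limiter with per-class budgets.

Added example modelling the rate-limiting slide; not CoDeeN's own code.
Budgets, the classifier's patterns and the sample traffic are constructed.
"""
import re
from collections import defaultdict

# Window length in seconds for each of the three scales on the slide.
SCALES = {"minute": 60, "hour": 3600, "day": 86400}

# Per-client request budget per window. Constructed sample values.
LIMITS = {
    "default":  {"minute": 30, "hour": 600, "day": 5000},
    # The slide's two exception classes get far tighter budgets.
    "login":    {"minute": 3,  "hour": 20,  "day": 100},
    "vulntest": {"minute": 1,  "hour": 3,   "day": 5},
}

# Assumed request classifier: a login-form POST, or a path carrying
# traversal / NUL-byte patterns typical of automated vulnerability scanning.
LOGIN_RE = re.compile(r"/login\b", re.IGNORECASE)
VULNTEST_RE = re.compile(r"\.\./|%00")


def classify_request(method, path):
    """Return the budget class a request is charged against."""
    if VULNTEST_RE.search(path):
        return "vulntest"
    if method == "POST" and LOGIN_RE.search(path):
        return "login"
    return "default"


class MultiScaleLimiter:
    """Fixed-window counters at minute, hour and day granularity.

    Each (client, class, scale) has its own window; a request is refused as
    soon as any one scale's budget is exceeded, so a short burst trips the
    minute limit while a slow, steady drip trips the hour or day limit.
    """

    def __init__(self, limits=LIMITS):
        self.limits = limits
        # key -> [window_start, count]
        self.windows = defaultdict(lambda: [0, 0])

    def allow(self, client, now, cls):
        """Charge one request to every scale; return (allowed, reason)."""
        allowed, reason = True, "ok"
        for scale, length in SCALES.items():
            win = self.windows[(client, cls, scale)]
            if now - win[0] >= length:  # window expired: open a fresh one
                win[0], win[1] = now, 0
            win[1] += 1  # refused requests are still counted
            budget = self.limits[cls][scale]
            if allowed and win[1] > budget:
                allowed, reason = False, f"{cls}/{scale} budget {budget} exceeded"
        return allowed, reason


def replay(log):
    """Replay (timestamp, client, method, path) records; return refusals."""
    limiter = MultiScaleLimiter()
    refused = []
    for i, (ts, client, method, path) in enumerate(log):
        ok, why = limiter.allow(client, ts, classify_request(method, path))
        if not ok:
            refused.append((i, why))
    return refused


# Constructed sample traffic: a normal browser, a password guesser, and one
# scanner-style probe followed by an ordinary request from the same host.
SAMPLE_LOG = (
    [(t, "10.0.0.1", "GET", "/index.html") for t in range(20)]
    + [(100 + t, "10.0.0.2", "POST", "/login") for t in range(5)]
    + [(200, "10.0.0.3", "GET", "/a/../../b"), (205, "10.0.0.3", "GET", "/img/a.gif")]
)

if __name__ == "__main__":
    for idx, why in replay(SAMPLE_LOG):
        ts, client, method, path = SAMPLE_LOG[idx]
        print(f"refused {client} {method} {path} at t={ts}: {why}")
```

Fixed windows are deliberately simple: they reset abruptly at the window edge, so a client can spend two budgets back to back across the boundary. A sliding window or token bucket per scale closes that gap at the cost of a little more state, but the structure, one counter per scale per class and refuse on the first exceeded scale, is the same.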

18 Other Techniques
- Limiting methods – GET, (HEAD)
  - Local users not restricted
- Sanity checking on requests
  - Browsers, machines very different
- Modifying request stream
  - Most promising future direction
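The privilege-separation slide and the method-limiting bullet above describe one policy: a request from a local client is privileged and unrestricted, while a request from a remote client is unprivileged and confined to GET/HEAD. The Python below is an added example of that policy (not CoDeeN's code) extended with the port and intra-domain checks the earlier slides motivate: CONNECT is refused to remote clients (closing the port 25 and port 6667 tunnels), POST is refused (form-mail abuse), non-80 ports are refused, and remote clients cannot reach the hosting site's own servers. The local address prefixes, the hosting site's domain and the set of remote-permitted ports are assumptions.

```python
"""Request policy for a partially open proxy: privilege separation plus
method and port limiting.

Added example, not CoDeeN's code. The local address ranges, the hosting
site's domain and the set of ports open to remote clients are assumptions.
"""
import ipaddress
from urllib.parse import urlsplit

# Clients inside these networks are "local" and therefore privileged.
# Constructed documentation/private prefixes, not any real deployment's.
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]

# Servers of the hosting site; remote clients must not reach them through
# the proxy (the intra-domain access problem). Assumed domain.
LOCAL_DOMAINS = ("example.edu",)

# What an unprivileged (remote) request may do: GET/HEAD only, port 80 only.
# Leaving out CONNECT closes the SMTP and IRC tunnels; leaving out POST
# stops form-mail abuse; fixing the port stops reaching high-numbered ports.
REMOTE_METHODS = {"GET", "HEAD"}
REMOTE_PORTS = {80}


def is_local_client(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable address: treat as remote (least privilege)
    return any(ip in net for net in LOCAL_NETS)


def is_local_host(host):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LOCAL_DOMAINS)


def parse_target(method, target):
    """Return (host, port) from a CONNECT authority or an absolute-form URL."""
    if method == "CONNECT":
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            return None, None
        return host, int(port)
    u = urlsplit(target)
    if u.scheme not in ("http", "https") or not u.hostname:
        return None, None  # origin-form requests carry no host to check
    try:
        port = u.port
    except ValueError:
        return None, None
    return u.hostname, port or (443 if u.scheme == "https" else 80)


def decide(client_ip, request_line):
    """Return ("allow" | "deny", reason) for one proxy request line."""
    parts = request_line.split()
    if len(parts) != 3:
        return "deny", "malformed request line"
    method, target, _version = parts
    host, port = parse_target(method, target)
    if host is None:
        return "deny", "unparseable target"
    if is_local_client(client_ip):
        return "allow", "privileged local client"  # local users not restricted
    if method not in REMOTE_METHODS:
        return "deny", f"method {method} not allowed for remote clients"
    if port not in REMOTE_PORTS:
        return "deny", f"port {port} not allowed for remote clients"
    if is_local_host(host):
        return "deny", "remote client may not reach the hosting site's servers"
    return "allow", "unprivileged remote request"


# Constructed sample request lines, one per abuse pattern on the slides.
SAMPLE_REQUESTS = [
    ("203.0.113.9", "CONNECT mail.example.net:25 HTTP/1.0"),
    ("192.0.2.17", "CONNECT mail.example.net:25 HTTP/1.0"),
    ("203.0.113.9", "GET http://www.example.com/ HTTP/1.0"),
    ("203.0.113.9", "GET http://irc.example.net:6667/ HTTP/1.0"),
    ("203.0.113.9", "POST http://www.example.com/cgi-bin/formmail.pl HTTP/1.0"),
    ("203.0.113.9", "GET http://intranet.example.edu/private/ HTTP/1.0"),
]

if __name__ == "__main__":
    for ip, line in SAMPLE_REQUESTS:
        verdict, why = decide(ip, line)
        print(f"{verdict:5} {ip:12} {line:55} ({why})")
```

The order of checks matters: the client's privilege is decided before any method or port rule, so a local client keeps CONNECT and POST, and a request that cannot even be parsed is refused to everyone. This covers only what the request line shows; the "TCP over HTTP" case on slide 14, where non-HTTP traffic rides port 80 with a valid-looking GET, is exactly what this kind of check cannot see, which is the point of the "access logging insufficient" bullet.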

19 By The Numbers…
- Running 24/7 since May, ~40 nodes
- Over 400,000 unique IPs as clients
- Over 150 million requests serviced
- Valid rates up to 50K reqs/hour
- Roughly 4 million reqs/day aggregate
- About 4 real abuse incidents
- Availability: high uptimes, fast upgrades

20 Daily Client Population Count
[Chart: daily client population count]

21 Daily Request Volume
[Chart: daily request volume]

22 Monitors & Other Venues
- Routinely trigger open proxy alerts
  - Educating sysadmins, others
- Really good honeypots
  - 6000 SMTP flows/minute at CMU
  - Spammers do ~1M HTTP ops/day
- Early problem detection
  - Failing PlanetLab nodes
  - Compromised university machines

23 Lessons & Directions
- Few substitutes for reality
  - Non-dedicated hardware really interesting
  - Failure modes not present in NS-2
- Stopgap measures pretty effective
  - Very slow arms race
  - Breathing time for better solutions
- Next: more complex techniques
  - Machine learning, high-dim clustering

24 More Info
- http://codeen.cs.princeton.edu
- Thanks: Intel, HP, iMimic, PlanetLab Central

