Presented by: Akbar Saidov Authors: M. Polychronakis, K. G. Anagnostakis, E. P. Markatos.
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Lam Vin The, Spiros...
Date posted: 21-Dec-2015
Category: Documents
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
Lam Vin The, Spiros Antonatos and Kostas G. Anagnostakis
Adapted by Gary Bramwell
Spiros Antonatos
Motivation
• Considerable effort has been put into detecting current forms of malware
– Viruses, worms, botnets, …
• Threats as we know them today will eventually die
– Attackers will avoid traditional attacks
• Attacks on the design of applications are the next step
– It has already started (XSS worms, SQL injection attacks)
A next-generation attack: Puppetnets
• Botnets have served attackers well so far
• Can we have a botnet in a world without buffer overflows and spyware?
– You can call me puppetnet
• Puppetnets use the bad design of the world wide web to form a limited version of botnets
– No browser or operating system exploits, only typical HTML pages
What can puppetnets do?
• Denial of Service attacks
– Flood a victim with requests
• Scan subnets for open ports
– Distributed nmap-like scans
• Propagate attack vectors
– CodeRed-like worms, XSS worms
• Computational attacks
– Calculate MD5 checksums, password cracking
What can't puppetnets do?
• Unable to have total control of a client machine
– They live and die inside web browsers
• No raw sockets, no keylogging
• Access to the file system is denied
• Access to other pages browsed by the user is denied
Puppetnets for DoS attacks
(Diagram on the slide; its callouts read "Stealthiness" and "To avoid client-side caching")
Effectiveness of DoS
• Depends on two factors:
• Web session time: how long a user stays on a site
– Most users stay several minutes (nearly 10) on a page
– Data taken from the KDDCUP trace, Webtrends and our personal pages
• Size of puppetnets: how many users visit a site concurrently
– 90% of sites have up to nearly one thousand concurrent users
– Maximum value observed was 1 million
– Data from Alexa, the ABCE dataset, Webtrends and Webalizer
Measuring DoS
• First input: ingress bandwidth consumed by one puppet vs. RTT between browser and server
• Second input: capacity distribution as measured in "Variability in TCP round-trip times"
MaxURL: make requests with 2K URL length
MaxSYN: make normal requests at an excessive rate
DDoS firepower of 1000 puppets

| Attack | Firefox | Explorer |
|---|---|---|
| maxSYN, 2 aliases | 83.97 Mbit/s | 106.3 Mbit/s |
| maxSYN, 3 aliases | 137.26 Mbit/s | 173.28 Mbit/s |
| maxURL, 2 aliases | 664.74 Mbit/s | 502.06 Mbit/s |
| maxURL, 3 aliases | 1053.79 Mbit/s | 648.33 Mbit/s |

• We use aliases to trick the browser into handling the same destination as different servers
– "www.google.com" is not the same as "www.google.com." for most browsers
• Aliases help us overcome restrictions on the maximum number of connections per server
Using puppetnets for scanning
• Example: scan the Internet for servers listening on port 5349
• The idea is to measure the time spent waiting for a response
• Do a "sandwich" attack:
– `<IMG SRC='http://www.attacker.com/cgi-bin/ping'>`
– `<IMG SRC='http://www.targetsite.com:5349'>`
– `<IMG SRC='http://www.attacker.com/cgi-bin/ping'>`
• The time between the two requests to attacker.com is the key information needed
Optimizing scanning
• In the previous example, for each candidate target we need two requests to the malicious site
– Not scalable: the malicious site ends up DDoSed itself
• Use the onLoad and onError hooks provided by JavaScript
– Sandwich as a backup solution, in the absence of JavaScript
• Measure the time between the request and the onLoad/onError trigger
Scanning illustrated
• We need to define two parameters: unreachable and timeout
Defining scanning parameters
• Measured the time to get the main index of 50,880 web servers
• Measurements from four different network points
– Geographically distributed
– Different connectivity characteristics
Effectiveness of scanning
• The longer the timeout is, the fewer scans we can do per minute
– Unreachable timeout was set to 200ms
• Fewer scans means fewer targets found
Note: browsers impose port restrictions, mainly telnet, POP3 and IMAP
Malicious computations
• Make puppets perform malicious computations
– RC5 cracking, MD5 calculations, etc.
• Use JavaScript or Java applets for computations
• A 1000-node puppetnet is as fast as a 128-node cluster

| Method | MD5 calculations |
|---|---|
| Javascript | 380 |
| Java applet | 434K |
| Java stand-alone | 640K |
| C stand-alone | 3.3M |
Other cool stuff
• Spam distribution through puppetnets
– The Safari browser allows connecting to any port!
• Weakly designed web services can be exploited
– Lycos mail uses cookies for login
– The form for sending mail is simple (most services usually put in a hidden id)
– Any puppet that has recently logged in to Lycos can send spam through the user's account
• We found Lycos with a 30-minute search; there are thousands of services out there
Defenses (1/3)
• Disable JavaScript
– Threat will be reduced but not eliminated
– Browsing experience will be altered significantly
• IDS/IPS signatures
– For example, detect SMTP commands inside a POST
– Hard for DDoS attacks
– Obfuscation of HTML and JavaScript prevents static analysis
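The "SMTP commands inside a POST" signature from this slide, written out as an added example (this is not code from the slides or the paper): a small inspector that splits a raw HTTP request, collects SMTP verbs that start lines of a POST body, and alerts only when a full MAIL FROM / RCPT TO / DATA envelope appears, so a form field that merely happens to be named DATA does not fire. The sample request is constructed for the example.

```javascript
// Added example, not from the slides: an IDS-style check for SMTP commands
// carried inside an HTTP POST body, the signature the slide proposes.
// Input is one raw HTTP request as text; output is the SMTP verbs seen.
const SMTP_VERBS = ["HELO", "EHLO", "MAIL FROM", "RCPT TO", "DATA", "QUIT"];

// Split a raw request into its request line and body (a blank line separates them).
function splitRequest(raw) {
  const idx = raw.search(/\r?\n\r?\n/);
  const head = idx < 0 ? raw : raw.slice(0, idx);
  const body = idx < 0 ? "" : raw.slice(idx).replace(/^\r?\n\r?\n/, "");
  return { requestLine: head.split(/\r?\n/)[0], body };
}

// Collect SMTP verbs that start a line of a POST body, in the order they appear.
function smtpVerbsInPost(raw) {
  const { requestLine, body } = splitRequest(raw);
  if (!/^POST\s/i.test(requestLine)) return [];
  const found = [];
  for (const line of body.split(/\r?\n/)) {
    const upper = line.trimStart().toUpperCase();
    const verb = SMTP_VERBS.find((v) => upper.startsWith(v));
    if (verb) found.push(verb);
  }
  return found;
}

// Alert only on a complete envelope (MAIL FROM, then RCPT TO, then DATA):
// a single verb-like token such as a form field named DATA is not enough.
function looksLikeSmtpInPost(raw) {
  const verbs = smtpVerbsInPost(raw);
  const i = verbs.indexOf("MAIL FROM");
  const j = verbs.indexOf("RCPT TO");
  const k = verbs.indexOf("DATA");
  return i >= 0 && j > i && k > j;
}

// Constructed sample request (not captured traffic).
const SAMPLE_SMTP_POST = [
  "POST /cgi-bin/relay HTTP/1.1",
  "Host: mail.example.test",
  "",
  "HELO puppet",
  "MAIL FROM:<a@example.test>",
  "RCPT TO:<b@example.test>",
  "DATA",
  "Subject: constructed sample",
  ".",
  "QUIT",
].join("\r\n");
```

As the slide notes, this only works on bodies the sensor can read as plain text; an obfuscated or encoded body defeats the static match.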
Defenses (2/3)
• Client-side behavioral controls
– Limit the number of non-local objects
– 99% of websites access 11 or fewer foreign domains, 99.94% fewer than 20
– Can achieve a 10x reduction in DDoS strength while disrupting 0.1% of websites
– Can be bypassed if the attacker has access to a DNS server
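The behavioral control on this slide, and the hostname alias trick from the DDoS firepower slide, as one added example (not code from the slides or the paper): the browser counts the distinct foreign hosts a page loads objects from and stops admitting new foreign hosts past a limit, after folding case and stripping trailing dots so "www.google.com" and "www.google.com." count as one server. The page URL, object URLs and the limit of 20 (the slide's 99.94% figure) are constructed for the example.

```javascript
// Added example, not from the slides: a client-side behavioural control that
// counts the distinct foreign hosts a page loads objects from and drops loads
// once a limit is reached. Hostnames are normalised first, so the alias trick
// from the DDoS slide ("www.google.com" vs "www.google.com.") counts as one host.
const DEFAULT_FOREIGN_HOST_LIMIT = 20; // slide: 99.94% of sites use fewer than 20

// Fold case and strip trailing dots: DNS treats these as the same name.
function normaliseHost(hostname) {
  return hostname.toLowerCase().replace(/\.+$/, "");
}

// Resolve a (possibly relative) object URL against the page and return its host,
// or null when the URL does not parse (nothing would be fetched anyway).
function hostOf(objectUrl, pageUrl) {
  try {
    return normaliseHost(new URL(objectUrl, pageUrl).hostname);
  } catch (e) {
    return null;
  }
}

// Distinct foreign hosts referenced by the page's objects.
function foreignHosts(pageUrl, objectUrls) {
  const local = normaliseHost(new URL(pageUrl).hostname);
  const hosts = new Set();
  for (const u of objectUrls) {
    const host = hostOf(u, pageUrl);
    if (host && host !== local) hosts.add(host);
  }
  return hosts;
}

// The objects the browser may fetch: all local ones, and foreign ones only
// while the number of distinct foreign hosts stays within the limit.
function filterLoads(pageUrl, objectUrls, limit = DEFAULT_FOREIGN_HOST_LIMIT) {
  const local = normaliseHost(new URL(pageUrl).hostname);
  const admitted = new Set(); // foreign hosts already allowed for this page
  const allowed = [];
  for (const u of objectUrls) {
    const host = hostOf(u, pageUrl);
    if (host === null) continue;
    if (host === local || admitted.has(host)) { allowed.push(u); continue; }
    if (admitted.size < limit) { admitted.add(host); allowed.push(u); }
  }
  return allowed;
}

// Constructed sample: a page on evil.test pulling three aliases of one victim host.
const SAMPLE_PAGE = "http://evil.test/index.html";
const SAMPLE_OBJECTS = ["/local.png", "http://www.victim.test/a", "http://www.victim.test./a",
  "http://WWW.Victim.test/a", "http://other.test/b"];
```

The check works on names, not addresses, so the bypass the slide mentions still holds: an attacker who controls a DNS zone can hand out many distinct hostnames that all resolve to the victim.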
Defenses (3/3)
• Access Tokens
• Server sends a policy to the client that describes the level of trust for a specific referrer
• Client implements the policy inside the browser
• If the referrer is not trustworthy, all requests to the victim server will be stopped at the client side
Access Tokens illustrated
Access Token limitations
• Requires implementation on the client and browser side
– Server must issue policies
– Client must be set up to implement policies
• Requests after the first are blocked
– The first request is still sent and acked
– Severely hampers, but still allows, DDoS
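The access-token scheme from the previous two slides, together with the "first request still gets out" limitation from this one, as an added example (not code from the slides or the paper): the browser caches the trust policy each server publishes and, for later requests, blocks those whose referrer the policy rates untrusted. The policy object shape, the level names "trusted"/"untrusted" and the hostnames are assumptions made for this example.

```javascript
// Added example, not from the slides: a client-side enforcer for the
// access-token defence. The victim server publishes which referrers it trusts;
// the browser caches that policy per server and refuses later requests whose
// referrer the policy rates as untrusted. The policy object shape and the
// level names are assumptions made for this example, not the paper's format.
class AccessTokenEnforcer {
  constructor() {
    this.policies = new Map(); // server host -> { default, referrers }
  }
  // Record the policy delivered with a response from `server`.
  learnPolicy(server, policy) {
    this.policies.set(server, policy);
  }
  // Trust level the server assigns to a referrer, or null if no policy is known yet.
  trustLevel(server, referrer) {
    const policy = this.policies.get(server);
    if (!policy) return null;
    const level = policy.referrers[referrer];
    return level === undefined ? policy.default : level;
  }
  // May the browser send a request to `server` from a page served by `referrer`?
  shouldSend(server, referrer) {
    if (server === referrer) return true; // the site's own pages are not puppets
    const level = this.trustLevel(server, referrer);
    // Limitation from the slides: before any policy is known the first request
    // has to go out (and is acked), which is what lets the server publish one.
    if (level === null) return true;
    return level !== "untrusted";
  }
}

// Constructed policy (assumed shape) as victim.test would publish it.
const VICTIM_POLICY = {
  default: "untrusted",
  referrers: { "partner.test": "trusted" },
};

// Simulate `attempts` requests to victim.test from pages on `referrer` and
// return how many the browser actually sent; every response carries the policy.
function simulateRequests(referrer, attempts) {
  const enforcer = new AccessTokenEnforcer();
  let sent = 0;
  for (let i = 0; i < attempts; i++) {
    if (!enforcer.shouldSend("victim.test", referrer)) continue;
    sent++;
    enforcer.learnPolicy("victim.test", VICTIM_POLICY);
  }
  return sent;
}
```

A puppet page on an untrusted referrer gets exactly one request through per browser, which is the residual DDoS the slide says the scheme still allows.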
Questions?
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
Lam Vin The, Spiros Antonatos and Kostas G. Anagnostakis
To appear in ACM CCS 2006
Backup slides
Web session times
Puppetnet size