
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure






Presentation Transcript


1. Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
   Lam Vin The, Spiros Antonatos and Kostas G. Anagnostakis
   Adapted by Gary Bramwell

2. Motivation
   • Considerable effort has been put into detecting current forms of malware
     • Viruses, worms, botnets, …
   • Threats as we know them today will eventually die
   • Attackers will avoid traditional attacks
   • Attacks on the design of applications are the next step
     • It has already started (XSS worms, SQL injection attacks)
   Spiros Antonatos

3. A next-generation attack: Puppetnets
   • Botnets have served attackers well so far
   • Can we have a botnet in a world without buffer overflows and spyware?
     • You can call me puppetnet
   • Puppetnets use the bad design of the world wide web to form a limited version of botnets
   • No browser or operating system exploits, only typical HTML pages

4. What can puppetnets do?
   • Denial of Service attacks
     • Flood a victim with requests
   • Scan subnets for open ports
     • Distributed nmap-like scans
   • Propagate attack vectors
     • CodeRed-like worms, XSS worms
   • Computational attacks
     • Calculate MD5 checksums, password cracking

5. What can't puppetnets do?
   • Unable to have total control of a client machine
     • They live and die inside web browsers
   • No raw sockets, no keylogging
   • Access to the file system is denied
   • Access to other pages browsed by the user is denied

6. Puppetnets for DoS attacks
   (diagram; its annotations read "To avoid client-side caching" and "Stealthiness")

7. Effectiveness of DoS
   • Depends on two factors:
     • Web session time: how long a user stays on a site
       • Most users stay several minutes (nearly 10) on a page
       • Data taken from the KDDCUP trace, Webtrends and our personal pages
     • Size of puppetnets: how many users visit a site concurrently
       • 90% of sites have up to nearly one thousand concurrent users
       • Maximum value observed was 1 million
       • Data from Alexa, the ABCE dataset, Webtrends and Webalizer

8. Measuring DoS
   • First input: ingress bandwidth consumed by one puppet vs. RTT between browser and server
   • Second input: capacity distribution as measured in "Variability in TCP round-trip times"
   (graph legend)
   • MaxURL: make requests with 2K URL length
   • MaxSYN: make normal requests at an excessive rate

9. DDoS firepower of 1000 puppets
   • We use aliases to trick the browser into handling the same destination as different servers
     • "www.google.com" is not the same as "www.google.com." for most browsers
   • Aliases help us overcome the restriction on maximum connections per server

10. Using puppetnets for scanning
   • Example: scan the Internet for servers listening on port 5349
   • The idea is to measure the time spent getting a response
   • Do a "sandwich" attack:
     • <IMG SRC='http://www.attacker.com/cgi-bin/ping'>
     • <IMG SRC='http://www.targetsite.com:5349'>
     • <IMG SRC='http://www.attacker.com/cgi-bin/ping'>
   • The time between the two requests to attacker.com is the key information needed

11. Optimizing scanning
   • In the previous example, for each candidate target we need two requests to the malicious site
     • Not scalable; the malicious site itself ends up DDoSed
   • Use the onLoad and onError hooks provided by JavaScript
     • Sandwich as a backup solution, in the absence of JavaScript
   • Measure the time between the request and the onLoad/onError trigger

12. Scanning illustrated
   • We need to define two parameters: unreachable and timeout

13. Defining scanning parameters
   • Measured the time to get the main index of 50,880 web servers
   • Measurements from four different network points
     • Geographically distributed
     • Different connectivity characteristics

14. Effectiveness of scanning
   • The longer the timeout is, the fewer scans we can do per minute
     • Unreachable timeout was set to 200ms
   • Fewer scans means fewer targets found
   Note: browsers impose port restrictions, mainly telnet, POP3 and IMAP

15. Malicious computations
   • Make puppets perform malicious computations
     • RC5 cracking, MD5 calculations, etc.
   • Use JavaScript or Java applets for computations
   • A 1000-node puppetnet is as fast as a 128-node cluster

16. Other cool stuff
   • Spam distribution through puppetnets
     • The Safari browser allows connecting to any port!
   • Weakly designed web services can be exploited
     • Lycos mail uses cookies for login
     • The form for sending mail is simple (most services put a hidden id in it)
     • Any puppet that has recently logged in to Lycos can send spam through the user's account
     • We found Lycos with a 30-minute search; there are thousands of services out there

17. Defenses (1/3)
   • Disable JavaScript
     • Threat will be reduced but not eliminated
     • Browsing experience will be altered significantly
   • IDS/IPS signatures
     • For example, detect SMTP commands inside a POST
     • Hard for DDoS attacks
     • Obfuscation of HTML and JavaScript prevents static analysis

18. Defenses (2/3)
   • Client-side behavioral controls
     • Limit the number of non-local objects
     • 99% of websites access 11 or fewer foreign domains, 99.94% fewer than 20
     • Can achieve a 10x reduction in DDoS strength while disrupting 0.1% of websites
     • Can be bypassed if the attacker has access to a DNS server
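The client-side behavioral control from this slide, as an added example that is not the authors' code: it walks a page's embedded objects, counts the distinct foreign domains after canonicalising host spellings (so the trailing-dot alias trick from slide 9 does not let one server count as many), and also flags objects aimed at non-default ports. The sample page, the domain names and the cut-off of 11 foreign domains (the slide's 99th-percentile figure, used here as an assumed limit) are constructed for the illustration; the port list covers only the three services the slide on scanning names.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag attributes through which a page can make the browser fetch an object.
RESOURCE_ATTRS = {"src", "href", "data", "action"}

# Ports the slides say browsers already refuse (telnet, POP3, IMAP). Real
# per-browser block lists are longer; this is only the subset the page names.
BLOCKED_PORTS = {23, 110, 143}

DEFAULT_PORT = {"http": 80, "https": 443}


def canonical_host(host):
    """Map alias spellings of one server to a single key.

    The browser's per-server connection limit is keyed on the literal host
    string, which is why 'www.google.com.' and 'WWW.GOOGLE.COM' count as
    separate servers; comparing canonical forms closes that gap.
    """
    return host.lower().rstrip(".")


class ObjectCollector(HTMLParser):
    """Collect the absolute URL of every object the page would fetch."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in RESOURCE_ATTRS and value:
                self.urls.append(urljoin(self.base_url, value))


def analyse_page(html, base_url, max_foreign=11):
    """Report the foreign domains a page touches and any unusual ports it uses."""
    collector = ObjectCollector(base_url)
    collector.feed(html)
    local = canonical_host(urlsplit(base_url).hostname)
    foreign = set()
    odd_ports = []
    blocked = []
    for url in collector.urls:
        parts = urlsplit(url)
        if parts.scheme not in DEFAULT_PORT or not parts.hostname:
            continue
        host = canonical_host(parts.hostname)
        if host != local:
            foreign.add(host)
        try:
            port = parts.port          # None when the URL has no explicit port
        except ValueError:             # non-numeric port: treat as suspicious
            port = -1
        if port is not None and port != DEFAULT_PORT[parts.scheme]:
            odd_ports.append(url)
            if port in BLOCKED_PORTS:
                blocked.append(url)
    return {
        "foreign_domains": sorted(foreign),
        "over_limit": len(foreign) > max_foreign,
        "nonstandard_ports": odd_ports,
        "blocked_ports": blocked,
    }


# Constructed sample page (not from the paper): hosted on example.com, it embeds
# three spellings of one foreign host, an object on an unusual port, a script
# from a CDN and an object aimed at a POP3 port.
SAMPLE_BASE = "http://example.com/page.html"
SAMPLE_HTML = """
<html><body>
<img src="/images/logo.png">
<img src="http://www.victim.example/x.gif">
<img src="http://www.victim.example./x.gif">
<IMG SRC='http://WWW.VICTIM.EXAMPLE/x.gif'>
<img src="http://www.victim.example:5349/">
<script src="//cdn.example.net/a.js"></script>
<img src="http://mail.example.org:110/">
</body></html>
"""


def demo():
    return analyse_page(SAMPLE_HTML, SAMPLE_BASE)


if __name__ == "__main__":
    print(demo())
```

The three spellings of www.victim.example collapse to one foreign domain, so the count reflects servers rather than strings; the slide's caveat still holds, since an attacker who controls a DNS zone can mint as many distinct names as the limit allows.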

19. Defenses (3/3)
   • Access Tokens
     • Server sends a policy to the client that describes the level of trust for a specific referrer
     • Client implements the policy inside the browser
     • If the referrer is not trustworthy, all requests to the victim server are stopped at the client side

20. Access Tokens illustrated

21. Access Token limitations
   • Requires implementation on client and browser side
     • Server must issue policies
     • Client must be set up to implement policies
   • Requests after the first are blocked
     • First request is still sent and acked
     • Severely hampers, but still allows, DDoS

22. Questions?

23. Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
   Lam Vin The, Spiros Antonatos and Kostas G. Anagnostakis
   To appear in ACM CCS 2006

24. Backup slides

25. Web session times

26. Puppetnet size
