240 likes | 367 Views
The Dark Side of the Web: An Open Proxy’s View. Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson Princeton University. Origins: Surviving Heavy Loads. Surviving flash crowds, DDoS attacks Absorb via massive resources Raise the bar for attacks Tolerate smaller crowds
E N D
The Dark Side of the Web:An Open Proxy’s View Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson Princeton University
Origins: Surviving Heavy Loads • Surviving flash crowds, DDoS attacks • Absorb via massive resources • Raise the bar for attacks • Tolerate smaller crowds • Survive larger attacks • Existing approach: Content Distribution Networks CoDeeN Security - HotNets II
Building an Academic CDN • Flash crowds are real • We have the technology • OSDI’02 paper on CDN performance • USITS’03 proxy API • PlanetLab provides the resources • Continuous service, decentralized control • Seeing real traffic, reliability, etc • We use it ourselves • Open access = more traffic CoDeeN Security - HotNets II
How Does CoDeeN Work? • Server surrogates (proxies) on most North American sites • Originally everywhere, but we cut back • Clients specify proxy to use • Cache hits served locally • Cache misses forwarded to CoDeeN nodes • Maybe forwarded to origin servers CoDeeN Security - HotNets II
Cache miss Response Request Cache Miss Cache hit Cache miss Response Cache hit Request Response How Does CoDeeN Work? origin CoDeeN Proxy Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector CoDeeN Security - HotNets II
Steps For Inviting Trouble • Use a popular protocol • HTTP • Emulate a popular tool/interface • Web proxy servers • Allow open access • With HTTP’s lack of accountability • Be more attractive than competition • Uptime, bandwidth, anonymity CoDeeN Security - HotNets II
Hello, Trouble! • Spammers • Bandwidth hogs • High request rates • Content Thieves • Worrisome anonymity Commonality: using CoDeeN to do things they would not do directly CoDeeN Security - HotNets II
No End-To-End Authentication The Root of All Trouble CoDeeN Proxy http/tcp http/tcp origin (Malicious) Client CoDeeN Security - HotNets II
Spammers • SMTP (port 25) tunnels via CONNECT • Relay via open mail server • POST forms (formmail scripts) • Exploit website scripts • IRC channels (port 6667) via CONNECT • Captive audience, high port # CoDeeN Security - HotNets II
Attempted SMTP Tunnels/Day CoDeeN Security - HotNets II
Bandwidth Hogs • Webcam trackers • Mass downloads of paid cam sites • Cross-Pacific traffic • Simultaneous large file downloads • Steganographers • Large files small images • All uniform sizes CoDeeN Security - HotNets II
High Request Rates • Password crackers • Attacking random Yahoo! accounts • Google crawlers • Dictionary crawls – baffles Googlians • Click counters • Defeat ad-supported “game” CoDeeN Security - HotNets II
Content Theft • Licensed content theft • Journals and databases are expensive • Intra-domain access • Protected pages within the hosting site CoDeeN Security - HotNets II
Worrisome Anonymity • Request spreaders • Use CoDeeN as a DDoS platform! • TCP over HTTP • Non-HTTP Port 80 • Access logging insufficient • Vulnerability testing • Low rate, triggers IDS CoDeeN Security - HotNets II
Goals, Real & Otherwise • Desired: allow only “safe” accesses • Ideally • An oracle tells you what’s safe • “Your” users are not impacted • Open proxies considered inherently bad • NLANR requires accounts, proxy-auth • JANET closed to outsiders • No research in “partially open” proxies CoDeeN Security - HotNets II
Remote Client Unprivileged Request Local Client Privileged Request Privilege Separation Remote Proxy Local Proxy Local Server CoDeeN Security - HotNets II
Rate Limiting Minute • 3 scales capture burstiness • Exceptions • Login attempts • Vulnerability tests Hour Day CoDeeN Security - HotNets II
Other Techniques • Limiting methods – GET, (HEAD) • Local users not restricted • Sanity checking on requests • Browsers, machines very different • Modifying request stream • Most promising future direction CoDeeN Security - HotNets II
By The Numbers… • Running 24/7 since May, ~40 nodes • Over 400,000 unique IPs as clients • Over 150 million requests serviced • Valid rates up to 50K reqs/hour • Roughly 4 million reqs/day aggregate • About 4 real abuse incidents • Availability: high uptimes, fast upgrades CoDeeN Security - HotNets II
Daily Client Population Count CoDeeN Security - HotNets II
Daily Request Volume CoDeeN Security - HotNets II
Monitors & Other Venues • Routinely trigger open proxy alerts • Educating sysadmins, others • Really good honeypots • 6000 SMTP flows/minute at CMU • Spammers do ~1M HTTP ops/day • Early problem detection • Failing PlanetLab nodes • Compromised university machines CoDeeN Security - HotNets II
Lessons & Directions • Few substitutes for reality • Non-dedicated hardware really interesting • Failure modes not present in NS-2 • Stopgap measures pretty effective • Very slow arms race • Breathing time for better solutions • Next: more complex techniques • Machine learning, high-dim clustering CoDeeN Security - HotNets II
More Info http://codeen.cs.princeton.edu Thanks: Intel, HP, iMimic, PlanetLab Central CoDeeN Security - HotNets II