cashing out the great cannon on browser based ddos
play

Cashing out the Great Cannon? On Browser-based DDoS Attacks and - PowerPoint PPT Presentation

May 02, 2023 •159 likes •520 views

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

  1. Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Wählisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universität Berlin (3) HAW Hamburg

  2. Classical DDoS Botnets Target Botmaster Infected hosts GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] C&C server HTTP flood HTTP flood  DDoS is a severe threat to the Internet  In classical DDoS botnets: ● Infection-based recruitment (Drive-by download, Browser vulns, ...) ● Architecture-dependent malware August 14, 2015 2

  3. Browser-based DDoS Botnet Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Browser-based botnet a new type of botnet ● Infectionless bots recruitment ● Architecture-independent malware (e.g., OSX, Windows, Linux, Android) August 14, 2015 3

  4. The Great Cannon Target Botmaster Browsers The Web  In March 2015 first browser-based DDoS attacks [CitizenLab]  Recruitment: Powerful attacker injects JS into HTTP conversations ➔ We envision also less powerful attacker can launch similar attacks August 14, 2015 4

  5. Threat Model Target Botmaster Browsers The Web  No control of the network, e.g., no ISP  Infiltrate JS over the Web, e.g., as advertisement [Grossman]  Economic incentives August 14, 2015 5

  6. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  GC showed that browsers can be used as bots August 14, 2015 6

  7. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  GC showed that browsers can be used as bots ● However, anecdotal knowledge only [Kuppan, Grossman] August 14, 2015 7

  8. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  GC showed that browsers can be used as bots ● However, anecdotal knowledge only [Kuppan, Grossman] ➔ To date, no systematic understanding of browser features to support DDoSes August 14, 2015 8

  9. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Promising for less powerful attackers, i.e., criminals with economic incentives August 14, 2015 9

  10. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Promising for less powerful attackers, i.e., criminals with economic incentives ● However, little is known about recruitment techniques and costs August 14, 2015 10

  11. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Promising for less powerful attackers, i.e., criminals with economic incentives ● However, little is known about recruitment techniques and costs ➔ Hard to assess if criminals will jump on the wagon of GC-like attacks August 14, 2015 11

  12. Contents  Review browser features  Browser features in DoS attacks  Cost estimation and comparison August 14, 2015 12

  13. Browser Features August 14, 2015 13

  14. Classical DDoS bots: Yoddos/DirtJumper Yoddos Attack Commands (Source [Welzel])  Supports different DDoS attacks ● TCP, UDP, and HTTP based flooding  And attack variants: ● HTTP reqs. with no recv() ● Via TCP FIN or RST ● HTTP custom Host and Referer ● Bypass filters August 14, 2015 14

  15. Web Browsers as DDoS bots Yoddos Attack Commands (Source [Welzel])  Offer communication APIs ● e.g., XMLHttpRequest, WebSocket, and Server-Sent Events  Other DoS-enabling JS APIs ● Image and WebWorker APIs  However, less flexible ● No direct access to TCP/UDP ● restricted to extensions... ● No IP spoofing  Reviewed 4 APIs ... August 14, 2015 15

  16. XMLHttpRequest API (1/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent xhr.send(); xhr.send(); Send HTTP Send HTTP anyway request request Yoddos Attack Commands (Source [Welzel]) August 14, 2015 16

  17. XMLHttpRequest API (2/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent xhr.send(); xhr.send(); Send HTTP Send HTTP anyway request request Yoddos Attack Commands (Source [Welzel]) August 14, 2015 17

  18. XMLHttpRequest API (3/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent RST RST setTimeout(function() { anyway setTimeout(function() { after 10 ms after 10 ms xhr.abort(); xhr.abort();  Additional behaviors: }, 10); }, 10); ➔ Partial control over the TCP socket xhr.send(); xhr.send(); life-cycle → no rcvd() Yoddos Attack Commands (Source [Welzel]) August 14, 2015 18

  19. XMLHttpRequest API (4/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent RST RST setTimeout(function() { anyway setTimeout(function() { after 10 ms after 10 ms xhr.abort(); xhr.abort();  Additional behaviors: }, 10); }, 10); ➔ Partial control over the TCP socket xhr.send(); xhr.send(); life-cycle → no rcvd() ● Set/modify request headers Yoddos Attack Commands (Source [Welzel]) ● Except for Host and Referer (and others) August 14, 2015 19

  20. Web Sockets (1/2)  Extension of HTTP var target = "ws://target/"; var target = "ws://target/"; ● Establish full-duplex stream-oriented client-server var ws = new WebSocket(target); var ws = new WebSocket(target); communication channel via the WebSocket Handshake protocol WebSocket Handshake WebSocket Handshake ➔ Based on a HTTP request/response pair Yoddos Attack Commands (Source [Welzel]) August 14, 2015 20

  21. Web Sockets (2/2)  Extension of HTTP var target = "ws://target/"; var target = "ws://target/"; RST ● Establish full-duplex stream-oriented client-server RST after 10ms setTimeout(function () { after 10ms setTimeout(function () { communication channel via the WebSocket ws.close(); ws.close(); Handshake protocol }, 10); }, 10); ➔ Based on a HTTP request/response pair var ws = new WebSocket(target); var ws = new WebSocket(target);  Additional behaviors: ➔ Partial control over the TCP socket life-cycle → no rcvd() Yoddos Attack Commands (Source [Welzel]) ● No access to request headers August 14, 2015 21

  22. API Evaluation August 14, 2015 22

  23. Aggressiveness API Browser AVG Reqs/s MAX Reqs/s XMLHttpReq. Chrome 1,005 1,886 Firefox 2,165 2,892 WebSocket Chrome 34 73 Firefox 0 0 Server-Sent Evts Chrome 210 941 Firefox 258 1,907 Image Chrome 84 109 Firefox 751 1,916  Firefox shows a more aggressive behavior  18x faster than prior tests: ~170 XHR reqs/s [Kuppan] August 14, 2015 23

  24. Aggressiveness Browser Workers AVG Reqs/s API Browser AVG Reqs/s MAX Reqs/s Chrome 0 1,359 XMLHttpReq. Chrome 1,005 1,886 2 966 Firefox 2,165 2,892 3 689 WebSocket Chrome 34 73 Firefox 0 1,456 Firefox 0 0 2 2,424 Server-Sent Evts Chrome 210 941 3 2,616 Firefox 258 1,907 Image Chrome 84 109 Firefox 751 1,916  Firefox shows a more aggressive behavior  18x faster than prior tests: ~170 XHR reqs/s [Kuppan] August 14, 2015 24

  25. Aggressiveness Browser Workers AVG Reqs/s API Browser AVG Reqs/s MAX Reqs/s Chrome 0 1,359 XMLHttpReq. Chrome 1,005 1,886 2 966 Firefox 2,165 2,892 3 689 WebSocket Chrome 34 73 Firefox 0 1,456 Firefox 0 0 2 2,424 Server-Sent Evts Chrome 210 941 3 2,616 Firefox 258 1,907 Image Chrome 84 109 Firefox 751 1,916  Firefox shows a more aggressive behavior  18x faster than prior tests: ~170 XHR reqs/s [Kuppan] ➔ ~3,000 reqs/s is a severe threat August 14, 2015 25

  26. Bot Recruitment and Cost Estimation August 14, 2015 26

  27. Recruitment Technique  Cost depends on the recruitment technique  Techniques 1. Ad networks ● Malicious JS as advertisment 2. Typosquatting ● Registration of domain misspellings 3. Machine-generated visits 4. Web application hijacking ● Using vulns to spread malicious JS, e.g., Stored XSS August 14, 2015 27

Recommend

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens nses Mu Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS

548 views • 29 slides
On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
Encouraging Savings at the Check Cashing Window Preliminary Results from an Evaluation of a

Encouraging Savings at the Check Cashing Window Preliminary Results from an Evaluation of a

Encouraging Savings at the Check Cashing Window Preliminary Results from an Evaluation of a Savings US Finance Initiative January 17, 2017 Product for Check Cashing Clients in NYC usfi@poverty-action.org Introductions & Agenda

477 views • 21 slides
Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Freehold Borough Schools Technology Department Training Manual Google Docs and the Chrome browser work great together! If you do not have the Chrome browser on your laptop, please put in a helpdesk ticket. Go to the district website

575 views • 18 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

So you think IoT DDoS botnets are dangerous Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand https://www.ecrimelabs.com @DennisRand About me Im a security researcher and founder of eCrimeLabs, based out of Denmark.

674 views • 48 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based Computing NOT good pen based apps! Richard Anderson CSE 481 B Winter 2007 What is a good UI? How do you measure it? Mechanical Properties

208 views • 8 slides
A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon

A Guide About DDoS Attacks Understanding and anticipating DDoS Guillaume Valadon guillaume.valadon@ssi.gouv.fr RIPE 70 - May, 11 2015 ANSSI - http://www.ssi.gouv.fr/guide-ddos & https://goo.gl/UL8M1 1/12 ANSSI Created on July 7th 2009,

142 views • 12 slides
CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks

CS 110 Summer 2018 Ryan Eberhardt DDoS Attacks https://www.reveelium.com/en/ddos-attacks-the-cyber-boogeyman-part-i/ DDoS Attacks 1,700 Gbps!! 2015 :-/

748 views • 20 slides
Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim

Discriminating reflective DDoS attack tools at the reflector Fons Mijnen Max Grim fons.mijnen@os3.nl max.grim@os3.nl 2 DDoS attacks DDoS attacks are a problem internet users have faced for many years, and is still relevant today. 3 DDoS

531 views • 52 slides
A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms Jelena Mirkovic, Janice Martin & Peter Reiher Manu Shantharam & David Hadka What is DoS? DoS A type of attack wherein access to computer resource / service is denied or

380 views • 18 slides
National Cybersecurity Center of Excellence Mitigating IoT-Based DDoS Build 1 Demonstration

National Cybersecurity Center of Excellence Mitigating IoT-Based DDoS Build 1 Demonstration

National Cybersecurity Center of Excellence Mitigating IoT-Based DDoS Build 1 Demonstration Presentation April 10, 2019 Challenge There will be 20.4 billion connected IoT devices by 2020 (per Gartner) As IoT devices become more common

671 views • 41 slides
DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service

DDoS Attack Landscapes Introduction General opinion AKA DDoS skeptics Denial of Service attacks are a fact of life on the Internet Service disruption Sometimes employed as a smoke screen What this talk is and

799 views • 23 slides
No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon

No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon

No Cloud Allowed Denying Service to DDOS Protection Services Presented by: Allison Nixon Allison.Nixon@integralis.com Pentesting, Incident Response PaulDotCom host Cloud Based DDOS Protection How it works Fundamental flaws

875 views • 25 slides
COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure

COLOSSAL DDoS ATTACKS ARE THE NEW REALITY Defeating DDoS Needs a Precision Strategy Your Secure Application Services CONFIDENTIAL | DO NOT DISTRIBUTE Company 1. CONFIDENTIAL | DO NOT DISTRIBUTE Attack Tools over Time - Evolved Binary

385 views • 12 slides

More recommend