
Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics (PowerPoint presentation)

G. Pellegrino (1), C. Rossow (1), F. J. Ryba (2), T. C. Schmidt (3), M. Wählisch (2)
(1) CISPA / MMCI, Saarland University; (2) Freie Universität Berlin; (3) HAW Hamburg


  1. Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics
     G. Pellegrino (1), C. Rossow (1), F. J. Ryba (2), T. C. Schmidt (3), M. Wählisch (2)
     (1) CISPA / MMCI, Saarland University; (2) Freie Universität Berlin; (3) HAW Hamburg

  2. Classical DDoS Botnets
     [Figure: botmaster → C&C server → infected hosts → target; the infected hosts send an HTTP flood of "GET / HTTP/1.1\r\n Host: target\r\n […]" requests]
     ▪ DDoS is a severe threat to the Internet
     ▪ In classical DDoS botnets:
       ● Infection-based recruitment (drive-by download, browser vulns, ...)
       ● Architecture-dependent malware
     (August 14, 2015)

  3. Browser-based DDoS Botnet
     [Figure: botmaster → the Web → browsers → target; the browsers send the same HTTP flood of "GET / HTTP/1.1\r\n Host: target\r\n […]" requests]
     ▪ Browser-based botnet: a new type of botnet
       ● Infectionless bot recruitment
       ● Architecture-independent malware (e.g., OS X, Windows, Linux, Android)

  4. The Great Cannon
     [Figure: botmaster → the Web → browsers → target]
     ▪ In March 2015: first browser-based DDoS attacks [CitizenLab]
     ▪ Recruitment: a powerful attacker injects JS into HTTP conversations
     ➔ We envision that a less powerful attacker can also launch similar attacks

  5. Threat Model
     [Figure: botmaster → the Web → browsers → target]
     ▪ No control of the network, e.g., no ISP
     ▪ Infiltrate JS over the Web, e.g., as an advertisement [Grossman]
     ▪ Economic incentives

  6–11. Toward a Great Cannon for Cyber-Criminals? (built up over six slides)
     [Figure: botmaster → the Web → browsers → target; HTTP flood of "GET / HTTP/1.1\r\n Host: target\r\n […]" requests]
     ▪ GC showed that browsers can be used as bots
       ● However, anecdotal knowledge only [Kuppan, Grossman]
     ➔ To date, no systematic understanding of browser features to support DDoSes
     ▪ Promising for less powerful attackers, i.e., criminals with economic incentives
       ● However, little is known about recruitment techniques and costs
     ➔ Hard to assess whether criminals will jump on the bandwagon of GC-like attacks

  12. Contents
     ▪ Review browser features
     ▪ Browser features in DoS attacks
     ▪ Cost estimation and comparison

  13. Browser Features

  14. Classical DDoS bots: Yoddos/DirtJumper
     [Figure: Yoddos attack commands (source: [Welzel])]
     ▪ Supports different DDoS attacks
       ● TCP-, UDP-, and HTTP-based flooding
     ▪ And attack variants:
       ● HTTP requests with no recv()
       ● Via TCP FIN or RST
       ● HTTP custom Host and Referer
       ● Bypass filters

  15. Web Browsers as DDoS bots
     ▪ Offer communication APIs
       ● e.g., XMLHttpRequest, WebSocket, and Server-Sent Events
     ▪ Other DoS-enabling JS APIs
       ● Image and WebWorker APIs
     ▪ However, less flexible
       ● No direct access to TCP/UDP (restricted to extensions...)
       ● No IP spoofing
     ▪ Reviewed 4 APIs ...

  16–19. XMLHttpRequest API (built up over four slides)
     ▪ Send HTTP requests to arbitrary targets
     ▪ Restrictions:
     ➔ SOP and CORS, but HTTP requests are sent anyway
     ▪ Additional behaviors:
     ➔ Partial control over the TCP socket life-cycle → no recv()
       ● Set/modify request headers, except for Host and Referer (and others)

     Code shown on the slides (the request is sent, then aborted after 10 ms, which tears the TCP connection down with a RST before any response is read):

         var target = "http://target/";
         var xhr = new XMLHttpRequest();
         xhr.open("GET", target);
         setTimeout(function() {
           xhr.abort();       // RST after 10 ms
         }, 10);
         xhr.send();          // send HTTP request

  20–21. Web Sockets (built up over two slides)
     ▪ Extension of HTTP
       ● Establish a full-duplex, stream-oriented client-server communication channel via the WebSocket handshake protocol
     ➔ Based on an HTTP request/response pair
     ▪ Additional behaviors:
     ➔ Partial control over the TCP socket life-cycle → no recv()
       ● No access to request headers

     Code shown on the slides (the handshake is started, then the socket is closed after 10 ms, again ending the connection with a RST):

         var target = "ws://target/";
         var ws = new WebSocket(target);   // WebSocket handshake
         setTimeout(function () {
           ws.close();                     // RST after 10 ms
         }, 10);

  22. API Evaluation

  23–25. Aggressiveness (built up over three slides)

     Requests per second by API and browser:

       API               Browser   AVG reqs/s   MAX reqs/s
       XMLHttpRequest    Chrome         1,005        1,886
                         Firefox        2,165        2,892
       WebSocket         Chrome            34           73
                         Firefox            0            0
       Server-Sent Evts  Chrome           210          941
                         Firefox          258        1,907
       Image             Chrome            84          109
                         Firefox          751        1,916

     Effect of Web Workers:

       Browser   Workers   AVG reqs/s
       Chrome          0        1,359
                       2          966
                       3          689
       Firefox         0        1,456
                       2        2,424
                       3        2,616

     ▪ Firefox shows a more aggressive behavior
     ▪ 18x faster than prior tests: ~170 XHR reqs/s [Kuppan]
     ➔ ~3,000 reqs/s is a severe threat
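A defender-side check for the behaviour described on slides 16–25, added here as an example and not part of the talk: the script scans constructed nginx-style access-log lines for clients whose per-second request rate no human-driven browser produces and whose connections are aborted before any response (the xhr.abort()/ws.close() pattern; nginx records a client-closed request as status 499, assumed here), then tallies the Origin/Referer of that traffic, which points at the page that recruited the browsers. The log format with a trailing Origin field, the IP addresses, the origin names and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Assumed log format: nginx "combined" plus a trailing quoted Origin field
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"')

def parse_line(line):
    """Fields of one access-log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_browser_floods(lines, peak_rps=100, abort_ratio=0.5):
    """Flag client IPs whose peak per-second request rate reaches peak_rps and whose
    requests are mostly aborted before any response (status 499 is nginx's code for a
    client-closed request, which xhr.abort()/ws.close() after 10 ms produces)."""
    per_second = defaultdict(Counter)  # ip -> {log timestamp (1 s resolution): requests}
    total, aborted = Counter(), Counter()
    origins = defaultdict(Counter)     # ip -> {Origin/Referer: requests}; names the recruiting page
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the scan
        ip = rec["ip"]
        per_second[ip][rec["ts"]] += 1
        total[ip] += 1
        if rec["status"] == "499":
            aborted[ip] += 1
        origins[ip][rec["origin"] if rec["origin"] != "-" else rec["referer"]] += 1
    flagged, recruiting = {}, Counter()
    for ip in total:
        peak = max(per_second[ip].values())
        ratio = aborted[ip] / total[ip]
        if peak >= peak_rps and ratio >= abort_ratio:
            flagged[ip] = {"peak_rps": peak, "aborted_ratio": round(ratio, 2)}
            recruiting.update(origins[ip])
    return flagged, recruiting

def build_sample_log():
    """Constructed sample: a recruited browser firing 300 aborted XHRs within one second
    (well below the ~1,000-3,000 reqs/s measured in the talk) and one normal visitor."""
    bot = ('203.0.113.10 - - [{ts}] "GET / HTTP/1.1" 499 0 "http://ads.example/banner.html" '
           '"Mozilla/5.0 (X11; Linux) Firefox/40.0" "http://ads.example"')
    user = ('198.51.100.7 - - [{ts}] "GET /index.html HTTP/1.1" 200 5123 "-" '
            '"Mozilla/5.0 (Windows NT 6.1) Chrome/44.0" "-"')
    lines = [bot.format(ts="14/Aug/2015:10:00:01 +0200") for _ in range(300)]
    lines += [user.format(ts="14/Aug/2015:10:00:0%d +0200" % i) for i in range(1, 4)]
    return lines
```

On real logs the Origin field must be added to the server's log format (nginx: `$http_origin`); without it the Referer is the only hint at the recruiting page, and the slides note that XHR cannot overwrite it.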

  26. Bot Recruitment and Cost Estimation

  27. Recruitment Technique
     ▪ Cost depends on the recruitment technique
     ▪ Techniques
       1. Ad networks
          ● Malicious JS as an advertisement
       2. Typosquatting
          ● Registration of domain misspellings
       3. Machine-generated visits
       4. Web application hijacking
          ● Using vulns to spread malicious JS, e.g., stored XSS
