Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics
G. Pellegrino (1), C. Rossow (1), F. J. Ryba (2), T. C. Schmidt (3), M. Wählisch (2)
(1) CISPA / MMCI, Saarland University
(2) Freie Universität Berlin
(3) HAW Hamburg
Classical DDoS Botnets
[Figure: botmaster → C&C server → infected hosts → HTTP flood ("GET / HTTP/1.1", "Host: target", ...) against the target]
DDoS is a severe threat to the Internet
In classical DDoS botnets:
● Infection-based recruitment (drive-by download, browser vulns, ...)
● Architecture-dependent malware
August 14, 2015
Browser-based DDoS Botnet
[Figure: botmaster → the Web → browsers → HTTP flood ("GET / HTTP/1.1", "Host: target", ...) against the target]
Browser-based botnet: a new type of botnet
● Infectionless bot recruitment
● Architecture-independent malware (e.g., OSX, Windows, Linux, Android)
The Great Cannon
[Figure: botmaster → the Web → browsers → target]
In March 2015, the first browser-based DDoS attacks were observed [CitizenLab]
Recruitment: a powerful attacker injects JS into HTTP conversations
➔ We envision that less powerful attackers can also launch similar attacks
Threat Model
[Figure: botmaster → the Web → browsers → target]
No control of the network, e.g., no ISP
Infiltrate JS over the Web, e.g., as advertisement [Grossman]
Economic incentives
Toward a Great Cannon for Cyber-Criminals?
[Figure: botmaster → the Web → browsers → HTTP flood ("GET / HTTP/1.1", "Host: target", ...) against the target]
GC showed that browsers can be used as bots
● However, anecdotal knowledge only [Kuppan, Grossman]
➔ To date, no systematic understanding of browser features to support DDoSes
Toward a Great Cannon for Cyber-Criminals?
Promising for less powerful attackers, i.e., criminals with economic incentives
● However, little is known about recruitment techniques and costs
➔ Hard to assess whether criminals will jump on the bandwagon of GC-like attacks
Contents
● Review browser features
● Browser features in DoS attacks
● Cost estimation and comparison
Browser Features
Classical DDoS bots: Yoddos/DirtJumper
[Figure: Yoddos attack commands (source: [Welzel])]
Supports different DDoS attacks
● TCP, UDP, and HTTP based flooding
And attack variants:
● HTTP reqs. with no recv()
● Via TCP FIN or RST
● HTTP custom Host and Referer
● Bypass filters
Web Browsers as DDoS bots
Offer communication APIs
● e.g., XMLHttpRequest, WebSocket, and Server-Sent Events
Other DoS-enabling JS APIs
● Image and WebWorker APIs
However, less flexible
● No direct access to TCP/UDP
  ● restricted to extensions...
● No IP spoofing
Reviewed 4 APIs ...
XMLHttpRequest API
Send HTTP requests to arbitrary targets:

    var target = "http://target/";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", target);
    setTimeout(function() {
      xhr.abort();          // RST after 10 ms
    }, 10);
    xhr.send();             // send HTTP request

Restrictions:
➔ SOP and CORS, but HTTP requests are sent anyway
Additional behaviors:
➔ Partial control over the TCP socket life-cycle → no recv()
● Set/modify request headers
  ● Except for Host and Referer (and others)
Web Sockets
Extension of HTTP
● Establish a full-duplex, stream-oriented client-server communication channel via the WebSocket Handshake protocol
➔ Based on an HTTP request/response pair

    var target = "ws://target/";
    var ws = new WebSocket(target);   // WebSocket handshake
    setTimeout(function () {
      ws.close();                     // RST after 10 ms
    }, 10);

Additional behaviors:
➔ Partial control over the TCP socket life-cycle → no recv()
● No access to request headers
API Evaluation
Aggressiveness

API               Browser   AVG Reqs/s   MAX Reqs/s
XMLHttpReq.       Chrome         1,005        1,886
                  Firefox        2,165        2,892
WebSocket         Chrome            34           73
                  Firefox            0            0
Server-Sent Evts  Chrome           210          941
                  Firefox          258        1,907
Image             Chrome            84          109
                  Firefox          751        1,916

Browser   Workers   AVG Reqs/s
Chrome          0        1,359
                2          966
                3          689
Firefox         0        1,456
                2        2,424
                3        2,616

Firefox shows a more aggressive behavior
18x faster than prior tests: ~170 XHR reqs/s [Kuppan]
➔ ~3,000 reqs/s is a severe threat
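The send-then-abort pattern of the XHR and WebSocket slides (the connection is torn down ~10 ms after send(), so the bot never receives a response) and the per-browser rates measured above give a server operator a concrete signature to look for: one client producing hundreds to thousands of requests per second, almost all of them closed by the client within a few milliseconds. The detector below is an added example, not code from the paper or its authors; it assumes nginx-style access logs with request_time as the last field (nginx logs status 499 when the client closed the request before a response was sent) and runs over constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed nginx-style access-log lines (not real traffic). Status 499 is
# nginx's "client closed request": the client tore the connection down before a
# response was sent, which is what xhr.abort()/ws.close() after 10 ms produce.
BOT_LINE = ('203.0.113.7 - - [14/Aug/2015:10:00:00 +0000] "GET / HTTP/1.1" 499 0 '
            '"http://ad-page.example/" "Mozilla/5.0 Firefox/40.0" 0.010')
USER_LINE = ('198.51.100.9 - - [14/Aug/2015:10:00:00 +0000] "GET /index.html HTTP/1.1" '
             '200 5120 "-" "Mozilla/5.0 Chrome/44.0" 0.120')

def sample_log():
    """One second of constructed log: 1,200 aborted bot requests, 3 normal ones."""
    return [BOT_LINE] * 1200 + [USER_LINE] * 3

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'(?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["rt"] = float(rec["rt"])      # request_time in seconds
    return rec

def flag_flooders(lines, window_s=1.0, min_rate=500, min_abort_ratio=0.8):
    """Return {ip: (reqs/s, aborted fraction)} for clients whose traffic in the
    window is far above normal use AND is almost entirely client-aborted."""
    stats = defaultdict(lambda: {"n": 0, "aborted": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s["n"] += 1
        if rec["status"] == 499 and rec["rt"] < 0.05:
            s["aborted"] += 1
    flagged = {}
    for ip, s in stats.items():
        rate = s["n"] / window_s
        ratio = s["aborted"] / s["n"]
        if rate >= min_rate and ratio >= min_abort_ratio:
            flagged[ip] = (rate, ratio)
    return flagged
```

The min_rate default sits well below the ~1,000 to ~3,000 reqs/s a single XHR-driven browser reaches in the table, so one bot is caught from a single one-second window; lines that are fed to the function should be a one-second slice of the log (or window_s adjusted accordingly).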
Bot Recruitment and Cost Estimation
Recruitment Technique
Cost depends on the recruitment technique
Techniques:
1. Ad networks
   ● Malicious JS as advertisement
2. Typosquatting
   ● Registration of domain misspellings
3. Machine-generated visits
4. Web application hijacking
   ● Using vulns to spread malicious JS, e.g., stored XSS