
Page 1: The Dark Side of the Web: An Open Proxy's View

Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson
Princeton University

Page 2: Origins: Surviving Heavy Loads

Nov 20, 2003 CoDeeN Security - HotNets II 2

- Surviving flash crowds, DDoS attacks
  - Absorb via massive resources
- Raise the bar for attacks
  - Tolerate smaller crowds
  - Survive larger attacks
- Existing approach: Content Distribution Networks

Page 3: Building an Academic CDN

- Flash crowds are real
- We have the technology
  - OSDI'02 paper on CDN performance
  - USITS'03 proxy API
- PlanetLab provides the resources
  - Continuous service, decentralized control
  - Seeing real traffic, reliability, etc.
- We use it ourselves
  - Open access = more traffic

Page 4: How Does CoDeeN Work?

- Server surrogates (proxies) on most North American sites
  - Originally everywhere, but we cut back
- Clients specify proxy to use
- Cache hits served locally
- Cache misses forwarded to CoDeeN nodes
  - Maybe forwarded to origin servers

Page 5: How Does CoDeeN Work?

[Diagram: client, CoDeeN proxies and origin server, with request/response arrows showing a cache hit served locally, a cache miss forwarded to another CoDeeN proxy, and a miss forwarded on to the origin.]

- Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector

Page 6: Steps For Inviting Trouble

- Use a popular protocol
  - HTTP
- Emulate a popular tool/interface
  - Web proxy servers
- Allow open access
  - With HTTP's lack of accountability
- Be more attractive than competition
  - Uptime, bandwidth, anonymity

Page 7: Hello, Trouble!

- Spammers
- Bandwidth hogs
- High request rates
- Content thieves
- Worrisome anonymity
- Commonality: using CoDeeN to do things they would not do directly

Page 8: The Root of All Trouble

[Diagram: (Malicious) Client → CoDeeN Proxy → origin, each hop carried over http/tcp.]

- No end-to-end authentication

Page 9: Spammers

- SMTP (port 25) tunnels via CONNECT
  - Relay via open mail server
- POST forms (formmail scripts)
  - Exploit website scripts
- IRC channels (port 6667) via CONNECT
  - Captive audience, high port #

Page 10: Attempted SMTP Tunnels/Day

[Chart: attempted SMTP tunnels per day; the data series is not recoverable from the transcript.]

Page 11: Bandwidth Hogs

- Webcam trackers
  - Mass downloads of paid cam sites
- Cross-Pacific traffic
  - Simultaneous large file downloads
- Steganographers
  - Large files, small images
  - All uniform sizes

Page 12: High Request Rates

- Password crackers
  - Attacking random Yahoo! accounts
- Google crawlers
  - Dictionary crawls – baffles Googlians
- Click counters
  - Defeat ad-supported "game"

Page 13: Content Theft

- Licensed content theft
  - Journals and databases are expensive
- Intra-domain access
  - Protected pages within the hosting site

Page 14: Worrisome Anonymity

- Request spreaders
  - Use CoDeeN as a DDoS platform!
- TCP over HTTP
  - Non-HTTP traffic on port 80
  - Access logging insufficient
- Vulnerability testing
  - Low rate, triggers IDS

Page 15: Goals, Real & Otherwise

- Desired: allow only "safe" accesses
- Ideally
  - An oracle tells you what's safe
  - "Your" users are not impacted
- Open proxies considered inherently bad
  - NLANR requires accounts, proxy-auth
  - JANET closed to outsiders
- No research in "partially open" proxies

Page 16: Privilege Separation

[Diagram: Local Client → Local Proxy (Privileged Request) → Local Server; Remote Client → Remote Proxy → Local Proxy (Unprivileged Request).]

Page 17: Rate Limiting

- 3 scales capture burstiness
  - Minute, hour, day
- Exceptions
  - Login attempts
  - Vulnerability tests

[Figure: nested rate-limit windows labelled Day, Hour, Minute.]

Page 18: Other Techniques

- Limiting methods – GET, (HEAD)
  - Local users not restricted
- Sanity checking on requests
  - Browsers, machines very different
- Modifying request stream
  - Most promising future direction
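The CONNECT-tunnel abuse on slide 9 and the defences on slides 16 to 18 (privilege separation, minute/hour/day rate limiting, GET/HEAD-only for remote clients) combine into one admission policy; the block below is an added example, not CoDeeN's own code. The local prefix 10.0.0.0/8, the domain suffix .example.edu, the denied ports {25, 6667}, the per-window caps and the names RateLimiter and check_request are all assumptions chosen for illustration.

```python
# Added example, not CoDeeN's code: admission policy for an open forward proxy modelled on the
# slides' defences; the prefix, domain, ports and caps below are constructed assumptions.
from collections import deque
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

LOCAL_NET = ip_network("10.0.0.0/8")     # assumed: the hosting site's address block
LOCAL_DOMAIN = ".example.edu"            # assumed: servers with intra-domain-only pages
TUNNEL_DENY_PORTS = {25, 6667}           # SMTP relaying and IRC via CONNECT (slide 9)
# (window seconds, max requests) at three scales, so bursts and sustained floods both trip
LIMITS = {"minute": (60, 60), "hour": (3600, 1000), "day": (86400, 10000)}

class RateLimiter:
    def __init__(self):
        self.hist = {}  # client ip -> deque of request timestamps within the last day

    def allow(self, client, now):
        q = self.hist.setdefault(client, deque())
        while q and now - q[0] >= LIMITS["day"][0]:
            q.popleft()                  # drop history older than the widest window
        for window, cap in LIMITS.values():
            if sum(1 for t in q if now - t < window) >= cap:
                return False
        q.append(now)
        return True

def is_privileged(client_ip):
    return ip_address(client_ip) in LOCAL_NET   # local client => privileged (slide 16)

def target_is_local(host):
    try:
        return ip_address(host) in LOCAL_NET
    except ValueError:
        return host.endswith(LOCAL_DOMAIN)

def check_request(client_ip, method, target, limiter, now):
    # returns (allowed, reason); target is host:port for CONNECT, a URL otherwise
    privileged = is_privileged(client_ip)
    if method == "CONNECT":
        host, port = target.rsplit(":", 1)
        if int(port) in TUNNEL_DENY_PORTS:       # block mail/IRC tunnels for everyone
            return False, "tunnel to mail/irc port"
    else:
        host = urlsplit(target).hostname or ""
        if method not in ("GET", "HEAD") and not privileged:   # slide 18
            return False, "remote clients limited to GET/HEAD"
    if not privileged and target_is_local(host):               # slides 13 and 16
        return False, "unprivileged request to protected local server"
    if not privileged and not limiter.allow(client_ip, now):   # slide 17
        return False, "rate limit exceeded"
    return True, "ok"
```

The slide 17 exceptions (stricter caps for login attempts and vulnerability tests) would be a second LIMITS table keyed on request pattern; the sliding windows above already make the minute cap trip on a burst while the day cap catches a slow, sustained crawl.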

Page 19: By The Numbers…

- Running 24/7 since May, ~40 nodes
- Over 400,000 unique IPs as clients
- Over 150 million requests serviced
- Valid rates up to 50K reqs/hour
- Roughly 4 million reqs/day aggregate
- About 4 real abuse incidents
- Availability: high uptimes, fast upgrades

Page 20: Daily Client Population of CoDeeN

[Chart: Daily Client Population Count; y-axis "Num of Unique IP clients" from 0 to 10000, x-axis dates 6/1 through 11/1.]

Page 21: Daily Traffic on CoDeeN

[Chart: Daily Request Volume; y-axis "num of requests" from 0 to 4,500,000, x-axis dates 6/1 through 11/1, with rejected requests plotted as a separate series.]

Page 22: Monitors & Other Venues

- Routinely trigger open proxy alerts
  - Educating sysadmins, others
- Really good honeypots
  - 6000 SMTP flows/minute at CMU
  - Spammers do ~1M HTTP ops/day
- Early problem detection
  - Failing PlanetLab nodes
  - Compromised university machines

Page 23: Lessons & Directions

- Few substitutes for reality
  - Non-dedicated hardware really interesting
  - Failure modes not present in NS-2
- Stopgap measures pretty effective
  - Very slow arms race
  - Breathing time for better solutions
- Next: more complex techniques
  - Machine learning, high-dim clustering

Page 24: More Info

- http://codeen.cs.princeton.edu
- Thanks: Intel, HP, iMimic, PlanetLab Central