
The Dark Side of the Web: An Open Proxy’s View

Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson

Princeton University


Nov 20, 2003 CoDeeN Security - HotNets II 2

Origins: Surviving Heavy Loads

Surviving flash crowds, DDoS attacks
  • Absorb via massive resources
Raise the bar for attacks
  • Tolerate smaller crowds
  • Survive larger attacks
Existing approach: Content Distribution Networks


Building an Academic CDN

Flash crowds are real
We have the technology
  • OSDI’02 paper on CDN performance
  • USITS’03 proxy API
PlanetLab provides the resources
  • Continuous service, decentralized control
  • Seeing real traffic, reliability, etc.
We use it ourselves
  • Open access = more traffic


How Does CoDeeN Work?

Server surrogates (proxies) on most North American sites
  • Originally everywhere, but we cut back
Clients specify proxy to use
Cache hits served locally
Cache misses forwarded to CoDeeN nodes
  • Maybe forwarded to origin servers


How Does CoDeeN Work?

[Figure: request/response flow among a client, CoDeeN proxies and the origin server, showing the cache hit and cache miss paths]

Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector


Steps For Inviting Trouble

Use a popular protocol
  • HTTP
Emulate a popular tool/interface
  • Web proxy servers
Allow open access
  • With HTTP’s lack of accountability
Be more attractive than competition
  • Uptime, bandwidth, anonymity


Hello, Trouble!

Spammers
Bandwidth hogs
High request rates
Content thieves
Worrisome anonymity

Commonality: using CoDeeN to do things they would not do directly


The Root of All Trouble

[Figure: (Malicious) Client → http/tcp → CoDeeN Proxy → http/tcp → origin]

No End-To-End Authentication


Spammers

SMTP (port 25) tunnels via CONNECT
  • Relay via open mail server
POST forms (formmail scripts)
  • Exploit website scripts
IRC channels (port 6667) via CONNECT
  • Captive audience, high port #


Attempted SMTP Tunnels/Day

[Chart: attempted SMTP tunnels per day]


Bandwidth Hogs

Webcam trackers
  • Mass downloads of paid cam sites
Cross-Pacific traffic
  • Simultaneous large file downloads
Steganographers
  • Large files, small images
  • All uniform sizes


High Request Rates

Password crackers
  • Attacking random Yahoo! accounts
Google crawlers
  • Dictionary crawls – baffles Googlians
Click counters
  • Defeat ad-supported “game”


Content Theft

Licensed content theft
  • Journals and databases are expensive
Intra-domain access
  • Protected pages within the hosting site


Worrisome Anonymity

Request spreaders
  • Use CoDeeN as a DDoS platform!
TCP over HTTP
  • Non-HTTP port 80
  • Access logging insufficient
Vulnerability testing
  • Low rate, triggers IDS


Goals, Real & Otherwise

Desired: allow only “safe” accesses
Ideally
  • An oracle tells you what’s safe
  • “Your” users are not impacted
Open proxies considered inherently bad
  • NLANR requires accounts, proxy-auth
  • JANET closed to outsiders
No research in “partially open” proxies


Privilege Separation

[Figure: Local Client, Local Proxy, Local Server, Remote Client, Remote Proxy; requests from the Local Client are labelled Privileged Request, requests from the Remote Client are labelled Unprivileged Request]


Rate Limiting

3 scales capture burstiness
  • Day
  • Hour
  • Minute
Exceptions
  • Login attempts
  • Vulnerability tests


Other Techniques

Limiting methods – GET, (HEAD)
  • Local users not restricted
Sanity checking on requests
  • Browsers, machines very different
Modifying request stream
  • Most promising future direction
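The privilege separation, three-scale rate limiting and method restriction of the last three slides, combined into one request-filtering policy as an added example; this is not CoDeeN's own code. The local-site prefix, the per-window limits, the allowed CONNECT port set and the caller-supplied login flag are constructed assumptions, and treating the slides' login-attempt exception as a tighter budget is an interpretation.

```python
from collections import deque
from ipaddress import ip_address, ip_network

# Constructed sample values, not CoDeeN's real configuration:
# "local" = client inside the hosting site's prefix; limits are illustrative.
LOCAL_NETS = [ip_network("10.0.0.0/8")]
WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}    # three scales
LIMITS = {"minute": 60, "hour": 1000, "day": 5000}      # per remote client
LOGIN_LIMITS = {"minute": 5, "hour": 30, "day": 100}    # tighter for logins
CONNECT_PORTS = {443}                                   # tunnels only to HTTPS


class ProxyPolicy:
    def __init__(self):
        self.history = {}   # (client, budget name) -> deque of timestamps

    def is_local(self, client):
        return any(ip_address(client) in net for net in LOCAL_NETS)

    def over_rate(self, key, limits, now):
        """Record one request; name the first window whose limit is exceeded."""
        q = self.history.setdefault(key, deque())
        q.append(now)
        while q and now - q[0] >= WINDOWS["day"]:   # forget anything past a day
            q.popleft()
        for name, secs in WINDOWS.items():
            if sum(1 for t in q if now - t < secs) > limits[name]:
                return name
        return None

    def decide(self, client, method, target, now, login=False):
        """Return 'allow' or a denial reason for one proxied request."""
        if self.is_local(client):
            return "allow"              # privileged path: local users unrestricted
        if method == "CONNECT":         # SMTP/IRC tunnels arrive this way
            port = target.rpartition(":")[2]
            if not port.isdigit() or int(port) not in CONNECT_PORTS:
                return "deny: CONNECT to %s" % target
        elif method not in ("GET", "HEAD"):
            return "deny: method %s" % method
        scale = self.over_rate((client, "all"), LIMITS, now)
        if scale:
            return "deny: rate limit (%s)" % scale
        if login:                       # login attempts get a smaller budget
            scale = self.over_rate((client, "login"), LOGIN_LIMITS, now)
            if scale:
                return "deny: login rate limit (%s)" % scale
        return "allow"
```

Requests denied by the method or CONNECT checks are not charged to the rate budget, so a client cannot be locked out purely by sending rejected methods.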


By The Numbers…

Running 24/7 since May, ~40 nodes
Over 400,000 unique IPs as clients
Over 150 million requests serviced
Valid rates up to 50K reqs/hour
Roughly 4 million reqs/day aggregate
About 4 real abuse incidents
Availability: high uptimes, fast upgrades


Daily Client Population of CoDeeN

[Chart: Daily Client Population Count, number of unique IP clients per day, 6/1 to 11/1, y-axis 0 to 10000]


Daily Traffic on CoDeeN

[Chart: Daily Request Volume, number of requests per day with rejected requests shown separately, 6/1 to 11/1, y-axis 0 to 4,500,000]


Monitors & Other Venues

Routinely trigger open proxy alerts
  • Educating sysadmins, others
Really good honeypots
  • 6000 SMTP flows/minute at CMU
  • Spammers do ~1M HTTP ops/day
Early problem detection
  • Failing PlanetLab nodes
  • Compromised university machines


Lessons & Directions

Few substitutes for reality
  • Non-dedicated hardware really interesting
  • Failure modes not present in NS-2
Stopgap measures pretty effective
  • Very slow arms race
  • Breathing time for better solutions
Next: more complex techniques
  • Machine learning, high-dim clustering


More Info

http://codeen.cs.princeton.edu

Thanks: Intel, HP, iMimic, PlanetLab Central