Puppetnets:%20Misusing%20Web%20Browsers%20as%20a%20Distributed%20Attack%20Infrastructure - PowerPoint PPT Presentation

About This Presentation

Title:

Puppetnets:%20Misusing%20Web%20Browsers%20as%20a%20Distributed%20Attack%20Infrastructure

Description:

Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis ... Clients are the Puppets they can be controlled till they have the webpage open ... – PowerPoint PPT presentation

Number of Views:65

Avg rating:3.0/5.0

Slides: 28

Provided by: Ent65

Learn more at: http://www.cs.ucf.edu

Category:

more less

Transcript and Presenter's Notes

Title: Puppetnets:%20Misusing%20Web%20Browsers%20as%20a%20Distributed%20Attack%20Infrastructure

1
Puppetnets Misusing Web Browsers as a
DistributedAttack Infrastructure

Paper By V.T.Lam, S.Antonatos, P.Akritidis,
K.G.Anagnostakis
Conference ACM Conference on Computer and
Communications Security 2006
Presented By Ramanarayanan Ramani

2
Scenario
3.Clients Access Webpage and execute malicious
code
2.Embed Malicious Code in Webpage
Clients are the Puppets they can be controlled
till they have the webpage open in the browser.
3
Puppetnet vs Botnet

Not heavily dependent on the exploitation of
specific implementation flaws
The attacker does not have complete control over
the actions of the participating nodes
Participation in puppetnets is more dynamic

4
Overview

Attack Scenarios using Puppetnet
Analysis of attack scenarios
Defense against Puppetnets
Paper Review
Suggestions

5
DDoS (Distributed Denial of Service)
6
DDoS

Sample Code
ltscript languagejavascriptgt
setTimeout(pingVictim,1000)
Function pingVictim()
var image1 getElementById(img1)
image1.src www.victim.com/badurl.jpg
setTimeout(pingVictim,1000)
lt/scriptgt
ltbodygt ltimg idimg1 /gt lt/bodygt

7
Worm Propagation
8
Worm Propagation

Embed Worm Code in the Webpage
Perform scanning and try to propagate the worm
code
If outbound from server blocked it can
propagate using webpage
Client behind NAT/Firewall can propagate in the
secure network

9
Reconnaissance probes
10
Reconnaissance probes

Problem Browsers refuse access to the contents
of an inline frame, unless the source of the
frame is in the same domain with the parent page
Sandwich the probe request between two requests
to the malicious Web site
Use onLoad,onError event handlers to sandwich
request

11
Protocols other than HTTP

Limitation of Puppetnets Bound to use HTTP as
part of browser
Solution
Tunnel SMTP/IRC/FTP..
Protocol messages wrapped around the HTTP message
GET /index.html HTTP/1.1 Host
www.example.com25
HELO mydomain.com
(For SMTP)

12
Exploiting cookie authenticatedservices

Constraints
The inline frame needs to be able to post
cookies this works on Firefox, but not IE
Have knowledge about the structure and content of
the form to be posted, as well as the target URL
Able to instruct browsers to automatically post
such forms (Supported by all browsers)

13
Distributed malicious computations

Can be done through Javascript, Active-X or Java
applets
ActiveX Produces Accept or Deny box
Applets Instantiate JVM but can be placed
in hidden frames
Script Slower but can be hidden
Example MD5 computation
Javascript 380 checksums/sec
Applet 434K checksums/sec
1,000-node puppetnet can crack an MD5 hash as
fast as a 128-node cluster

14
Analysis - DDoS
15
Analysis - DDoS
16
Analysis - DDoS

Two types of attacks
A simple attack aiming to maximize SYN packets
(maxSYN)
One aiming to maximize the ingress bandwidth
consumed (maxURL)

17
Analysis - DDoS
Estimate for a 1000-node puppetnet
18
Analysis Worm PropagationCodeRed Worm

CodeRed attacks IIS server (Web Server)
A vulnerable population of 360,000 and a server
scanning rate of 358 scans/min
Browsers performing 36 scans/min

19
Analysis Worm PropagationCodeRed Worm
20
Analysis Worm PropagationCodeRed Worm
21
Analysis - Reconnaissance probes
22
Analysis - Reconnaissance probes
23
Defense