Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
Paper by: V.T. Lam, S. Antonatos, P. Akritidis, K.G. Anagnostakis
Conference: ACM Conference on Computer and Communications Security 2006
Presented by: Ramanarayanan Ramani
Scenario
Attacker:
1. Compromise
2. Embed malicious code in webpage
3. Clients access webpage and execute malicious code
Clients are the puppets: they can be controlled as long as they have the webpage open in the browser.
Puppetnet vs Botnet
• Not heavily dependent on the exploitation of specific implementation flaws
• The attacker does not have complete control over the actions of the participating nodes
• Participation in puppetnets is more dynamic
Overview
• Attack scenarios using puppetnets
• Analysis of attack scenarios
• Defense against puppetnets
• Paper review
• Suggestions
DDoS (Distributed Denial of Service)
Sample code:
<script language="javascript">
// Re-request an image from the victim site once per second
setTimeout(pingVictim, 1000);
function pingVictim() {
  var image1 = document.getElementById('img1');
  image1.src = "http://www.victim.com/badurl.jpg";
  setTimeout(pingVictim, 1000);
}
</script>
<body> <img id="img1" /> </body>
Worm Propagation
• Embed worm code in the webpage
• Perform scanning and try to propagate the worm code
• If outbound connections from the server are blocked, the worm can still propagate using the webpage
• A client behind a NAT/firewall can propagate the worm inside the secure network
Reconnaissance probes
• Problem: browsers refuse access to the contents of an inline frame unless the source of the frame is in the same domain as the parent page
• "Sandwich" the probe request between two requests to the malicious Web site
• Use onLoad and onError event handlers to sandwich the request
Protocols other than HTTP
• Limitation of puppetnets: bound to use HTTP, since they run as part of the browser
• Solution: tunnel SMTP/IRC/FTP etc., with the protocol messages wrapped in the HTTP message
Example (for SMTP):
GET /index.html HTTP/1.1
Host: www.example.com:25
HELO mydomain.com
…
Exploiting cookie-authenticated services
Constraints:
• The inline frame needs to be able to post cookies; this works on Firefox, but not IE
• Have knowledge about the structure and content of the form to be posted, as well as the target URL
• Able to instruct browsers to automatically post such forms (supported by all browsers)
Distributed malicious computations
• Can be done through JavaScript, ActiveX or Java applets
• ActiveX: produces an 'Accept' or 'Deny' box
• Applets: instantiate a JVM, but can be placed in hidden frames
• Script: slower, but can be hidden
Example: MD5 computation
• JavaScript: 380 checksums/sec
• Applet: 434K checksums/sec
• A 1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster
Analysis - DDoS
Two types of attacks:
• A simple attack aiming to maximize SYN packets (maxSYN)
• One aiming to maximize the ingress bandwidth consumed (maxURL)
* Estimate for a 1000-node puppetnet
Analysis – Worm Propagation (CodeRed Worm)
CodeRed attacks IIS server (Web Server)
• A vulnerable population of 360,000 and a server scanning rate of 358 scans/min
• Browsers performing 36 scans/min
Analysis - Reconnaissance probes
Defense
• Disabling JavaScript
• Careful implementation of existing defenses
• Filtering using attack signatures
• Client-side behavioral controls
• Server-side controls and puppetnet tracing
• Server-directed client-side controls
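The server-side tracing item above can be illustrated from the victim's access log: requests produced by code like the DDoS sample arrive from many clients for one URL and name the hosting page in the Referer header. This Python example is added here and is not from the paper or the slides; it assumes Apache combined log format and that browsers send Referer, and the host names, IP addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Apache "combined" log line: ip, timestamp, request line, status, size, referer, agent
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"'
)

def build_sample():
    """Constructed log: 3 clients hit /badurl.jpg 9 times via one foreign page."""
    fmt = ('{ip} - - [10/Oct/2006:13:55:{s:02d} +0000] "GET {path} HTTP/1.1" '
           '{st} 0 "{ref}" "Mozilla/5.0"')
    lines = [fmt.format(ip=f"192.0.2.{1 + s % 3}", s=s, path="/badurl.jpg", st=404,
                        ref="http://compromised.example/page.html")
             for s in range(9)]
    # Benign traffic: no Referer, same-site Referer, and a single search referral
    lines.append(fmt.format(ip="198.51.100.7", s=10, path="/index.html", st=200, ref="-"))
    lines.append(fmt.format(ip="198.51.100.8", s=11, path="/logo.png", st=200,
                            ref="http://www.victim.example/index.html"))
    lines.append(fmt.format(ip="198.51.100.9", s=12, path="/index.html", st=200,
                            ref="http://search.example/?q=victim"))
    return "\n".join(lines)

def trace_puppetnet(log_text, own_host="www.victim.example", min_clients=3, min_hits=6):
    """Return {(referer_host, path): (distinct_clients, hits)} for cross-site
    referrers that drive many requests for one URL from several clients."""
    hits = defaultdict(int)
    clients = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line
        ref_host = urlparse(m["referer"]).hostname
        if ref_host is None or ref_host == own_host:
            continue  # no Referer or same-site navigation: nothing to trace
        key = (ref_host, m["path"])
        hits[key] += 1
        clients[key].add(m["ip"])
    return {k: (len(clients[k]), n) for k, n in hits.items()
            if len(clients[k]) >= min_clients and n >= min_hits}

if __name__ == "__main__":
    for (host, path), (n_clients, n_hits) in trace_puppetnet(build_sample()).items():
        print(f"{host} drives {n_hits} requests for {path} from {n_clients} clients")
```

The referrer host it reports is the page to investigate or report; the thresholds need tuning against normal hot-linking traffic for the site.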
Advantages
• Simple and very effective to attack
• Light-weight compared to botnet
• Uses HTTP, which makes detection difficult
Disadvantages
• No complete control over client
• Tough to compromise web servers (not explained how to do it in the paper)
• View Source command on HTML page will reveal puppetnet code
Suggestions
• Look into hiding code using encoding, or embed code into objects like Flash
• Use puppetnet to create botnet in the client machine
• Provide ideas to compromise the web server
Questions?