Presenter: Chen Chih-Ming

Nov 2, 2013

ACM Conference on Computer and Communications Security 2006

Puppetnet: Misusing web browsers as a distributed attack infrastructure

Network Seminar


Outline


Introduction


Term


Design and Analysis


Defenses


Related work


Concluding remarks


Term


Puppetnet code


Infected Server


Puppet client


Victim


Introduction


To coerce web browsers to participate in malicious activities


Not heavily dependent on the exploitation of specific flaws


No complete control over participating nodes


Dynamic, short-lived target


Indirect attack



Design and Analysis


DDoS


Worm propagation


Reconnaissance probes


Protocol other than HTTP


Exploiting cookie-authenticated


Distributed malicious computations


DDoS


Hidden frame


JavaScript loop


Embed object


Cache


Add GET


Connection limit of browser


Use different host names



Worm propagation


Code Red


Attack IIS server


Infecting process


Server


Viewer


Victim


Reconnaissance probes


Timing attack


Protocol other than HTTP


SMTP


IRC


Triggering botnet

Exploiting cookie-authenticated


Web mail


Send victim’s mail to attacker

Distributed malicious computations


JavaScript or Applet


Crack password


Defenses


Disabling JavaScript


Careful implementation of existing defenses


Filtering using attack signatures


Client-side behavioral controls


Server-side controls and puppetnet tracing


Server-directed client-side controls


Disabling JavaScript


Most sites employ JavaScript


Enable only for trusted sites


Reduces by one order of magnitude, but does not eliminate


Not attractive


Careful implementation of existing defenses


Connection rate limiter


Reduces by one order of magnitude, but does not eliminate


Still insufficient

Filtering using attack signatures


OK for spam


Hard to make for DDoS


Not like string matching


Need additional HTML parser


Obfuscation of HTML


Too complex

Client-side behavioral controls


DDoS


Impose controls on foreign requests from a web page


Affects web viewing, not good enough


Worm


Limit the number of objects from different sites


Can be evaded using DNS

Server-side controls and puppetnet tracing


Block referrer, but still wastes bandwidth


Find the referrer to take down the attack


Not effective
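
Added example (not from the slides or the paper): one way to do the referrer tracing above, run over constructed access-log lines in Combined Log Format. The host names, IP addresses and the `min_clients` threshold are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ '
                    r'"(?P<ref>[^"]*)" "[^"]*"$')

def trace_referrers(lines, own_host, min_clients=3):
    """Return (suspects, untraceable) for requests driven by foreign pages.

    suspects: (referrer_host, requests, distinct_clients), busiest first.
    untraceable: requests with no usable Referer, which cannot be attributed.
    """
    hits, clients, untraceable = defaultdict(int), defaultdict(set), 0
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line
        host = (urlsplit(m["ref"]).hostname or "").lower()
        if not host:
            untraceable += 1  # "-" or empty Referer
        elif host != own_host:
            hits[host] += 1
            clients[host].add(m["ip"])
    # Many distinct clients sent by one foreign page is the pattern to trace.
    suspects = [(h, hits[h], len(clients[h])) for h in hits
                if len(clients[h]) >= min_clients]
    return sorted(suspects, key=lambda s: (-s[1], s[0])), untraceable

def make_line(ip, path, referer):
    """Build one constructed log line (sample data, not real traffic)."""
    return (f'{ip} - - [02/Nov/2013:10:00:00 +0000] "GET {path} HTTP/1.1" '
            f'200 512 "{referer}" "Mozilla/5.0"')

# Constructed sample: shop.example is the victim site (hypothetical names).
SAMPLE_LOG = [
    make_line("192.0.2.10", "/img/a.png", "http://forum.example/thread/7"),
    make_line("192.0.2.11", "/img/a.png", "http://forum.example/thread/7"),
    make_line("198.51.100.5", "/img/a.png", "http://forum.example/thread/9"),
    make_line("198.51.100.5", "/img/a.png", "http://forum.example/thread/9"),
    make_line("203.0.113.8", "/index.html", "http://search.example/?q=shop"),
    make_line("203.0.113.9", "/cart", "http://shop.example/index.html"),
    make_line("203.0.113.20", "/img/a.png", "-"),
]

if __name__ == "__main__":
    print(trace_referrers(SAMPLE_LOG, "shop.example"))
```
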

Server-directed client-side controls


Embed access control token in header


Restrict requests per session


Need public key to verify


Modify server & client


Related work


Web security


XSS


X-flash attack, like puppetnets

Concluding remarks


New class of web-based attack


None of the strategies were completely satisfying


Only partial solution


End


Bye~