Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia (slide deck)

SLIDE 1

Philipp C. Heckel, University of Mannheim, 5/26/09 1

Blacklisting Malicious Web Sites using a Secure Version of the DHT Protocol Kademlia


SLIDE 2

Road Map

  • 1. General Idea
  • 2. Application Design
  • 3. Implementation
  • 4. Testing

SLIDE 3

Motivation

[Chart: Total Dollar Loss linked to Internet Fraud in the USA in 2004-2008; x-axis years 2004 to 2008, y-axis loss in million US dollars (50 to 300). Source: Internet Crime Complaint Center (IC3) 2008 Annual Report, www.ic3.gov/media/2009/090331.aspx]

  • Rising Internet crime rates
  • Less phishing, less virus-infected attachments
  • More malicious Web sites → more drive-by downloads

SLIDE 4

Initial Situation / Problem Description

[Diagram: the browser sends "GET / HTTP/1.1" with "Host: www.infected.com" directly to www.infected.com, a malware-infected site.]


SLIDE 5

Solution

[Diagram: the browser (with the according plug-in) asks the URL Blacklisting Service "Is www.infected.com infected?", receives "Yes!", and displays the warning message "Warning! www.infected.com is infected! Do you really want to open it?"]


SLIDE 6

Blacklisting Service

[Diagram: a honeynet, which collects information about malicious Web sites, adds blacklist entries to the URL Blacklisting Service; the browser (with the according plug-in) queries the service.]


SLIDE 7

Related Work

  • Microsoft SmartScreen (IE 8+)
  • Google Safe Browsing (FF 3+ / Safari 3.2+)


SLIDE 8

Client-Server vs. Peer-to-Peer

  • Problems in a client-server-based environment:
    • Limited scalability
    • Resource limitations (CPU time, RAM, bandwidth, ...)
    • Synchronization between servers
    • Data replication
    • Single point of failure/attack
  • Peer-to-Peer (P2P):
    • Scalability by design
    • Resource flexibility
    • No single point of failure/attack, no replication, no synchronization


SLIDE 9

Distributed Hash Tables

Distributed Hash Tables (DHT) ...

  • are structured P2P networks
  • define a logical position for each node and entry
  • store content at specific positions in the network, redundantly
  • are fault-tolerant and reliable

Example (Pseudo-Code):

  nodes := locateResponsibleNodes("infected.com");
  foreach nodes as node do
      node.store("infected.com", "infected");


SLIDE 10

DHT-based Blacklisting Service

[Diagram: the honeynet, which collects information about malicious Web sites, adds blacklist entries to the DHT-based Blacklisting Service; the browser plug-in queries the service.]


SLIDE 11

DHT-based Blacklisting Service

[Diagram: the honeynet, which collects information about malicious Web sites, adds blacklist entries to an access-restricted DHT-based Blacklisting Service with encrypted communication, and the browser plug-in queries it; the service is an encrypted and access-restricted distributed hash table. Labels: Access Restriction, Encrypted Communication.]


SLIDE 12

Goals and Requirements

  • Use the honeynet-provided data to create a URL blacklisting service
    • Handle large amounts of users (concurrency)
    • Fast queries, low round-trip time (RTT)
    • Scalable, extendable, reliable
  • Create a secure and trustworthy DHT protocol, called Kademlia Secure (KadS)
    • Restricted access
    • Communication encryption

SLIDE 13

Underlying DHT Protocol: Kademlia

  • Fault-tolerant design, provable consistency, good performance
  • Assigns a 160-bit ID to
    • each node (nodeID)
    • each DHT entry (key)
  • Distance is based on the XOR metric
  • Provides four RPCs:
    • PING(nodeID)
    • STORE(key, value)
    • FIND_NODE(nodeID or key)
    • FIND_VALUE(key)

[Diagram: binary tree of node IDs 10101..., 10111..., 00111..., 10110..., 10100..., 11100...]

Example (XOR metric):

  id1 := 10111...
  id2 := 10001...
  d(id1, id2) = id1 ⨁ id2 = 00110...


SLIDE 14

Extending Kademlia: PKI-supported DHT

Kademlia Secure (KadS):

  • One root CA certificate per network
  • Each node must possess
    • a copy of the network's CA
    • a CA-signed public key certificate
    • a matching private key

→ Provable Node Identity


SLIDE 15

Extending Kademlia: PKI-supported DHT

Protocol Extensions:

  • KadS handshake (TCP)
    • Exchange public key certificates
    • Verify each other's identity
    • Exchange a random session key
  • Encrypted Messaging (UDP)
    • Exchange messages using the previously negotiated session key
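The node enrolment of slide 14 and the KadS handshake of slide 15 worked through in Go, as an added example that is neither slide content nor the KadS implementation: it issues the one root CA of a network and CA-signed node certificates, verifies a peer's certificate against that CA, and then transports a random session key from initiator to responder. Everything comes from the Go standard library. The slides do not say how the session key is exchanged, so the mechanism (RSA-OAEP encryption of the key to the responder, signed with RSA-PSS by the initiator), the 2048-bit keys, the 32-byte key length and the node names are this example's assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Node holds what slide 14 requires of every KadS node: a copy of the
// network's CA, a CA-signed public key certificate and the matching private key.
type Node struct {
	ID   string
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
	CA   *x509.CertPool
}

// NewNode enrols a node into the network run by (caCert, caKey). With
// caCert == nil it creates the network's single self-signed root CA instead.
func NewNode(id string, caCert *x509.Certificate, caKey *rsa.PrivateKey) (*Node, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048) // key size is this example's choice
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: id},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		BasicConstraintsValid: true,
	}
	parent := caCert
	if caCert == nil { // root CA: self-signed and allowed to sign node certificates
		tmpl.IsCA, tmpl.KeyUsage, parent, caKey = true, x509.KeyUsageCertSign, tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above, cannot fail
	if caCert == nil {
		caCert = cert
	}
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &Node{ID: id, Cert: cert, Key: key, CA: pool}, nil
}

// VerifyPeer checks that a presented certificate chains to the network's CA:
// the "provable node identity" of slide 14. A self-signed certificate or one
// issued by another CA is rejected here, before any DHT message is accepted.
func (n *Node) VerifyPeer(peer *x509.Certificate) error {
	_, err := peer.Verify(x509.VerifyOptions{Roots: n.CA, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Handshake models the KadS TCP handshake of slide 15 between initiator a and
// responder b: both present and verify certificates, then a draws a random
// session key, encrypts it to b's public key and signs it with its own key, so
// b learns the key and knows it came from the holder of a's certified key.
// RSA-OAEP/PSS is this example's choice; the slides do not fix a mechanism.
// It returns the key a chose and the key b recovered, which must be equal.
func Handshake(a, b *Node) (aKey, bKey []byte, err error) {
	if err = a.VerifyPeer(b.Cert); err != nil {
		return nil, nil, err
	}
	if err = b.VerifyPeer(a.Cert); err != nil {
		return nil, nil, err
	}
	aKey = make([]byte, 32)
	if _, err = rand.Read(aKey); err != nil {
		return nil, nil, err
	}
	enc, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, b.Cert.PublicKey.(*rsa.PublicKey), aKey, nil)
	if err != nil {
		return nil, nil, err
	}
	digest := sha256.Sum256(enc)
	sig, err := rsa.SignPSS(rand.Reader, a.Key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, nil, err
	}
	// b only accepts the key if the signature verifies under a's certificate.
	if err = rsa.VerifyPSS(a.Cert.PublicKey.(*rsa.PublicKey), crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, nil, err
	}
	bKey, err = rsa.DecryptOAEP(sha256.New(), rand.Reader, b.Key, enc, nil)
	return aKey, bKey, err
}
```

A node from outside the network, whether self-signed or certified by some other CA, fails VerifyPeer on the first step, so it never obtains a session key; the key returned here is what the encrypted UDP messaging of slide 15 would use.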


SLIDE 16

Using the KadS Network to create the Blacklisting Service

Blacklisting Service:

  • KadS node (as distributed data storage)
  • Client interfaces
    • for the honeyclients
    • for the browser plug-ins
  • Business rules to enforce a specific data structure

Blacklist Data Structure:

  • Domain
  • Expiry Date
  • Analysis Code
    • UNKNOWN
    • FAILED
    • CLEAN
    • PARTIALLY_INFECTED
    • INFECTED
  • Path List

Example:

  • Domain: infected.com
  • Expiry Date: 01/01/2010
  • Analysis Code: PARTIALLY_INFECTED
  • Path List: </bad.html, /worse.html>


SLIDE 17

Schematic Design of a Blacklist Node


SLIDE 18

Interface DistributedHashMap

  public interface DistributedHashMap {
      public void connect(InetSocketAddress address);
      public boolean contains(Identifier key);
      public Serializable get(Identifier key);
      public void put(Identifier key, Serializable value);
      public void remove(Identifier key);
      public void close();
  }

  public class KadS implements DistributedHashMap { ... }


SLIDE 19

Example: Using the KadS class

  Config config = new Config(new File("nodes/499/config.cfg"));
  KadS kads = new KadS(config);

  /* Connect to existing KadS network (KadS handshake, SK-Exchange) */
  kads.connect(new InetSocketAddress("node1.kads.dyndns.org", 6852));

  /* Add/Update a DHT entry */
  kads.put("cities", new String[] { "Mannheim", "Heidelberg" });

  /* Perform FIND_VALUE-Operation */
  List<Country> countries = (List<Country>) kads.get("countries");

  kads.close();

nodes/499/config.cfg:

  kads.ca = nodes/ca.cer
  kads.node.cer = nodes/499/node.cer
  kads.node.key = nodes/499/node.key
  kads.port = 6852
  kads.boot.sleep = 2000-10000
  kads.boot.nodelist = nodes/bootstrap.list
  kads.boot.tries = 5


SLIDE 20

Message Flow in a KadS Node

  while (..) {
      serverSocket.receive(packet);
      queue.put(packet);
  }

[Diagram: UDP message layout: Sender ID, Encrypted Payload]


SLIDE 21

Example: Using the TrustworthyClient class

  TrustworthyClient client = new TrustworthyClient("Honey1.cer", "Honey1.key", "BlacklistCA.cer");

  /* Connect to a blacklist node in the network (SSL-Handshake) */
  client.connect(new InetSocketAddress("node1.blacklist.dyndns.org", 7001));

  if (!client.getAccessRights().hasWriteAccess())
      throw new Exception("No write access!");

  /* Store a blacklist entry (via TCP/SSL socket) */
  client.store(new Entry("uni-mannheim.de", Entry.CLEAN));
  client.store(new Entry("uni-heidelberg.de", Entry.INFECTED));
  client.store(new Entry("spiegel.de", Entry.PARTIALLY_INFECTED,
      Arrays.asList(new String[] { "/bad.html", "/infected.html" })));

  /* After all entries are stored, the TCP/SSL socket can be closed */
  client.disconnect();


SLIDE 22

Example: Using the UntrustworthyClient class

  /* Called once when the browser starts */
  public void onBrowserStart() {
      blacklistClient = new UntrustworthyClient("BlacklistCA.cer");

      /* Connect to a blacklist node in the network */
      blacklistClient.connect(
          new InetSocketAddress("node1.blacklist.dyndns.org", 7001)
      );
  }

  /* Called every time code is loaded from a so far foreign page */
  public void onBeforeOpenWebsite(String domain, String path, ...) {
      Entry entry = blacklistClient.query(domain);

      if (entry.getAnalysisCode() == Entry.INFECTED)
          throw new MaliciousWebsiteException(...);

      ...
  }
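The blacklist data structure and business rules of slide 16 together with the plug-in check of slide 22, as an added Go example that is not the project's TrustworthyClient/UntrustworthyClient code: an Entry is validated before it is stored, the browser side queries by domain, and Decide turns the entry into a verdict. Expiry handling and per-path matching for PARTIALLY_INFECTED entries are this example's extension of the INFECTED-only check shown on slide 22; the in-memory Blacklist map, the Verdict type and the validation rules themselves are assumptions standing in for the DHT-backed node.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// AnalysisCode is the honeyclient's result for a domain (slide 16).
type AnalysisCode int

const (
	Unknown AnalysisCode = iota
	Failed
	Clean
	PartiallyInfected
	Infected
)

// Entry is the blacklist data structure of slide 16.
type Entry struct {
	Domain string
	Expiry time.Time
	Code   AnalysisCode
	Paths  []string // infected paths, used with PartiallyInfected only
}

// Validate is the business rule a blacklist node enforces on entries coming
// in through the honeyclient interface before they are stored (assumed rules).
func (e Entry) Validate() error {
	switch {
	case e.Domain == "" || strings.ContainsAny(e.Domain, "/:? "):
		return errors.New("domain must be a bare host name")
	case e.Code < Unknown || e.Code > Infected:
		return fmt.Errorf("unknown analysis code %d", e.Code)
	case e.Code == PartiallyInfected && len(e.Paths) == 0:
		return errors.New("PARTIALLY_INFECTED requires a path list")
	case e.Code != PartiallyInfected && len(e.Paths) != 0:
		return errors.New("path list is only allowed with PARTIALLY_INFECTED")
	case e.Expiry.IsZero():
		return errors.New("expiry date is required")
	}
	return nil
}

// Blacklist stands in for the KadS-backed store behind a node's client interfaces.
type Blacklist struct{ entries map[string]Entry }

func NewBlacklist() *Blacklist { return &Blacklist{entries: map[string]Entry{}} }

// Store is the honeyclient (write) interface: anything violating the rules is refused.
func (b *Blacklist) Store(e Entry) error {
	if err := e.Validate(); err != nil {
		return err
	}
	b.entries[strings.ToLower(e.Domain)] = e
	return nil
}

// Query is the browser plug-in (read) interface; an unknown domain yields an
// entry with code Unknown rather than an error, as the plug-in must not break.
func (b *Blacklist) Query(domain string) Entry {
	if e, ok := b.entries[strings.ToLower(domain)]; ok {
		return e
	}
	return Entry{Domain: domain, Code: Unknown}
}

// Verdict is what the plug-in does before loading code from a page.
type Verdict int

const (
	NoData Verdict = iota // no usable entry: the plug-in cannot decide
	Allow
	Warn // display the warning of slide 5
)

// Decide implements the check of slide 22 and, as this example's extension,
// also honours expired entries and the path list of PARTIALLY_INFECTED entries.
func Decide(e Entry, path string, now time.Time) Verdict {
	if e.Code == Unknown || e.Code == Failed || !now.Before(e.Expiry) {
		return NoData
	}
	switch e.Code {
	case Infected:
		return Warn
	case PartiallyInfected:
		for _, p := range e.Paths {
			if p == path {
				return Warn
			}
		}
	}
	return Allow
}
```

Keeping NoData distinct from Allow matters for the plug-in: an expired or missing entry says nothing about the site, and treating it as a clean verdict would hide the gap in the blacklist.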


SLIDE 23

Average RTT of KadS' put-Operation

[Chart: Avg. put-Speed relative to the Network Size, in a LAN of 10, 45 and 225 nodes; one bar per network size (10-node, 45-node, 225-node network), y-axis ms per put-operation (5 to 40).]

  • How fast is the KadS network?
  • Does the speed depend on the network size?

SLIDE 24

Static Load Test of a Single Blacklist Node

[Chart: Static Load Test on a Blacklist Node, in a LAN of 45 nodes; x-axis number of concurrently attacking clients (1 to 21), left y-axis successful requests per second (10 to 80), right y-axis error rate (0% to 120%).]

[Chart: Average RTT during the Load Test, in a LAN of 45 nodes; x-axis number of concurrently attacking clients (1 to 21), y-axis ms per successful request (50 to 350).]

  • How many requests can a single node handle?

SLIDE 25

Conclusion

  • Trustworthy, secure DHT Protocol KadS
    • Prototypical implementation
    • Satisfactory results
    • No logarithmic scalability
    • Enables possibility of further research
  • KadS-based Blacklisting Service
    • Not yet tested with real data

SLIDE 26

EOF


SLIDE 27

Query-Process of a Browser Client


SLIDE 28

Kademlia's FIND_NODE-Operation

[Diagram: the node 0011... tries to locate the identifier 1100...]


SLIDE 29

Example: Behind the put-Operation

  /* Find K closest nodes */
  List<VerifiedNode> closestNodes = new FindNodeOperation(key, ..).execute();

  /* Send STORE requests to each of them */
  for (VerifiedNode recipientNode : closestNodes) {
      StoreRequest storeRequest = new StoreRequest(key, value);
      ...
      messenger.addResponseListener(storeRequest.getId(), recipientNode, this);
      messenger.send(recipientNode, storeRequest);
  }