cashing out the great cannon on browser based ddos
play

Cashing out the Great Cannon? On Browser-based DDoS Attacks and - PowerPoint PPT Presentation

May 02, 2023 •159 likes •520 views

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Whlisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universitt Berlin (3) HAW Hamburg

  1. Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics G. Pellegrino (1) , C. Rossow (1) , F. J. Ryba (2) , T. C. Schmidt (3) , M. Wählisch (2) (1) CISPA / MMCI, Saarland University (2) Freie Universität Berlin (3) HAW Hamburg

  2. Classical DDoS Botnets Target Botmaster Infected hosts GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] C&C server HTTP flood HTTP flood  DDoS is a severe threat to the Internet  In classical DDoS botnets: ● Infection-based recruitment (Drive-by download, Browser vulns, ...) ● Architecture-dependent malware August 14, 2015 2

  3. Browser-based DDoS Botnet Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Browser-based botnet a new type of botnet ● Infectionless bots recruitment ● Architecture-independent malware (e.g., OSX, Windows, Linux, Android) August 14, 2015 3

  4. The Great Cannon Target Botmaster Browsers The Web  In March 2015 first browser-based DDoS attacks [CitizenLab]  Recruitment: Powerful attacker injects JS into HTTP conversations ➔ We envision also less powerful attacker can launch similar attacks August 14, 2015 4

  5. Threat Model Target Botmaster Browsers The Web  No control of the network, e.g., no ISP  Infiltrate JS over the Web, e.g., as advertisement [Grossman]  Economic incentives August 14, 2015 5

  6. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  GC showed that browsers can be used as bots August 14, 2015 6

  7. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  GC showed that browsers can be used as bots ● However, anecdotal knowledge only [Kuppan, Grossman] August 14, 2015 7

  8. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  GC showed that browsers can be used as bots ● However, anecdotal knowledge only [Kuppan, Grossman] ➔ To date, no systematic understanding of browser features to support DDoSes August 14, 2015 8

  9. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Promising for less powerful attackers, i.e., criminals with economic incentives August 14, 2015 9

  10. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Promising for less powerful attackers, i.e., criminals with economic incentives ● However, little is known about recruitment techniques and costs August 14, 2015 10

  11. Toward a Great Cannon for Cyber-Criminals? Target Botmaster Browsers GET / HTTP/1.1\r\n GET / HTTP/1.1\r\n Host: target\r\n Host: target\r\n […] […] The Web  Promising for less powerful attackers, i.e., criminals with economic incentives ● However, little is known about recruitment techniques and costs ➔ Hard to assess if criminals will jump on the wagon of GC-like attacks August 14, 2015 11

  12. Contents  Review browser features  Browser features in DoS attacks  Cost estimation and comparison August 14, 2015 12

  13. Browser Features August 14, 2015 13

  14. Classical DDoS bots: Yoddos/DirtJumper Yoddos Attack Commands (Source [Welzel])  Supports different DDoS attacks ● TCP, UDP, and HTTP based flooding  And attack variants: ● HTTP reqs. with no recv() ● Via TCP FIN or RST ● HTTP custom Host and Referer ● Bypass filters August 14, 2015 14

  15. Web Browsers as DDoS bots Yoddos Attack Commands (Source [Welzel])  Offer communication APIs ● e.g., XMLHttpRequest, WebSocket, and Server-Sent Events  Other DoS-enabling JS APIs ● Image and WebWorker APIs  However, less flexible ● No direct access to TCP/UDP ● restricted to extensions... ● No IP spoofing  Reviewed 4 APIs ... August 14, 2015 15

  16. XMLHttpRequest API (1/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent xhr.send(); xhr.send(); Send HTTP Send HTTP anyway request request Yoddos Attack Commands (Source [Welzel]) August 14, 2015 16

  17. XMLHttpRequest API (2/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent xhr.send(); xhr.send(); Send HTTP Send HTTP anyway request request Yoddos Attack Commands (Source [Welzel]) August 14, 2015 17

  18. XMLHttpRequest API (3/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent RST RST setTimeout(function() { anyway setTimeout(function() { after 10 ms after 10 ms xhr.abort(); xhr.abort();  Additional behaviors: }, 10); }, 10); ➔ Partial control over the TCP socket xhr.send(); xhr.send(); life-cycle → no rcvd() Yoddos Attack Commands (Source [Welzel]) August 14, 2015 18

  19. XMLHttpRequest API (4/4)  Send HTTP requests to arbitrary targets var target = "http://target/"; var target = "http://target/";  Restrictions: var xhr = new XMLHttpRequest(); var xhr = new XMLHttpRequest(); xhr.open("GET", target); xhr.open("GET", target); ➔ SOP and CORS, but HTTP requests are sent RST RST setTimeout(function() { anyway setTimeout(function() { after 10 ms after 10 ms xhr.abort(); xhr.abort();  Additional behaviors: }, 10); }, 10); ➔ Partial control over the TCP socket xhr.send(); xhr.send(); life-cycle → no rcvd() ● Set/modify request headers Yoddos Attack Commands (Source [Welzel]) ● Except for Host and Referer (and others) August 14, 2015 19

  20. Web Sockets (1/2)  Extension of HTTP var target = "ws://target/"; var target = "ws://target/"; ● Establish full-duplex stream-oriented client-server var ws = new WebSocket(target); var ws = new WebSocket(target); communication channel via the WebSocket Handshake protocol WebSocket Handshake WebSocket Handshake ➔ Based on a HTTP request/response pair Yoddos Attack Commands (Source [Welzel]) August 14, 2015 20

  21. Web Sockets (2/2)  Extension of HTTP var target = "ws://target/"; var target = "ws://target/"; RST ● Establish full-duplex stream-oriented client-server RST after 10ms setTimeout(function () { after 10ms setTimeout(function () { communication channel via the WebSocket ws.close(); ws.close(); Handshake protocol }, 10); }, 10); ➔ Based on a HTTP request/response pair var ws = new WebSocket(target); var ws = new WebSocket(target);  Additional behaviors: ➔ Partial control over the TCP socket life-cycle → no rcvd() Yoddos Attack Commands (Source [Welzel]) ● No access to request headers August 14, 2015 21

  22. API Evaluation August 14, 2015 22

  23. Aggressiveness API Browser AVG Reqs/s MAX Reqs/s XMLHttpReq. Chrome 1,005 1,886 Firefox 2,165 2,892 WebSocket Chrome 34 73 Firefox 0 0 Server-Sent Evts Chrome 210 941 Firefox 258 1,907 Image Chrome 84 109 Firefox 751 1,916  Firefox shows a more aggressive behavior  18x faster than prior tests: ~170 XHR reqs/s [Kuppan] August 14, 2015 23

  24. Aggressiveness Browser Workers AVG Reqs/s API Browser AVG Reqs/s MAX Reqs/s Chrome 0 1,359 XMLHttpReq. Chrome 1,005 1,886 2 966 Firefox 2,165 2,892 3 689 WebSocket Chrome 34 73 Firefox 0 1,456 Firefox 0 0 2 2,424 Server-Sent Evts Chrome 210 941 3 2,616 Firefox 258 1,907 Image Chrome 84 109 Firefox 751 1,916  Firefox shows a more aggressive behavior  18x faster than prior tests: ~170 XHR reqs/s [Kuppan] August 14, 2015 24

  25. Aggressiveness Browser Workers AVG Reqs/s API Browser AVG Reqs/s MAX Reqs/s Chrome 0 1,359 XMLHttpReq. Chrome 1,005 1,886 2 966 Firefox 2,165 2,892 3 689 WebSocket Chrome 34 73 Firefox 0 1,456 Firefox 0 0 2 2,424 Server-Sent Evts Chrome 210 941 3 2,616 Firefox 258 1,907 Image Chrome 84 109 Firefox 751 1,916  Firefox shows a more aggressive behavior  18x faster than prior tests: ~170 XHR reqs/s [Kuppan] ➔ ~3,000 reqs/s is a severe threat August 14, 2015 25

  26. Bot Recruitment and Cost Estimation August 14, 2015 26

  27. Recruitment Technique  Cost depends on the recruitment technique  Techniques 1. Ad networks ● Malicious JS as advertisment 2. Typosquatting ● Registration of domain misspellings 3. Machine-generated visits 4. Web application hijacking ● Using vulns to spread malicious JS, e.g., Stored XSS August 14, 2015 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks

DDOS: DDos and DDonts DrupalCon 2016 Agenda What is DDoS Detecting DDoS Attacks DDoS Prevention Improving Performance Questions Glossary DDoS - Attempt to make a server or network resource unavailable to Internet

549 views • 30 slides
Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent

Catch me if you can A cloud based DdoS defense Mikal Fourrier DDoS attacks Goal: prevent the access to a computer system to it's legitimate users. DDoS: DoS attack on the network using a lot of different source IP Why:

327 views • 16 slides
Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation

Introduction: Filtering Based Techniques DDOS Attacks: Target CPU / Bandwidth for DDOS Mitigation Attacker signals slaves to launch an attack on a specific target address (victim). Slaves then respond by Comp290: Network

275 views • 9 slides
On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens nses Mu Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS

548 views • 29 slides
On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao,

On the Feasibility of Rerouting-based DDoS Defenses Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS attack: a powerful type of volumetric DDoS attack

438 views • 25 slides
Encouraging Savings at the Check Cashing Window Preliminary Results from an Evaluation of a

Encouraging Savings at the Check Cashing Window Preliminary Results from an Evaluation of a

Encouraging Savings at the Check Cashing Window Preliminary Results from an Evaluation of a Savings US Finance Initiative January 17, 2017 Product for Check Cashing Clients in NYC usfi@poverty-action.org Introductions & Agenda

477 views • 21 slides
Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Freehold Borough Schools Technology Department Training Manual Google Docs and the Chrome browser work great together! If you do not have the Chrome browser on your laptop, please put in a helpdesk ticket. Go to the district website

575 views • 18 slides
.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary

.tr DDoS A)ack December 2015 A4la zgit .tr ccTLD Manager Dec, 2015 .tr DDoS A)ack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS A)ack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos A)acks Few Qmes

150 views • 13 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology

1 DDoS Mitigation collection TL;DR: DDOS STRATEGISTS DO DRUGS Agenda 2 Intro Methodology of work DDoS tactics in-the-wild and how to improve Ready, set, FACEPALM! Q&A ~$ whoami 3 Moshe Zioni, Head of Research,

656 views • 47 slides
Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim

Transport choice for Co-operative DDoS Mitigation 1 DDoS Transport Choice Message: DDoS victim to DDoS mitigation service SOS "I am getting DoSd" 2 DDoS Transport Choice SOS : Requirements Emergency signal.

247 views • 5 slides
Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense

Ca Catch ch M Me If Ca e If Can: A Cl A Clou oud-En -Enabled ed DDoS DDoS De Defen ense e Quan Jia, Huangxin Wang, Dan Fleck, Fei Li, Angelos Stavrou, Walter Powell Presented by Surya Mani Content u Motivation u Related Work u

262 views • 23 slides
Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster

Universal DDoS Mitigation Bypass DDoS Mitigation Lab About Us Industry body formed to foster synergy among stakeholders to promote advancement in DDoS defense knowledge. Independent academic R&D division of Nexusguard building next

764 views • 44 slides
Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand

So you think IoT DDoS botnets are dangerous Bypassing ISP and Enterprise Anti- DDoS with 90s technology Dennis Rand https://www.ecrimelabs.com @DennisRand About me Im a security researcher and founder of eCrimeLabs, based out of Denmark.

674 views • 48 slides
DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How

DDoS Last Class Fault tolerance Concurrency Naming This Class Networking How DDoS works UDP Data Client Server Response TCP DDoS Distributed denial-of-service attack Attacker targets a victim from a number of

356 views • 22 slides
What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based

What is a good pen based application? The windows desktop and browser are HCI For Pen Based Computing NOT good pen based apps! Richard Anderson CSE 481 B Winter 2007 What is a good UI? How do you measure it? Mechanical Properties

208 views • 8 slides
How to be a paranoid Dates of birth or just think like one Exposure to identity theft

How to be a paranoid Dates of birth or just think like one Exposure to identity theft

Leaking information Stealing 26.5 million veteran s data Pro rotection a and S d Securi rity Data on laptop stolen from employee s home (5/06) Veterans names Social Security numbers How to be a paranoid Dates of birth or

337 views • 5 slides
CSE543 - Introduction to Computer and Network Security Module: Botnets Professor Patrick

CSE543 - Introduction to Computer and Network Security Module: Botnets Professor Patrick

287 views • 25 slides
3 Sep 2019 to 24 Feb 2020 Colin Strutt Dave Piscitello ECAINA Proof of Concept Feasibility

3 Sep 2019 to 24 Feb 2020 Colin Strutt Dave Piscitello ECAINA Proof of Concept Feasibility

Exposing Criminal Abuse of Internet Names and Addresses Proof of Concept 3 Sep 2019 to 24 Feb 2020 Colin Strutt Dave Piscitello ECAINA Proof of Concept Feasibility study begun 3 September 2019 Gathering daily blocklist data for 23

431 views • 14 slides
1. Webinar Instructions 2. Overview of Chesapeake Bay Stewardship Fund 3. Intro to 2017

1. Webinar Instructions 2. Overview of Chesapeake Bay Stewardship Fund 3. Intro to 2017

1. Webinar Instructions 2. Overview of Chesapeake Bay Stewardship Fund 3. Intro to 2017 Chesapeake Bay Stewardship Fund RFP - Special opportunities for PA Ag conservation partners - Corodination with NRCS CIG program Fine Print and

519 views • 23 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Introduction MW 1-2:30pm (starts at 1:10pm)

Dawn Song dawnsong@cs.berkeley.edu 1 Introduction MW 1-2:30pm (starts at 1:10pm)

294-24 Privacy and Security Enhancing Technologies Dawn Song dawnsong@cs.berkeley.edu 1 Introduction MW 1-2:30pm (starts at 1:10pm) Website: http://www.cs.berkeley.edu/~dawnsong/teaching/f07 Prerequisite: Grad students: none

499 views • 6 slides
Meeting 98 // Virtual Machines // If Youre New! Join our Slack: cyberatuc.slack.com SIGN

Meeting 98 // Virtual Machines // If Youre New! Join our Slack: cyberatuc.slack.com SIGN

Meeting 98 // Virtual Machines // If Youre New! Join our Slack: cyberatuc.slack.com SIGN IN! (Slackbot will post the link in slack) Feel free to get involved with one of our committees: Content Finance Public Affairs Outreach

549 views • 16 slides
Requesting data from Entrez in different formats We can request data as text or as XML We can

Requesting data from Entrez in different formats We can request data as text or as XML We can

Requesting data from Entrez in different formats We can request data as text or as XML We can request data as text or as XML handle = Entrez.efetch(db="nucleotide", id="KT220438", rettype="gb", \

317 views • 18 slides
Kingston and Richmond CCGs Winter plan 2018/19 The Kingston, Richmond and Surrey Downs Accident

Kingston and Richmond CCGs Winter plan 2018/19 The Kingston, Richmond and Surrey Downs Accident

Winter plan including communications and engagement plan Kingston and Richmond CCGs Winter plan 2018/19 The Kingston, Richmond and Surrey Downs Accident & Emergency (A&E) delivery board aims to: Sustain a safe and stable urgent and

332 views • 12 slides

More recommend