Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics - PowerPoint PPT Presentation



slide-1
SLIDE 1

Cashing out the Great Cannon? On Browser-based DDoS Attacks and Economics

  • G. Pellegrino(1), C. Rossow(1), F. J. Ryba(2), T. C. Schmidt(3), M. Wählisch(2)

(1)CISPA / MMCI, Saarland University (2)Freie Universität Berlin (3)HAW Hamburg

slide-2
SLIDE 2

August 14, 2015 2

Classical DDoS Botnets

[Diagram: Botmaster, C&C server, Infected hosts, Target]

HTTP flood: GET / HTTP/1.1\r\n Host: target\r\n […]

• DDoS is a severe threat to the Internet
• In classical DDoS botnets:

  • Infection-based recruitment (drive-by download, browser vulns, ...)
  • Architecture-dependent malware

slide-3
SLIDE 3

August 14, 2015 3

Browser-based DDoS Botnet

[Diagram: Botmaster, The Web, Browsers, Target]

GET / HTTP/1.1\r\n Host: target\r\n […]

• Browser-based botnet: a new type of botnet

  • Infection-less bot recruitment
  • Architecture-independent malware (e.g., OS X, Windows, Linux, Android)

slide-4
SLIDE 4

August 14, 2015 4

The Great Cannon

[Diagram: Botmaster, The Web, Browsers, Target]

• In March 2015, first browser-based DDoS attacks [CitizenLab]
• Recruitment: a powerful attacker injects JS into HTTP conversations

➔ We envision that less powerful attackers can also launch similar attacks

slide-5
SLIDE 5

August 14, 2015 5

Threat Model

[Diagram: Botmaster, The Web, Browsers, Target]

• No control of the network, e.g., no ISP
• Infiltrate JS over the Web, e.g., as an advertisement [Grossman]
• Economic incentives

slide-8
SLIDE 8

August 14, 2015 8

Toward a Great Cannon for Cyber-Criminals?

[Diagram: Botmaster, The Web, Browsers, Target]

GET / HTTP/1.1\r\n Host: target\r\n […]

• GC showed that browsers can be used as bots

  • However, anecdotal knowledge only [Kuppan, Grossman]

➔ To date, no systematic understanding of which browser features support DDoSes

slide-11
SLIDE 11

August 14, 2015 11

Toward a Great Cannon for Cyber-Criminals?

• Promising for less powerful attackers, i.e., criminals with economic incentives

  • However, little is known about recruitment techniques and costs

➔ Hard to assess whether criminals will jump on the bandwagon of GC-like attacks

[Diagram: Botmaster, The Web, Browsers, Target]

GET / HTTP/1.1\r\n Host: target\r\n […]

slide-12
SLIDE 12

August 14, 2015 12

Contents

• Review browser features
• Browser features in DoS attacks
• Cost estimation and comparison

slide-13
SLIDE 13

August 14, 2015 13

Browser Features

slide-14
SLIDE 14

August 14, 2015 14

Classical DDoS bots: Yoddos/DirtJumper

• Supports different DDoS attacks

  • TCP-, UDP-, and HTTP-based flooding

• And attack variants:

  • HTTP requests with no recv()
  • Via TCP FIN or RST
  • HTTP with custom Host and Referer
  • Bypass filters

[Figure: Yoddos attack commands (source: [Welzel])]

slide-15
SLIDE 15

August 14, 2015 15

Web Browsers as DDoS bots

• Offer communication APIs

  • e.g., XMLHttpRequest, WebSocket, and Server-Sent Events

• Other DoS-enabling JS APIs

  • Image and WebWorker APIs

• However, less flexible

  • No direct access to TCP/UDP (restricted to extensions...)
  • No IP spoofing

• Reviewed 4 APIs ...

slide-16
SLIDE 16

August 14, 2015 16

XMLHttpRequest API (1/4)

• Send HTTP requests to arbitrary targets
• Restrictions:

  ➔ SOP and CORS, but HTTP requests are sent anyway

Send HTTP request:

    var target = "http://target/";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", target);
    xhr.send();

slide-19
SLIDE 19

August 14, 2015 19

XMLHttpRequest API (4/4)

• Send HTTP requests to arbitrary targets
• Restrictions:

  ➔ SOP and CORS, but HTTP requests are sent anyway

• Additional behaviors:

  ➔ Partial control over the TCP socket life-cycle → no recv()
  • Set/modify request headers, except for Host and Referer (and others)

RST after 10 ms:

    var target = "http://target/";
    var xhr = new XMLHttpRequest();
    xhr.open("GET", target);
    setTimeout(function () { xhr.abort(); }, 10);
    xhr.send();

slide-20
SLIDE 20

August 14, 2015 20

Web Sockets (1/2)

• Extension of HTTP

  • Establishes a full-duplex, stream-oriented client-server communication channel via the WebSocket handshake protocol

  ➔ Based on an HTTP request/response pair

WebSocket handshake:

    var target = "ws://target/";
    var ws = new WebSocket(target);

slide-21
SLIDE 21

August 14, 2015 21

Web Sockets (2/2)

• Extension of HTTP

  • Establishes a full-duplex, stream-oriented client-server communication channel via the WebSocket handshake protocol

  ➔ Based on an HTTP request/response pair

• Additional behaviors:

  ➔ Partial control over the TCP socket life-cycle → no recv()
  • No access to request headers

RST after 10 ms:

    var target = "ws://target/";
    var ws = new WebSocket(target);
    setTimeout(function () { ws.close(); }, 10);

slide-22
SLIDE 22

August 14, 2015 22

API Evaluation

slide-25
SLIDE 25

August 14, 2015 25

Aggressiveness

    API               Browser   AVG reqs/s   MAX reqs/s
    XMLHttpRequest    Chrome         1,005        1,886
                      Firefox        2,165        2,892
    WebSocket         Chrome            34           73
                      Firefox          n/a          n/a
    Server-Sent Evts  Chrome           210          941
                      Firefox          258        1,907
    Image             Chrome            84          109
                      Firefox          751        1,916

• Firefox shows a more aggressive behavior
• 18x faster than prior tests: ~170 XHR reqs/s [Kuppan]

➔ ~3,000 reqs/s is a severe threat

    Browser   Workers   AVG reqs/s
    Chrome    1              1,359
              2                966
              3                689
    Firefox   1              1,456
              2              2,424
              3              2,616
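Added example, not part of the slides: the abort-after-10-ms behaviour from the XMLHttpRequest and WebSocket slides and the per-browser request rates measured above can be turned into server-side detection logic. Because SOP and CORS do not stop the request from reaching the server, the defender has to look at the server's own logs. The log format, the IP addresses and the thresholds below are constructed for this example; status 499 stands in for a request the client closed before a response was sent (nginx logs such requests with that code), which is what xhr.abort() or ws.close() shortly after send looks like from the server's side.

```javascript
// Added example (not from the slides): flag clients whose request rate or
// client-abort ratio looks like a browser-based flood.
// Constructed, simplified log format: "<epoch_ms> <client_ip> <status>".

function parseLine(line) {
  const [ts, ip, status] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, status: Number(status) };
}

// Returns, per client IP: total requests, peak requests inside any window of
// `windowMs`, share of client-aborted requests (status 499), and a verdict.
// Thresholds are constructed for the example: a browser tab at the measured
// ~1,000-3,000 reqs/s blows through `maxReqsPerWindow` in a fraction of a second.
function analyze(lines, { windowMs = 1000, maxReqsPerWindow = 50, maxAbortRatio = 0.5, minReqsForRatio = 20 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!byIp.has(r.ip)) byIp.set(r.ip, []);
    byIp.get(r.ip).push(r);
  }
  const report = {};
  for (const [ip, recs] of byIp) {
    recs.sort((a, b) => a.ts - b.ts);
    // Sliding window over timestamps: peak number of requests within windowMs.
    let peak = 0;
    let start = 0;
    for (let end = 0; end < recs.length; end++) {
      while (recs[end].ts - recs[start].ts >= windowMs) start++;
      peak = Math.max(peak, end - start + 1);
    }
    const aborted = recs.filter((r) => r.status === 499).length;
    const abortRatio = aborted / recs.length;
    const suspicious =
      peak > maxReqsPerWindow ||
      (recs.length >= minReqsForRatio && abortRatio > maxAbortRatio);
    report[ip] = { total: recs.length, peakPerWindow: peak, abortRatio, suspicious };
  }
  return report;
}

// Constructed sample: one ordinary visitor and one browser running a flood loop.
function buildSampleLog() {
  const lines = [];
  // Ordinary visitor: 12 requests spread over 5.5 s, all answered with 200.
  for (let i = 0; i < 12; i++) lines.push(`${1000 + i * 500} 203.0.113.10 200`);
  // Flooding tab: 300 requests in 150 ms, each aborted before the response (499).
  for (let i = 0; i < 300; i++) lines.push(`${5000 + Math.floor(i / 2)} 198.51.100.7 499`);
  return lines;
}

// Usage: print the verdict per client.
if (typeof require !== "undefined" && require.main === module) {
  console.log(analyze(buildSampleLog()));
}
```

In a real deployment the same two signals (burst rate per source and share of requests the client tore down before reading the response) are what a reverse proxy or WAF rate limiter keys on; the example only shows the logic, with the thresholds left as parameters to tune against the measured rates on this slide.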

slide-26
SLIDE 26

August 14, 2015 26

Bot Recruitment and Cost Estimation

slide-27
SLIDE 27

August 14, 2015 27

Recruitment Technique

• Cost depends on the recruitment technique
• Techniques:

  1. Ad networks: malicious JS as advertisement
  2. Typosquatting: registration of domain misspellings
  3. Machine-generated visits
  4. Web application hijacking: using vulns to spread malicious JS, e.g., stored XSS

slide-28
SLIDE 28

August 14, 2015 28

Ad Networks

• Advertiser uploads an Ad into an Ad Network
• Ad Network distributes Ads to Publishers (blogs/newspapers/...), then to Visitors

[Diagram: Advertiser, Ad Network, Publishers (Blogs/Newspapers/...), Visitors; ads labelled "Buy me!"]

slide-29
SLIDE 29

August 14, 2015 29

Ad Networks

• Botmaster uploads malicious JS
• Ad Network distributes the malicious JS
• Attack launched by displaying the Ad

[Diagram: Botmaster (Advertiser), Ad Network, Publishers (Blogs/Newspapers/...), Browsers, Target]

GET / HTTP/1.1\r\n Host: target\r\n […]

slide-30
SLIDE 30

August 14, 2015 30

Ad Networks: Cost Estimation

• Google Display Network (May 10-17, 2015)
• Ad: ping our servers every 5 seconds
• Cost per day: 2.4¢

[Diagram: Botmaster (Advertiser), Ad Network, Publishers (Blogs/Newspapers/...), Browsers, Our server]

HTTP request every 5 secs: ~27,000 reqs
6 clicks = 4¢

slide-31
SLIDE 31

August 14, 2015 31

Ad Networks vs Classical botnets

• Estimation as a combination of prior studies (i.e., [Caballero, Rossow])
• Pay-per-Install: malware installation from $6 to $140 per 1,000 infections [Caballero]

  • 0.6¢ to 14¢ per bot

• Zeus infiltration 2013: bots stay for ~20 days and are online ~11 h a day [Rossow]

  ➔ Cumulative online time: ~10 days

• Cost per day between 0.06¢ and 1.4¢ (vs. 2.4¢ for the browser-based botnet)
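Worked cost comparison, added here and not part of the slides: the two models on this slide (pay-per-install price per 1,000 installs from [Caballero]; bot lifetime and online hours per day from [Rossow]; the ad campaign's daily cost and request count from the previous slide) written out as a small JavaScript model. The $6-$140, ~20 days, ~11 h/day, 2.4¢/day and ~27,000 requests are the slides' figures; the conversion of 27,000 requests at one per 5 seconds into browser-hours per day is an added derivation, and the slide's rounding of the cumulative online time to ~10 days is reproduced only as a comment.

```javascript
// Added example (not from the slides): cost model for the two recruitment
// channels compared on this slide. All money values are US cents.

// Pay-per-install (PPI) price per 1,000 installs -> cents per infected host.
function ppiCostPerBot(pricePer1000InstallsUsd) {
  return (pricePer1000InstallsUsd / 1000) * 100;
}

// Days a bot is actually usable over its lifetime: lifetime times the fraction
// of each day it is online. Slide figures: ~20 days, ~11 h/day, which the slide
// rounds to ~10 days (exact value here is 9.17).
function cumulativeOnlineDays(lifetimeDays, hoursOnlinePerDay) {
  return lifetimeDays * (hoursOnlinePerDay / 24);
}

// Cents per bot-day for a PPI-recruited bot.
function ppiCostPerBotDay(pricePer1000InstallsUsd, lifetimeDays = 20, hoursOnlinePerDay = 11) {
  return ppiCostPerBot(pricePer1000InstallsUsd) / cumulativeOnlineDays(lifetimeDays, hoursOnlinePerDay);
}

// Ad-network campaign as measured on the previous slide (constructed object
// holding the slide's figures).
const AD_CAMPAIGN = { costPerDayCents: 2.4, requestsPerDay: 27000, requestIntervalSec: 5 };

// Added derivation: how many browser-hours of ad display the campaign bought
// per day, given one request every `requestIntervalSec` seconds per viewer.
function browserHoursPerDay(requestsPerDay, requestIntervalSec) {
  return (requestsPerDay * requestIntervalSec) / 3600;
}

// The comparison the slide makes: daily spend of the ad campaign against the
// per-bot-day range of a classical PPI botnet.
function compareDailyCost(ppiLowUsd = 6, ppiHighUsd = 140, campaign = AD_CAMPAIGN) {
  const ppiLow = ppiCostPerBotDay(ppiLowUsd);
  const ppiHigh = ppiCostPerBotDay(ppiHighUsd);
  return {
    ppiLowCentsPerBotDay: ppiLow,
    ppiHighCentsPerBotDay: ppiHigh,
    adCentsPerDay: campaign.costPerDayCents,
    adBrowserHoursPerDay: browserHoursPerDay(campaign.requestsPerDay, campaign.requestIntervalSec),
    adMoreExpensive: campaign.costPerDayCents > ppiHigh,
  };
}

// Usage: print the comparison with the slide's inputs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(compareDailyCost());
}
```

The functions take the slide's numbers as defaults so that the sensitivity the "Limitations" slide asks for (other ad networks, cheaper ads, different bot lifetimes) can be explored by changing one argument at a time.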

slide-32
SLIDE 32

August 14, 2015 32

Conclusion

slide-33
SLIDE 33

August 14, 2015 33

Conclusion

• Systematically reviewed browser features for DDoS attacks

  • Interesting firepower with a variety of behaviors
  • However, less flexibility compared to classical bots
  • New rich set of APIs in the near future

• Estimated costs of browser-based vs. classical botnets

  • Slightly higher

slide-34
SLIDE 34

August 14, 2015 34

Limitations and Future work

• Cost: PPI vs. 1 Ad Network

  • Use a larger dataset and other Ad Networks
  • Explore other recruitment techniques, e.g., typosquatting
  • Reduce the cost, e.g., less attractive ads

• Delay between Ad upload and view

  • Bot control/usability, e.g., C&C servers and responsiveness

• Botnet size less predictable

  • Study properties and influence

slide-35
SLIDE 35

August 14, 2015 35

Takeaway

• Browser-based DDoS botnets are a severe threat
• Costs are comparable; however, less flexibility
• We do ongoing research on this topic

slide-36
SLIDE 36

August 14, 2015 36

References

[CitizenLab] "China's Great Cannon", B. Marczak, N. Weaver, J. Dalek, R. Ensafi, D. Fifield, S. McKune, A. Rey, J. Scott-Railton, R. Deibert, V. Paxson. URL: https://citizenlab.org/2015/04/chinas-great-cannon/
[Kuppan] "Attacking with HTML5", L. Kuppan, presentation at Black Hat USA 2010
[Grossman] "Million Browser Botnet", J. Grossman and M. Johansen, presentation at Black Hat USA 2013
[Akhawe] "Towards a Formal Foundation of Web Security", D. Akhawe, A. Barth, P. E. Lam, J. Mitchell, D. Song, CSF'10
[Caballero] "The Commoditization of Malware Distribution", J. Caballero, C. Grier, C. Kreibich, and V. Paxson, USENIX Security Symposium 2011
[Rossow] "P2PWNED: Modeling and Evaluating the Resilience of Peer-to-Peer Botnets", C. Rossow, D. Andriesse, T. Werner, B. Stone-Gross, D. Plohmann, C. J. Dietrich, H. Bos, IEEE S&P 2013
[Welzel] "On Measuring the Impact of DDoS Botnets", A. Welzel, C. Rossow, H. Bos, EuroSec'14