The Dark Side of the Web: An Open Proxy’s View

Vivek S. Pai, Limin Wang, KyoungSoo Park,
Ruoming Pang, Larry Peterson
Princeton University
Origins: Surviving Heavy Loads
Surviving flash crowds, DDoS attacks
Absorb via massive resources
Raise the bar for attacks
Tolerate smaller crowds
Survive larger attacks
Existing approach:
Content Distribution Networks
Nov 20, 2003
CoDeeN Security - HotNets II
2
Building an Academic CDN
Flash crowds are real
We have the technology
OSDI’02 paper on CDN performance
USITS’03 proxy API
PlanetLab provides the resources
Continuous service, decentralized control
Seeing real traffic, reliability, etc.
We use it ourselves
Open access = more traffic
How Does CoDeeN Work?
Server surrogates (proxies) on most North American sites
Originally everywhere, but we cut back
Clients specify proxy to use
Cache hits served locally
Cache misses forwarded to CoDeeN nodes
Maybe forwarded to origin servers
How Does CoDeeN Work?
[Diagram: client request to a CoDeeN proxy; cache hit; origin]
Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector
Steps For Inviting Trouble
Use a popular protocol
HTTP
Emulate a popular tool/interface
Web proxy servers
Allow open access
With HTTP’s lack of accountability
Be more attractive than competition
Uptime, bandwidth, anonymity
Hello, Trouble!
Spammers
Bandwidth hogs
High request rates
Content Thieves
Worrisome anonymity
Commonality: using CoDeeN to do things they would not do directly
The Root of All Trouble
[Diagram: (malicious) client, CoDeeN proxy, origin]
No end-to-end authentication
Spammers
SMTP (port 25) tunnels via CONNECT
Relay via open mail server
POST forms (formmail scripts)
Exploit website scripts
IRC channels (port 6667) via CONNECT
Captive audience, high port #
Attempted SMTP Tunnels/Day
Bandwidth Hogs
Webcam trackers
Mass downloads of paid cam sites
Cross-Pacific traffic
Simultaneous large file downloads
Steganographers
Large files
small images
All uniform sizes
High Request Rates
Password crackers
Attacking random Yahoo! accounts
Google crawlers
Dictionary crawls – baffles Googlians
Click counters
Defeat ad-supported “game”
Content Theft
Licensed content theft
Journals and databases are expensive
Intra-domain access
Protected pages within the hosting site
Worrisome Anonymity
Request spreaders
Use CoDeeN as a DDoS platform!
TCP over HTTP
Non-HTTP Port 80
Access logging insufficient
Vulnerability testing
Low rate, triggers IDS
Goals, Real & Otherwise
Desired: allow only “safe” accesses
Ideally
An oracle tells you what’s safe
“Your” users are not impacted
Open proxies considered inherently bad
NLANR requires accounts, proxy-auth
JANET closed to outsiders
No research in “partially open” proxies
Privilege Separation
[Diagram: remote client and remote proxy issue an unprivileged request; local client and local proxy issue a privileged request; local server]
Rate Limiting
Minute
Hour
Day
3 scales capture burstiness
Exceptions
Login attempts
Vulnerability tests
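The three-scale limiter on this slide, as an added example (not CoDeeN's own code): per-client sliding windows of a minute, an hour and a day, with login attempts counted under a separate, lower limit. The limit values, the login heuristic and the client address are assumptions constructed for the example.

```python
# Added example (not CoDeeN's code): per-client rate limiting at three time
# scales, with "exception" traffic (here: login attempts) counted separately
# under lower limits. Limit values and the login heuristic are assumptions.
import bisect
from collections import defaultdict

WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}   # seconds per scale

class RateLimiter:
    def __init__(self, limits, exception_limits):
        self.limits = {"normal": limits, "exception": exception_limits}
        # (client_ip, bucket) -> sorted list of request timestamps (seconds)
        self.hist = defaultdict(list)

    def allow(self, client_ip, now, exception=False):
        """Record the request if it fits every window; return (ok, scale)
        where scale names the first window whose limit was hit."""
        bucket = "exception" if exception else "normal"
        ts = self.hist[(client_ip, bucket)]
        # forget anything older than the largest window (timestamps arrive in order)
        del ts[:bisect.bisect_right(ts, now - WINDOWS["day"])]
        for scale, secs in WINDOWS.items():   # minute, then hour, then day
            recent = len(ts) - bisect.bisect_right(ts, now - secs)
            if recent >= self.limits[bucket][scale]:
                return False, scale
        ts.append(now)
        return True, None

LOGIN_MARKERS = ("login", "signin")   # assumed login-form heuristic

def is_login_attempt(method, url):
    """Assumption: a POST to a URL mentioning a login form counts as an exception."""
    return method == "POST" and any(m in url.lower() for m in LOGIN_MARKERS)

def simulate(limiter, client_ip, times, exception=False):
    """Feed requests at the given timestamps; return the refusing scale per
    request (None where the request was allowed)."""
    return [limiter.allow(client_ip, t, exception)[1] for t in times]

if __name__ == "__main__":
    rl = RateLimiter({"minute": 10, "hour": 30, "day": 50},
                     {"minute": 3, "hour": 10, "day": 20})
    ip = "198.51.100.7"   # constructed remote client
    print(simulate(rl, ip, list(range(10)) + [9]))   # ten allowed, then 'minute'
    print(simulate(rl, ip, range(70, 80)))           # new minute: allowed
    print(simulate(rl, ip, range(140, 150)))         # now 30 in the hour
    print(simulate(rl, ip, [210]))                   # 'hour' limit hit
    print(is_login_attempt("POST", "http://mail.example.com/login"))
```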
Other Techniques
Limiting methods – GET, (HEAD)
Local users not restricted
Sanity checking on requests
Browsers, machines very different
Modifying request stream
Most promising future direction
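The privilege separation and method limiting slides combined into one request policy, as an added example (not CoDeeN's own code): local clients keep full privileges, remote clients get only GET/HEAD on plain HTTP URLs, and CONNECT from outsiders (the SMTP and IRC tunnels of the Spammers slide) is refused. The local prefix, the addresses and the sample request lines are constructed assumptions.

```python
# Added example (not CoDeeN's code): request policy modelled on the deck's
# privilege separation (local vs remote clients) and method limiting (remote
# clients restricted to GET/HEAD). Local prefix and all addresses are constructed.
import ipaddress

LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]   # assumed "local site" prefix
REMOTE_METHODS = {"GET", "HEAD"}                     # unprivileged methods

def is_local(client_ip: str) -> bool:
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)

def parse_request_line(line: str):
    """Split 'METHOD target HTTP/x.y' into (method, target); raise if malformed."""
    parts = line.strip().split()
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {line!r}")
    return parts[0].upper(), parts[1]

def decide(client_ip: str, request_line: str) -> str:
    """Return 'privileged' for local clients, 'unprivileged' for an allowed
    remote request, or 'reject:<reason>' otherwise."""
    try:
        method, target = parse_request_line(request_line)
    except ValueError:
        return "reject:malformed"
    if is_local(client_ip):
        return "privileged"            # local users: no method restriction
    if method == "CONNECT":
        return "reject:tunnel"         # no SMTP/IRC tunnels for outsiders
    if method not in REMOTE_METHODS:
        return "reject:method"         # POST (formmail etc.) only for local users
    if not target.lower().startswith("http://"):
        return "reject:scheme"         # remote users get plain HTTP URLs only
    return "unprivileged"

SAMPLE = [   # constructed request lines
    ("192.0.2.10", "POST http://www.example.com/form HTTP/1.0"),
    ("198.51.100.7", "GET http://www.example.com/ HTTP/1.0"),
    ("198.51.100.7", "CONNECT mail.example.net:25 HTTP/1.0"),
    ("198.51.100.7", "POST http://www.example.com/cgi-bin/formmail HTTP/1.0"),
    ("198.51.100.7", "GET ftp://files.example.org/x HTTP/1.0"),
]

if __name__ == "__main__":
    for ip, line in SAMPLE:
        print(f"{ip:14} {line:55} -> {decide(ip, line)}")
```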
By The Numbers…
Running 24/7 since May, ~40 nodes
Over 400,000 unique IPs as clients
Over 150 million requests serviced
Valid rates up to 50K reqs/hour
Roughly 4 million reqs/day aggregate
About 4 real abuse incidents
Availability: high uptimes, fast upgrades
Daily Client Population Count
[Figure: Daily Client Population of CoDeeN; y-axis: number of unique IPs, 0 to 10,000; x-axis: 6/1 to 11/1; series: clients]
Daily Request Volume
[Figure: Daily Traffic on CoDeeN; y-axis: number of requests, 0 to 4,500,000; x-axis: 6/1 to 11/1; series: requests, rejected]
Monitors & Other Venues
Routinely trigger open proxy alerts
Educating sysadmins, others
Really good honeypots
6000 SMTP flows/minute at CMU
Spammers do ~1M HTTP ops/day
Early problem detection
Failing PlanetLab nodes
Compromised university machines
Lessons & Directions
Few substitutes for reality
Non-dedicated hardware really interesting
Failure modes not present in NS-2
Stopgap measures pretty effective
Very slow arms race
Breathing time for better solutions
Next: more complex techniques
Machine learning, high-dim clustering
More Info
http://codeen.cs.princeton.edu
Thanks:
Intel, HP, iMimic, PlanetLab Central