The Dark Side of the Web: An Open Proxy’s View
Vivek S. Pai, Limin Wang, KyoungSoo Park, Ruoming Pang, Larry Peterson
Princeton University
Feb 14, 2016
Nov 20, 2003 CoDeeN Security - HotNets II 2
Origins: Surviving Heavy Loads
• Surviving flash crowds, DDoS attacks
  • Absorb via massive resources
  • Raise the bar for attacks
    • Tolerate smaller crowds
    • Survive larger attacks
• Existing approach: Content Distribution Networks
Building an Academic CDN
• Flash crowds are real
• We have the technology
  • OSDI’02 paper on CDN performance
  • USITS’03 proxy API
• PlanetLab provides the resources
  • Continuous service, decentralized control
• Seeing real traffic, reliability, etc.
  • We use it ourselves
  • Open access = more traffic
How Does CoDeeN Work?
• Server surrogates (proxies) on most North American sites
  • Originally everywhere, but we cut back
• Clients specify proxy to use
• Cache hits served locally
• Cache misses forwarded to CoDeeN nodes
  • Maybe forwarded to origin servers
How Does CoDeeN Work?
[Figure: request flow. A client sends a request to a CoDeeN proxy; on a cache hit the proxy returns the response itself; on a cache miss it forwards the request to another CoDeeN proxy, which serves it from its own cache or, on a miss there, forwards it to the origin server, with the response returned along the same path.]
• Each CoDeeN proxy is a forward proxy, reverse proxy, & redirector
Steps For Inviting Trouble
• Use a popular protocol
  • HTTP
• Emulate a popular tool/interface
  • Web proxy servers
• Allow open access
  • With HTTP’s lack of accountability
• Be more attractive than competition
  • Uptime, bandwidth, anonymity
Hello, Trouble!
• Spammers
• Bandwidth hogs
• High request rates
• Content thieves
• Worrisome anonymity
• Commonality: using CoDeeN to do things they would not do directly
The Root of All Trouble
[Figure: a (malicious) client speaks http/tcp to a CoDeeN proxy, and the proxy opens a separate http/tcp connection to the origin.]
• No end-to-end authentication: the origin sees only the proxy’s connection, not the client behind it
Spammers
• SMTP (port 25) tunnels via CONNECT
  • Relay via open mail server
• POST forms (formmail scripts)
  • Exploit website scripts
• IRC channels (port 6667) via CONNECT
  • Captive audience, high port #
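All three spammer channels above leave a recognisable trace in a proxy’s access log. The following is an added example, not CoDeeN code: it parses a constructed, simplified log format (epoch time, client IP, method, target, status) and flags CONNECT tunnels to the SMTP or IRC ports and POSTs to formmail-style scripts, tallying the attempts per client. The log format, the sample lines, the IRC port list and the formmail path pattern are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

SMTP_PORT = 25
IRC_PORTS = {6667, 6668, 6669, 7000}   # assumption: common IRC ports
HTTPS_PORT = 443                        # the only CONNECT target a browser needs
# assumption: typical formmail script names (formmail.pl, FormMail.cgi, formmail.php, ...)
FORMMAIL_RE = re.compile(r"/formmail[^/?]*\.(pl|cgi|php)\b", re.IGNORECASE)

# Constructed sample log in the format "epoch client method target status".
SAMPLE_LOG = """\
1069300001.123 203.0.113.7 CONNECT mail.example.net:25 200
1069300001.456 203.0.113.7 CONNECT irc.example.org:6667 200
1069300002.001 198.51.100.3 GET http://www.example.com/index.html 200
1069300002.300 203.0.113.9 POST http://www.example.com/cgi-bin/formmail.pl 200
1069300003.100 198.51.100.3 CONNECT www.example.com:443 200
1069300003.500 203.0.113.7 CONNECT mail.example.net:25 403
1069300004.000 203.0.113.9 POST http://www.example.com/cgi-bin/FormMail.cgi?recipient=x 200
"""


def parse_line(line):
    """Split one log line into a dict, or return None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, target, status = parts
    try:
        return {"ts": float(ts), "client": client, "method": method.upper(),
                "target": target, "status": int(status)}
    except ValueError:
        return None


def classify(rec):
    """Label one request with the abuse pattern it matches, or None if benign."""
    if rec["method"] == "CONNECT":
        # CONNECT targets are host:port; anything but the HTTPS port is a raw TCP tunnel.
        _host, sep, port = rec["target"].rpartition(":")
        if not sep or not port.isdigit():
            return "connect_bad_target"
        port = int(port)
        if port == SMTP_PORT:
            return "smtp_tunnel"
        if port in IRC_PORTS:
            return "irc_tunnel"
        if port != HTTPS_PORT:
            return "connect_other_port"
        return None
    if rec["method"] == "POST" and FORMMAIL_RE.search(rec["target"]):
        return "formmail_post"
    return None


def scan(log_text):
    """Count abuse labels per client IP. Rejected attempts (non-2xx status)
    count too: the signal is what the client tried, not what got through."""
    report = defaultdict(Counter)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label is not None:
            report[rec["client"]][label] += 1
    return report


if __name__ == "__main__":
    for client, labels in scan(SAMPLE_LOG).items():
        print(client, dict(labels))
```

Counting the 403 as well as the 200 responses is deliberate: the chart on the next slide counts attempted tunnels, and a client that keeps trying after being refused is exactly the one worth rate limiting or blocking.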
Attempted SMTP Tunnels/Day
[Figure: chart of the number of attempted SMTP tunnels per day.]
Bandwidth Hogs
• Webcam trackers
  • Mass downloads of paid cam sites
• Cross-Pacific traffic
  • Simultaneous large file downloads
• Steganographers
  • Large files, small images
  • All uniform sizes
High Request Rates
• Password crackers
  • Attacking random Yahoo! accounts
• Google crawlers
  • Dictionary crawls – baffles Googlians
• Click counters
  • Defeat ad-supported “game”
Content Theft
• Licensed content theft
  • Journals and databases are expensive
• Intra-domain access
  • Protected pages within the hosting site
Worrisome Anonymity
• Request spreaders
  • Use CoDeeN as a DDoS platform!
• TCP over HTTP
  • Non-HTTP traffic on port 80
  • Access logging insufficient
• Vulnerability testing
  • Low rate, triggers IDS
Goals, Real & Otherwise
• Desired: allow only “safe” accesses
• Ideally
  • An oracle tells you what’s safe
  • “Your” users are not impacted
• Open proxies considered inherently bad
  • NLANR requires accounts, proxy-auth
  • JANET closed to outsiders
• No research in “partially open” proxies
Privilege Separation
[Figure: a local client’s request to the local proxy is a privileged request; a remote client’s request, relayed through a remote proxy, reaches the local proxy as an unprivileged request; the local proxy fronts the local server.]
Rate Limiting
• 3 scales capture burstiness
  • Minute, hour, day
• Exceptions
  • Login attempts
  • Vulnerability tests
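One way to realise the three-scale limiter, written here as an added example rather than CoDeeN’s implementation: each client keeps a sliding window of admit times per scale (minute, hour, day), a request is admitted only if it is under the cap at every scale, and the slide’s exception classes (login attempts, vulnerability probes) get their own much lower caps. The cap values, the request-class heuristics and the simulated traffic are assumptions.

```python
import time
from collections import defaultdict, deque

# Window lengths in seconds. Three scales so that a short burst, a steady
# hour-long stream and an all-day trickle are each caught by one of them.
WINDOWS = {"minute": 60, "hour": 3600, "day": 86400}

# Caps per client per window. Assumed values, not CoDeeN's.
DEFAULT_LIMITS = {"minute": 120, "hour": 3000, "day": 20000}

# The slide's "exceptions": request classes that get far lower caps.
EXCEPTION_LIMITS = {
    "login": {"minute": 5, "hour": 20, "day": 50},
    "vuln_probe": {"minute": 2, "hour": 5, "day": 10},
}

# Assumed heuristics for spotting those classes in a request line.
LOGIN_HINTS = ("login", "signin", "auth")
PROBE_HINTS = ("../", "cmd.exe", "/etc/passwd", "phpmyadmin", "root.exe")


def classify_request(method, url):
    """Return 'login', 'vuln_probe' or 'normal' for one request (heuristic)."""
    low = url.lower()
    if any(h in low for h in PROBE_HINTS):
        return "vuln_probe"
    if method.upper() == "POST" and any(h in low for h in LOGIN_HINTS):
        return "login"
    return "normal"


class MultiScaleRateLimiter:
    def __init__(self, limits=DEFAULT_LIMITS, exception_limits=EXCEPTION_LIMITS):
        self.limits = limits
        self.exception_limits = exception_limits
        # (client, class) -> window name -> deque of admit timestamps
        self._hist = defaultdict(lambda: {w: deque() for w in WINDOWS})

    @staticmethod
    def _expire(dq, window, now):
        # Drop timestamps that have aged out of this window.
        while dq and now - dq[0] >= window:
            dq.popleft()

    def check(self, client, req_class="normal", now=None):
        """Admit or reject one request; returns (allowed, reason).
        Only admitted requests are recorded, so a rejected client is not
        penalised further for retrying; record rejections too if you want
        hammering to extend the block."""
        now = time.time() if now is None else now
        limits = self.exception_limits.get(req_class, self.limits)
        buckets = self._hist[(client, req_class)]
        for name, window in WINDOWS.items():
            dq = buckets[name]
            self._expire(dq, window, now)
            if len(dq) >= limits[name]:
                return False, f"{req_class}: {name} cap of {limits[name]} reached"
        for dq in buckets.values():
            dq.append(now)
        return True, "ok"


if __name__ == "__main__":
    rl = MultiScaleRateLimiter()
    t0 = 1_069_300_000.0
    # Constructed traffic: 100 requests a minute for 40 minutes stays under
    # the minute cap but trips the hour cap after 30 minutes.
    admitted = sum(rl.check("203.0.113.7", now=t0 + m * 60 + j * 0.5)[0]
                   for m in range(40) for j in range(100))
    print("admitted over 40 minutes:", admitted)
```

The point of the three windows shows in the simulated client: at 100 requests a minute it never exceeds the per-minute cap, yet the hour window stops it after 3000 requests, which a single short window would never have seen.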
Other Techniques
• Limiting methods – GET, (HEAD)
  • Local users not restricted
• Sanity checking on requests
  • Browsers, machines very different
• Modifying request stream
  • Most promising future direction
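An added example, not CoDeeN’s own code, that puts the privilege separation of the earlier slide together with the method limiting and sanity checking listed here: clients from the proxy’s home network are privileged and proxied unrestricted, while remote clients are limited to GET and HEAD and must pass checks meant to reject request shapes a browser would never send. The local network range, the required headers, the port rule and the sample requests are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: the proxy's home network; requests from here are "privileged".
LOCAL_NETS = [ipaddress.ip_network("128.112.0.0/16")]

# Remote ("unprivileged") clients may only use these methods.
UNPRIVILEGED_METHODS = {"GET", "HEAD"}

# Assumption: headers every real browser sends on a proxied request.
REQUIRED_HEADERS = ("host", "user-agent")


def is_local(client_ip):
    """True if the client address falls inside one of the local networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in LOCAL_NETS)


def sanity_check(url, headers):
    """Return a rejection reason for a request shape a browser would not
    produce, or None if the request looks plausible."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    for name in REQUIRED_HEADERS:
        if name not in hdrs:
            return f"missing {name} header"
    for k, v in hdrs.items():
        if "\r" in v or "\n" in v:
            return f"control characters in {k} header"
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.netloc:
        return "not an absolute http URL"
    try:
        port = parts.port
    except ValueError:
        return "malformed port"
    if port is not None and port != 80:
        # assumption: remote clients get plain web traffic only, no odd ports
        return f"non-standard port {port}"
    if hdrs["host"].split(":")[0].lower() != parts.hostname:
        return "Host header does not match request URL"
    return None


def decide(client_ip, method, url, headers):
    """Classify a request as privileged or unprivileged and decide whether
    to proxy it. Returns (privilege, allowed, reason)."""
    if is_local(client_ip):
        return "privileged", True, "local client, not restricted"
    method = method.upper()
    if method not in UNPRIVILEGED_METHODS:
        return "unprivileged", False, f"method {method} not allowed for remote clients"
    reason = sanity_check(url, headers)
    if reason is not None:
        return "unprivileged", False, reason
    return "unprivileged", True, "ok"


if __name__ == "__main__":
    # Constructed requests: a local CONNECT tunnel passes, the same request
    # from a remote client is refused on method alone.
    browser = {"Host": "www.example.com", "User-Agent": "Mozilla/4.0 (compatible)"}
    print(decide("128.112.1.5", "CONNECT", "mail.example.net:25", {}))
    print(decide("203.0.113.7", "CONNECT", "mail.example.net:25", browser))
    print(decide("203.0.113.7", "GET", "http://www.example.com/index.html", browser))
```

Restricting remote clients to GET and HEAD shuts both spammer channels that rely on CONNECT and POST in one stroke; the Host/URL comparison and the control-character check are the kind of cheap "a browser would not do this" tests the slide has in mind, and they cost nothing for the legitimate browser traffic the proxy exists to serve.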
By The Numbers…
• Running 24/7 since May, ~40 nodes
• Over 400,000 unique IPs as clients
• Over 150 million requests serviced
• Valid rates up to 50K reqs/hour
• Roughly 4 million reqs/day aggregate
• About 4 real abuse incidents
• Availability: high uptimes, fast upgrades
Daily Client Population of CoDeeN
[Figure: daily client population count, number of unique IP clients per day from 6/1 through 11/1; y-axis 0 to 10,000.]
Daily Traffic on CoDeeN
[Figure: daily request volume, number of requests per day from 6/1 through 11/1, with rejected requests shown separately; y-axis 0 to 4,500,000.]
Monitors & Other Venues
• Routinely trigger open proxy alerts
  • Educating sysadmins, others
• Really good honeypots
  • 6000 SMTP flows/minute at CMU
  • Spammers do ~1M HTTP ops/day
• Early problem detection
  • Failing PlanetLab nodes
  • Compromised university machines
Lessons & Directions
• Few substitutes for reality
  • Non-dedicated hardware really interesting
  • Failure modes not present in NS-2
• Stopgap measures pretty effective
  • Very slow arms race
  • Breathing time for better solutions
• Next: more complex techniques
  • Machine learning, high-dim clustering
More Info
• http://codeen.cs.princeton.edu
• Thanks: Intel, HP, iMimic, PlanetLab Central