Not-A-Bot: Improving Service Availability in the Face of Botnet Attacks

Transcription

1 Not-A-Bot: Improving Service Availability in the Face of Botnet Attacks R. Gummadi, H. Balakrishnan, P. Maniatis, S. Ratnasamy Presented by: Ashish Vulimiri Images lifted from paper/authors NSDI09 slides. All hail the fair use exception. Gummadi et al (MIT/Intel Research) Not-A-Bot 1 / 14

2 Motivation CS 598-PBG Gummadi et al (MIT/Intel Research) Not-A-Bot 2 / 14

3 Motivation CS 598-PBG Botnets: bad Gummadi et al (MIT/Intel Research) Not-A-Bot 2 / 14

4 Motivation CS 598-PBG Botnets: bad Spam DDoS Click-fraud Gummadi et al (MIT/Intel Research) Not-A-Bot 2 / 14

5 Motivation Botnets: bad Spam DDoS Click-fraud Problem: cannot distinguish bot/human requests Gummadi et al (MIT/Intel Research) Not-A-Bot 2 / 14

6 Motivation Botnets: bad Spam DDoS Click-fraud Problem: cannot distinguish bot/human requests Will solving this issue always help? Gummadi et al (MIT/Intel Research) Not-A-Bot 2 / 14

7 Related Work CS 598-PBG Application-specific schemes Bandwidth/computation based payment schemes for DoS Sender authentication schemes like SPF, DomainKeys for spam control Human-activity detection CAPTCHAs Gummadi et al (MIT/Intel Research) Not-A-Bot 3 / 14

8 Related Work CS 598-PBG Application-specific schemes Bandwidth/computation based payment schemes for DoS Sender authentication schemes like SPF, DomainKeys for spam control Human-activity detection CAPTCHAs Secure execution environments Pioneer XOM TPM, vtpm Gummadi et al (MIT/Intel Research) Not-A-Bot 3 / 14

9 TPM Trusted base Cryptographic coprocessor Not-A-Bot uses: Platform configuration registers Sealed storage Can seal values, signed by TPM s internal key, along with guard conditions on the value of PCRs Direct anonymous attestation Gummadi et al (MIT/Intel Research) Not-A-Bot 4 / 14

10 Not-A-Bot CS 598-PBG Chain of trust from attester to verifier When requested, attester checks and signs off on human originated actions Guaranteed human requests can be given higher priority at server Granularity is request level, not host level human requests from compromised hosts might benefit Gummadi et al (MIT/Intel Research) Not-A-Bot 5 / 14

11 Chain of Trust CS 598-PBG Gummadi et al (MIT/Intel Research) Not-A-Bot 6 / 14

12 Chain of Trust CS 598-PBG PCRs are used to provide verifiable bootup Gummadi et al (MIT/Intel Research) Not-A-Bot 6 / 14

13 Chain of Trust CS 598-PBG PCRs are used to provide verifiable bootup When attester is installed, private information sealed using TPM, with BIOS and attester code hashes as guards. Private info includes: Private key κ priv Information needed to create a signed certificate for DAA. This is NOT a shared secret Gummadi et al (MIT/Intel Research) Not-A-Bot 6 / 14

14 Chain of Trust PCRs are used to provide verifiable bootup When attester is installed, private information sealed using TPM, with BIOS and attester code hashes as guards. Private info includes: Private key κ priv Information needed to create a signed certificate for DAA. This is NOT a shared secret TPM allows unsealing only if BIOS and attester hashes match so if attester code is changed, key can t be accessed Gummadi et al (MIT/Intel Research) Not-A-Bot 6 / 14

15 Chain of Trust CS 598-PBG Gummadi et al (MIT/Intel Research) Not-A-Bot 7 / 14

16 Chain of Trust CS 598-PBG Application (at client) must request attestation locally from the attester and send to verifier to authenticate that a request is human-generated Gummadi et al (MIT/Intel Research) Not-A-Bot 7 / 14

17 Chain of Trust Application (at client) must request attestation locally from the attester and send to verifier to authenticate that a request is human-generated An attestatation is of the form a, sign(κ priv, a), C, where a is the attestation information and C is a certificate that attester uses with the DAA protocol to prove integrity to the verifier Gummadi et al (MIT/Intel Research) Not-A-Bot 7 / 14

18 Chain of Trust Application (at client) must request attestation locally from the attester and send to verifier to authenticate that a request is human-generated An attestatation is of the form a, sign(κ priv, a), C, where a is the attestation information and C is a certificate that attester uses with the DAA protocol to prove integrity to the verifier Necessary component of a: nonce n, which the verifier stores to ensure client is not replaying authentications Gummadi et al (MIT/Intel Research) Not-A-Bot 7 / 14

19 Attester Operation Request is considered human-generated if it occurs within m, k distance of a mouse/keyboard click, where the parameters are application specific Attestation may either include time since last mouse click/keypress directly, or merely state an upper-bound on them (the first leaks some timing information which may be significant) Choice left to application Attestation information a is d, n, δ m, δ k, where d is a digest of the message (e.g. , HTTP GET/POST etc), n is the nonce used to ensure client cannot replay attestations, δ is timing information Gummadi et al (MIT/Intel Research) Not-A-Bot 8 / 14

20 Verifier Operation Spam In attestation, entire message is hashed: including sender, recipient, timestamp and content Server stores nonces for a month Together, these two factors severely restrict replayability: spammer can reuse authentication only after a month (only one replay per authenticated ) But because timestamp is also hashed, it can t be changed. Server will reject even this lone replayed as too old. Gummadi et al (MIT/Intel Research) Not-A-Bot 9 / 14

21 Verifier Operation Spam Additional notes: For mailing lists, auth sent to each address in the To: field Offline mode: store an auth when user clicks Send, hold it until connected to the network Script mode: similar to offline mode. User manually authorizes a certain number of human-authentications when writing a script Gummadi et al (MIT/Intel Research) Not-A-Bot 10 / 14

22 Verifier Operation DDoS/Click Fraud Browser sends authentication for document root (e.g. ) Server stores auth for 10 minutes In this time, the authentication also grants access to any embedded links/documents Note: unlike with , incentive structure is asymmetric. Much more useful to website owners/content providers than to users Gummadi et al (MIT/Intel Research) Not-A-Bot 11 / 14

23 Verifier Operation DDoS/Click Fraud Browser sends authentication for document root (e.g. ) Server stores auth for 10 minutes In this time, the authentication also grants access to any embedded links/documents Note: unlike with , incentive structure is asymmetric. Much more useful to website owners/content providers than to users Authors suggest that verifiers push attesters onto users through other means, for example browser toolbars Gummadi et al (MIT/Intel Research) Not-A-Bot 11 / 14

24 Experimental Evaluation Spam Client: reduced false negatives in inbox from 1.5% to 0.15%, false positives from 0.08% to 0% Server: of all spam traffic, 8% was attested as human-originated DDoS 11% of all DDoS requests attested as human-originated Click-fraud 13% of all click-fraud traffic attested as human-originated Gummadi et al (MIT/Intel Research) Not-A-Bot 12 / 14

25 Discussion CS 598-PBG Gummadi et al (MIT/Intel Research) Not-A-Bot 13 / 14

26 Discussion CS 598-PBG What else (apart from non-human origin) characterizes botnet requests? Gummadi et al (MIT/Intel Research) Not-A-Bot 13 / 14

27 Discussion What else (apart from non-human origin) characterizes botnet requests? Better human-identification algorithm? Gummadi et al (MIT/Intel Research) Not-A-Bot 13 / 14

28 Discussion What else (apart from non-human origin) characterizes botnet requests? Better human-identification algorithm? How reasonable is it to assume hardware safety? Gummadi et al (MIT/Intel Research) Not-A-Bot 13 / 14

29 Discussion What else (apart from non-human origin) characterizes botnet requests? Better human-identification algorithm? How reasonable is it to assume hardware safety? Trusted computing issues Gummadi et al (MIT/Intel Research) Not-A-Bot 13 / 14

30 Questions? Gummadi et al (MIT/Intel Research) Not-A-Bot 14 / 14