Protecting Web 2.0 Services from Botnet Exploitations

Protecting Web 2.0 Services from Botnet Exploitations
2010 Second Cybercrime and Trustworthy Computing Workshop (CTC)
Nguyen H Vo, Josef Pieprzyk
Department of Computing, Macquarie University, Australia
Reporter: 游明軒
Outline
- Introduction
- API Verifier
- Security analysis
- Conclusion & discussion
Introduction
- Web 2.0
  - Blogs, RSS, social networking sites, etc.
- Web-based bots
  - Use a Web 2.0 service as a C&C channel
  - Unlike traditional bots that sit on an IRC channel, the connections between web-based bots are not permanent
- The authors implement a tool, API Verifier, to detect web-based bots
Web-based botnet
Botnet detection methods
- Analysis of network traffic flows
- Network traceback
- Honeypots
- These techniques do not cover web-based botnets because the bot activities are indistinguishable from those of legitimate users and websites
API Verifier
- Motivation
  - Because a web-based bot must use Web 2.0 service APIs, API Verifier is implemented to verify whether a user is a person or a bot
- Approach
  - Completely Automated Public Turing test to tell Computers and Humans Apart (CAPTCHA)
  - MAC address as identifier
API Verifier - architecture
- Components
  - API Verifier Client
  - API Verifier Server
API Verifier - functionality
- Authentication
- User profile
- Session key
  - Encrypts the MAC address
  - Generated independently each time an API call is made
- Permanent MAC address
- CAPTCHA verification
API Verifier - work flow
Security analysis
- Spoofing MAC address
- API Verifier Client fraud
- DDoS attack
- Bypassing CAPTCHA verification
Spoofing MAC address
- Change the MAC address (1a)
  - Hijacking the OS kernel and modifying the OS communication with the NIC is expensive
  - Causes a high risk of being detected
- Change the encrypted MAC address (1b)
  - The session key is generated for each API call and is a combination of the secret key and a time token
API Verifier Client fraud
- It is hard to recover the secret key of the API Verifier Client
  - AES 128-bit
- It is hard to disassemble the API Verifier Client
  - Obfuscation technique
DDoS attack
- Set a limit on the number of verification attempts
  - Finite number of tries to solve the CAPTCHA
  - A time interval before the next MAC address verification
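Added example (not from the paper or the presenter): a Go sketch of the per-call session key and encrypted-MAC check behind attack 1b, combined with the time-token window from the DDoS countermeasures. The key derivation (SHA-256 of secret and time token, truncated to 16 bytes) and the use of AES-GCM are assumptions; the paper states only that the session key combines the secret key and a time token and that AES-128 is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Per-call session key (assumed construction, not the paper's): SHA-256(secret || timeToken)[:16] as the AES-128 key.
func sessionAEAD(secret []byte, timeToken uint64) cipher.AEAD {
	tok := make([]byte, 8)
	binary.BigEndian.PutUint64(tok, timeToken)
	sum := sha256.Sum256(append(append([]byte{}, secret...), tok...))
	block, _ := aes.NewCipher(sum[:16]) // 16-byte key, so NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)     // GCM mode is an assumption; the paper says only AES-128
	return aead
}

// Client side: encrypt the permanent MAC address; output is nonce || ciphertext || tag.
func encryptMAC(secret []byte, timeToken uint64, mac []byte) ([]byte, error) {
	aead := sessionAEAD(secret, timeToken)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, mac, nil), nil
}

// Server side: enforce the verification interval on the time token, re-derive the
// session key and decrypt; a modified encrypted MAC (attack 1b) fails the GCM tag.
func verifyMAC(secret []byte, timeToken, now, maxAge uint64, msg []byte) ([]byte, error) {
	if now < timeToken || now-timeToken > maxAge {
		return nil, fmt.Errorf("time token %d outside verification window", timeToken)
	}
	aead := sessionAEAD(secret, timeToken)
	if n := aead.NonceSize(); len(msg) >= n {
		return aead.Open(nil, msg[:n], msg[n:], nil)
	}
	return nil, fmt.Errorf("message too short")
}

func main() { // constructed sample values; a real client would read the NIC's MAC
	msg, _ := encryptMAC([]byte("demo-secret"), 1000, []byte{0, 0x1a, 0x2b, 0x3c, 0x4d, 0x5e})
	msg[len(msg)-1] ^= 1 // attacker changes one bit of the encrypted MAC (1b)
	_, err := verifyMAC([]byte("demo-secret"), 1000, 1005, 30, msg)
	fmt.Println("tampered:", err)
}
```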
Bypassing CAPTCHA verification
- Analyze the picture and extract the characters in the image
- Send the image to the attacker to solve it
System shortcoming
- API Verifier cannot obtain a permanent MAC address on a virtual machine
Conclusion & discussion
- Proposes a novel approach against web-based botnets. The main concept is to identify whether a user is a person or a bot
- Implements a system, API Verifier, to detect bots before they access the web service API
- For security, the authors consider all possible attacks and defend against them
- The DDoS attack issue still exists
- Lacks convincing real-world statistics as proof
Thanks