Defending Against the Wily Surfer – Web-based Attacks and Defenses

Author

  • Daniel V. Klein
Abstract

Intrusions are often viewed as catastrophic events which destroy systems, wreak havoc on data through corruption or substitution, yield access to closely guarded sensitive information, or provide a springboard for hackers to attack other systems. Yet not all intrusions on the Web are the blatant, smash-and-grab, trash-the-site kind of attacks. Many attacks are more subtle, and some involve what appears to be normal access to the site (but appearances are deceiving!). This paper presents a compendium of some of the dirty tricks on the Web. These are used to steal bandwidth and server load (as well as revenue) from web sites around the Internet. Other tricks funnel hits to sites other than the intended destination, while additional, more obvious techniques are used to bypass payment schemes and gain free access to sites. A different class of attacks targets the client, instead of the server. Some of the dirty tricks are preventable upfront, while others can only be detected after the security holes have been exploited – and always, there needs to be a balance between accessibility and vulnerability. We present a compendium of problems, attacks, and solutions. Many of the attacks and preventions seem “obvious” once known – this paper aims to forearm by forewarning the reader.

1. Explanation (and expiation)

Many of the intrusion techniques cited in this paper are prevalent in the adult web site domain, although this is not to say that they don’t exist elsewhere. The reasons for the prevalence of attacks on the adult market are:

1) The adult market is one in which content is actually worth money. Although E-Commerce is roaring along strongly in other arenas, it is usually material product which is being sold (e.g., although eBay and Amazon.com have huge amounts of traffic, they sell hard commodities, whereas adult web sites generally sell streams of bits).

2) Although some non-adult sites sell data (e.g. programs or stock market tips), few of these are interchangeable, but a lot of smut is.

3) People will share passwords to adult sites, because there is rarely any personal information associated with the account. People are far less likely to share their account on a stock investment site, since electronic stock trades are legally binding to the account holder.

4) Computer-enabled teenagers (and there are an awful lot of them on the net today) generally couldn’t care less about stocks, bonds, news, or books. Sex, on the other hand, occupies a substantial fraction of their attention.

None of these reasons make the information in this paper less valuable to non-adult web sites. As the electronic medium becomes more and more available to the general public, attacks of the kind outlined here will become more prevalent in every marketplace. The experiences of the adult market are hard-won victories that can forewarn, and thus forearm, other markets.

2. Domain name spoofing

If you have a new site with a hot new domain name, what kind of traffic can you expect? Who will come to your existing site, and who will visit it based on the advertisements you take out? The more difficult the name is to spell, the more likely it will be that surfers mistype the name. The more popular the site, the greater the chance that someone will try to imitate your site, or simply steal hits by parasitizing your domain name.

When AT&T introduced their 1-800-OPERATOR collect-call system, MCI diverted a noticeable fraction of the income stream by activating a similar service on 1-800-OPERATER (a number they conveniently already owned). There is a whole set of Internet domain names that capitalize on surfers’ inability to spell. Domains like netscape.com have their typographical-error equivalents netscpae.com and netscap.com, taken by a British and a California group of entrepreneurs. Although neither currently has an active web page, there is income potential from either of these sites. Even more income potential can be realized by the clever Russians who registered quiken.com, since the real quicken.com sells advertisements, and thus is an income-generating site itself. Were any of these domain name parasites to create a site that visually appeared the same as their host company’s site, they could easily steal credit card information or disseminate false information with the cachet of a real-looking web site.[1]

Most newbie surfers have been indoctrinated with www.something.com. Regardless of the real address, a web site simply must be prefixed with www and every domain must end in .com (as if a “domain” is a term that is readily understood outside of hacker circles). Smart companies register their domain in all of the available top-level domains (e.g., webtv.com and webtv.net, or usenix.org and usenix.com), and both with and without hyphens, where appropriate. Uninformed groups fail to do so, and lose traffic, name recognition, and money.

In 1995 a local web-based company created pittsburgh.net, with the marketing slogan of “Pittsburgh on the Net”. I asked myself how many people would type .com instead of .net, and promptly registered pittsburgh.com. I also aliased it to my fledgling Pittsburgh-based web-hosting company. Without ever advertising the domain name, I started getting hits, and within 3 months (thanks to my competitor’s aggressive advertising campaign), fully 40% of my hits were coming to pittsburgh.com. Perhaps the most renowned of these domain name “thefts” are the hits redirected from whitehouse.gov to the similarly named whitehouse.com. Far from being the governmental information site that most surfers probably expect, it is an adult-oriented site instead.

The proliferation of top-level domains only makes this problem worse. The Pacific island nations of Niue and Tonga have gotten into the domain name business, so you can register domains like who.nu and incogni.to for $35/year. The island nation of Tuvalu auctions domain names[2], ostensibly for television-related companies, so you can also register color.tv. The Cocos Islands sells domains like mail.cc (with premium prices being charged for 2-letter domain names), the British Indian Ocean Territory does the same with domains like scenar.io, and until recently, Turkmenistan was also selling domain names. However, the TMNIC realized that some of the names it registered may be legally obscene in Turkmenistan, and as a result the TMNIC registry is reviewing its naming policy for future registrations (and has suspended registrations until a new policy can be implemented). But domains such as trademark.tm were up for grabs until the suspension took effect. I shudder to think of the confusion that will be sown when it will be possible to have not only a foo.com, foo.org, and foo.net, but also foo.web, foo.shop, foo.firm, foo.info, foo.arts, foo.rec, and foo.nom.[3] The potential for content misdirection and identity theft is stunning.

Regrettably, there is only one defense against domain name spoofing. First, have a domain name which is difficult to misspell (and that can cost a lot of money if you want a common, readily recognizable name that someone else already owns). Second, you need to spend more money and register the domain in each one of the possible top-level domains (although realistically, you can probably skip Turkmenistan and the various islands).

3. Domain name stealing

The NIC provides a number of mechanisms for protecting your domain registration. Unfortunately, few novice web registrants are aware of them. Once a domain is registered, its attributes can only be changed by the administrative, technical, or billing contact. By default, the identity of the person submitting a change request is validated via email address, and notification of changes to the domain is made after the fact (a PGP signature verification option is also available, but newbies often don’t understand it). Unscrupulous individuals can readily forge an email message that appears to originate from one of the contacts. If the change request is to modify the primary and secondary domain name servers, the original registrant is still financially responsible for the domain without benefiting from its use.

The best way for a thief to do this is to adjust their reverse IP lookups, such that the name of the counterfeit DNS server is the same as the real thing. When the domain change confirmation is mailed to the legitimate contacts, they are likely to miss the change in IP numbers, and see only that the DNS names are the same. Since contact email addresses are often obsolete and non-functional, when confirmation email is sent, the confirmation may go completely unnoticed. If the email addresses are valid, a clever domain thief can even maintain MX records while changing A records, redirecting the web hits while preserving email identity.[4]

4. Password hacking and sharing

The reason aphorisms are so often repeated is not because we have all heard them so often – it is because they are correct. An aphorism for web site maintenance is “Member site passwords are a weak point”. Passwords on a web site are as vulnerable to hacking as they are anywhere, and password sharing is the same problem as it is on any computer. And as with any computer system, a good site administrator needs to check for hackers and password sharing. The advantage to the web is that log files (which are often examined daily as a matter of course) contain information that can be used to readily identify both problems.

There are numerous sites on the web dedicated to publishing accounts and passwords, and there are at least half a dozen newsgroups dedicated to nothing else.[5] The newsgroups and web sites are a mix of three things, and as with most newsgroups, the signal-to-noise ratio is fairly low. The first group consists of people actually publishing passwords. A second group is people seeking passwords (or offering to trade them, but generally only if you give away your secrets first). Finally, there are numerous shameless marketing ploys disguised as password postings. This latter group entices you to visit a web site with promises of free passwords, when in fact the supplicant is greeted with either a membership site and/or a plethora of banner ads and pop-up windows (either of which has the potential to make money for the web site maintainer).

But because valid passwords are often posted by unscrupulous individuals, the threat of password sharing is indeed real. The following chart shows 6.5 months of HTTP transfers from one member-based web site (from site launch until just before this paper went to press). The load on the system varies throughout the week, with troughs generally occurring on the weekends, and with an average network load of 500Mb of data per day (with a recent surge up to 1Gb per day, due to a successful advertising campaign). As adult sites go, this one is a relatively small one – large sites can easily push 100 times this much data (or more) out the pipe every day.

[Figure: Bytes Transferred per Day, Password Publication Incidents; vertical axis 0 Gb to 6 Gb]

At the middle (14 Nov 1998) and just at the end of the graph (8 Feb 1999), an account/password pair was published on a password web site (by persons unknown), and the load on the server surged to nearly ten times its normal value, almost completely filling my T1 link. While an intrusion can rarely be considered fortuitous, the timing of the second event was such that this paper benefited from a significant additional data point.

[Figure: Raw Hits per Day, Password Publication Incidents; vertical axis 0 K to 600 K]

Cutting off the password in question roughly 20 hours after it was posted alleviated the server load, and restored operating parameters back to normal within a day or so. The hit rate stayed high for a slightly longer time period than the byte transfer rate, since surfers were still attempting to access the site via the now-disabled account.

A couple of statistics are worth noting on these incidents. For the previous two years (on this, and all other member sites I maintain), an average account was visited from no more than 3 domain addresses (as defined in the script in the following section), and generally one of those domains accounted for over 85% of the total hits for an account. In the second event, over 2,675 domains in 85 countries were evident (comprising an unknown number of individuals). The chart below shows the number of hits for the top-10 domains visiting the site:

    Hits    Domain
    47207   bellatlantic.net
    35687   aol.com
    31429   tele.dk
    11769   edu.tw
     8762   uu.net
     8359   com.au
     7874   home.com
     7668   net.au
     6373   ripe.net
     5673   dfn.de

It is not at all surprising that the big ISPs account for the vast majority of the hits. What is perhaps a little more surprising is that the University system in Taiwan accounts for such a large fraction of these hits. When the top-20 TLDs are listed, we see the following distribution of accesses:

    Hits    TLD
    171906  .net
      6922  .fr

Notes

[1] Prior to the transfer of the altavista.com domain name to Digital/Compaq, Altavista would pass queries through to the “real” altavista.digital.com, while selling their own ad space and rewriting the search engine's page content.

[2] According to their web site, the minimum bid is $1000. Tuvalu is also a “discriminating” registry in that it does not allow registration of pornography, hatred, or gambling content sites.

[3] As proposed by the Department of Commerce, National Telecommunications and Information Administration, Statement of Policy, “Management of Internet Names and Addresses”, Docket Number: 980212036-8146-02 (see http://www.gtld-mou.org/ for more details).

[4] Although it sounds implausible, a number of very large adult web sites have been stolen in this way, and the theft was only noticed months later when someone finally decided to check server logs. As we will see over and over again, log files are your friend.

[5] A search for “pass” in newsgroup names yielded the following 6 newsgroups: alt.etc.passwd, alt.ipl.passwords, alt.japanese.neojapan.shareware.password-exchange, alt.sex.commercial-sites.password-exchange, alt.sex.password, and alt.sex.passwords. Searching for “crack” resulted in 15 more newsgroups related to cracking commercial and shareware programs. So much for honesty and integrity on the Net.
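The review that Section 3 above asks of a registrant (read the addresses in a nameserver change confirmation, not just the server names, and notice when A records move while MX records stay put) can be automated. The following Python is an added example and is not code from Klein's paper; the record sets, hostnames, addresses and the forward_dns lookup table are all constructed for illustration, and forward_dns stands in for a lookup the registrant performs independently of the confirmation.

```python
from typing import Dict, List, Tuple

# A record set as it appears in a registrar change confirmation or a zone
# listing: record type -> list of (name, value) pairs. All data below is
# constructed for illustration.
Records = Dict[str, List[Tuple[str, str]]]


def review_nameserver_change(before: Records, after: Records,
                             forward_dns: Dict[str, str]) -> List[str]:
    """Findings a registrant should read before accepting a nameserver change.

    forward_dns maps each nameserver hostname to the address it resolves to
    when *you* look it up (hypothetical table here; in practice obtained
    independently of the confirmation). A counterfeit server can set its
    reverse lookup to the real server's name, but it cannot make the real
    name forward-resolve to its own address, so the two views are compared."""
    findings = []
    old_ns = dict(before.get('NS', []))
    new_ns = dict(after.get('NS', []))
    for name, ip in new_ns.items():
        if name in old_ns and old_ns[name] != ip:
            findings.append(f'NS {name}: same name, but address moved {old_ns[name]} -> {ip}')
        elif name not in old_ns:
            findings.append(f'NS {name}: new nameserver at {ip}')
        if name in forward_dns and forward_dns[name] != ip:
            findings.append(f'NS {name}: confirmation lists {ip}, '
                            f'but the name forward-resolves to {forward_dns[name]}')
    for name in sorted(old_ns.keys() - new_ns.keys()):
        findings.append(f'NS {name}: removed')
    return findings


def web_redirect_mail_kept(my_zone: Records, served_zone: Records) -> bool:
    """True when the zone now served for the domain changes the A records but
    keeps the MX records: the pattern the paper describes for redirecting web
    hits while preserving the victim's e-mail identity."""
    a_changed = set(my_zone.get('A', [])) != set(served_zone.get('A', []))
    mx_same = set(my_zone.get('MX', [])) == set(served_zone.get('MX', []))
    return a_changed and mx_same


# Constructed sample: the change request keeps both nameserver hostnames
# (the thief's reverse DNS mimics them) but points them at other addresses.
BEFORE: Records = {'NS': [('ns1.hosting.example', '192.0.2.10'),
                          ('ns2.hosting.example', '192.0.2.11')]}
AFTER: Records = {'NS': [('ns1.hosting.example', '198.51.100.10'),
                         ('ns2.hosting.example', '198.51.100.11')]}
FORWARD_DNS = {'ns1.hosting.example': '192.0.2.10',
               'ns2.hosting.example': '192.0.2.11'}

MY_ZONE: Records = {'A': [('www', '192.0.2.20')],
                    'MX': [('@', '10 mail.hosting.example')]}
SERVED_ZONE: Records = {'A': [('www', '203.0.113.5')],
                        'MX': [('@', '10 mail.hosting.example')]}

if __name__ == '__main__':
    for finding in review_nameserver_change(BEFORE, AFTER, FORWARD_DNS):
        print(finding)
    print('web redirected, mail kept:', web_redirect_mail_kept(MY_ZONE, SERVED_ZONE))
```

On the constructed data each nameserver produces two findings (the address moved under an unchanged name, and the confirmation's address disagrees with an independent forward lookup), which is exactly the discrepancy the paper says contacts tend to overlook when they only compare names.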
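Section 4 above gives a usable baseline for spotting a posted password in the server logs: a legitimately used account is seen from no more than 3 domain addresses, and one of them carries over 85% of the account's hits. The Python below is an added example, not the paper's own script (which is not on this page); its definition of a "domain address" (the last two hostname labels, or the /24 of a bare IP address) is an assumption chosen to reproduce rows such as com.au and edu.tw in the table above, and the log lines are constructed, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Apache "common" log format; the third field is the authenticated member name.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def domain_address(host: str) -> str:
    """Collapse a client host into a "domain address" (an assumption standing in
    for the paper's own definition): the last two labels of a hostname, so
    dialup42.pgh.bellatlantic.net -> bellatlantic.net and gw.uq.edu.au -> edu.au,
    or the first three octets of a bare IPv4 address when no name was looked up."""
    if re.fullmatch(r'\d{1,3}(?:\.\d{1,3}){3}', host):
        return '.'.join(host.split('.')[:3]) + '.0/24'
    labels = host.lower().rstrip('.').split('.')
    return '.'.join(labels[-2:])


def hits_per_account(lines):
    """Return {user: Counter(domain_address -> hits)} for served, authenticated hits."""
    per_user = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m['user'] == '-':          # unparsable or anonymous hit
            continue
        if not m['status'].startswith('2'):    # failed logins and errors do not count
            continue
        per_user[m['user']][domain_address(m['host'])] += 1
    return per_user


def suspicious_accounts(lines, max_domains=3, min_top_share=0.85):
    """Flag accounts outside the paper's baseline: more than max_domains domain
    addresses, or no single domain carrying at least min_top_share of the hits."""
    flagged = {}
    for user, counts in hits_per_account(lines).items():
        total = sum(counts.values())
        top_domain, top_hits = counts.most_common(1)[0]
        share = top_hits / total
        if len(counts) > max_domains or share < min_top_share:
            flagged[user] = {'domains': len(counts), 'hits': total,
                             'top_domain': top_domain, 'top_share': round(share, 3)}
    return flagged


def _line(host, user, path, status=200):
    return f'{host} - {user} [14/Nov/1998:10:01:02 -0500] "GET {path} HTTP/1.0" {status} 4096'


# Constructed sample log: "alice" looks like one person on one ISP with a hit
# from home; "bob" is being used from many unrelated networks at once, the
# signature of an account/password pair that has been published.
SAMPLE_LOG = (
    [_line(f'pool-{i}.pgh.bellatlantic.net', 'alice', f'/members/{i}.jpg') for i in range(9)]
    + [_line('cr1234.home.com', 'alice', '/members/9.jpg')]
    + [_line('bad-guess.example.net', 'alice', '/members/', 401)]   # rejected, skipped
    + [_line('proxy.aol.com', 'bob', '/members/1.jpg'),
       _line('cache.tele.dk', 'bob', '/members/1.jpg'),
       _line('mail.ntu.edu.tw', 'bob', '/members/2.jpg'),
       _line('ppp9.uu.net', 'bob', '/members/3.jpg'),
       _line('gw.uq.edu.au', 'bob', '/members/4.jpg'),
       _line('192.0.2.77', 'bob', '/members/5.jpg')]
    + [_line('spider.example.com', '-', '/index.html')]             # anonymous, skipped
)

if __name__ == '__main__':
    for user, info in suspicious_accounts(SAMPLE_LOG).items():
        print(f'{user}: {info["domains"]} domains, {info["hits"]} hits, '
              f'top {info["top_domain"]} at {info["top_share"]:.0%}')
```

Run daily over the previous day's access log, this reproduces the paper's own observation: the shared account shows up as a burst of distinct domains with no dominant one, while a normal member stays within two or three domains with one of them dominant. The thresholds are the paper's figures and should be tuned to a site's own history before they drive an automatic cut-off.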



Publication date: 1999