"Oh what a tangled web we weave, when first we practice to deceive."
Markus Jakobsson received his Ph.D. in Computer Science from the University of California at San Diego in 1997. He held a joint appointment at the San Diego Supercomputer Center and General Atomics during 1996 and 1997, and joined Bell Laboratories as a Member of the Technical Staff in 1997. In 2001, he joined RSA Laboratories as a Principal Research Scientist. He is an Adjunct Associate Professor at New York University.

A white paper written by Markus Jakobsson and agent expert Filippo Menczer, detailing the findings described herein, can be found at www.markus-jakobsson.com.
Untraceable Email Cluster Bombs: On Agent-Based Distributed Denial of Service
Imagine you were to call up a restaurant and make a reservation for four at eight o'clock, in the name of a hypothetical Mr. Smith, but then never show up. Later on, a friend of yours calls up the same restaurant and makes another reservation for four at eight o'clock, in the name of Mrs. Jones. Still later, another friend makes a similar call, until in the end all tables are reserved for eight o'clock, but no guests show up. This type of attack is referred to as a denial of service attack (here the service is obtaining a table, and legitimate restaurant-goers are denied this service as a result of the attack). More specifically, it is referred to as a distributed denial of service attack, since the attack is performed from many directions (the different people placing phone calls in our example), an aspect which makes it harder to detect and avoid. Denial of service attacks are well known in the context of computers, and in particular in the context of sites and servers. A recent example of a site that was attacked using a denial of service attack (or DoS attack) is that of Al Jazeera, which was attacked by groups of hackers as it began offering news on the Internet. However, it is not only politically controversial cable stations that can be attacked, but any person or organization. Moreover, as we show, it does not take a large group of skilled hackers to perform such an attack. The attacks, which are not traceable, can be performed from public computers in a very short time, with devastating results for anybody using email, text messaging, or even a phone.
The simplicity of the attack makes it quite powerful. However, simple defenses exist, and can easily be deployed.
We describe a vulnerability that allows an attacker to perform an email-based attack on selected victims, using only standard scripts and software agents. What differentiates the attack we describe from other, already known forms of distributed denial of service (DDoS) attacks is that the attacker does not need to infiltrate any network or compromise any machine, as is normally required to launch a DDoS attack; this makes it more dangerous. Not only is the attack easy to mount, but it is also almost impossible to trace back to the perpetrator. Along with descriptions of our attack, we demonstrate its destructive potential with (limited and contained) experimental results. We illustrate the potential impact of our attack by describing how an attacker can disable an email account by flooding its inbox; block competition during on-line auctions; harm competitors with an on-line presence; disrupt phone service to a given victim; cheat in SMS-based games; disconnect mobile corporate leaders from their networks; and disrupt electronic elections. Finally, we propose a set of countermeasures that are light-weight, do not require modifications to the infrastructure, and can be deployed in a gradual manner.
The attack involves Web crawling agents that, posing as the victim associated with the primary target, fill forms on a large set of third party Web sites (the “launch pads”) causing them to send emails or SMSs to the victim, or have phone calls placed. The launch pads do not intend to do any damage --- they are merely tools in the hands of the attacker. Our attack takes advantage of the absence in the current infrastructure of a (non-interactive) technique for verifying that the submitted email address or phone number corresponds to the user who fills in the form. This allows an automated attacker to enter a victim's email or number in a tremendous number of forms, causing a huge volume of messages to be directed to the victim's mailbox. Depending on the quantity of generated messages, this may cost the victim anything from lost time (sorting out what messages to delete); to lost messages (if the mailbox fills up, causing the ISP to bounce legitimate emails); to a crash or other unavailability of some of its machines.
In particular, the attack works as follows: In a first phase, the attacker collects forms by performing web searches, and in a second phase, he fills these forms, requesting information for the unsuspecting victim of the attack. Both of these steps are performed by a piece of software – the agent – and at a very high speed. Let us now consider the two phases in more detail.
Phase I: Many Web sites use forms to execute scripts that will collect one or more email addresses and add them to one or more lists. There are many legitimate ways in which the collected emails can be used: mailing lists for newsletters, alert services, postcards, sending articles or pages to friends, etc. There are less legitimate uses as well, for example many sites collect emails by advertising freebies of various sorts, and then sell the email lists to spammers as "opt-in" requests.
One way for an attacker to automatically locate and collect forms to be used as launch pads is by employing a topic-driven crawler. Such a crawler searches the Web in a focused way, trying to find pages similar to a given description. The description could be a query that yields many pages with email-collecting forms.
An even more straightforward approach is for an agent to harvest forms from the Web by posting appropriate queries directly to a search engine. The agent can then fetch the hit pages and extract their forms. For example, MSN reports about 5 million hits for the query "free email newsletter" and over 800,000 hits for "send free SMS." However, search engines typically do not return more than some maximum number of hits per query (say, 1,000). One way for the attacker's software to get around this cap is to generate many query combinations by adding required (positive) and/or excluded (negative) terms to the base query. These combinations can be designed so that each yields a large set of hits with little overlap between them.
Phase II: A form can be filled and submitted automatically, either immediately upon discovery, or at a later time based on the stored form's information. Heuristics can be used to assign values to the various input fields. These include the victim's email address and, optionally, other information such as name, phone, etc. Other text fields can be left blank or filled with junk. Fields that require a single value from a set (radio buttons, drop-down menus) can be filled with a random option. Fields that allow multiple values (checkboxes, lists) can be filled in with all options.
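The two phases above are described only in prose. The following is an added, offline sketch of both (written for this page, not the authors' agent, and not part of the white paper): `query_variants` expands one seed query into the positive/negative term combinations of Phase I, and `FormParser` plus `fill_form` apply the Phase II field heuristics to a form. Nothing here contacts a search engine or submits anything; `SAMPLE_HTML`, the victim address and the field-name hints in `EMAIL_HINTS` are constructed assumptions for the example.

```python
"""Offline sketch of the two attack phases described in the text (added
example). Phase I: expand a seed query into many +term/-term variants.
Phase II: parse a harvested form and assign values by field type. No
network access; SAMPLE_HTML is constructed for the example."""
import random
from html.parser import HTMLParser
from itertools import product


def query_variants(seed, terms):
    """Phase I: for each modifier term choose omit / require (+) / exclude (-),
    giving 3**len(terms) distinct queries whose hit sets overlap little, which
    sidesteps a search engine's per-query hit cap."""
    out = []
    for signs in product(("", "+", "-"), repeat=len(terms)):
        out.append(" ".join([seed] + [s + t for s, t in zip(signs, terms) if s]))
    return out


class FormParser(HTMLParser):
    """Collect every <form> on a page with its input/textarea/select fields."""

    def __init__(self):
        super().__init__()
        self.forms, self._form, self._select = [], None, None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._form = {"action": a.get("action") or "",
                          "method": (a.get("method") or "get").lower(), "fields": []}
        elif self._form is None:
            return
        elif tag == "input":
            self._form["fields"].append({"type": (a.get("type") or "text").lower(),
                                         "name": a.get("name"), "value": a.get("value") or ""})
        elif tag == "textarea":
            self._form["fields"].append({"type": "textarea", "name": a.get("name"), "value": ""})
        elif tag == "select":
            self._select = {"type": "select", "name": a.get("name"),
                            "multiple": "multiple" in a, "options": []}
            self._form["fields"].append(self._select)
        elif tag == "option" and self._select is not None:
            self._select["options"].append(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None
        elif tag == "form" and self._form is not None:
            self.forms.append(self._form)
            self._form = None


EMAIL_HINTS = ("email", "e-mail", "mail")   # assumed name fragments that mark an address field


def fill_form(form, victim, rng=None):
    """Phase II heuristics: hidden/submit values pass through; the victim's
    address goes into anything that looks like an email field; one random
    option per radio group or single select; every option for checkboxes and
    multi-selects; remaining text fields are left blank."""
    rng = rng or random.Random(0)        # seeded only to keep the example repeatable
    radios, radio_done, data = {}, set(), []
    for f in form["fields"]:
        if f["type"] == "radio" and f["name"]:
            radios.setdefault(f["name"], []).append(f["value"])
    for f in form["fields"]:
        name, t = f["name"], f["type"]
        if not name:
            continue
        if t in ("hidden", "submit"):
            data.append((name, f["value"]))
        elif t == "email" or any(h in name.lower() for h in EMAIL_HINTS):
            data.append((name, victim))
        elif t == "checkbox":
            data.append((name, f["value"] or "on"))
        elif t == "radio":
            if name not in radio_done:
                radio_done.add(name)
                data.append((name, rng.choice(radios[name])))
        elif t == "select":
            if f["options"]:
                chosen = f["options"] if f["multiple"] else [rng.choice(f["options"])]
                data.extend((name, v) for v in chosen)
        else:
            data.append((name, ""))
    return {"action": form["action"], "method": form["method"], "data": data}


def plan_submissions(html, victim):
    """Parse one harvested page and return a ready-to-post payload per form."""
    p = FormParser()
    p.feed(html)
    return [fill_form(f, victim) for f in p.forms]


# Constructed newsletter sign-up form, typical of a "launch pad" page.
SAMPLE_HTML = """
<form action="/newsletter/subscribe" method="post">
  <input type="hidden" name="list" value="weekly">
  <input type="text" name="first_name">
  <input type="text" name="email_address">
  <input type="radio" name="format" value="html">
  <input type="radio" name="format" value="text">
  <input type="checkbox" name="topics" value="news">
  <input type="checkbox" name="topics" value="deals">
  <select name="freq"><option value="daily">Daily</option><option value="weekly">Weekly</option></select>
  <input type="submit" name="go" value="Subscribe">
</form>
"""

if __name__ == "__main__":
    print(query_variants('"free email newsletter"', ["sports", "music"]))
    print(plan_submissions(SAMPLE_HTML, "victim@example.com"))
```

The point of the sketch is how little the agent needs to know about any individual site: a few dozen lines of generic parsing produce a plausible submission for an arbitrary form, which is why the launch pad cannot tell this request from a genuine one.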
These two phases are described in more detail in our white paper, along with experimental results that show just how quickly a typical email account, cellular phone, etc., can be disabled. As is shown there, it takes less than an hour for even a small-scale attack to overflow a typical email account, and much less if the attack is large or the victim is a cellular phone or PDA.
Countermeasures: What complicates the design of countermeasures is the fact that nothing per se distinguishes a malicious request for information from a desired one in the eyes of the launch pad site, which is therefore oblivious to the fact that it is being used in an attack. This also makes legislation against unwanted emails, SMSs and phone calls a meaningless deterrent: without the appropriate technical mechanisms to distinguish valid requests from malicious ones, how could a site be held liable when used as a launch pad? To further aggravate matters, and given that our attack is a type of Distributed Denial of Service (DDoS) attack, the victim (or nodes acting on its behalf) cannot simply filter out high-volume traffic emanating from a suspect IP address: the messages arrive from a large number of legitimate launch pads rather than from one source, even if we ignore the practical problems associated with spoofing of such addresses.
The standard defense against impersonation of users does not prevent the traffic from being generated. In particular, some sites attempt to establish that a request emanated from a given user by sending the user an email to which he must respond in order to complete the registration or request. However, as far as our email-based attack is concerned, it makes little difference whether the emails sent to a victim are responses to requests or simply emails demanding an acknowledgement; either way, one submission produces one message in the victim's mailbox.
While it may appear that the simplicity and generality of the attack would make it difficult to defend against, this is fortunately not the case. We propose (1) simple extensions of known techniques whereby well-intentioned Web sites can protect themselves from being exploited as launch pads for our attack, and (2) a set of heuristic techniques whereby users can protect themselves against becoming victims of our attack.
Our countermeasures are light-weight and simple, require no modifications of the communication infrastructure, and can be deployed gradually.
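The two classes of countermeasure are named above but not spelled out, and the white paper is where the authors' actual proposals live. The following is an added example of one plausible instance of each, written for this page and not taken from the white paper: on the launch-pad side, a per-recipient send throttle that runs before any message (the double-opt-in confirmation included) is queued, so a site caps how many messages it will ever contribute to one mailbox; on the user side, a filter that quarantines a burst of confirmation-style emails arriving from many distinct sender domains within a short window. The limits, the regular expression, the address normalisation and `SAMPLE_INBOX` are all constructed assumptions.

```python
"""Added example of the two countermeasure classes named in the text (not the
white paper's mechanisms). Both run offline on constructed data."""
import re
from collections import defaultdict, deque


def canonical(addr):
    """Normalise an address so trivial variants share one throttle bucket:
    lower-case, and drop a '+tag' suffix from the local part (assumed policy)."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return f"{local.split('+', 1)[0]}@{domain}"


class RecipientThrottle:
    """Launch-pad side: refuse to send ANY mail to an address that has already
    received `limit` sends from this site within `window` seconds. Because the
    check precedes queuing, the confirmation mail of a double-opt-in flow is
    throttled too, which is the gap the text points out."""

    def __init__(self, limit=3, window=3600):
        self.limit, self.window = limit, window
        self.sent = defaultdict(deque)          # canonical address -> send timestamps

    def allow(self, addr, now):
        q = self.sent[canonical(addr)]
        while q and now - q[0] >= self.window:  # forget sends outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# User side. Constructed inbound-mail log for one victim: (seconds, sender, subject).
SAMPLE_INBOX = [
    (0,    "news@site-a.example",    "Confirm your subscription"),
    (40,   "list@site-b.example",    "Please verify your email address"),
    (55,   "alice@friend.example",   "lunch tomorrow?"),
    (70,   "noreply@site-c.example", "Welcome! Confirm your newsletter signup"),
    (95,   "bot@site-d.example",     "Activate your account"),
    (130,  "hello@site-e.example",   "Your free SMS account: confirm"),
    (4000, "bob@work.example",       "Q3 report"),
]
CONFIRM_RE = re.compile(r"\b(confirm|verify|activate|subscription|signup)\b", re.I)


def quarantine(messages, window=600, threshold=4):
    """User side: if at least `threshold` confirmation-style mails from distinct
    sender domains land within any `window`-second span, treat the span as a
    cluster bomb and hold every confirmation-style mail in it. Ordinary mail,
    and isolated confirmations, pass untouched. Returns (kept, held)."""
    ordered = sorted(messages)
    flagged, recent = set(), deque()           # recent: (time, index, domain)
    for i, (t, sender, subject) in enumerate(ordered):
        if not CONFIRM_RE.search(subject):
            continue
        recent.append((t, i, sender.rpartition("@")[2].lower()))
        while recent and t - recent[0][0] > window:
            recent.popleft()
        if len({d for _, _, d in recent}) >= threshold:
            flagged.update(idx for _, idx, _ in recent)
    kept = [m for i, m in enumerate(ordered) if i not in flagged]
    held = [m for i, m in enumerate(ordered) if i in flagged]
    return kept, held


if __name__ == "__main__":
    th = RecipientThrottle(limit=3, window=3600)
    print([th.allow("victim@example.com", t) for t in (0, 10, 20, 30)])
    kept, held = quarantine(SAMPLE_INBOX)
    print(len(kept), "kept,", len(held), "held")
```

Two caveats worth keeping in mind. The throttle bounds only what one site contributes; the victim's total is still the cap multiplied by however many launch pads the attacker finds, so it is a mitigation that raises the attacker's cost rather than a cure, which is consistent with the gradual, per-site deployment the text describes. The user-side filter is a heuristic on subject lines and sender domains, so a victim who genuinely signs up for several services at once will see those confirmations held; the threshold and window need tuning against real mail.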
Our suggested countermeasures are described in our white paper, "Untraceable Email Cluster Bombs: On Agent-Based Distributed Denial of Service," which is available at www.markus-jakobsson.com.
Copyright 2003 by Markus Jakobsson