DOI: 10.1145/3021460.3021477

Mitigating Browser-based DDoS Attacks using CORP

Published: 05 February 2017

Abstract

On March 27, 2015, GitHub witnessed a massive DDoS attack, the largest in GitHub's history to date. In this incident, ordinary browsers and their users were used as the vectors that launched the attack. In this paper, we analyse such browser-based DDoS attacks and simulate them in a lab environment. Existing browser security policies such as the Same Origin Policy (SOP) and Content Security Policy (CSP) do not mitigate these attacks, because they were not designed to. We observe that CORP (Cross Origin Request Policy), a browser security policy, can be used to mitigate them. CORP enables a server to control the cross-origin interactions that a browser initiates towards it: the browser intercepts cross-origin requests and blocks those the server has declared unwanted before they are sent. Mitigation therefore happens in the browser, taking the load off the server under attack.


Cited By

  • Modelling and Mitigation of Cross-Origin Request Attacks on Federated Identity Management Using Cross Origin Request Policy. Information Systems Security (2017), pp. 263-282. DOI: 10.1007/978-3-319-72598-7_16. Online publication date: 2 Dec 2017.

Published In

ISEC '17: Proceedings of the 10th Innovations in Software Engineering Conference
February 2017
235 pages
ISBN:9781450348560
DOI:10.1145/3021460
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org.

In-Cooperation

  • iSOFT

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Browser
  2. Browser-based DDoS
  3. Cross-origin requests
  4. DDoS
  5. Javascript
  6. MITM (Man in the middle)

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ISEC '17

Acceptance Rates

ISEC '17 paper acceptance rate: 25 of 81 submissions (31%)
Overall acceptance rate: 76 of 315 submissions (24%)
