Alternative (ab)uses for HTTP Alternative Services Trishita Tiwari Ari Trachtenberg [email protected] [email protected] Boston University Boston University Abstract The web community now has almost thirty years of experi- The HTTP Alternative Services header (Alt-Svc) was intro- ence with the HTTP protocol, and mature browser development duced in 2013 in a bid to streamline load balancing, protocol teams span a multitude of companies, some with market capi- optimizations, and client segmentation, and it has since been talizations approaching one billion dollars each [10]. And yet, subsequently implemented in almost all mobile and desktop despite all this knowledge and experience, we aim to show browsers. We show that the major implementations of the that it is still extremely difficult to introduce even simple header are independently susceptible to a variety of stealthy improvements to the HTTP protocol without introducing a abuse. Indeed, we demonstrate how Alternative Services may variety of security vulnerabilities. be leveraged to scan ports blacklisted by browsers, probe fire- Specifically, in this work we evaluate HTTP Alternative Ser- walled hosts, and mount Distributed Denial of Service attacks. vices header (Alt-Svc), a simple optimization introduced These services may also be misused to bypass popular phish- in 2013 with three potential use-cases in mind: streamlin- ing and malware protection services like Safe Browsing, and ing server load-balancing without the need for fine-grained also online site checkers like VirusTotal, URLVoid, Sucuri Domain-Name-Service (DNS) maintenance, readily making and IPVoid. In the privacy realm, the Alt-Svc header may clients aware of endpoints supporting newer protocols (e.g., be abused for user tracking: at the network layer by Internet HTTP/2 or QUIC), when available, and segmenting clients Service Providers (ISPs), and at the application layer by first into groups with prescribed capabilities [26]. We show that, and third party websites (where we bypass third-party track- though well-intentioned and apparently straightforward, this ing protections on Firefox, Chrome and Brave). In a similar new header may be leveraged for a variety of less innocuous manner, the header may be used by transiently connected ISPs purposes, including third-party network reconnaissance and to exfiltrate parts of a victim’s browser history. Our attacks service denial, bypassing phishing and malware protections, work, to varying extents, on Firefox, Tor, Chrome, and Brave and user tracking. Indeed, the fundamental reason behind all browser, and have been disclosed accordingly–so far, one of these attacks is that the Alt-Svc header introduces unchecked our vulnerabilities been patched by Mozilla as CVE-2019- background connection attempts from the victim’s browser to 11728. We conclude with proposed mitigations for some of attacker specified endpoints. Worse yet, these endpoints may these abuses. also be cached to enable automatic future connections. 1 Introduction 1.1 Overview of abuse HyperText Transfer Protocol (HTTP) headers date back to the Network reconnaissance is one of the first steps in many elec- very earliest web servers, providing an out-of-band mech- tronic attacks, and it is often initiated with a scan of accessible anism for clients and servers to exchange metadata. Early ports on the target. Defenders typically impede port scans in a headers included basic information about the HTTP request number of ways, including (i) using an anomaly detection sys- context, like the domain name of the server or the name of the tem to recognize scans coming from a common startpoint, and client’s browser. However, as web content grew in complexity, (ii) placing hosts behind firewalls or Network Address Trans- so did the the the scope of HTTP headers, expanding to include lators (NATs). Unfortunately, the current implementations of expiration dates, user-side cached data (cookies), and control Alt-Svc allow attackers to instigate stealthy distributed port options for connection reuse. Accompanying this growth in scans from a web server under their control. The scans are header complexity was a proliferation of attacks to the privacy initiated by victim machines that connect to the controlled and security of user data, and corresponding mitigations [43]. server, and thus are both distributed across many startpoints and able to target any machine visible from the victim, even if a suspicious site. Indeed, various online tools like VirusTotal, the victim is behind a firewall. Unlike known JavaScript ver- URLVoid, Sucuri and IPVoid also help to identify unsafe web- sions of this attack, the victim sees no indication of the attack sites [35, 48, 50, 54]. The general approach of these blocking within her browser, and the attack can target ports that are mechanisms is to check website domains against an inde- otherwise blocked by the browser due to security concerns. pendently generated blacklist of suspicious content. Unfor- Indeed, this scanning ability can also be translated into tunately, this domain checking can be rather simply evaded a Distributed Denial of Service (DDoS) attack, wherein an with the use of the Alt-Svc header. Alt-Svc connection from a browser opens long-lasting con- nections on a target server, or a short client message leads Main Contributions The main browser-based attacks pre- to a much larger server response against an intended target. sented in this work are thus: Unlike existing DDoS approaches [6,28,29,36,53], our meth- ods allow an attacker to target any arbitrary port of the target 1. Distributed TCP and UDP port scanning; host by means of client web browsers. The distributed nature 2. Bypass of malware and phishing protections; of such attacks, coming from a variety of seemingly unre- lated and otherwise typical clients, make them very hard to 3. Distributed Denial of Service of generic services; and, attribute to a root cause or mitigate; indeed, distributed attack mitigation has become the expertise of niche providers such 4. Tracking and history exfiltration. as Cloudflare [1]. The same scanning ability also carries the potential of confusing Intrusion Detection Systems by trigger- We note that different browsers are affected to varying extents ing anomalies that are tied to unusual patterns of IP or port by these different attacks. Further, most of these attacks have accesses. direct impact to modern browsers, but others serve as caution- ary threats toward future adoption of full Alternative Services Another potential abuse of Alt-Svc that we highlight in functionality. this work relates to user tracking. Privacy concerns have Our attacks have been disclosed to Firefox, Tor, Chrome, also lead to a proliferation of client-side blocking tools such and Brave browser development teams. as AdBlock, Ghoster, Disconnect, Privacy-Badger and other tracker/advertisement blockers [18]. Indeed, most modern browsers either block third-party trackers by default, or offer Roadmap The remainder of this paper is organized as the option to do so [37]. Furthermore, a number of security- follows: in Section2 we discuss the background of the focused browsers have been introduced from both industry Alt-Svc header. We then discuss prior works that relate to and academia, including Tor, Brave Browser, FuzzyFox [38] our contributions in Section3. Section4 describes our various and DeterFox [17]. On the network layer, privacy protections Alt-Svc header attacks, together with potential mitigations include web traffic encryption (HTTPS), MAC address random- for some of them. Finally we conclude in Section5. ization [3, 12], and elimination of other trackable network identifiers (for instance, TLS resumption cache isolation in 2 Background Tor [4]). Unfortunately, Alt-Svc can be abused to circumvent a variety of these protections, allowing, for example, tracking We next provide some historic and current context for the by first- and third-party websites, network-layer tracking, and Alternative Services header. bypass of some standard third-party blocking mechanisms in common use [37]. 2.1 Why Alt-Svc? Similar Alternative Service attacks can be used to perform network-layer browser history exfiltration. Unlike most prior Under the older HTTP/1.1 regimen, servers would typically works based on third-party websites [14,46,56], our approach load balance their clients by means of short-lifetime DNS query for this attack targets a network-level adversary (e.g., an In- responses; as one server would get loaded, the DNS responses ternet Service Provider or an owner of a Wifi router) that would shift toward a different, less busy, server. This worked exfiltrates a user’s browser history, including web accesses well because HTTP/1.1 involved many short-lived TCP con- performed outside the observation window of the attacker. nections, each with individual HTTP/1.1-requests. However, Finally, Alternative Services also provide a mechanism for HTTP/2 introduced various optimizations, most notably the bypassing browser defenses against phishing. The prevalence use of longer TCP connections to multiplex multiple HTTP/2 and damage of phishing sites, which impersonate well-known requests. In these cases, clients could bind to DNS queries for company sites for the purpose of gathering sensitive personal longer periods of time, thereby complicating load-balancing user data [9, 45, 47], has led browsers to implement a vari- efforts among servers. ety of blocking filters [15, 41], which, for example, display The Alternative Services HTTP-header (Alt-Svc) was de- conspicuous warnings if the user navigates to a suspicious signed, in part, to help alleviate this problem by allowing a website, or even a clean website that draws some content from server to specify alternative endpoints for client loads [26]. For example, a client loading a page from www.example.com is eventually deemed as valid) is ripe for exploitation, as we could receive a server response specifying an Alt-Svc header demonstrate in Sections 4.1 and 4.3. When the endpoint spec- pointing to another endpoint, say other.example.com.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages12 Page
-
File Size-