Passive Fingerprinting of HTTP/2 Clients by Ory Segal

PASSIVE FINGERPRINTING OF
HTTP/2 CLIENTS
CODEBLUE
@TOKYO
Ory Segal
Sr. Director, Threat Research
Akamai
@orysegal

AGENDA
▸Data collection, and background on the Akamai Intelligent
Platform
▸HTTP/2 overview
▸Passive client & device fingerprinting
▸HTTP/2 passive client fingerprinting
▸Use cases for client fingerprinting
▸HTTP/2 threat landscape
© 2017 AKAMAI | FASTER FORWARD™

The Intelligent Platform
▸220,000+ Edge Servers
▸3,315+ Locations
▸1200+ Cities
▸129 Countries
▸1,227+ Networks
▸60 Tbps at last peak
The Data
▸3 trillion hits per day
▸1 Billion unique IPs seen quarterly
▸13+ trillion log lines per day
▸260+ TB of compressed daily logs
15 - 30% of all web traffichttp://wwwnui.akamai.com/gnet/globe/
http://tech.akamai.com/attack-globe/
AKAMAI

1,000,000,000+ Hits
25,600,000 IP Addresses
13,200 Hosts
632,900 User-Agents
413,400,000 Logins
HTTP/2 [ DAILY ] USAGE STATISTICS
10%Daily Traffic

HTTP/2 OVERVIEW
▸Based on the SPDY protocol (developed by )
▸Published during 2015:
▸RFC 7540: Hypertext Transfer Protocol Version 2 (HTTP/2)
▸RFC 7541: HPACK: Header Compression for HTTP/2
▸Addresses (performance) challenges in HTTP/1.1

HTTP/1.1 CHALLENGES
Concurrency
Compression
HTTP/1.0 allowed only one request to be outstanding at a time
on a given TCP connection. HTTP/1.1 added request pipelining,
but this only partially addressed request concurrency and still
suffers from head-of-line blocking
HTTP header fields are often repetitive and verbose, causing
unnecessary network traffic as well as causing the initial TCP
congestion window to quickly fill
In HTTP/1.x, the server never initiates traffic push. It has to be
passive and wait for the client to request resources, even
when it knows which resources the client is about to request
next
Passive server< / >

ENTER HTTP/2...
Concurrency
Compression
Allows interleaving of request and response messages on the
same TCP connection
Uses an efficient coding for HTTP header fields, as well as
header compression
Adds a new interaction mode whereby a server can push
responses to a client, if it thinks the client will need them
Server push< / >

CONCURRENCY
TCP CONNECTION
STREAM 0
STREAM 1
STREAM 2
STREAM n
STREAM 1
A Stream is an independent, bidirectional sequence of frames
exchanged between the client and server
Frame
FrameFrame
FrameFrame
Frame
Frame Frame

HTTP/2 KEY ELEMENTS
▸Connection: a transport-layer connection between two
endpoints
▸Stream: a bidirectional flow of frames within the HTTP/2
connection
▸Frame: the smallest unit of communication within an
HTTP/2 connection. Consists of a header and a variable-
length sequence of octets structured according to the
frame type
▸Message: a sequence of one or more frames (maps to a
request or response)

FRAME STRUCTURE
Length (24 bit)
Type (8 bit) Flags (8 bit)
R Stream Identifier (31 bit)
Frame payload (0...)

HEADERS FRAME - EXAMPLE
Length (24 bit) = XXXXX
Type = 0x1
HEADERS_FRAME
Flags = 0x25
END_HEADERS (0x4) ,
END_STREAM (0x1),
PRIORITY (0x20)
R Stream Identifier (Stream ID = 73)
Pad Length = 0
E = 1
Weight = 220
Stream Dependency = 0
:method: GET
:authority: http2.akamai.com
:scheme: https
:path: /resources/h2.css
user-agent: Mozilla/5.0 (......) Chrome/62.0.3202.75

HTTP/2 FRAME TYPES
▸DATA {type = 0x0}
▸HEADERS {type = 0x1}
▸PRIORITY {type = 0x2}
▸RST_FRAME {type = 0x3}
▸SETTINGS {type = 0x4}
▸PUSH_PROMISE {type = 0x5}
▸PING {type = 0x6}
▸GOAWAY {type = 0x7}
▸WINDOW_UPDATE {type = 0x8}
▸CONTINUATION {type = 0x9}

HTTP/2 INSPECTION TOOLS
Server side
Web server debug logs

HTTP INSPECTION TOOLS
Client side
Chrome://net-internals

HTTP/2 SESSION INITIALIZATION

HTTP (GET) REQUEST

HTTP RESPONSE

KEEP IN MIND
▸HTTP/2 is binary (you can’t use netcat to draft traffic)
▸HTTP/2 implementations use TLS
▸Most intercepting proxies (e.g. Burp) don’t support H2

PASSIVE CLIENT
FINGERPRINTING

PASSIVE CLIENT FINGERPRINTING
▸Passive collection of attributes that might expose
consistent unique behavior
▸Fingerprinting software clients, not end users
▸Transport layer, Session layer, Application layer
▸Deduce information about:
▸Operating system (type and version)
▸System uptime
▸Software client type

HTTP/2 FRAME TYPES USED IN
FINGERPRINT
▸DATA {type = 0x0}
▸RST_FRAME {type = 0x3}
▸PUSH_PROMISE {type = 0x5}
▸PING {type = 0x6}
▸GOAWAY {type = 0x7}
▸CONTINUATION {type = 0x9}

SETTINGS FRAME
The SETTINGS frame conveys configuration parameters
that affect how endpoints communicate. It MUST be sent
by both endpoints at the start of a connection
Fingerprint = [ 1:65536; 3:1000; 4:6291456 ]

SETTINGS FRAME - ENTROPY

THE WINDOW_UPDATE FRAME
▸The WINDOW_UPDATE frame is used to implement flow
control
▸Flow control operates at two levels: on each individual stream
and on the entire connection
▸The RFC defines a default window size of 65,535 octets
▸The connection flow-control window can only be changed
using WINDOW_UPDATE frames

ADDING ‘WINDOW_UPDATE’ TO THE
FINGERPRINT
Fingerprint = [ 1:65536; 3:1000; 4:6291456 | 15663105 ]

PRIORITY FRAME
▸Sets stream dependencies and priorities
▸Priority is set by assigning weights to
streams
▸Weights express preference of resources
allocation
▸Used by some at the beginning of each
connection
▸Each frame has three fields:
▸Weight
▸Stream Dependency
▸Exclusivity Bit
index.html
<stream 1>
theme.css
<stream 9>
jquery.js
<stream 3>
fonts.js
<stream 5>
main.js
<stream 7>

FIREFOX PRIORITY FRAME
<3>
201
<5>
101
<7>
1
0
<9>
1
<11>
1
Priority = 3:0:0:201, 5:0:0:101, 7:0:0:1, 9:0:7:1, 11:0:3:1

SUMMARY
User-Agent SETTINGS WINDOW UPDATE PRIORITY
okhttp/3.6.0 4:16777216 16711681 0
curl/7.54.0 3:100;4:1073741824 1073676289 0
nghttp2/1.22.0 3:100;4:65535 00
3:0:0:20,5:0:0:101,
7:0:0:1,9:0:7:1,11:0:3:1
Fingerprint = [3:100;4:65535|00|3:0:0:20,5:0:0:101,7:0:0:1,9:0:7:1,11:0:3:1]

PSEUDO-HEADERS
▸HTTP/1.x used the message to convey the target URI,
the method of the request, and the status code for the
response
▸HTTP/2 uses special pseudo-header fields beginning
with ':' character for this purpose
GET / HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
:method: GET
:path: /
:authority: www.example.com
:scheme: https
Accept: text/html
GET / HTTP/1.1
Host: www.example.com
Accept: text/html

PSEUDO-HEADER ENTROPY
CONTRIBUTION

[1:65535;3:100;4:131072 | 00 | 3:0:0:20,5:0:0:101,7:0:0:1,9:0:7:1,11:0:3:1 | m,p,a,s]
SETTINGS WINDOW_UPDATE PRIORITY PSEUDO-HEADER-ORDER
HTTP/2 FINGERPRINT FORMAT

PASSIVE HTTP/2 FINGERPRINTING USE
CASES
▸Detection of spoofed web clients:
▸Spoofed clients’ fingerprint will be inconsistent with known
fingerprints
▸Detection of attack tools & bots:
▸Use a dictionary of “known” tool signatures
▸Positive enforcement of web clients
▸E.g. mobile apps accessing APIs
▸Anonymous proxy & VPN detection
▸Traffic & fingerprint statistical analysis

HTTP/2 THREAT
LANDSCAPE

Most security tools lack H2 support:
✘ Burp Suite
✘ Zed Attack Proxy
✘ Fiddler
✘ SQLmap
✘ Acunetix
✘ AppScan
✘ NetSparker
✘ SentryMBA
✘ THC-Hydra

BUT WHY?
No real incentive for
attackers - Web servers
support both HTTP/1.x and
HTTP/2
Not all common and simple
HTTP libraries support
HTTP/2 at the moment.
Adoption will require code
refactoring
Some server implementation weaknesses were found in 2016 - Handling
of Compression, Stream management, however these do not require tool
adoption.

Passive Fingerprinting of HTTP/2 Clients by Ory Segal

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Passive Fingerprinting of HTTP/2 Clients by Ory Segal

Similar to Passive Fingerprinting of HTTP/2 Clients by Ory Segal (20)

More from CODE BLUE

More from CODE BLUE (20)

Recently uploaded

Recently uploaded (20)

Passive Fingerprinting of HTTP/2 Clients by Ory Segal

Editor's Notes