Collapsar: A VM-Based Architecture for Network Attack Detention Center Xuxian Jiang, Dongyan Xu Department of Computer Sciences Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University USENIX Security 2004

Outline  Motivation  Collapsar architecture and features  Collapsar design, implementation, and performance  Collapsar deployment and real-world incidents  Conclusion and on-going work

Motivation  Need for network attack containment and monitoring  Worm outbreaks (MSBlaster, Sasser…)  Debian project servers hacked (Nov. 2003)  PlanetLab nodes compromised (Dec. 2003)  And more

Motivation  Promise of honeypots  Providing insights into intruders’ motivations, tactics, and tools  Highly concentrated datasets w/ low noise  Low false-positive and false negative rate  Discovering unknown vulnerabilities/exploitations  Example: CERT advisory CA (solaris CDE subprocess control daemon – dtspcd)

Current Honeypot Operation  Individual honeypots  Limited local view of attacks  Federation of distributed honeypots  Deploying honeypots in different networks  Exchanging logs and alerts  Problems  Difficulties in distributed management  Lack of honeypot expertise  Inconsistency in security and management policies  Example: log format, sharing policy, exchange frequency

Our Solution: Collapsar  Based on the HoneyFarm idea of Lance Spitzner  Achieving two (seemingly) conflicting goals  Distributed honeypot presence  Centralized honeypot operation  Key ideas  Leveraging unused IP addresses in each network  Diverting corresponding traffic to a “detention” center (transparently)  Creating VM-based honeypots in the center

VM-based Honeypot Collapsar Architecture Redirector Correlation Engine Management Station Production Network Collapsar Center Attacker Front-End

Comparison with Current Approaches  Overlay-based approach (e.g., NetBait, Domino overlay)  Honeypots deployed in different sites  Logs aggregated from distributed honeypots  Data mining performed on aggregated log information  Key difference: where the attacks take place (on-site vs. off-site)

Comparison with Current Approaches  Sinkhole networking approach (e.g., iSink )  “Dark” space to monitor Internet abnormality and commotion (e.g. msblaster worms)  Limited interaction for better scalability  Key difference: contiguous large address blocks (vs. scattered addresses)

Comparison with Current Approaches  Low-interaction approach (e.g., honeyd, iSink )  Highly scalable deployment  Low security risks  Key difference: emulated services (vs. real things)  Less effective to reveal unknown vulnerabilities  Less effective to capture 0-day worms

Collapsar Design  Functional components  Redirector  Collapsar Front-End  Virtual honeypots  Assurance modules  Logging module  Tarpitting module  Correlation module

Functional Components  Redirector  Running in each participating network  Capturing traffic toward unused IP addresses  Redirecting to Collapsar Front-End  Two implementation options  Proxy-ARP approach  Longer latency  Minimum change to network infrastructure  GRE (Generic Routing Encapsulation) approach  Lower latency  Requiring router re-configuration  Missing attack traffic from inside a domain

Functional Components  Collapsar Front-End  Dispatching incoming traffic to different honeypots  Transparent bridging  Mitigating security risks  Transparent firewalling  Packet re-writing  Assurance module plug-in  Logging modules  Tarpitting modules

Functional Components  Virtual honeypots  VM-based high-interaction honeypots  VMware  Enhanced User-Mode Linux (UML)  Commodity OS and popular services  Linux, Windows, Solaris, FreeBSD  Apache, samba, sendmail, named  Capability of forensic analysis  System image snapshot / restoration

Assurance Modules  Logging module  Traffic logging  Where: Front-End and honeypots  Keystroke logging  Where: honeypots  Tarpitting module  Mitigating security risks  Where: Front-End  Correlation module  Mining and correlation (e.g., tcpdump, snort) (e.g., sebek) (e.g., snort-inline)

 Measurement set-up  Metrics  TCP throughput  Nock (  ICMP latency Performance Measurement Dell PowerEdge Server (2.6GHz Xeon/2GB Memory) Dell Desktop PC (1.8GHz Pentium 4/768MB Memory) Collapsar Center A VMware or UML H Redirector Front-End

TCP throughput Measurement Results

ICMP latency

Collapsar Deployment  Deployed in a local environment for a two-month period in 2003  Traffic redirected from five networks  Three wired LANs  One wireless LAN  One DSL network  ~ 40 honeypots analyzed so far  Internet worms (MSBlaster, Enbiei, Nachi )  Interactive intrusions (Apache, Samba)  OS: Windows, Linux, Solaris, FreeBSD

Incident: Apache Honeypot/VMware  Vulnerabilities  Vul 1: Apache (CERT® CA )  Vul 2: Ptrace (CERT® VU )  Time-line  Deployed: 23:44:03pm, 11/24/03  Compromised: 09:33:55am, 11/25/03  Attack monitoring  Detailed log 

[ :33:55 aaa.bb.c sh 48]export HISTFILE=/dev/null; echo; echo ' >>>> GAME OVER! Hackerz Win ;) <<<<'; echo; echo; echo "****** I AM IN '`hostname -f`' ******"; echo; if [ -r /etc/redhat-release ]; then echo `cat /etc/redhat- release`; elif [ -r /etc/suse-release ]; then echo SuSe `cat /etc/suse- release`; elif [ -r /etc/slackware-version ]; then echo Slackware `cat /etc/slackware-version`; fi; uname -a; id; echo [ :34:01 aaa.bb.c sh 48]cd /tmp [ :34:07 aaa.bb.c sh 48]wget ptrace-kmod.c -o p;./p 1. Gaining a regular account: apache 2. Escalating to the root privilege Incident: Apache Honeypot/VMware

[ :35:46 aaa.bb.c sh 0]wget -xzf shv4.tar.gz;cd shv4;./setup rooter 1985 [ :36:16 aaa.bb.c xntps 0]SSH-1.5-PuTTY- Release-0.53b [ :36:57 aaa.bb.c xntps 0]cd /home;adduser ftpd;su ftpd [ :37:00 aaa.bb.c xntps 0]cd ftpd; mkdir.logs;cd.logs [ :37:04 aaa.bb.c xntps 0]wget -zvxf iroffer1.2b22.tgz;cd iroffer1.2b22;./Configure;make [ :37:50 aaa.bb.c xntps 0]mv iroffer syst [ :37:52 aaa.bb.c xntps 0]pico rpm [ :38:01 aaa.bb.c xntps 0]./syst -b rpm/dev/null & 3. Installing a set of backdoors 4. Adding the ftp user and installing a IRC-based ftp server Incident: Apache Honeypot/VMware

Incident: Windows XP Honeypot/VMware  Vulnerability  RPC DCOM Vul. (Microsoft Security Bulletin MS03-026)  Time-line  Deployed: 22:10:00pm, 11/26/03  MSBlaster: 00:36:47am, 11/27/03  Enbiei: 01:48:57am, 11/27/03  Nachi: 07:03:55am, 11/27/03

Log Correlation: Stepping Stone iii.jjj.kkk.11 compromised a honeypot & installed a rootkit, which contained an ssh backdoor xx.yyy.zzz.3 connected to the ssh backdoor using the same passwd

Log Correlation: Network Scanning

Conclusions  A new architecture for attack containment and monitoring  Distributed presence and centralized operation of honeypots  Good potential in attack correlation and log mining  Unique features  Aggregation of Scattered unused IP addresses  Off-site (relative to participating networks) attack occurrences and monitoring  Real services for unknown vulnerability revelation

On-going Work  Integration into trusted server architectures (SODA and Poly 2 )  On-demand honeypot customization  Collapsar center federation  Scalability  Testbed for worm containment (coming soon)

Thank you. For more information: {dxu, URL: Google: “Purdue Collapsar friends”