
Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm

Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm. Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage. Symposium on Operating Systems Principles, 2005. Presented by Tracy Wagner, CDA 6938, February 8, 2007.



  1. Scalability, Fidelity, and Containment in the Potemkin Virtual Honeyfarm
  Michael Vrable, Justin Ma, Jay Chen, David Moore, Erik Vandekieft, Alex C. Snoeren, Geoffrey M. Voelker, Stefan Savage
  Symposium on Operating Systems Principles, 2005
  Tracy Wagner, CDA 6938, February 8, 2007

  2. Outline
  • Introduction
  • Potemkin Virtual Honeyfarm
  • Evaluation
  • Contributions/Strengths
  • Weaknesses
  • Further Research

  3. Introduction
  • Problem: Sharp tradeoff between scalability, fidelity, and containment when deploying a honeyfarm.
  • Scalability – how well a solution works when the size of the problem increases
  • Fidelity – adherence to fact or detail; accuracy or exactness
  • Containment – the act of containing, keeping something from spreading

  4. Introduction
  • Inherent tension between:
    • Scalability and Fidelity
      • Low Interaction → High Scalability
      • High Interaction → High Fidelity
    • Containment and Fidelity
      • Strict Containment Policies → Loss of Fidelity
      • Example: No outbound packets allowed / Will not let a trojan “phone home”

  5. Introduction
  • Proposal: A honeyfarm system architecture that can
    • Monitor hundreds of thousands of IP addresses, providing scalability
    • Offer high fidelity, similar to high-interaction honeypots
    • Support customized containment policies

  6. Potemkin Virtual Honeyfarm
  • Prototype Honeyfarm System
    • Virtual Machines
    • Physical Memory Sharing
    • Idleness
  • Major Components
    • Gateway
    • Virtual Machine Monitor (VMM)

  7. Gateway
  • Direct Inbound Traffic
  • Contain Outbound Traffic
  • Implement Resource Management
  • Interface With Other Components

  8. Gateway
  • Direct Inbound Traffic
    • Traffic Arrival
      • Routing, Tunneling
    • Load Balance Backend Honeyfarm Servers
      • Random, Based on Platform
    • Programmable Filters
      • Eliminate short-lived VMs that result from same-service port scans across a large IP range

  9. Gateway
  • Contain Outbound Traffic
    • Only physical connection between honeyfarm servers and the Internet
    • Customizable Containment Policies
      • DNS Traffic
    • Traffic that does not pass the containment filter may be reflected back into the honeyfarm

  10. Gateway
  • Implement Resource Management
    • Dedicate only a subset of servers to reflection
    • Limit number of reflections with identical payload
    • Determine when to reclaim VM resources
  • Interface With Other Components
    • Detection
    • Analysis
    • User Interface
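The outbound containment and reflection policy summarized on slides 9 and 10, modelled as an added Python example (this is not the Potemkin gateway's code). The monitored address range, the reflection server names and the per-payload reflection cap are constructed assumptions; the decision order (DNS passes the filter, traffic to a monitored address is reflected to a backend that will spawn an impersonating VM, everything else is dropped) follows the slides.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed configuration (assumptions, not values from the paper): the
# honeyfarm owns one /16 of monitored address space, only two backend servers
# accept reflected traffic, and a given payload is reflected at most 3 times.
HONEYFARM_NET = ip_network("10.0.0.0/16")
REFLECTION_SERVERS = ("server-a", "server-b")
MAX_IDENTICAL_REFLECTIONS = 3


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes


class Gateway:
    """Outbound containment: DNS passes the filter, traffic aimed at the
    honeyfarm's own address space is reflected to a backend server that
    spawns a VM impersonating the destination, and everything else is
    dropped.  Reflections of an identical payload are capped so a single
    worm cannot starve the farm of VM resources."""

    def __init__(self):
        self.reflections = Counter()   # payload -> times reflected so far
        self.rr = 0                    # round-robin index over reflection servers
        self.dropped = []              # packets that failed containment

    def decide(self, pkt):
        # Containment filter: only DNS may reach the real Internet.
        if pkt.proto == "udp" and pkt.dport == 53:
            return "forward"
        # Reflection: the gateway can impersonate any monitored address.
        if ip_address(pkt.dst) in HONEYFARM_NET:
            if self.reflections[pkt.payload] >= MAX_IDENTICAL_REFLECTIONS:
                self.dropped.append(pkt)
                return "drop"
            self.reflections[pkt.payload] += 1
            server = REFLECTION_SERVERS[self.rr % len(REFLECTION_SERVERS)]
            self.rr += 1
            return "reflect:" + server
        # Anything else fails containment and never leaves the farm.
        self.dropped.append(pkt)
        return "drop"
```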

  11. Virtual Machine Monitor
  • Flash Cloning
    • Instantiates Virtual Machines Quickly
    • Copies and modifies a host reference image
  • Delta Virtualization
    • Optimizes the Flash Cloning Operation
    • Utilizes Copy-on-Write
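A simplified model of flash cloning with delta virtualization, added here as an illustration and not taken from the Potemkin VMM: every clone initially maps all of its pages to the shared reference image, and a page is copied only when the clone writes to it, so the farm's physical memory is one image plus the per-VM deltas. The page size, image size and write pattern are constructed assumptions.

```python
PAGE_SIZE = 4096  # bytes per physical page (assumption for this model)


class ReferenceImage:
    """A booted host reference image whose pages are shared read-only by
    every clone; constructed here as a list of page-sized byte strings."""

    def __init__(self, num_pages):
        self.pages = [bytes([i % 256]) * PAGE_SIZE for i in range(num_pages)]


class CloneVM:
    """A flash-cloned VM.  Its address space initially maps every page to the
    reference image; delta virtualization copies a page only when written."""

    def __init__(self, image):
        self.image = image
        self.delta = {}  # page index -> private copy created on first write

    def read(self, idx):
        return self.delta.get(idx, self.image.pages[idx])

    def write(self, idx, offset, data):
        page = bytearray(self.read(idx))        # copy-on-write of one page
        page[offset:offset + len(data)] = data
        self.delta[idx] = bytes(page)           # the reference image is untouched

    def private_bytes(self):
        return len(self.delta) * PAGE_SIZE


def flash_clone(image, count):
    """Instantiate `count` VMs from one reference image without copying it."""
    return [CloneVM(image) for _ in range(count)]


def farm_footprint(image, clones):
    """Physical memory in use: one shared image plus each clone's delta."""
    return len(image.pages) * PAGE_SIZE + sum(c.private_bytes() for c in clones)


def naive_footprint(image, clones):
    """What a full private copy of the image per VM would have cost."""
    return len(image.pages) * PAGE_SIZE * len(clones)
```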

  12. Virtual Machine Monitor

  13. Architecture

  14. Evaluation – /16 network
  • 156 destination addresses multiplexed per active VM instance
  • Hundreds of honeypot VMs per physical server
  • Hundreds of distinct VMs can be supported running simple services
  • Live deployment created 2100 VMs dynamically in a 10-minute period; possible to create honeyfarms with both scale and fidelity!

  15. Contributions/Strengths
  • Flash Cloning and Delta Virtualization allow for a highly scalable system with high fidelity
  • Improvement in scale of up to six orders of magnitude; as implemented, can support 64K addresses
  • Internal Reflection can offer significant insight into the spreading dynamics of new worms
  • Customizable containment policies allow testing of various scenarios

  16. Weaknesses
  • Reflection must be carefully managed to avoid resource starvation
  • VM cannot respond until cloning is complete (if this takes too long, traffic may be lost)
  • Scalability depends upon the Gateway
  • Router function renders the honeyfarm visible to anyone using traceroute
  • Attacker techniques exist for detecting a virtualized honeyfarm

  17. Further Research
  • Defer creation of a new VM until a complete session is established
  • Optimization of all aspects of flash cloning
  • Optimization of the gateway
  • Offer support for disk devices
  • Develop support for Windows hosts
