High Security Laboratory - Network Telescope
Frédéric Beck, Olivier Festor, Radu State

To cite this version: Frédéric Beck, Olivier Festor, Radu State. High Security Laboratory - Network Telescope. [Technical Report] 2008. inria-00337568.
HAL Id: inria-00337568, https://hal.inria.fr/inria-00337568, submitted on 7 Nov 2008.

INSTITUT NATIONAL DE RECHERCHE EN INFORMATIQUE ET EN AUTOMATIQUE
Unité de recherche INRIA Lorraine, LORIA, Technopôle de Nancy-Brabois, Campus scientifique, 615, rue du Jardin Botanique, BP 101, 54602 Villers-lès-Nancy (France)
Thème COM (Systèmes communicants), Projet MADYNES
Rapport technique n° 9999, March 2007, 219 pages
French title: Laboratoire de Haute Sécurité en Informatique - Télescope Réseau (LHSI)

Abstract:
Key-words: security, network, telescope, malware

Contents

1 Introduction
2 LHSI
  2.1 Requirements
  2.2 Network Telescope
    2.2.1 Objective and Functionalities
    2.2.2 Telescope Architecture
3 Physical Infrastructure
  3.1 Material
    3.1.1 Specifications
    3.1.2 Characteristics
  3.2 Physical Implantation
    3.2.1 Servers Room
    3.2.2 Racks and Weight Repartition
4 Network Infrastructure
  4.1 Network DSL Connections
  4.2 Cabling
  4.3 Logical Infrastructures
    4.3.1 Private Network
    4.3.2 VLANs
    4.3.3 Firewalling
5 Hardware and Operating Systems
  5.1 PowerEdge 2950 storage and PowerVault MD1000
    5.1.1 PE2950
    5.1.2 MD1000
  5.2 PowerEdge 2950 collect and analysis
  5.3 KVM 2161DS-2 Switch
    5.3.1 Network
    5.3.2 Access and Configuration
6 Software
  6.1 Logging Server
    6.1.1 Overview
    6.1.2 SurfIDS Logserver
    6.1.3 Mail reporting
    6.1.4 RRD scripts
    6.1.5 Google Map
    6.1.6 Antivirus analysis
  6.2 Low Interaction Honeypots
    6.2.1 Nepenthes
    6.2.2 p0f-db
    6.2.3 Argos
  6.3 Virtualization
    6.3.1 Xen
    6.3.2 Qemu
  6.4 Netflow
    6.4.1 Probe
    6.4.2 Collector
    6.4.3 WEB Interface
  6.5 Backup
    6.5.1 Database
    6.5.2 Daily backup
    6.5.3 Manual Save
7 Deployment
  7.1 Sensors Deployed
  7.2 Results
    7.2.1 Attacks and Binaries Downloaded
    7.2.2 Antivirus Scanning
    7.2.3 Network Traces
    7.2.4 Sandboxing
8 Maintenance
  8.1 Starting the servers
  8.2 Shutting down the platform
  8.3 Daily status check
  8.4 Communication
9 Conclusion and Future Work

List of Figures

1 Architecture of the Network Telescope
2 First Rack Specifications
3 Second Rack Specifications
4 Physical Deployment in the Server Room
5 Video Export
6 Network Infrastructure (Collecting Environment)
7 Network Infrastructure (Analysis Environment)
8 Network Architecture Overview
9 VLANs Deployment
10 Transparent Firewall
11 Firewall Rules
12 Surfnet IDS Architecture
13 Daily Mail Report
14 Network and Memory Usage Graphs
15 Attackers Geolocalisation
16 Binaries Scanning Results
17 Creating an Argos Image Template
18 NfSen - Packets per second
19 Evolution of the Attacks
20 Network Traces
21 Sensor Status
1 Introduction

On 2 November 1988, the Morris worm successfully attacked about 6,000 computers connected to the Internet. Fifteen years later, on 25 January 2003 at 05:30 UTC, the Slammer worm paralyzed large parts of the Internet by exploiting a buffer overflow in Microsoft SQL Server for which a patch had been published six months earlier. In no more than 10 minutes, the worm replicated itself onto 90% of the vulnerable computers. Today, a well-programmed worm could freeze the Internet in only a few seconds (a flash worm). Reality meets fiction: the scenario of the movie Terminator 3, in which the Skynet system takes control of the defense networks by injecting a virus, is technically plausible today, since our dependency on computers grows every day and the interconnection of systems is beyond human control.

Viruses, malware and worms spreading over the Internet cause billions of euros of damage to our economy. They are a real threat to our society. Critical infrastructures, such as communications or energy transport, depend heavily on computer networks. A bug, especially one caused by a malicious act, can deprive us of them. A viral attack such as Slammer denies access to resources spread all over the Internet. For example, the supervision network of the Davis-Besse nuclear power plant in Ohio was unavailable for several hours after Slammer's attack. Other kinds of attacks can deface a website, modify information, steal private data or, even worse, use our own systems to commit crimes, incriminating us without our knowledge. If such an attack is not detected, a person relying on the altered information may take a wrong decision. The dramatic consequences that can follow are easy to understand. These examples illustrate the reversal of trend we are facing.
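The propagation figures above (90% of vulnerable hosts in about 10 minutes for a random-scanning worm, seconds for a flash worm that starts from a prepared hit list) follow from a simple growth model. The Python example below is added here and is not code from the INRIA report; it implements the Random Constant Spread (logistic) model that Staniford, Paxson and Weaver used to describe Code Red, for a worm that probes IPv4 addresses uniformly at random. The scan rate (4,000 probes per second per infected host), the vulnerable population (75,000 hosts) and the 10,000-host hit list are round-number assumptions chosen for illustration, not measurements taken from the report.

```python
"""Random Constant Spread (RCS) model of a randomly scanning worm.

Added example, not code from the INRIA report. The model is the logistic
growth used by Staniford, Paxson and Weaver to describe Code Red: while the
infected fraction a(t) is small, every infected host finds new victims at a
constant rate, so da/dt = K * a * (1 - a). All numeric parameters below are
illustrative assumptions, not measurements from the report.
"""
import math

IPV4_SPACE = 2 ** 32    # addresses an unbiased random scanner draws from
IPV6_SPACE = 2 ** 128   # same model on IPv6: random scanning becomes hopeless


def rcs_rate(scan_rate, vulnerable, address_space=IPV4_SPACE):
    """Growth constant K (1/s): probes per second per infected host times the
    probability that a uniformly random probe lands on a vulnerable host."""
    return scan_rate * vulnerable / address_space


def doubling_time(k):
    """Seconds for the infected population to double during early growth."""
    return math.log(2.0) / k


def infected_fraction(t, k, a0):
    """Closed-form solution of da/dt = k a (1 - a) with a(0) = a0.

    Written in terms of the odds a/(1-a), which grow exactly exponentially."""
    odds = (a0 / (1.0 - a0)) * math.exp(k * t)
    return odds / (1.0 + odds)


def time_to_fraction(k, a0, target):
    """Seconds until the infected fraction reaches `target` (0 < target < 1)."""
    odds0 = a0 / (1.0 - a0)
    odds_target = target / (1.0 - target)
    return math.log(odds_target / odds0) / k


def simulate(scan_rate, vulnerable, initially_infected, target=0.9,
             address_space=IPV4_SPACE, step=0.1, max_seconds=3600.0):
    """Forward-Euler simulation in whole hosts; returns (seconds, infected hosts).

    A cross-check of the closed form, and the place to plug in effects the
    closed form cannot express (for instance a per-host bandwidth cap)."""
    k = rcs_rate(scan_rate, vulnerable, address_space)
    infected = float(initially_infected)
    t = 0.0
    while infected < target * vulnerable:
        if t >= max_seconds:
            raise RuntimeError("target fraction not reached within max_seconds")
        # New infections per step: probes from infected hosts that land on a
        # host that is vulnerable and not yet infected.
        infected += k * infected * (1.0 - infected / vulnerable) * step
        t += step
    return t, infected


def summary(scan_rate=4000, vulnerable=75_000, hitlist=10_000):
    """Compare a single-seed random scanner with a hit-list (flash) start.

    Assumed parameters: 4,000 probes/s per host, 75,000 vulnerable hosts and
    a 10,000-host hit list. Returns a dict of durations in seconds."""
    k = rcs_rate(scan_rate, vulnerable)
    return {
        "doubling_time": doubling_time(k),
        "single_seed_to_90pct": time_to_fraction(k, 1.0 / vulnerable, 0.9),
        "hitlist_to_90pct": time_to_fraction(k, hitlist / vulnerable, 0.9),
        "ipv6_doubling_time": doubling_time(
            rcs_rate(scan_rate, vulnerable, IPV6_SPACE)),
    }


if __name__ == "__main__":
    for name, seconds in summary().items():
        print(f"{name:>22}: {seconds:14.1f} s")
```

Under these assumptions the doubling time is about 10 s, a single seed reaches 90% of the vulnerable population in a little over three minutes (an idealized lower bound: in practice bandwidth saturation slows the late phase, which is why Slammer needed closer to 10 minutes), and the 10,000-host hit list cuts that to under a minute. Switching the address space to 2**128 makes the doubling time astronomically long, which is why uniform random scanning is not a viable IPv4-style propagation strategy on IPv6 and why a telescope watching unused IPv4 space sees random scanners so clearly.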
After the highly visible hacker intrusions of the early 2000s, malicious code now keeps a low profile to succeed in its wrongdoing, acting as a spy inside our systems. Viruses are weapons and, depending on who controls them, they can be deadly weapons. Thus the French newspaper Le Monde revealed on 5 October 2007 that several countries, including the USA, Germany, France and New Zealand, had announced that they had suffered cyber-attacks originating from China. While attacks are widespread, network data related to them is rarely available to academia for investigation. In this context, the MADYNES team, which develops research activities on security management, decided to build an infrastructure capable of collecting the data necessary to analyze and model malicious systems from a network point of view. This infrastructure is now part of the LORIA High Security Laboratory.

2 LHSI

In this section we present and motivate the High Security Laboratory (LHSI).

2.1 Requirements

A High Security Laboratory (LHSI) should make it possible to perform certain experiments under a legal umbrella, with the possibility of publishing results and data. The experiments considered are the deployment of attack and defense systems against malicious programs (viruses, malware, ...), the use of viral technologies to develop new technologies, vulnerability detection, security audits and system certification.

Indeed, any design or deployment error can lead to an uncontrolled propagation, theoretically over the whole Internet, with serious legal and operational consequences. We are aware that flash-worm-like viral propagation methods could paralyze the Internet in less than 10 seconds. Therefore, the safety and security issues of the envisioned laboratory are critical.

The High Security Lab is composed of two distinct projects, closely