Reducing Attack Surface with VM-Based Phantom Server

Online servers are a primary target of attack because they expose a large and varied attack surface. In this paper, we present a phantom server architecture that reduces the attack surface of online servers by separating the protected content from the interface that is reachable by both regular users and potential attackers. We call the server that runs the interface the Portal Server, and the server that provides the protected services the Phantom Server. Only authenticated clients can obtain services from the phantom server. The architecture reduces the attack surface by hiding the phantom server so that attackers cannot detect it. Moreover, even if the portal server is compromised, the attacker still cannot locate the phantom server and mount further attacks. Our architecture can be deployed without any hardware or software changes on legacy servers. We implement a virtual machine (VM) based phantom server prototype to protect online web and database servers. Experimental results show that the phantom server architecture incurs low overhead.
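The portal/phantom split described above, as an added illustration rather than the paper's own prototype: a constructed in-process model in which the phantom accepts requests only from the portal, the portal relays only for authenticated sessions, and the portal scrubs the phantom's private address from anything it returns. The addresses, user table and content are assumptions made for the example.

```python
import hmac
import secrets

# Constructed addresses: the phantom sits on a private (RFC 1918) network that
# clients cannot reach directly; only the portal knows where it is.
PORTAL_ADDR = "203.0.113.10"   # public-facing interface (documentation range)
PHANTOM_ADDR = "10.0.0.2"      # protected backend, never disclosed to clients


class PhantomServer:
    """Holds the protected content; answers only the portal, drops everything else."""

    def __init__(self, content):
        self.content = content
        self.direct_attempts = 0   # count of non-portal requests, useful for detection

    def serve(self, src_addr, path):
        if src_addr != PORTAL_ADDR:   # anything not from the portal is silently dropped
            self.direct_attempts += 1
            return None
        # Model a careless backend that echoes its own address in a header;
        # the portal is responsible for scrubbing it before replying.
        return {"body": self.content.get(path, "not found"),
                "headers": {"Location": f"http://{PHANTOM_ADDR}{path}"}}


class PortalServer:
    """Public interface: authenticates clients, then relays to the phantom."""

    def __init__(self, phantom, users):
        self._phantom = phantom        # held by reference; address never exposed
        self._users = users            # {user: password}; plaintext only for brevity
        self._sessions = set()

    def login(self, user, password):
        if not hmac.compare_digest(self._users.get(user, ""), password):
            return None
        token = secrets.token_hex(32)  # opaque session token handed to the client
        self._sessions.add(token)
        return token

    def handle(self, token, path):
        if token not in self._sessions:
            return 401, "login required", {}   # phantom is never touched
        reply = self._phantom.serve(PORTAL_ADDR, path)
        # Rewrite any leak of the phantom's location so clients only ever see the portal.
        headers = {k: v.replace(PHANTOM_ADDR, PORTAL_ADDR) for k, v in reply["headers"].items()}
        return 200, reply["body"], headers
```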