
A Virtual Distributed Honeynet at KFUPM: A Case Study

Aim

Build a high-interaction honeynet environment at KFUPM’s two main campuses:

• The students’ living dorms.
• The Computer Engineering College campus.

• Most enthusiastic and computer-literate intruders are found in the Computer Science and Engineering College.

The aim of our experiment is to explore:
• The type of attacks the campuses are exposed to (DoS, port scanning, etc.).
• The most common tools for these attacks (rsh, ssh, parallel ping, etc.).
• The most common source(s) and destination(s) for these attacks.
• The feasibility of the design and tools used.

High-interaction honeypots were used:
• Collect as much information as possible.

Experimental Results

We developed a wrapper that checks these logs and informs the system administrator of any successful intrusion incident. The script sends emails containing the matched log entries.

Conclusion and Future Work

In terms of severity, around 65% of the traffic was considered medium risk, while the remaining 35% was considered low. The high share of the medium-level category is due to the fact that the system classifies BitTorrent file sharing, which makes up around 70% of the total traffic, as medium risk. This percentage is no surprise, since BitTorrent accounts for an astounding 40-55% of all traffic on the Internet, and it is expected to be high in the students’ living campuses.

Our experience shows that the Honeywall CDROM proved to be a solid tool that is capable of capturing a great deal of information and assisting in analyzing traffic on the distributed honeypots. The honeynet designer, nevertheless, needs to consider a few issues related to scalability and resource utilization.

Our future work includes expanding our honeynet to include other colleges and campuses in the university and thus achieve wider honeynet coverage. This will also require increasing our logging disk space to allow for more logging time, longer logging intervals and thus broader analysis.

Mohammed Sqalli*, Raed AlShaikh**, Ezzat Ahmed*

* Department of Computer Science and Engineering
King Fahd University of Petroleum and Minerals
Dhahran, Saudi Arabia

** ECC Network Operations Department
EXPEC Computer Center (ECC)
Saudi Aramco
Dhahran 31311, Saudi Arabia

Further Enhancements

[Network diagram of the distributed honeynet: Internet; Honeywall CDROM; VLAN1 and VLAN2 covering the Computer Engineering College campus and the students’ living campus; high-interaction honeypots (Fedora and Windows XP) on each; logging server on a private network.]

Name                                              Protocol  Severity  Total
IIS view script source code vulnerability attack  TCP       Medium        8
MS Uni Plug and Play UDP                          UDP       Medium       30
NBT (NetBIOS) Datagram Service                    UDP       Low         399
Bit Torrent requests                              TCP       Medium    19098
DHCP requests                                     UDP       Low        9938
Random traffic                                    --        --          357

To: admin@localhost
From: root@localhost
Subject: ------ ALERT!: OUTBOUND CONN --------

Apr 6 17:19:05 honeywall FIREWALL:OUTBOUND CONN UDP:IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth2 SRC=192.168.1.101 DST=63.107.222.112 LEN=123 TOS=0x00 PREC=0x00 TTL=255 ID=43147 PROTO=UDP SPT=5353 DPT=79 LEN=103
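The log-checking wrapper described above and the alert e-mail it produces can be illustrated with a small script. The following is an added example, not the authors' own wrapper: it parses Honeywall firewall syslog lines in the format of the alert shown, keeps only outbound connections whose source is a honeypot (a honeypot has no legitimate users, so outbound traffic from it is the signal of a successful intrusion), and composes the notification message. The sample log lines after the first and the honeypot address list are constructed for the example; sending the message via SMTP is left to the caller.

```python
import re
from email.message import EmailMessage

# Constructed sample of Honeywall firewall log lines. The first line is the
# alert line shown on the poster; the remaining lines are made up here.
SAMPLE_LOG = """\
Apr 6 17:19:05 honeywall FIREWALL:OUTBOUND CONN UDP:IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth2 SRC=192.168.1.101 DST=63.107.222.112 LEN=123 TOS=0x00 PREC=0x00 TTL=255 ID=43147 PROTO=UDP SPT=5353 DPT=79 LEN=103
Apr 6 17:19:07 honeywall FIREWALL:INBOUND CONN TCP:IN=br0 PHYSIN=eth2 OUT=br0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.168.1.101 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 PROTO=TCP SPT=44321 DPT=80
Apr 6 17:19:09 honeywall FIREWALL:OUTBOUND CONN TCP:IN=br0 PHYSIN=eth1 OUT=br0 PHYSOUT=eth2 SRC=192.168.1.102 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=2 PROTO=TCP SPT=1045 DPT=6881
Apr 6 17:19:11 honeywall sshd[1234]: Accepted publickey for admin from 10.0.0.2 port 50022
"""

# Assumed honeypot addresses (hypothetical; the poster does not list them).
HONEYPOTS = {"192.168.1.101", "192.168.1.102"}

# syslog timestamp, host, then the Honeywall "FIREWALL:<DIR> CONN <PROTO>:" prefix
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"FIREWALL:(?P<direction>INBOUND|OUTBOUND) CONN (?P<proto>\w+):(?P<fields>.*)$"
)


def parse_firewall_line(line):
    """Return a dict for a Honeywall FIREWALL line, or None for any other syslog line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        # LEN appears twice (IP total length, then UDP length); keep the first.
        if sep and key not in fields:
            fields[key] = value
    return {
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "direction": m.group("direction"),
        "proto": m.group("proto"),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "spt": fields.get("SPT"),
        "dpt": fields.get("DPT"),
        "raw": line.strip(),
    }


def find_outbound_alerts(log_text, honeypots):
    """Outbound connections whose source is one of the honeypots."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_firewall_line(line)
        if event and event["direction"] == "OUTBOUND" and event["src"] in honeypots:
            alerts.append(event)
    return alerts


def build_alert_email(alerts, to_addr="admin@localhost", from_addr="root@localhost"):
    """Compose the administrator notification; delivery (e.g. smtplib) is the caller's job."""
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = from_addr
    msg["Subject"] = "------ ALERT!: OUTBOUND CONN --------"
    summary = [
        f"{a['timestamp']} {a['src']}:{a['spt']} -> {a['dst']}:{a['dpt']} ({a['proto']})"
        for a in alerts
    ]
    msg.set_content(
        f"{len(alerts)} outbound connection(s) from honeypots:\n\n"
        + "\n".join(summary)
        + "\n\nMatched log lines:\n"
        + "\n".join(a["raw"] for a in alerts)
        + "\n"
    )
    return msg


if __name__ == "__main__":
    found = find_outbound_alerts(SAMPLE_LOG, HONEYPOTS)
    if found:
        print(build_alert_email(found))
```

Running the script prints one message listing the two outbound events and ignores both the inbound probe and the unrelated sshd line. In a deployment the script would tail the Honeywall log, and the honeypot set would come from the VLAN address plan rather than a hard-coded list.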

Introduction

A honeynet is a network set up with intentional vulnerabilities to invite attack, so that an attacker's activities and methods can be studied.

• Two commonly used implementations were tested:
  • The Honeywall CDROM
  • KFSensor

• VMware virtualization was used since it offers several advantages over the use of physical machines:
  • VMs can be modified more easily than physical machines (software layer).
  • An administrator can start, stop or clone a VM very easily, which is especially important in the case of security.

Moreover, we detected a vulnerability attack on the Internet Information Service (IIS) that was installed on the Windows-based honeypots. This vulnerability has the signature KFAGC165421, and indicates that IIS contains a flaw that allows an attacker to cause IIS to return the source code for a script file instead of processing the script. This vulnerability attack traffic was generated by one of the systems in the students’ living campus.