honey pots
TRANSCRIPT
![Page 1: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/1.jpg)
HoneyPots
Malware Class Presentation
Xiang Yin, Zhanxiang Huang, Nguyet Nguyen
November 2nd 2004
![Page 2: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/2.jpg)
ProblemsWhy?
![Page 3: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/3.jpg)
Problems (2)
• The Internet security is hard– New attacks every day– Our computers are static targets
• What should we do?• The more you know about your enemy, the better
you can protect yourself
• Fake target?
![Page 4: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/4.jpg)
Solutions? Air Attack
Real Fake
A Detected….
![Page 5: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/5.jpg)
Honeypots?
• Fake Target
• Collect Infomation
![Page 6: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/6.jpg)
Agenda
• Honeypots: an whitepaper
• Honeyd
• Honeynet
• Discussion
![Page 7: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/7.jpg)
History of Honeypots
• 1990/1991 The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit• 1998 - CyberCop Sting• 1998 - NetFacade (and Snort)• 1998 - BackOfficer Friendly• 1999 - Formation of the Honeynet Project• 2001 - Worms captured
![Page 8: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/8.jpg)
Definition
A honeypot is an information system resource whose value lies in unauthorized or illicit
use of that resource.• Has no production value; anything going to/from a
honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
• Does not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.
![Page 9: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/9.jpg)
Classification
• By level of interaction• High• Low• Middle?
• By Implementation• Virtual• Physical
• By purpose• Production• Research
![Page 10: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/10.jpg)
Level of Interaction
• Low Interaction• Simulates some aspects of the system• Easy to deploy, minimal risk• Limited Information• Honeyd
• High Interaction• Simulates all aspects of the OS: real systems• Can be compromised completely, higher risk• More Information• Honeynet
![Page 11: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/11.jpg)
Level of Interaction
Operating system
Fake D
aemon
Disk
Other local resource
Low
Medium
High
![Page 12: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/12.jpg)
Physical V.S. Virtual Honeypots
• Two types– Physical
• Real machines• Own IP Addresses• Often high-interactive
– Virtual• Simulated by other machines that:
– Respond to the traffic sent to the honeypots– May simulate a lot of (different) virtual honeypots at the
same time
![Page 13: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/13.jpg)
HoneyPot A
Gateway
Attackers
Attack Data
How do HPs work?Prevent
DetectResponse
Monitor
No connection
![Page 14: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/14.jpg)
Production HPs: Protect the systems
• Prevention• Keeping the bad guys out
• not effective prevention mechanisms.
• Deception, Deterence, Decoys do NOT work against automated attacks: worms, auto-rooters, mass-rooters
• Detection• Detecting the burglar when he breaks in.
• Great work
• Response• Can easily be pulled offline
• Little to no data pollution
![Page 15: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/15.jpg)
Research HPs: gathering information
• Collect compact amounts of high value information
• Discover new Tools and Tactics
• Understand Motives, Behavior, and Organization
• Develop Analysis and Forensic Skills
• HONEYNET?
![Page 16: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/16.jpg)
Building your HoneyPots
• Specifying Goals
• Selecting the implementation strategies• Types, Number, Locations and Deployment
• Implementing Data Capture
• Logging and managing data
• Mitigating Risk
• Mitigating Fingerprint
![Page 17: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/17.jpg)
Location of Honeypots
• In front of the firewall
• Demilitarized Zone
• Behind the firewall (Intranet)
![Page 18: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/18.jpg)
Capturing Information
• Host based:• Keystrokes
• Syslog
• Network based:• Firewall
• Sniffer
• IP not resolve name
![Page 19: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/19.jpg)
Logging and Managing Data• Logging
architecture
• Managing data
![Page 20: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/20.jpg)
Maintaining Honeypots
• Detection and Alert
• Response
• Data Analysis
• Update
![Page 21: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/21.jpg)
Honeyd: A Virtual Honeypot Framework
By Zhanxiang HuangNovember 2nd, 2004
![Page 22: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/22.jpg)
Physical V.S. Virtual Honeypots
PH (Real machines, NICs, typically high-interaction) High maintenance cost; Impractical for large address spaces;
VH (Simulated by other machines) Multiple virtual services and VMs on one
machine; Typically it only simulate network level
interactions, but still able to capture intrusion attempts;
![Page 23: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/23.jpg)
What is Honeyd?
HoneydHoneyd: A virtual honeypot application, which allows us to create thousands of IP addresses with virtual machines and corresponding network services.
Written by Neil Provos available at http://www.honeyd.org/
![Page 24: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/24.jpg)
What can honeyd do?
Simulates operating systems at TCP/IP stack level, supporting TCP/UDP/ICMP;
Support arbitrary services;
Simulate arbitrary network topologies;
Support tunneling and redirecting net traffic;
![Page 25: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/25.jpg)
Illustration Simple
![Page 26: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/26.jpg)
![Page 27: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/27.jpg)
How it attracts worms?
Honey!~ But technically they need to advertise themselves;
Three methods: Create special routes; Proxy ARP; Network tunnels.
![Page 28: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/28.jpg)
How it works?
routing
routing
Packet Dispatcher
TCP UDP ICMP
Services
PersonalityEngine
ConfigurationDataBase
Network
![Page 29: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/29.jpg)
Why Personality Engine? To fool fingerprinting tools
Uses fingerprint databases by Nmap, for TCP, UDP Xprobe, for ICMP
Introduces changes to the headers of every outgoing packet before sent to the network
![Page 30: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/30.jpg)
Why Routing topology? Simulates virtual network topologies;
Some honeypots are also configured as routers
Latency and loss rate for each edge is configured;
Support network tunneling and traffic redirection;
![Page 31: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/31.jpg)
![Page 32: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/32.jpg)
Why Redirect Connection?
:D
![Page 33: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/33.jpg)
How to Configure?
Each virtual honeypot is configured with a template.
Commands: Create: Creates a new template Set:
Assign personality (fingerprint database) to a template Specify default behavior of network protocols
Block: All packets dropped Reset: All ports closed by default Open: All ports open by default
Add: Specify available services Proxy: Used for connection forwarding
Bind: Assign template to specific IP address
![Page 34: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/34.jpg)
Show Time!~ Real Demo by Zhanxiang
This simplified configuration was used with attract the MSBlast worm over the Internet:
create default set default personality "Windows XPPro" add default tcp port 135 open add default tcp port 4444 "/bin/shscripts/WormCatcher.sh $ipsrc $ipdst" set default tcp action block set default udp action block
![Page 35: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/35.jpg)
Applications
Worm detection and blocking Combine with automated its post-
processing tools, like NIDS signature generation tool honeycomb[1];
Network decoys Spam Prevention
![Page 36: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/36.jpg)
Simulation Results of Anti-Worm
![Page 37: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/37.jpg)
How real is it?
Traceroute to a virtual host Path of the hosts according to the configuration Latency measured double the one specified
Correct because packets have to travel each link twice
Fingerprinting to the Router personality
Nmap and Xprobe detected Cisco router NetBSD personality
Nmap detected NetBSD Xprobe listed a number of possibilities including
NetBSD
![Page 38: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/38.jpg)
Risks?
Some smart worms may wake up! The honeyd will be snubbed;
We might become accessary if our honeyd is compromised and used as bounce;
![Page 39: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/39.jpg)
Are attackers nuts?
In theory: Remote actions Local actions Cloaking issues Breaking the Matrix
Practical ways: layer 2 Sebek-based
Honeypots Fake AP Bait and Switch
Honeypots
(From securityfocus paper on Sep. 28, 2004 : “Defeating Honeypots: Network Issues”, by Laurent Oudot and Thorsten Holz)http://www.securityfocus.com/infocus/1803
![Page 40: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/40.jpg)
Questions?
![Page 41: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/41.jpg)
Honeynet
By Xiang Yin
November 2nd, 2004
![Page 42: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/42.jpg)
What is a Honeynet
• High-interaction honeypot designed to:– capture in-depth information– learn who would like to use your
system without your permission for their own ends
• Its an architecture, not a product or software. • Populate with live systems.• Can look like an actual production system
![Page 43: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/43.jpg)
What is a Honeynet
• Once compromised, data is collected to learn the tools, tactics, and motives of the blackhat community.
• Information has different value to different organizations.– Learn vulnerabilities– Develop response plans
![Page 44: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/44.jpg)
What’s The Difference?
• Honeypots use known vulnerabilities to lure attack.– Configure a single system with special software or system
emulations
– Want to find out actively who is attacking the system
• Honeynets are networks open to attack– Often use default installations of system software
– Behind a firewall
– Rather they mess up the Honeynet than your production system
![Page 45: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/45.jpg)
How it works
• A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
• Any traffic entering or leaving the Honeynet is suspect by nature.
![Page 46: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/46.jpg)
Diagram of Honeynet
![Page 47: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/47.jpg)
Diagram of Honeynet
![Page 48: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/48.jpg)
Data Control
• Containment of activity– Mitigate risks– Freedom vs. risk
• Multiple mechanisms – layers– Counting outbound connections– Intrusion prevention gateways– Bandwidth restrictions
• Fail closed!• Minimize risk, but not eliminate!
![Page 49: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/49.jpg)
Data Control
Internet
Honeywall
Honeypot
Honeypot
No Restrictions
Connections Limited Packet Scrubbed
![Page 50: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/50.jpg)
Data Capture
• This is the reason for setting up a honeynet.• Hidden kernel module that captures all activity
– monitoring and logging
• Challenge: encryption– Activities over encrypted channels (IPSec, SSH, SSL, etc)
• Multiple layers of data capture– Firewall layer, network layer, system layer
• Minimize the ability of attackers to detect – Make as few modifications as possible – Store data on a secured remote system– Also, reduce risk but not eliminate!
![Page 51: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/51.jpg)
Data Analysis
• All activity within Honeynet is suspicious
• 30 minutes of blackhat activity is about 30 to 40 work hours of data analysis
• Less than 10 MB of logging per 24 hours is typical.
![Page 52: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/52.jpg)
Data Collection
![Page 53: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/53.jpg)
Honeynet – Gen I
![Page 54: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/54.jpg)
Honeynet – Gen I
• Counts the number of outbound connections.
• Systems initiate a certain number of outbound connections and then block any further links once the limit is met.
• Useful for blocking denial of service attacks scans, or other malicious activity
• But, gives attacker more room to attack.
![Page 55: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/55.jpg)
Honeynet – Gen II
![Page 56: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/56.jpg)
Honeynet – Gen II
• Layer-two bridging device (called the honeynet sensor) isolates and contains systems in the honeynet.
• Easier to Deploy– Both Data Control and Data Capture on the same system.
• Harder to Detect– Identify activity as opposed to counting connections.– Modify packets instead of blocking.
![Page 57: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/57.jpg)
Data Control – Gen II
• Implemented on gateway
• Connection counting (with IPTables)SCALE="day"TCPRATE="15"UDPRATE="20"ICMPRATE="50"OTHERRATE="15"
• NIPS (Network Intrusion Prevention System) – Works with only known attacks– Modify and disable detected outbound attacks instead of blocking
them– Snort-inline
![Page 58: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/58.jpg)
![Page 59: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/59.jpg)
Data Control - Snort-Inline
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named";flags: A+;
content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
![Page 60: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/60.jpg)
Data capture elements
• Honeynet Project has developed kernel modules to insert in target systems.
• These capture all the attacker's activities, such as encrypted keystrokes.
• The IDS gateway captures all the data and dump the data generated by the attackers without letting attacker know.
• multiple layers of data capture help ensure that they gain a clear perspective of the attacker's activities.
![Page 61: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/61.jpg)
Data capture elements
• Layer 1: the firewall log– packet-filtering mechanism to block outbound connections
once a connection limit is met.
• Layer 2: network traffic– The IDS gateway that identifies and blocks attacks passively
sniffs every packet and its full payload on the network.
• layer 3: system activity– Capturing the attacker's keystrokes and activity on the
system.
![Page 62: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/62.jpg)
Virtual Honeynets
• All the elements of a Honeynet combined on a single physical system. Accomplished by running multiple instances of operating systems simultaneously. Examples include VMware and User Mode Linux. Virtual Honeynets can support both GenI and GenII technologies.
![Page 63: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/63.jpg)
Issues
• High complexity. – Require extensive resources and manpower to properly
maintain.
• High risk– Detection and anti-honeynet technologies have been
introduced.
– Can be used to attack or harm other non-Honeynet systems.
• Legal issues– Privacy, Entrapment, Liability
![Page 64: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/64.jpg)
Honeypots’ Issues
Discussion
![Page 65: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/65.jpg)
Honeypot Advantages
• High Data Value• Small Data
• Low Resource Cost• Weak or Retired system
• Simple Concept, Flexible Implementation
• Return on Investment• Proof of Effectiveness
• Catch new attacks
![Page 66: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/66.jpg)
Disadvantages
• Narrow Field of View
• Fingerprinting
• Risks?• If being detected?
• If being compromised?
• If being mis-configured?
![Page 67: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/67.jpg)
Mitigrating Risks?
• Being Detected?• Anyway honeypots can be detected
• Modifying is a good solution, but not perfect
• Fingerprinting?
• Being Exploited?
![Page 68: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/68.jpg)
Building Honeypots for specific purpose?
• Bigger fish Specific trap?
![Page 69: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/69.jpg)
Legal Issues
• Privacy• No single statue concerning privacy
– Electronic Communication Privacy Act
– Federal Wiretap Statute
– The Pen/Trap Statute
• Entrapment• Used only to defendant to avoid conviction
• Applies only to law enforcement?
• Liability• If a Honeynet system is used to attack or damage other non-
honeynet system?
![Page 70: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/70.jpg)
More Information about Legal Issues
• Computer Crime Section
• E-Mail: [email protected]
• Computer Crime Section’s Web page:
![Page 71: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/71.jpg)
Conclusion
• Honeypots are not a solution, they are a flexible tool with different applications to security.
• Primary value in detection and information gathering.
• Just the beginning for honeypots.
![Page 72: Honey Pots](https://reader036.vdocument.in/reader036/viewer/2022062421/55cf9981550346d0339db956/html5/thumbnails/72.jpg)
Worm propagation speed sim Simulate worm spreading Parameters
i(t): Fraction of infected hosts s(t): Fraction of susceptible hosts r(t): Fraction of immunized hosts β: Worm contact rate γ: Immunization rate
Worm propagation formulas ds/dt = − β * i(t) *s(t) di/dt = βi * (t) * s(t) − γ * i(t) dr/dt = γ * i(t)