Network of Affined Honeypots: More Than An Infrastructure
DESCRIPTION
Presented by Spiros Antonatos [email protected], Distributed Computing Systems Lab, Institute of Computer Science, FORTH. Roadmap: A little about the project; What are honeypots? The NoAH approach; Architecture overview; Argos.
TRANSCRIPT
![Page 1: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/1.jpg)
presented by Spiros Antonatos [email protected]
Distributed Computing Systems Lab, Institute of Computer Science, FORTH
![Page 2: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/2.jpg)
Roadmap:
A little about the project
What are honeypots?
The NoAH approach
Architecture overview
Argos
Honey@home
Conclusions/discussion
http://www.fp6-noah.org | Spiros Antonatos, Terena Networking Conference 2007
![Page 3: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/3.jpg)
Three-year project, April 2005 until March 2008
Funded by the Research Infrastructures Programme of the European Union
4 Work Packages; FORTH is the coordinator
![Page 4: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/4.jpg)
Malware: worms, viruses, keyloggers, spyware…
Malware spreads fast, faster than we can react: thousands of hosts can be infected in a few minutes
We need information about cyberattacks in order to build effective defenses
![Page 5: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/5.jpg)
Gather and analyse information about the nature of Internet cyberattacks
Develop an infrastructure to detect and provide early warning of such attacks
Security monitoring based on honeypot technology
![Page 6: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/6.jpg)
Honeypots are computer systems that do not run production services
They listen to unused IP addresses, are intentionally made vulnerable, and are closely monitored to analyse the attacks directed at them
We can identify two types of honeypots: low-interaction and high-interaction
![Page 7: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/7.jpg)
Low-interaction honeypots emulate services using scripts
+ Lightweight processes, able to cover a large network space
- Emulation cannot provide a high level of interaction with attackers
High-interaction honeypots do not perform emulation, they run real services
- Heavyweight processes, able to cover a small network space
+ Provide the highest level of interaction with attackers
NoAH uses the advantages of both types
![Page 8: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/8.jpg)
[Architecture overview diagram. Labels: Participating Organization with Low-interaction Honeypots; Funnel; Internet; NoAH core with High-interaction Honeypots; Honey@home connected over an anonymous path / Tunnel.]
![Page 9: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/9.jpg)
Honeyd: the most popular and widely-used low-interaction honeypot
Emulates thousands of IP addresses; performs network stack emulation
Highly configurable and lightweight
An efficient mechanism to filter out unestablished and uninteresting connections (port scans, SSH brute-force attacks, etc.)
Interesting connections are forwarded to high-interaction honeypots
![Page 10: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/10.jpg)
Argos emulates entire PC systems: OS agnostic, runs on commodity hardware, based on the Qemu emulator
Key idea: data coming from the network should never be executed
Tracks network data throughout execution (memory tainting technique)
Detects illegal uses of network data: jump targets, function pointers, instructions, system call arguments
Argos is able to detect all exploit attempts, including 0-days!
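To make the memory-tainting rule concrete, here is an added example (not Argos code, and not from the NoAH project): a toy machine in which every byte received from the network is tainted with its offset in the input, taint follows the data through loads, stores and arithmetic, and the emulator raises an alert the moment a tainted value is used as a jump target, a function pointer or a system-call argument. The instruction set, the register names and the sample payload are all constructed for the example; the retained state after an alert stands in for the forensics step on the next slide.

```python
"""Toy dynamic taint tracker illustrating the Argos detection rule (added example)."""
from dataclasses import dataclass

MEM_SIZE = 64


@dataclass
class Alert:
    kind: str       # the illegal use that was detected (jmp_reg, call_reg, syscall)
    pc: int         # index of the instruction that attempted it
    value: int      # the network-derived value that was about to be used
    origins: set    # offsets within the received input that the value derives from


class TaintVM:
    """A byte machine with four registers and a taint shadow for memory and registers."""

    def __init__(self):
        self.mem = bytearray(MEM_SIZE)
        self.taint = [set() for _ in range(MEM_SIZE)]   # per byte: input offsets it derives from
        self.regs = {r: 0 for r in "abcd"}
        self.rtaint = {r: set() for r in "abcd"}
        self.log = []                                    # alerts kept for forensics

    def recv(self, addr, data):
        """Deliver network input into memory, tainting each byte with its offset in the input."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.taint[addr + i] = {i}

    def run(self, program):
        """Execute until the program ends or network data reaches a control/syscall sink."""
        pc = 0
        while 0 <= pc < len(program):
            op, *args = program[pc]
            if op == "load":                 # reg <- mem[addr]; taint copied with the byte
                r, addr = args
                self.regs[r] = self.mem[addr]
                self.rtaint[r] = set(self.taint[addr])
            elif op == "store":              # mem[addr] <- reg; taint follows the value
                addr, r = args
                self.mem[addr] = self.regs[r]
                self.taint[addr] = set(self.rtaint[r])
            elif op == "add":                # r1 <- r1 + r2; result tainted by both inputs
                r1, r2 = args
                self.regs[r1] = (self.regs[r1] + self.regs[r2]) & 0xFF
                self.rtaint[r1] = self.rtaint[r1] | self.rtaint[r2]
            elif op == "addi":               # r <- r + constant; a constant adds no taint
                r, imm = args
                self.regs[r] = (self.regs[r] + imm) & 0xFF
            elif op in ("jmp_reg", "call_reg", "syscall"):
                r = args[0]
                if self.rtaint[r]:           # network data used as a pointer or syscall argument
                    alert = Alert(op, pc, self.regs[r], set(self.rtaint[r]))
                    self.log.append(alert)
                    return alert             # stop here; memory and registers stay for forensics
                if op != "syscall":          # control transfer through a clean register
                    pc = self.regs[r]
                    continue
            pc += 1
        return None


PAYLOAD = b"\x20\x04\x41\x41"   # constructed network input; bytes 0 and 1 end up forming a pointer


def demo_exploit():
    """Network bytes are combined, parked in memory, reloaded and then used as a call target."""
    vm = TaintVM()
    vm.recv(16, PAYLOAD)
    program = [
        ("load", "a", 16),
        ("load", "b", 17),
        ("add", "a", "b"),      # a = 0x24, derived from input offsets 0 and 1
        ("store", 32, "a"),     # value parked in memory; the taint travels with it
        ("load", "c", 32),
        ("call_reg", "c"),      # indirect call through a network-derived value: alert
    ]
    return vm.run(program)


def demo_benign():
    """The same input used as data only: no alert, the taint just propagates."""
    vm = TaintVM()
    vm.recv(16, PAYLOAD)
    program = [
        ("load", "a", 16),
        ("addi", "a", 1),
        ("store", 40, "a"),
    ]
    alert = vm.run(program)
    return alert, vm.mem[40], vm.taint[40]


if __name__ == "__main__":
    print(demo_exploit())   # Alert(kind='call_reg', pc=5, value=36, origins={0, 1})
    print(demo_benign())    # (None, 33, {0})
```

The alert carries which input offsets the offending value derives from, which is exactly what a signature generator needs: it can point at the bytes of the request that became the pointer without knowing anything about the vulnerability in advance, which is why the approach does not depend on prior knowledge of the exploit.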
![Page 11: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/11.jpg)
[Argos pipeline diagram: the Argos emulator (Guest OS, Applications, NIC) runs on the Host OS; Forensics: detect attack and log state; Log; Correlate data; Signature post-processing; Signature.]
![Page 12: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/12.jpg)
![Page 13: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/13.jpg)
Honeypots listen to the unused IP space of the organization that hosts them
This space is limited, which makes it hard to provide results fast and accurately
NoAH tries to empower people to participate
Bring NoAH to home users with Honey@home
![Page 14: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/14.jpg)
Honey@home is a lightweight tool that runs in the background
It monitors an unused IP address, usually obtained via DHCP
All traffic to that unused address is forwarded to our central honeypots
No configuration: install and run! Both Windows and Linux platforms
![Page 15: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/15.jpg)
[Screenshots of the Honey@home client: 1. Running in the background; 2. Creating a new virtual interface; 3. Getting an IP address from the DHCP server]
![Page 16: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/16.jpg)
Handoff
Honey@home clients connect to NoAH honeypots. Honeyd acts as the front-end that filters out scans, then hands the connection off to Argos. The attacker thinks she is communicating with the Honey@home user, but in reality Argos is providing the answers.
[Handoff diagram: Attacker -> Attack -> Honey@home -> Forward -> Honeyd (NoAH core)]
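The Honeyd slide earlier (filter out unestablished and uninteresting connections, forward the interesting ones) and the handoff just described are two views of the same front-end decision. The following added example, which is not Honeyd's code nor anything from the NoAH project, runs that decision over a constructed set of connection records: half-open connections and port scans are absorbed, a burst of SSH sessions from one source is treated as brute force, and everything else is handed off with its original destination address intact so that the high-interaction honeypot can answer as the address the attacker targeted. The thresholds, the `Conn` record and the sample addresses are assumptions made for this example.

```python
"""Front-end funnel in the spirit of NoAH's Honeyd filter and handoff (added example)."""
from collections import defaultdict
from dataclasses import dataclass

# Thresholds are assumptions for this example, not Honeyd settings.
SCAN_PORT_THRESHOLD = 5      # distinct ports hit by one source without completing a handshake
BRUTE_FORCE_THRESHOLD = 4    # established SSH sessions from one source within the window
BRUTE_FORCE_WINDOW = 60.0    # seconds


@dataclass
class Conn:
    ts: float           # time the connection was first seen
    src: str            # remote address
    dst: str            # honeypot address the Honey@home client forwarded traffic for
    dport: int          # destination port
    established: bool   # True only if the TCP three-way handshake completed
    payload: bytes      # first client bytes after the handshake (empty if none)


def funnel(conns):
    """Return one verdict per connection, in input order.

    Verdicts: 'drop:unestablished', 'drop:portscan' and 'drop:ssh-bruteforce'
    for traffic the front-end absorbs itself, 'handoff' for connections that
    are passed on to the high-interaction honeypot.
    """
    probed_ports = defaultdict(set)   # src -> ports touched without a handshake
    ssh_sessions = defaultdict(list)  # src -> timestamps of established SSH sessions
    verdicts = []
    for c in conns:                   # single pass: decide with what has been seen so far
        if not c.established:
            probed_ports[c.src].add(c.dport)
            if len(probed_ports[c.src]) >= SCAN_PORT_THRESHOLD:
                verdicts.append("drop:portscan")
            else:
                verdicts.append("drop:unestablished")
            continue
        if c.dport == 22:
            ssh_sessions[c.src].append(c.ts)
            recent = [t for t in ssh_sessions[c.src] if c.ts - t <= BRUTE_FORCE_WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                verdicts.append("drop:ssh-bruteforce")
                continue
        verdicts.append("handoff")
    return verdicts


def handoff_records(conns):
    """Connections to pass on to the high-interaction honeypot.

    The original destination is kept, so the honeypot answers as the address
    the attacker targeted rather than as the NoAH core.
    """
    return [(c.src, c.dst, c.dport, c.payload)
            for c, v in zip(conns, funnel(conns)) if v == "handoff"]


# Constructed sample traffic; 192.0.2.10 stands in for a Honey@home monitored address.
SAMPLE = [
    # a port scan: six SYNs to different ports, none completing a handshake
    *[Conn(1.0 + i, "10.0.0.5", "192.0.2.10", p, False, b"")
      for i, p in enumerate([21, 22, 23, 25, 80, 443])],
    # SSH brute force: five completed sessions within 40 seconds
    *[Conn(100.0 + 10 * i, "10.0.0.7", "192.0.2.10", 22, True, b"SSH-2.0-lib\r\n")
      for i in range(5)],
    # one established SMB session worth a closer look, and a lone half-open connection
    Conn(200.0, "10.0.0.8", "192.0.2.10", 445, True, b"\x00\x00\x00\x85\xffSMB"),
    Conn(201.0, "10.0.0.8", "192.0.2.10", 135, False, b""),
]


if __name__ == "__main__":
    for c, v in zip(SAMPLE, funnel(SAMPLE)):
        print(f"{c.ts:6.1f} {c.src:>9} -> {c.dst}:{c.dport:<4} {v}")
    print(handoff_records(SAMPLE))
```

Because the filter decides online, the first probes of a scan and the first sessions of a brute-force run are classified only as unestablished or handed off; the verdict changes once the per-source threshold is crossed. That is the trade-off the slides accept: the lightweight front-end cheaply absorbs the bulk of the noise, and the small remainder that reaches the high-interaction honeypot is where the expensive analysis is spent.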
![Page 17: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/17.jpg)
The identity of clients and honeypots must remain hidden: attackers can flood the black space with junk traffic once the identity is revealed
TOR is a network that can provide the desired anonymization
Automatic installation of clients must be prevented, else an attacker would massively deploy mockup clients; registration with CAPTCHA techniques is used
![Page 18: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/18.jpg)
![Page 19: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/19.jpg)
We view an organization as a regular user that possesses a large unused address space
A specialized version of Honey@home is implemented: no TOR involved, since the organization is a trusted entity (unlike home users)
The only configuration needed is to declare the unused address space; Honey@home will forward all traffic to that space (funneling)
![Page 20: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/20.jpg)
Deliverables can be found at http://www.fp6-noah.org/publications/
5 conference papers: Usenix Security 05, SIGOPS 2006, DIMVA '06, RAID '06
Various articles and presentations: ERCIM news, local press
![Page 21: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/21.jpg)
NoAH is a distributed architecture based on low- and high-interaction honeypots
Argos is able to detect all exploits, including zero-days
NoAH empowers non-experts to join the battlefield of cyberattacks
Honey@home enables unfamiliar users to effortlessly participate in NoAH
![Page 22: Network of Affined Honeypots: More Than An Infrastructure](https://reader036.vdocument.in/reader036/viewer/2022062518/5681488e550346895db5a8ac/html5/thumbnails/22.jpg)