presented by Spiros Antonatos [email protected] Distributed Computing Systems Lab Institute of Computer Science FORTH

Upload: earl-burns

Post on 02-Jan-2016

Page 1: Presented by Spiros Antonatos antonat@ics.forth.gr Distributed Computing Systems Lab Institute of Computer Science FORTH


Page 2:

A little about the project

What are honeypots?

The NoAH approach

Architecture overview

Argos

Honey@home

Conclusions/discussion

http://www.fp6-noah.org Spiros Antonatos, Terena Networking Conference 2007

Page 3:

Three-year project: April 2005 until March 2008

Funded by the Research Infrastructures Programme of the European Union

4 Work Packages; FORTH is coordinator


Page 4:

Malware: worms, viruses, keyloggers, spyware…

Malware spreads fast, faster than we can react

Thousands of hosts can be infected in a few minutes

We need information about the cyberattacks so as to build effective defenses


Page 5:

Gather and analyse information about the nature of Internet cyberattacks

Develop an infrastructure to detect and provide early warning of such attacks

Security monitoring based on honeypot technology


Page 6:

Computer systems that do not run production services

Listen to unused IP addresses

Intentionally made vulnerable

Closely monitored to analyse attacks directed at them

We can identify two types of honeypots: low-interaction and high-interaction


Page 7:

Low-interaction honeypots emulate services using scripts

+ Lightweight processes, able to cover large network space

- Emulation cannot provide a high level of interaction with attackers

High-interaction honeypots do not perform emulation, they run real services

- Heavyweight processes, able to cover small network space

+ Provide the highest level of interaction with attackers

NoAH uses the advantages of both types


Page 8:

[Architecture diagram. Labels recovered from the figure: Low-interaction Honeypot (several, each with a Funnel), Participating Organization, Internet, NoAH core, High-interaction Honeypot, Anonymous path, Tunnel, Honey@home.]


Page 9:

Most popular and widely-used low-interaction honeypot

Emulates thousands of IP addresses

Performs network stack emulation

Highly configurable and lightweight

An efficient mechanism to filter out unestablished and uninteresting connections: port scans, SSH brute-force attacks, etc.

Interesting connections are forwarded to high-interaction honeypots


Page 10:

Emulates entire PC systems

OS agnostic, runs on commodity hardware

Based on the Qemu emulator

Key idea: data coming from the network should never be executed

Tracks network data throughout execution (memory tainting technique)

Detects illegal uses of network data: jump targets, function pointers, instructions, system call arguments

Argos is able to detect all exploit attempts, including 0-days!
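The memory-tainting rule above, as an added Python example that is not Argos's code: a toy register machine (an assumed, simplified model) tags every byte that arrives from the NIC, carries the tag through loads into registers, and raises an alert the moment a tagged value is used as a jump target or a system-call argument, which is exactly the class of "illegal use" the slide lists.

```python
class TaintViolation(Exception):
    """Network-derived data reached a control-flow or syscall-argument use."""

class TaintVM:
    """Toy machine: one taint bit per register and per memory byte (assumed model)."""
    def __init__(self):
        self.regs = {f"r{i}": 0 for i in range(4)}
        self.taint = {f"r{i}": False for i in range(4)}
        self.mem = {}        # addr -> (byte, tainted?)
        self.alerts = []     # (use, register, value) for every illegal use

    def recv(self, addr, data):            # NIC input: every byte is tainted
        for i, b in enumerate(data):
            self.mem[addr + i] = (b, True)
    def load(self, reg, addr, width=4):    # little-endian; tainted if any byte is
        val, t = 0, False
        for i in range(width):
            b, tb = self.mem.get(addr + i, (0, False))
            val, t = val | (b << (8 * i)), t or tb
        self.regs[reg], self.taint[reg] = val, t
    def mov_imm(self, reg, val):           # program constants are clean
        self.regs[reg], self.taint[reg] = val, False
    def _check(self, reg, use):
        if self.taint[reg]:
            self.alerts.append((use, reg, self.regs[reg]))
            raise TaintViolation(f"tainted {reg} used as {use}")
    def jmp(self, reg):                    # jump target / function-pointer use
        self._check(reg, "jump target")
        return self.regs[reg]
    def syscall(self, num_reg, arg_regs):  # system-call arguments
        for r in arg_regs:
            self._check(r, "syscall argument")
        return self.regs[num_reg], [self.regs[r] for r in arg_regs]

def run_trace(program):
    """Execute (opcode, *operands) tuples; return (alerts, halted_by_check)."""
    vm = TaintVM()
    try:
        for op, *args in program:
            getattr(vm, op)(*args)
    except TaintViolation:
        return vm.alerts, True
    return vm.alerts, False

# Constructed traces: a benign request parse, and a return address that was
# overwritten with request bytes (the overflow pattern the tainting rule catches).
BENIGN = [("recv", 0x1000, b"GET / HTTP/1.0"), ("load", "r0", 0x1000, 1),
          ("mov_imm", "r1", 0x4000), ("jmp", "r1")]
OVERFLOW = [("recv", 0x1000, b"\x41\x41\x41\x41"), ("load", "r0", 0x1000),
            ("jmp", "r0")]
```

Reading a tainted byte is fine (the benign trace parses the request); only its use as control data trips the check, which is why the approach needs no signature and catches an unknown exploit.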


Page 11:

[Argos workflow diagram. Labels recovered from the figure: Argos emulator (Guest OS, Applications, NIC) on the Host OS; Forensics: detect attack and log state; Log; Correlate data; Signature post-processing; Signature.]


Page 12:

Page 13:

Honeypots listen to the unused IP space of the organization that hosts them

This limited space restricts how fast and how accurately results can be provided

NoAH tries to empower people to participate

Bring NoAH to home users with Honey@home


Page 14:

Lightweight tool that runs in the background

Monitors an unused IP address, usually obtained via DHCP

All traffic to that unused address is forwarded to our central honeypots

No configuration, install and run!

Both Windows and Linux platforms


Page 15:

[Screenshot callouts:]

Running in the background

Creating a new virtual interface

Getting an IP address from the DHCP server


Page 16:

Handoff

Honey@home clients connect to NoAH honeypots

Honeyd acts as front-end to filter out scans

Honeyd hands off connection to Argos

Attacker thinks she communicates with the honey@home user, but in reality Argos is providing the answers

[Handoff diagram. Labels recovered from the figure: Attacker, Attack, Honey@home, Forward, Honeyd, NoAH core.]
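The funnel logic of pages 9 and 16 (the low-interaction front end absorbs unestablished connections, port scans and SSH brute-force attempts itself and hands only established, data-carrying connections to Argos), as an added Python example that is not NoAH's or Honeyd's code; the connection-record format, the thresholds and the sample records are assumptions constructed for the example.

```python
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5    # distinct destination ports from one source -> port scan
SSH_ATTEMPT_THRESHOLD = 3  # established SSH sessions from one source -> brute force

def classify(conns):
    """conns: dicts with src, dport, established (3-way handshake done), payload_bytes.
    Returns (handoff, dropped): connections worth handing to the high-interaction
    honeypot, and a reason -> count map for what the front end absorbed itself."""
    ports_by_src, ssh_by_src = defaultdict(set), defaultdict(int)
    for c in conns:                       # first pass: per-source behaviour
        ports_by_src[c["src"]].add(c["dport"])
        if c["dport"] == 22 and c["established"]:
            ssh_by_src[c["src"]] += 1
    handoff, dropped = [], defaultdict(int)
    for c in conns:                       # second pass: decide per connection
        if len(ports_by_src[c["src"]]) >= SCAN_PORT_THRESHOLD:
            dropped["port scan"] += 1
        elif not c["established"] or c["payload_bytes"] == 0:
            dropped["unestablished"] += 1
        elif c["dport"] == 22 and ssh_by_src[c["src"]] >= SSH_ATTEMPT_THRESHOLD:
            dropped["ssh brute force"] += 1
        else:
            handoff.append(c)             # emulation stops here; Argos answers
    return handoff, dict(dropped)

def conn(src, dport, established, payload_bytes):
    return {"src": src, "dport": dport, "established": established,
            "payload_bytes": payload_bytes}

# Constructed records (RFC 5737 documentation addresses), not real captures.
SAMPLE = (
    [conn("192.0.2.10", p, False, 0) for p in (21, 22, 23, 25, 80)]  # SYN sweep
    + [conn("198.51.100.7", 22, True, 96) for _ in range(3)]         # SSH guessing
    + [conn("203.0.113.9", 80, False, 0),                            # lone SYN
       conn("203.0.113.5", 445, True, 1200)]                         # data-carrying session: hand off
)
```

Only the last record reaches the high-interaction honeypot, which is the point of the design: Argos is expensive per connection, so Honeyd's cheap emulation pays for the whole address space and the handoff is reserved for traffic that may actually carry an exploit.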

Page 17:

Identity of clients and honeypots must remain hidden

Attackers can flood black space with junk traffic once identity is revealed

TOR is a network that can provide the desired anonymization

Automatic installation of clients must be prevented

Else attacker would massively deploy mockup clients

Registration with CAPTCHA techniques is used


Page 18:

Page 19:

We view an organization as a regular user that possesses large unused space

A specialized version of honey@home is implemented

No TOR involved, organization is a trusted entity (unlike home users)

Only configuration needed is to declare the unused address space

Honey@home will forward all traffic to that space (funneling)


Page 20:

Deliverables can be found at http://www.fp6-noah.org/publications/

5 conference papers: Usenix Security 05, SIGOPS 2006, DIMVA '06, RAID '06

Various articles and presentations: ERCIM news, local press


Page 21:

NoAH is a distributed architecture based on low- and high-interaction honeypots

Argos is able to detect all exploits, including zero-days

NoAH empowers non-experts to join the battlefield of cyberattacks

Honey@home enables unfamiliar users to effortlessly participate in NoAH


Page 22: