Honeypot, Botnet, Security Measurement, Email Spam - PowerPoint PPT Presentation

1
Honeypot, Botnet, Security Measurement, Email Spam
  • Cliff C. Zou
  • CDA6938
  • 02/01/07

2
What Is a Honeypot?
  • A honeypot is a deliberately vulnerable (fake) system
    deployed for the purpose of being probed, attacked,
    exploited and compromised.

3
Example of a Simple Honeypot
  • Install a vulnerable OS and software on a machine
  • Install monitoring or IDS software
  • Connect it to the Internet (with a globally routable IP)
  • Wait and monitor it being scanned, attacked and
    compromised
  • Finish the analysis, then clean the machine

4
Benefit of Deploying Honeypots
  • Risk mitigation
    - A deployed honeypot may lure an attacker away from
      the real production systems (it is the easier target)
  • IDS-like functionality
    - Since no legitimate traffic should go to or from the
      honeypot, any traffic that does appear is malicious
      and can trigger further action
  • Attack analysis
    - Binary analysis of captured attack code
    - Spying on attackers' ongoing actions
    - Finding out why and how you are attacked (the
      attackers' reasons and strategies)

5
Honeypot Classification
  • High-interaction honeypots
    - A full, working OS is provided to be attacked
    - VMware virtual environment: several VMware virtual
      hosts on one physical machine
  • Low-interaction honeypots
    - Only emulate specific network services
    - No real interaction, no real OS
    - Example: Honeyd
  • Honeynet/honeyfarm
    - A network of honeypots

6
Low-Interaction Honeypots
  • Pros
    - Easy to install (a simple program)
    - No risk (no vulnerable software to be attacked)
    - One machine can support hundreds of honeypots
  • Cons
    - No real interaction is captured
    - Limited logging/monitoring functionality
    - Easily detectable by attackers

7
High-Interaction Honeypots
  • Pros
    - Real OS: captures all attack traffic and actions
    - Can discover unknown attacks/vulnerabilities
  • Cons
    - Time-consuming to build, maintain and analyze
    - Risk of being used as a stepping stone, so a firewall
      must block all outgoing traffic
    - High computing resource requirements

8
Honeynet
  • A network of honeypots
  • High-interaction honeynet
    - A distributed network composed of many honeypots
  • Low-interaction honeynet
    - Emulates a virtual network in one physical machine
    - Example: honeyd
  • Mixed honeynet
    - "Scalability, Fidelity and Containment in the Potemkin
      Virtual Honeyfarm", presented next week
  • Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

9
What Is a Botnet?
  • A network of compromised computers controlled by their
    attacker
    - Users of the zombie machines do not know
    - Mostly home computers with broadband
  • The main source of many attacks now
    - Distributed Denial-of-Service (DDoS)
    - Extortion
    - Email spam, phishing
    - Ad fraud
    - User information theft: documents, keyloggers, ...

10
How to Build a Botnet?
  • Infect machines via
    - Internet worms, viruses
    - Email viruses
    - Backdoors left by previous malware
    - Trojan programs hidden in free downloads (software,
      games)
  • Bots phone home to receive commands

11
Botnet Architecture
  • Bot controller
    - Usually an IRC (Internet Relay Chat) server
    - Dozens of controllers for robustness

12
Botnet Monitoring
  • Hijack one of the bot controllers
    - The DNS provider redirects the domain name to the
      monitor
    - Still cannot cut off the botnet (dozens of controllers)
    - Can obtain most/all bots' IP addresses
  • Let honeypots join a botnet
    - Can monitor all communications
    - No complete picture of the botnet

13
Security Measurement
  • Monitor network traffic to understand/track Internet
    attack activities
  • Monitor incoming traffic to unused IP space
    - TCP connection requests
    - UDP packets

  [Figure: traffic from the Internet arriving at the unused
  IP space of the local network]

14
Refining Monitoring
  • TCP SYN alone is not enough (gives IP and port only)
    - Goal: distinguish different attacks
  • Low-interaction honeypots (honeyd)
    - Obtain the first attack payload by replying with
      SYN/ACK
    - Used by the Internet Motion Sensor at the University
      of Michigan (paper presented next)
  • High-interaction honeypots
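
Added example (not from the slides): a small Python classifier for the monitoring described on slides 4, 13 and 14. It reads constructed flow records, flags everything addressed to a configured unused IP range as suspect, and labels each source using only what TCP SYN and UDP headers give you (IP and port) as a horizontal scan, a vertical scan or an isolated probe. The address ranges, record format and thresholds are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed: the monitored but unused ("dark") address space of slide 13.
UNUSED_SPACE = ipaddress.ip_network("10.99.0.0/16")
# Constructed flow records (not real data): "<time> <proto> <src> <dst> <dport>"
SAMPLE_FLOWS = """\
1170300001 tcp 203.0.113.7 10.99.1.1 445
1170300001 tcp 203.0.113.7 10.99.1.2 445
1170300002 tcp 203.0.113.7 10.99.1.3 445
1170300003 tcp 198.51.100.9 10.99.4.20 22
1170300003 tcp 198.51.100.9 10.99.4.20 80
1170300004 tcp 198.51.100.9 10.99.4.20 3389
1170300005 udp 192.0.2.5 10.99.7.7 1434
1170300006 tcp 192.0.2.88 10.1.2.3 80
"""

def parse_flows(text):
    """Yield (proto, src, dst, dport) per well-formed record; skip junk lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            yield parts[1], parts[2], parts[3], int(parts[4])

def dark_hits(text):
    """Flows into the unused space: all suspect, nothing legitimate goes there (slide 4)."""
    return [f for f in parse_flows(text)
            if ipaddress.ip_address(f[2]) in UNUSED_SPACE]

def classify(text, min_hits=3):
    """Label each source from IP and port alone (slide 14): one port, many hosts
    = horizontal scan; one host, many ports = vertical scan; few hits = probe."""
    per_src = defaultdict(lambda: {"hosts": set(), "ports": set(), "n": 0})
    for proto, src, dst, dport in dark_hits(text):
        s = per_src[src]
        s["hosts"].add(dst)
        s["ports"].add((proto, dport))
        s["n"] += 1
    verdicts = {}
    for src, s in per_src.items():
        if s["n"] < min_hits:
            verdicts[src] = "probe"
        elif len(s["ports"]) == 1 and len(s["hosts"]) > 1:
            verdicts[src] = "horizontal scan"
        elif len(s["hosts"]) == 1 and len(s["ports"]) > 1:
            verdicts[src] = "vertical scan"
        else:
            verdicts[src] = "mixed"
    return verdicts
```

Because the records carry no payload, the labels stop at scan shape; that is exactly the gap the honeyd SYN/ACK trick on slide 14 is meant to close.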

15
Remote fingerprinting
  • Actively probe remote hosts to identify their OS,
    physical device type, etc.
    - Different OSes respond differently to service probes
    - Different hardware responds differently
  • Purposes
    - Understand the computers on the Internet
    - Remove the DHCP issue from monitored data
    - Paper presented later

16
Data Sharing: Traffic Anonymization
  • Sharing monitored network traffic is important
    - Collaborative attack detection
    - Academic research
  • Privacy and security exposure in data sharing
    - Packet headers: IP address and service port exposure
    - Packet content: more serious
  • Data anonymization
    - Change packet headers (preserving the IP prefix), and
    - Change packet content
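
Added example, not part of the slides: the "change packet header, preserve IP prefix" step from slide 16 as a prefix-preserving IPv4 anonymizer in Python. It follows the Crypto-PAn idea (each output bit is the input bit XORed with a keyed pseudo-random bit of the preceding prefix), here with HMAC-SHA256 as the keyed function and a constructed demo key; those choices and the packet record layout are assumptions.

```python
import hmac
import hashlib
import ipaddress

# Constructed demo key (assumption). A real deployment keeps the key secret and
# shares it only with parties that must anonymize consistently.
DEMO_KEY = b"demo-key-for-the-lecture-example"

def anonymize_ipv4(addr, key=DEMO_KEY):
    """Prefix-preserving anonymization of one IPv4 address (Crypto-PAn style).

    Output bit i = input bit i XOR a keyed pseudo-random bit computed from the
    input's first i bits only. Two addresses that agree on their first k bits
    therefore map to outputs that agree on exactly their first k bits, so /8,
    /16 and /24 structure survives while the real addresses stay hidden from
    anyone without the key. HMAC-SHA256 is used as the keyed function here."""
    ip = int(ipaddress.IPv4Address(addr))
    out = 0
    for i in range(32):
        prefix = ip >> (32 - i)                       # first i bits (0 when i == 0)
        msg = bytes([i]) + prefix.to_bytes(4, "big")  # length tag + prefix
        prf_bit = hmac.new(key, msg, hashlib.sha256).digest()[0] & 1
        in_bit = (ip >> (31 - i)) & 1
        out = (out << 1) | (in_bit ^ prf_bit)
    return str(ipaddress.IPv4Address(out))

def shared_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()

def anonymize_header(packet, key=DEMO_KEY):
    """The header step of slide 16 on one constructed packet record: rewrite
    source and destination prefix-preservingly, keep ports and sizes as-is."""
    return {**packet,
            "src": anonymize_ipv4(packet["src"], key),
            "dst": anonymize_ipv4(packet["dst"], key)}

# Constructed sample records (not real traffic).
SAMPLE_PACKETS = [
    {"src": "10.1.2.3",   "dst": "192.0.2.80", "sport": 51000, "dport": 80, "len": 60},
    {"src": "10.1.2.200", "dst": "192.0.2.80", "sport": 51001, "dport": 80, "len": 60},
]
```

The content step of slide 16 is not covered here: payload bytes need separate handling (truncation or removal), since a keyed permutation of addresses does nothing for what is inside the packet.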

17
Why So Many Email Spam?
  • No authentication/authorization in email
    - Receiving unsolicited email is by design
    - Sending fake email is very easy (shown on the next
      slide)
  • Profit
    - It costs a dime to send out millions of spam emails
    - A few effective spams pay back a good profit
  • No penalty for spam (law, out-of-country spammers)

18
Sample fake email sending (S: server, C: client)
    telnet longwood.cs.ucf.edu 25
    S: 220 longwood.cs.ucf.edu ESMTP Sendmail 8.13.8/8.13.8
    C: HELO fake.domain
    S: 250 Hello crepes.fr, pleased to meet you
    C: MAIL FROM: alice@mit.edu
    S: 250 alice@mit.edu... Sender ok
    C: RCPT TO: czou@cs.ucf.edu
    S: 250 czou@cs.ucf.edu... Recipient ok
    C: DATA
    S: 354 Enter mail, end with "." on a line by itself
    C: subject: who am I?
    C: Do you like ketchup?
    C: .
    S: 250 Message accepted for delivery
    C: QUIT
    S: 221 longwood.cs.ucf.edu closing connection

19
Current Major Spam Defense
  • Signature-based filtering
    - SpamAssassin etc.: based on keywords and rules on
      headers
  • Blacklist-based filtering
    - DNS blacklists, dynamically updated (Spamhaus)
  • Sender authentication
    - Caller ID (Microsoft): http://en.wikipedia.org/wiki/Caller_ID
    - Sender Policy Framework (SPF): http://www.openspf.org/
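
Added example, not from the slides: a minimal SPF evaluator in Python showing what the sender-authentication defense on slide 19 would do with the slide 18 session, where the client claimed MAIL FROM alice@mit.edu while connecting from an unrelated host. It runs against a constructed table of SPF TXT and A records (a stand-in for live DNS; every domain and address is made up) and resolves the ip4, a, include and all mechanisms with the four qualifiers; mx, exists and macros are out of scope.

```python
import ipaddress

# Constructed DNS data standing in for live TXT/A lookups (assumption: a real
# checker queries DNS; every domain and address here is made up).
TXT_RECORDS = {
    "example.edu": "v=spf1 ip4:192.0.2.0/24 a include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ~all",
    "noreply.example": "v=spf1 ip4:203.0.113.5 ?all",
    "loop.example": "v=spf1 include:loop.example -all",
}
A_RECORDS = {"example.edu": ["192.0.2.25"]}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(domain, client_ip, depth=0):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP.
    Returns pass/fail/softfail/neutral from the first matching mechanism's
    qualifier, "none" if no SPF record exists, "permerror" on bad records."""
    if depth > 10:                               # RFC 7208 limit on include: chains
        return "permerror"
    record = TXT_RECORDS.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                          # implicit qualifier is "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech == "all":
            matched = True
        elif mech == "ip4":
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "a":                        # "a" or "a:other.domain"
            matched = str(ip) in A_RECORDS.get(arg or domain, [])
        elif mech == "include":
            inner = check_spf(arg, client_ip, depth + 1)
            if inner == "permerror":
                return "permerror"               # propagate loops/bad records
            matched = inner == "pass"
        else:
            return "permerror"                   # mx, exists, macros: not handled
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"                             # nothing matched, no "all" term

def forged_sender_verdict():
    """Slide 18 shape: MAIL FROM claims a domain the connecting host (constructed 203.0.113.77) may not send for."""
    return check_spf("example.edu", "203.0.113.77")
```

A receiving MTA would run this check at MAIL FROM time and reject or tag on "fail"; in the slide 18 session the server accepted the sender with no check at all, which is the gap SPF closes.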