A Virtual Honeypot Framework - PowerPoint PPT Presentation

Slides: 35
Provided by: csU73
Learn more at: http://www.cs.ucf.edu

1
A Virtual Honeypot Framework
  • Author: Niels Provos
  • Published in: CITI Report 03-1
  • Presenter: Tao Li

2
Outline
  • Introduction
  • Honeyd
  • What is Honeyd?
  • Design and Implementation of Honeyd
  • Evaluation of Honeyd
  • Application
  • Discussion

4
Introduction
  • Network security background
  • We are unable to make secure computer systems or
    even measure their security.
  • New vulnerabilities keep being exploited.
  • Exploit automation and massive global scanning
    for vulnerabilities are used to compromise
    computer systems.
  • Honeypots are one way to get early warning of
    new vulnerabilities.

5
Introduction
  • What is a honeypot?
  • A closely monitored computing resource intended
    to be probed, attacked or compromised.
  • A network decoy that diverts adversaries from real targets
  • A network sensor monitoring unused address space (a "black hole")
  • Provides IDS functionality

6
Introduction
  • Why use honeypots instead of a NIDS?
  • All data entering or leaving a honeypot is
    closely monitored and collected for forensic
    analysis.
  • A honeypot can detect vulnerabilities that are
    not yet understood.
  • Less likely to lead to false positives
  • Can run any OS and any number of services
  • The configured services determine the attack
    vectors available to an adversary.

7
Introduction
  • Categories of honeypots
  • By interaction:
  • High-interaction honeypots simulate all aspects
    of an OS and can be compromised completely.
  • Low-interaction honeypots simulate only parts of
    an OS, to gather high-level information.
  • By implementation:
  • Physical honeypots: real machines with their own IP addresses
  • Virtual honeypots: simulated by another machine

9
What is Honeyd?
  • Honeyd is a low-interaction virtual honeypot: a
    lightweight framework for creating virtual
    honeypots that can instrument thousands of IP
    addresses with virtual machines and corresponding
    network services.

11
What can Honeyd do?
  • Simulate TCP and UDP services
  • Support ICMP
  • Handle multiple IP addresses simultaneously
  • Simulate arbitrary network topologies
  • Support topologically dispersed address spaces
  • Support network tunneling for load sharing

12
Design and Implementation
  • Receiving Network Data
  • Architecture
  • Personality Engine
  • Routing Topology
  • Configuration
  • Logging

13
Receiving Network Data
  • Three ways for Honeyd to receive traffic for its
    virtual honeypots:
  • A special route leads the data to the Honeyd host
  • Proxy ARP for the honeypot addresses
  • Network tunnels: generic routing
    encapsulation (GRE)

14
Architecture
  • Incoming packets are dispatched to the correct
    protocol handler. For TCP and UDP, the configured
    services receive new data and send responses if
    necessary. All outgoing packets are modified by
    the personality engine to mimic the behavior of
    the configured network stack. The routing
    component is optional and is used only when Honeyd
    simulates a network topology.

15
Architecture
  • Configuration database
  • Stores the personalities of the configured network
    stacks.
  • Central packet dispatcher
  • Dispatches incoming packets to the correct protocol
    handler.
  • Protocol handlers
  • Personality engine
  • Optional routing component

16
Architecture
  • Subsystem support
  • An application that runs in the namespace of the
    virtual honeypot; no need to create a new process
    for each connection.
  • Support for redirection of connections
  • Forward a connection request for a service to a
    real server
  • Reflect connections back to the adversary

17
Personality Engine
  • Why use it?
  • Different operating systems have different network
    stack behaviors.
  • Adversaries commonly run fingerprinting tools
    like Xprobe or Nmap to gather information about a
    target system.
  • The personality engine makes honeypots appear like
    a real target to a probe, fooling the fingerprinting
    tools.

18
Personality Engine
  • How to fool the adversaries?
  • Use Nmap's fingerprint database as the reference for
    the TCP and UDP protocols
  • Use Xprobe's fingerprint database for ICMP
  • Introduce changes to the headers of every
    outgoing packet before it is sent to the network,
    to match the characteristics of the configured
    operating system

19
Personality Engine
  • Example
  • Nmap's fingerprinting is mostly concerned with
    an OS's TCP implementation.
  • Nmap uses the size of the advertised receiver
    window, which varies between implementations, as
    part of the fingerprint.

20
Personality Engine
  • Example of an Nmap fingerprint specifying the
    network behavior (fields are separated by "%",
    "=" assigns a value, W is the window size in hex):

    Fingerprint IRIX 6.5.15m on SGI O2
    TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
    T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
    T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    PU(Resp=N)

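The following added example (not Honeyd's own code, which is written in C, and not part of the slides) parses the first-generation Nmap fingerprint shown on slide 20 and derives, for a chosen probe, the TCP header fields a personality engine in the style of slides 17 to 19 would stamp on the reply. The field semantics are the classic Nmap ones: DF=N/Y for the don't-fragment bit, W for the advertised window in hex, ACK=S++ for "probe sequence number plus one", ACK=S for "probe sequence number", ACK=O for "something else", Flags for the TCP flag letters, Ops for the TCP option letters (M = MSS, N = NOP, W = window scale, T = timestamp) and Resp=N for "no reply at all". The stand-in value 0 for ACK=O is an assumption of this example.

```python
import re

# Fingerprint from slide 20, in classic (first-generation) Nmap syntax:
# fields are separated by "%", "=" assigns a value, W is hex.
FINGERPRINT = """\
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
"""

_TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")

# TCP flag bits named by the letters Nmap uses in "Flags=".
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}
# TCP option letters used in "Ops=" (their order is part of the fingerprint).
OPTION_NAMES = {"M": "mss", "N": "nop", "W": "wscale", "T": "timestamp", "L": "eol"}


def parse_fingerprint(text):
    """Parse one fingerprint into (name, {test_name: {field: value}})."""
    name, tests = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        match = _TEST_LINE.match(line)
        if match is None:
            raise ValueError("unrecognised fingerprint line: %r" % line)
        fields = {}
        for item in match.group(2).split("%"):
            if item:
                key, _, value = item.partition("=")
                fields[key] = value          # value may be "" (e.g. "Ops=")
        tests[match.group(1)] = fields
    return name, tests


NAME, TESTS = parse_fingerprint(FINGERPRINT)


def reply_fields(tests, probe, probe_seq):
    """Header fields a personality engine would put on the reply to `probe`.

    `probe` is a test name (T1..T7, PU); `probe_seq` is the sequence number
    carried by the probe. Returns None when the personality does not answer
    that probe at all (Resp=N), which is itself part of the disguise.
    """
    test = tests[probe]
    if test.get("Resp", "Y") == "N":
        return None
    ack_rule = test.get("ACK", "O")
    if ack_rule == "S++":                 # acknowledge probe seq + 1
        ack = (probe_seq + 1) & 0xFFFFFFFF
    elif ack_rule == "S":                 # echo the probe's seq
        ack = probe_seq
    else:                                 # "O": anything else; 0 stands in here (assumption)
        ack = 0
    flags = 0
    for letter in test.get("Flags", ""):
        flags |= FLAG_BITS[letter]
    return {
        "window": int(test.get("W", "0"), 16),   # advertised receiver window
        "df": test.get("DF", "N") == "Y",        # IP don't-fragment bit
        "ack": ack,
        "flags": flags,
        "options": [OPTION_NAMES.get(c, c) for c in test.get("Ops", "")],
    }


if __name__ == "__main__":
    print(NAME)
    for probe in ("T1", "T2", "PU"):
        print(probe, reply_fields(TESTS, probe, 1000))
```

Running it shows why the window size matters to the disguise: a SYN to an open port (T1) must be answered with window 0xEF2A and the option list MNWNNTNNM, while the T2 NULL probe gets a RST/ACK with a zero window and the UDP probe (PU) gets no ICMP reply at all; any deviation is enough for Nmap to rule the IRIX personality out.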
21
Routing Topology
  • Honeyd can simulate arbitrary virtual routing
    topologies
  • Simulation of a routing tree
  • Configure the entry router
  • Configurable latency and packet loss
  • Simulation of arbitrary routing
  • Extensions
  • Integrate physical machines into the topology
  • Distributed Honeyd via GRE tunneling

23
How to Configure?
  • Each virtual honeypot is configured with a
    template.
  • Commands
  • Create: creates a new template
  • Set:
  • Assigns a personality (from the fingerprint database) to a
    template
  • Specifies the default behavior of network protocols:
  • Block: all packets dropped
  • Reset: all ports closed by default
  • Open: all ports open by default
  • Add: specifies the available services
  • Proxy: used for connection forwarding
  • Bind: assigns a template to a specific IP address
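Here is an added example of a Honeyd configuration file that exercises the commands listed above together with the routing topology from slide 21. It is not from the slides or the Honeyd distribution; the addresses, the script path and the template names are assumptions, while the personality string is the fingerprint name shown on slide 20 and must match a Fingerprint line in Nmap's fingerprint database as installed with Honeyd.

```text
# Added example honeyd.conf (assumed addresses and paths).

# Routing topology (slide 21): an entry router, one directly attached
# network and a second router reached over a simulated link with
# latency and packet loss.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 55ms loss 0.1
route 10.0.1.1 link 10.0.1.0/24

# Create: templates for the routers and for an IRIX host.
create router
set router default tcp action reset
set router default udp action reset
set router default icmp action open

create irix
# Set: personality from Nmap's fingerprint database (name from slide 20).
set irix personality "IRIX 6.5.15m on SGI O2"
# Set: default behaviour per protocol (reset = closed, block = drop, open).
set irix default tcp action reset
set irix default udp action block
set irix default icmp action open

# Add: services. Port 80 is served by a script that speaks to the
# adversary; port 22 is forwarded to a real server (Proxy); port 25 is
# reflected back to the connecting host via the $ipsrc variable.
add irix tcp port 80 "sh scripts/web.sh"
add irix tcp port 22 proxy 10.0.0.50:22
add irix tcp port 25 proxy $ipsrc:25

# Bind: assign templates to addresses inside the simulated topology.
bind 10.0.0.1 router
bind 10.0.1.1 router
bind 10.0.0.100 irix
bind 10.0.1.20 irix
```

A probe aimed at 10.0.1.20 now traverses two virtual hops with the configured latency and loss before the IRIX personality answers, and a TCP SYN to port 22 is answered by the real server behind the proxy while every byte of the exchange still passes through Honeyd's logging.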

24
Logging
  • Honeyd supports several ways of logging network
    activity.
  • Honeyd creates connection logs that report attempted
    and completed connections for all protocols.
  • Information can also be gathered from the
    services themselves and reported to Honeyd via
    stderr.
  • Honeyd can be run in conjunction with a NIDS.

25
Evaluation
  • Honeyd does fool Nmap
  • Among 600 fingerprints in total, Nmap uniquely
    identified the operating system simulated by
    Honeyd in 555 cases, and generated a list of
    possible answers including the simulated
    personality in 37.
  • Only 8 fingerprints out of 600 failed!
  • It works effectively.

27
Application
  • Network decoys
  • Instrument the unallocated addresses of a
    production network to confuse and deter adversaries
    scanning the production network
  • In conjunction with a NIDS, the resulting network
    traffic may help in getting early warning of
    attacks.

28
Application
  • Detecting and countering worms
  • Deploy a large number of virtual honeypots as
    gateways in front of a smaller number of
    high-interaction honeypots.
  • Use Honeyd's subsystem support to expose regular
    UNIX applications like OpenSSH to worms.

29
Application
  • Spam prevention
  • Spammers abuse two Internet services: proxy
    servers and open mail relays
  • Use the Honeyd framework to instrument networks
    with open proxy servers and open mail relays.

31
Strengths
  • Honeyd has many advantages over a NIDS
  • Collects more useful information
  • Detects vulnerabilities not yet understood
  • Less likely to lead to false positives
  • It cheats the fingerprinting tools effectively
  • Effective network decoys: confuse and deter the
    attackers
  • Detecting and immunizing against new worms
  • Spam prevention

32
Weaknesses
  • Interaction is limited to the network level
  • Does not simulate the whole OS
  • Adversaries never gain full access to systems
  • Limited number of simulated services and
    protocols
  • What if the worm is smart enough to cheat us? Honeyd
    itself could be turned into an attacker.

33
How to improve?
  • Combine Honeyd with high-interaction virtual
    honeypots using User Mode Linux or VMware to
    allow better forensic analysis of the attacker
  • Cheat more fingerprinting tools, e.g. p0f (passive
    analysis of the network traffic)
  • Simulate more services and protocols, e.g. have a
    better TCP state machine.

34
  • Thank you.
  • Any questions?