
A Virtual Honeypot Framework

Author: Niels Provos. Published in: CITI Report 03-1. Presenter: Tao Li.



  1. A Virtual Honeypot Framework
  Author: Niels Provos
  Published in: CITI Report 03-1
  Presenter: Tao Li

  2. Outline
  • Introduction
  • Honeyd
    • What is Honeyd?
    • Design and Implementation of Honeyd
    • Evaluation of Honeyd
  • Application
  • Discussion

  3. Outline
  • Introduction
  • Honeyd
    • What is Honeyd?
    • Design and Implementation of Honeyd
    • Evaluation of Honeyd
  • Application
  • Discussion

  4. Introduction
  • Network security background
    • We're unable to make secure computer systems, or even to measure their security.
    • New vulnerabilities keep being exploited.
    • Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems.
  • Honeypots are one way to get early warnings of new vulnerabilities.

  5. Introduction
  • What is a honeypot?
    • A closely monitored computing resource intended to be probed, attacked or compromised.
    • Network decoy to deter adversaries from real targets
    • Network sensor monitoring a blackhole
    • Provides IDS functionality

  6. Introduction
  • Why use honeypots instead of a NIDS?
    • All data entering or leaving a honeypot is closely monitored and collected for forensic analysis.
    • It can detect vulnerabilities that are not yet understood.
    • Less likely to lead to false positives
    • Can run any OS and any number of services
    • The configured services determine the vectors available for an adversary to attack.

  7. Introduction
  • Categories of honeypots
  • Interaction
    • High-interaction honeypots simulate all aspects of an OS and can be compromised completely.
    • Low-interaction honeypots simulate only parts of an OS, to gather high-level information.
  • Implementation
    • Physical honeypots: real machines with their own IP addresses
    • Virtual honeypots: simulated by another machine

  8. Outline
  • Introduction
  • Honeyd
    • Information on Honeyd
    • Design and Implementation of Honeyd
    • Evaluation of Honeyd
  • Application
  • Discussion

  9. What is Honeyd?
  • Honeyd is a low-interaction virtual honeypot: a lightweight framework for creating virtual honeypots that instruments thousands of IP addresses with virtual machines and corresponding network services.

  10. What can Honeyd do?
  • Simulate TCP and UDP services
  • Support ICMP
  • Handle multiple IP addresses simultaneously
  • Simulate arbitrary network topologies
  • Support topologically dispersed address spaces
  • Support network tunneling for load sharing

  11. Design and Implementation
  • Receiving network data
  • Architecture
  • Personality engine
  • Routing topology
  • Configuration
  • Logging

  12. Receiving Network Data
  • Three ways for Honeyd to receive traffic for its virtual honeypots:
    • A special route leads the data to the Honeyd host
    • Proxy ARP for the honeypots
    • Network tunnels: generic routing encapsulation (GRE)

  13. Architecture
  • Incoming packets are dispatched to the correct protocol handler. For TCP and UDP, the configured services receive new data and send responses if necessary. All outgoing packets are modified by the personality engine to mimic the behavior of the configured network stack. The routing component is optional and is used only when Honeyd simulates a network topology.

  14. Architecture
  • Configuration database
    • Stores the personalities of the configured network stacks.
  • Central packet dispatcher
    • Dispatches incoming packets to the correct protocol handler.
  • Protocol handlers
  • Personality engine
  • Optional routing component

  15. Architecture
  • Subsystem support
    • An application that runs in the name space of the virtual honeypot; no need to create a new process for each connection
  • Support for redirection of connections
    • Forward a connection request for a service to a real server
    • Reflect connections back to an adversary!

  16. Personality Engine
  • Why use it?
    • Different operating systems have different network stack behaviors.
    • Adversaries commonly run fingerprinting tools like Xprobe or Nmap to gather information about a target system.
    • The personality engine makes a honeypot appear to a probe like the real target, fooling the fingerprinting tools.

  17. Personality Engine
  • How to fool the adversaries?
    • Use Nmap's fingerprint database as the reference for the TCP and UDP protocols
    • Use Xprobe's fingerprint database for ICMP
    • Introduce changes to the headers of every outgoing packet before it is sent to the network, so that they match the characteristics of the configured operating system

  18. Personality Engine
  • Example
    • Nmap's fingerprinting is mostly concerned with an OS's TCP implementation.
    • Nmap uses the size of the advertised receiver window, which varies between implementations, as part of the fingerprint.

  19. Personality Engine
  • Example of an Nmap fingerprint specifying the network behavior:
    Fingerprint IRIX 6.5.15m on SGI O2
    TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
    T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
    T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
    T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
    T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
    T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
    T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
    PU(Resp=N)
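The slide shows the raw fingerprint entry but not how a personality engine reads it. The following added example (written for this page, not code from Honeyd or from the paper) parses the IRIX entry above into its per-probe fields and then answers the question the engine has to answer before rewriting an outgoing packet: for a given Nmap probe, what window size, DF bit, TCP flags and options must the reply carry, and does the personality answer that probe at all (PU has Resp=N). The dictionary keys returned by response_parameters are this example's own names; the sample fingerprint is the one on the slide.

```python
import re

# Constructed sample: the IRIX fingerprint quoted on the slide, in the
# first-generation Nmap format (a "Fingerprint" name line, then one line
# per probe: TEST(key=value%key=value...)).
SAMPLE_FINGERPRINT = """\
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

_TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Parse one fingerprint into {"name": str, "tests": {test: {key: value}}}.

    Values are kept as the raw strings Nmap uses (hex window sizes, flag
    letters, option strings); alternatives separated by '|' in real database
    entries are not split here.
    """
    name = None
    tests = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        match = _TEST_LINE.match(line)
        if not match:
            raise ValueError("unrecognised fingerprint line: %r" % line)
        test, body = match.groups()
        fields = {}
        for pair in (body.split("%") if body else []):
            key, _, value = pair.partition("=")
            fields[key] = value
        tests[test] = fields
    if name is None:
        raise ValueError("fingerprint has no 'Fingerprint' name line")
    return {"name": name, "tests": tests}


def response_parameters(fp, test):
    """Header values a reply to probe `test` must carry to match the personality.

    Returns None when the entry says the OS does not answer that probe
    (Resp=N). This is the lookup a personality engine performs before it
    rewrites an outgoing packet; the dictionary keys are this example's own.
    """
    fields = fp["tests"][test]
    if fields.get("Resp", "Y") == "N":
        return None
    return {
        "window": int(fields["W"], 16) if "W" in fields else None,  # W is hex
        "dont_fragment": fields.get("DF") == "Y",
        "flags": fields.get("Flags", ""),
        "options": fields.get("Ops", ""),
        "ack": fields.get("ACK"),
    }


if __name__ == "__main__":
    fp = parse_fingerprint(SAMPLE_FINGERPRINT)
    print(fp["name"])
    for test in ("T1", "T2", "PU"):
        print(test, response_parameters(fp, test))
```

Running it shows why the window size is such a strong signal: the T1 reply to a SYN on an open port must advertise 0xEF2A (61226 bytes) with the exact option layout MNWNNTNNM, while the T2 reply to an unusual flag combination must carry a zero window and no options. Any honeypot that leaves its host's real stack values in place would mismatch on the very first probe.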

  20. Routing Topology
  • Honeyd can simulate arbitrary virtual routing topologies
  • Simulation of a route tree
    • Configure the entry router
    • Configurable latency and packet loss
  • Simulation of arbitrary routing
  • Extensions
    • Integrate physical machines into the topology
    • Distributed Honeyd via GRE tunneling

  21. How to Configure?
  • Each virtual honeypot is configured with a template.
  • Commands:
    • Create: creates a new template
    • Set:
      • Assign a personality (from the fingerprint database) to a template
      • Specify the default behavior of network protocols
        • Block: all packets dropped
        • Reset: all ports closed by default
        • Open: all ports open by default
    • Add: specify available services
    • Proxy: used for connection forwarding
    • Bind: assign a template to a specific IP address
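To show how the create/set/add/bind commands compose into the dispatch decision described on the architecture slides, here is an added example (not Honeyd's own parser or configuration) that reads a small constructed configuration written in Honeyd's template syntax, builds the template table and address bindings, and then plays the role of the central packet dispatcher: given a destination address, protocol and port, it reports whether a service script runs, a proxy forwards the connection, or the template's default action (block, reset or open) applies. The two templates, the script path scripts/web.sh, the proxy target 10.0.0.5:22 and the fallback of "block" when no default action is configured are all assumptions of this example.

```python
import shlex

# Constructed sample in Honeyd's template syntax (not a real deployment):
# two templates, one service script, one proxied port, two bound addresses.
SAMPLE_CONFIG = """\
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action block
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 22 proxy 10.0.0.5:22
bind 192.168.1.100 windows

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action open
bind 192.168.1.101 linux
"""

# Assumed fallback when a template sets no default action for a protocol.
FALLBACK_ACTION = "block"


def parse_config(text):
    """Build {"templates": {...}, "bindings": {ip: template}} from the commands.

    Only the create/set/add/bind forms shown on the slide are understood;
    anything else raises so a typo cannot silently leave a port unhandled.
    """
    templates = {}
    bindings = {}
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)  # handles quoted scripts
        if not tokens:
            continue
        cmd = tokens[0]
        if cmd == "create":
            templates[tokens[1]] = {"personality": None, "default": {}, "services": {}}
        elif cmd == "set":
            tmpl = templates[tokens[1]]
            if tokens[2] == "personality":
                tmpl["personality"] = tokens[3]
            elif tokens[2] == "default" and tokens[4] == "action":
                tmpl["default"][tokens[3]] = tokens[5]  # block / reset / open
            else:
                raise ValueError("unsupported set command: %r" % raw)
        elif cmd == "add" and tokens[3] == "port":
            tmpl = templates[tokens[1]]
            key = (tokens[2], int(tokens[4]))  # (protocol, port)
            if tokens[5] == "proxy":
                tmpl["services"][key] = ("proxy", tokens[6])
            else:
                tmpl["services"][key] = ("service", tokens[5])
        elif cmd == "bind":
            if tokens[2] not in templates:
                raise ValueError("bind to unknown template: %r" % raw)
            bindings[tokens[1]] = tokens[2]
        else:
            raise ValueError("unsupported command: %r" % raw)
    return {"templates": templates, "bindings": bindings}


def dispatch(cfg, dst_ip, proto, port):
    """What the dispatcher does with a packet for dst_ip:port over proto.

    Returns ("service", cmd), ("proxy", "host:port"), ("default", action),
    or None when the address is not bound to any template (the packet is
    simply not Honeyd's to answer).
    """
    name = cfg["bindings"].get(dst_ip)
    if name is None:
        return None
    tmpl = cfg["templates"][name]
    handler = tmpl["services"].get((proto, port))
    if handler is not None:
        return handler
    return ("default", tmpl["default"].get(proto, FALLBACK_ACTION))


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip, proto, port in [("192.168.1.100", "tcp", 80), ("192.168.1.100", "tcp", 22),
                            ("192.168.1.100", "udp", 53), ("192.168.1.101", "tcp", 443),
                            ("192.168.1.200", "tcp", 80)]:
        print(ip, proto, port, "->", dispatch(cfg, ip, proto, port))
```

The lookup order matters for what an adversary sees: an explicitly added port wins over the protocol default, so the "windows" template answers port 80 with the script and port 22 through the proxy, but resets everything else over TCP and drops UDP entirely, while the "linux" template's "open" default makes every unlisted TCP port complete a handshake.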

  22. Logging
  • Honeyd supports several ways of logging network activity.
  • Honeyd creates connection logs that report attempted and completed connections for all protocols.
  • Information can also be gathered from the services themselves and reported to Honeyd via stderr.
  • Honeyd can be run in conjunction with a NIDS.

  23. Evaluation
  • Honeyd does fool Nmap
    • Of 600 fingerprints in total, Nmap uniquely identified the operating system simulated by Honeyd for 555, and generated a list of possible answers that included the simulated personality for 37.
    • Only 8 fingerprints out of 600 failed!
  • It works pretty effectively.

  24. Outline
  • Introduction
  • Honeyd
    • What is Honeyd?
    • Design and Implementation of Honeyd
    • Evaluation of Honeyd
  • Application
  • Discussion

  25. Application
  • Network decoys
    • Instrument the unallocated addresses of a production network to confuse and deter adversaries scanning the production network.
    • In conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks.
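The logging slide says Honeyd records attempted and completed connections, and this slide says that traffic to unallocated addresses gives early warning. The added example below (written for this page, not a Honeyd tool) ties the two together: it parses a few constructed connection-log lines and then lists the sources that touched several distinct honeypot addresses, which is exactly the horizontal-sweep signal a decoy network produces, since no legitimate client has a reason to contact unallocated space. The line layout (timestamp, protocol, S/E/- event, source and destination endpoints, then the honeypot personality or the byte counts) is loosely modelled on Honeyd's log but is an assumption of this example, as are the addresses and personalities in the sample.

```python
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on Honeyd's connection log:
# timestamp, protocol(number), event (S = start, E = end, - = single packet),
# source ip and port, destination ip and port, then either the personality
# of the honeypot in brackets or, on an end record, the byte counts. The
# exact layout is an assumption for this example, not Honeyd's documented one.
SAMPLE_LOG = """\
2003-08-04-16:44:56.6586 tcp(6) S 203.0.113.7 32769 192.168.1.100 80 [Microsoft Windows XP Professional SP1]
2003-08-04-16:44:56.7011 tcp(6) S 203.0.113.7 32770 192.168.1.101 80 [Linux 2.4.20]
2003-08-04-16:44:56.7433 tcp(6) S 203.0.113.7 32771 192.168.1.102 80 [Linux 2.4.20]
2003-08-04-16:44:56.7901 tcp(6) S 203.0.113.7 32772 192.168.1.103 80 [Linux 2.4.20]
2003-08-04-16:45:10.1200 tcp(6) S 198.51.100.9 40001 192.168.1.100 22 [Microsoft Windows XP Professional SP1]
2003-08-04-16:45:12.3300 tcp(6) E 198.51.100.9 40001 192.168.1.100 22: 120 340
2003-08-04-16:45:20.0000 udp(17) S 203.0.113.7 5353 192.168.1.104 53 [Linux 2.4.20]
"""

_LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\(\d+\) (?P<event>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+):?(?: (?P<rest>.*))?$"
)


def parse_log(text):
    """Turn log lines into dicts; malformed lines are skipped, not guessed at."""
    records = []
    for line in text.splitlines():
        m = _LOG_LINE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def scan_sources(records, min_targets=3):
    """Sources whose connection attempts touched >= min_targets honeypot addresses.

    Because every instrumented address is unallocated, a single source
    sweeping several of them is the horizontal-scan signal a decoy network is
    deployed to produce. Returns {src: sorted list of distinct destinations}.
    """
    targets = defaultdict(set)
    for rec in records:
        if rec["event"] == "S":  # count attempts, whether or not they completed
            targets[rec["src"]].add(rec["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("%d records parsed" % len(recs))
    for src, dsts in scan_sources(recs).items():
        print("%s swept %d honeypot addresses: %s" % (src, len(dsts), ", ".join(dsts)))
```

On the sample, 203.0.113.7 is reported because it touched five different decoy addresses within seconds, while 198.51.100.9, which opened and completed one SSH session to a single honeypot, stays below the threshold; in practice that threshold and the time window are tuned per deployment, and the flagged sources are what gets handed to the NIDS for correlation.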

  26. Application
  • Detecting and countering worms
    • Deploy a large number of virtual honeypots as gateways in front of a smaller number of high-interaction honeypots.
    • Use Honeyd's subsystem support to expose regular UNIX applications like OpenSSH to worms.

  27. Application
  • Spam prevention
    • Spammers abuse two Internet services: proxy servers and open mail relays.
    • Use the Honeyd framework to instrument networks with open proxy servers and open mail relays.

  28. Outline
  • Introduction
  • Honeyd
    • What is Honeyd?
    • Design and Implementation of Honeyd
    • Evaluation of Honeyd
  • Application
  • Discussion

  29. Strength
  • Honeyd has many advantages over a NIDS
    • Collects more useful information
    • Detects vulnerabilities that are not yet understood
    • Less likely to lead to false positives
  • It cheats the fingerprinting tools effectively
  • Effective network decoys: confuse and deter the attackers
  • Detecting and immunizing against new worms
  • Spam prevention

  30. Weakness
  • Interaction is limited to the network level
    • Does not simulate the whole OS
    • Adversaries never gain full access to systems
  • Limited number of simulated services and protocols
  • What if the worm is smart enough to cheat us? Honeyd will become the attacker.

  31. How to improve?
  • Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware to get better forensic analysis of the attacker;
  • Cheat more fingerprinting tools, e.g. p0f, which passively analyzes network traffic;
  • Simulate more services and protocols, e.g. with a better TCP state machine.

  32. Thank you. Any questions?
