Presented by
1 / 22

Network of Affined Honeypots: More Than An Infrastructure - PowerPoint PPT Presentation

  • Uploaded on

presented by Spiros Antonatos Distributed Computing Systems Lab Institute of Computer Science FORTH. Network of Affined Honeypots: More Than An Infrastructure. Roadmap. A little about the project What are honeypots? The NoAH approach Architecture overview Argos

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Network of Affined Honeypots: More Than An Infrastructure' - dextra

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Network of affined honeypots more than an infrastructure

presented by

Spiros Antonatos

Distributed Computing Systems Lab

Institute of Computer Science


Network of Affined Honeypots: More Than An Infrastructure


A little about the project

What are honeypots?

The NoAH approach

Architecture overview




Terena Networking Conference 2007

The noah project
The NoAH project

  • Three years project

    • April 2005 until March 2008

  • Funded from the Research Infrastructures Programme of the European Union

  • 4 Work Packages

  • FORTH is coordinator

Terena Networking Conference 2007

What problem we face
What problem we face

  • Malware: worms, viruses, keyloggers, spyware…

  • Malware spreads fast

    • Faster than we can react

    • Thousands of hosts can be infected in a few minutes

  • We need information about the cyberattacks so as to build effective defenses

Terena Networking Conference 2007

Project goals
Project goals

Gather and analyse information about the nature of Internet cyberattacks

Develop an infrastructure to detect and provide early warning of such attacks

Security monitoring based on honeypot technology

Terena Networking Conference 2007

What are honeypots
What are honeypots?

Computer systems that do not run production services

Listen to unused IP addresses

Intentionally made vulnerable

Closely monitored to analyse attacksdirected at them

We can identify two typesof honeypots: low-interactionand high-interaction

Terena Networking Conference 2007

Low and high interaction honeypots
Low- and high-interaction honeypots

  • Low-interaction honeypots emulate services using scripts

    + Lightweight processes, able to cover large network space

    -Emulation cannot provide a high level of interaction with attackers

  • High-interaction honeypots do not perform emulation, they run real services

    - Heavyweight processes, able to cover small network space

    + Provide the highest level of interaction with attackers

  • NoAH uses the advantages of both types

Terena Networking Conference 2007

The noah architecture
The NoAH architecture

Terena Networking Conference 2007

Low interaction honeypot honeyd
Low-interaction honeypot: Honeyd

  • Most popular and widely-used low-interaction honeypot

  • Emulates thousands of IP addresses

    • Performs network stack emulation

  • Highly configurable and lightweight

  • An efficient mechanism to filter out unestablished and uninteresting connections

    • Port scans, SSH brute-force attacks, etc

  • Interesting connections are forwarded to high-interaction honeypots

Terena Networking Conference 2007

High interaction honeypot argos
High-interaction honeypot: Argos

  • Emulates entire PC systems

    • OS agnostic, run on commodity hardware

    • Based on the Qemu emulator

  • Key idea: data coming from the network should never be executed

  • Tracks network data throughout execution

    • Memory tainting technique

  • Detect illegal uses of network data

    • Jump targets, function pointers, instructions, system call arguments

  • Argos is able to detect all exploit attempts, including 0-days!

Terena Networking Conference 2007

Argos overview
Argos Overview




Guest OS

Argos emulator



Host OS

Detect attack and log state

Correlate data



Terena Networking Conference 2007

Http www few vu nl argos

Terena Networking Conference 2007

Beyond honeypots honey@home
Beyond honeypots: Honey@Home

Honeypots listen to unused IP space of the organization they are hosted to

This space is limiting to provide results fast and accurately

NoAH tries to empower people to participate

Bring NoAH to home users with Honey@home

Terena Networking Conference 2007


  • Lightweight tool that runs in the background

  • Monitors an unused IP address

    • Usually taken by DHCP

  • All traffic to that unused address isforwarded to our central honeypots

  • No configuration, install and run!

  • Both Windows and Linux platforms

Terena Networking Conference 2007

Honey@home in action
Honey@home in action


Running at the background


Creating a new virtual interface


Getting an IP address from DHCP server

Terena Networking Conference 2007

Backend architecture
Backend architecture

  • Honey@home clients connect to NoAH honeypots

  • Honeyd acts as front-end to filter out scans

  • Honeyd hands off connection to Argos

  • Attacker thinks she communicates with honey@home user but in reality Argos is providing the answers







NoAH core


  • Identity of clients and honeypots must remain hidden

    • Attackers can flood black space with junk traffic once identity is revealed

    • TOR is a network that can provide the desired anonymization

  • Automatic installation of clients must be prevented

    • Else attacker would massively deploy mockup clients

    • Registration with CAPTCHA techniques is used

Terena Networking Conference 2007

Www honeyathome org

Terena Networking Conference 2007

How can an organization participate
How can an organization participate?

  • We view an organization as a regular user that possesses large unused space

  • A specialized version of honey@home is implemented

    • No TOR involved, organization is a trusted entity (unlike home users)

  • Only configuration needed is to declare the unused address space

  • Honey@home will forward all traffic to that space (funneling)

Terena Networking Conference 2007


  • Deliverables can be found at

  • 5 conference papers

    • Usenix Security 05, SIGOPS 2006, DIMVA ’06, RAID’06

  • Various articles and presentations

    • ERCIM news, local press

Terena Networking Conference 2007


NoAH is a distributed architecture based on low- and high-interaction honeypots

Argos is able to detect all exploits, including zero-days

NoAH empowers non-experts to the battlefield of cyberattacks

Honey@home enables unfamiliar users to effortlessly participate to NoAH

Terena Networking Conference 2007


Terena Networking Conference 2007