Page 1: A virtual honeypot framework

A VIRTUAL HONEYPOT FRAMEWORK

Author : Niels Provos

Publication: USENIX Security Symposium, 2004.

Presenter: Hiral Chhaya for CAP6103

Page 2

SECURITY SITUATION

We are unable to build secure computer systems, or even to measure how secure a system is.

New vulnerabilities keep being exploited: exploit automation and massive global scanning for vulnerable hosts let attackers compromise systems at scale.

Honeypots are one way to get early warning of new vulnerabilities and attack tools.

Page 3

INTRODUCTION: WHAT IS A HONEYPOT?

Definition: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Has no production value; nobody should legitimately talk to it.

Used for monitoring, detecting and analyzing attacks.

Does not solve a specific problem; it is a data-collection tool, not a defense by itself.

Honeypots have a low false positive rate: because there is no legitimate traffic, any connection to the honeypot is suspicious by definition.

Page 4

CLASSIFICATION

By level of interaction: high or low.

High interaction: a real system that attackers can fully compromise; collects the most detail, but is risky and costly to operate.

Low interaction: simulates only the services an attacker sees on the network; less detail, but safe and cheap to run.

By implementation: virtual or physical.

Physical: a real machine with its own IP address.

Virtual: one physical machine simulates many honeypots.

Honeyd is a low-interaction virtual honeypot.

Page 5

WHAT IS HONEYD

Honeyd: a virtual honeypot framework that lets a single host simulate thousands of virtual hosts, each with its own IP address, operating-system personality and network services.

Page 6

WHAT CAN HONEYD DO ???

Simulate TCP and UDP services

Support ICMP

Handle multiple IP addresses simultaneously

Simulate arbitrary network topologies

Support topologically dispersed address spaces

Support network tunneling for load sharing

Page 7

HONEYD DESIGN

Receiving Network Data

Architecture

Personality Engine

Routing Topology

Logging

Page 8

RECEIVING NETWORK DATA

Ways for Honeyd to receive traffic for its virtual honeypots:

Special route: the router for the network has a route that sends packets for the honeypot address range to the Honeyd host.

Proxy ARP: the Honeyd host answers ARP requests for the honeypot IP addresses on the local network, so packets for them are delivered to its MAC address.

Network tunnel: traffic for a remote address range is tunneled (e.g. via GRE) to the Honeyd host.

Page 9

ARCHITECTURE

•Configuration database (the templates)

•Central packet dispatcher (checks packet length and checksum, then hands the packet to the right protocol handler)

•Protocol handlers (ICMP, TCP, UDP)

•Personality engine

•Optional routing component

Page 10

PERSONALITY ENGINE

Goal: fool fingerprinting tools such as Nmap and Xprobe into seeing the configured operating system.

Uses the fingerprint databases of Nmap (for TCP and UDP behavior) and Xprobe (for ICMP behavior).

Rewrites the headers of every outgoing packet before it is sent, so that fields such as the TCP window size, the TCP options, the IP identification and the initial sequence number match the configured fingerprint.
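The following is an added example, not code from the paper or from Honeyd itself, of what the personality engine does to one response packet: it parses a fingerprint test written in the first-generation Nmap fingerprint syntax (the T1 test, which describes the reply to a SYN probe carrying options) and builds the IP and TCP headers of the SYN-ACK so that window size, flags, DF bit and option order match the fingerprint. The fingerprint line, the TTL, the IP ID and the addresses are constructed for the illustration; a real configuration takes them from nmap-os-fingerprints and the template.

```python
import struct

# Constructed fingerprint test in first-generation Nmap syntax (illustration, not a
# real database entry). T1 = reply to a SYN probe with options: response yes, DF set,
# window 0x16A0, ack = probe seq + 1, flags SYN+ACK, options MSS,NOP,WSCALE,NOP,NOP,TS.
T1 = "T1(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNWNNT)"

TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}


def parse_test(line):
    """Parse 'T1(key=val%key=val...)' into (test name, dict of field -> value)."""
    name, _, body = line.partition("(")
    fields = dict(item.split("=", 1) for item in body.rstrip(")").split("%"))
    return name, fields


def build_options(ops, mss=1460, wscale=0, ts=(1, 0)):
    """Encode Nmap option letters as TCP options, in the fingerprint's order."""
    out = bytearray()
    for ch in ops:
        if ch == "M":
            out += struct.pack("!BBH", 2, 4, mss)            # MSS
        elif ch == "N":
            out += b"\x01"                                    # NOP
        elif ch == "W":
            out += struct.pack("!BBB", 3, 3, wscale)          # window scale
        elif ch == "T":
            out += struct.pack("!BBII", 8, 10, ts[0], ts[1])  # timestamp
        elif ch == "S":
            out += b"\x04\x02"                                # SACK permitted
        elif ch == "L":
            out += b"\x00"                                    # end of options
        else:
            raise ValueError("unknown option letter %r" % ch)
    while len(out) % 4:                                       # pad to 32-bit boundary
        out += b"\x00"
    return bytes(out)


def checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def personality_syn_ack(fp_line, src_ip, dst_ip, sport, dport, probe_seq, our_seq, ttl, ip_id):
    """Build IP+TCP headers of the reply to a SYN, shaped by the fingerprint's T1 test.
    TTL and IP ID are supplied by the caller here (the real engine derives them from
    the personality too); src_ip/dst_ip are 4-byte addresses."""
    _, f = parse_test(fp_line)
    window = int(f["W"], 16)
    flags = sum(TCP_FLAG_BITS[c] for c in f["Flags"])
    if f["ACK"] == "S++":
        ack = (probe_seq + 1) & 0xFFFFFFFF
    elif f["ACK"] == "S":
        ack = probe_seq
    else:                                     # "O": zero acknowledgement number
        ack = 0
    options = build_options(f.get("Ops", ""))
    data_offset = (20 + len(options)) // 4

    tcp = struct.pack("!HHIIBBHHH", sport, dport, our_seq, ack,
                      data_offset << 4, flags, window, 0, 0) + options
    pseudo = struct.pack("!4s4sBBH", src_ip, dst_ip, 0, 6, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]

    frag = 0x4000 if f.get("DF") == "Y" else 0  # DF is bit 14 of the fragment field
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, frag,
                     ttl, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def decode(packet):
    """Read back the fields a fingerprinting scanner would compare."""
    ihl = (packet[0] & 0x0F) * 4
    frag = struct.unpack("!H", packet[6:8])[0]
    tcp = packet[ihl:]
    _, _, _, ack, off, flags, window = struct.unpack("!HHIIBBH", tcp[:16])
    opts = tcp[20:(off >> 4) * 4]
    kinds, i = [], 0
    while i < len(opts):
        kinds.append(opts[i])
        i += 1 if opts[i] in (0, 1) else opts[i + 1]
    return {"df": bool(frag & 0x4000), "ttl": packet[8], "ack": ack,
            "flags": flags, "window": window, "option_kinds": kinds}


if __name__ == "__main__":
    pkt = personality_syn_ack(T1, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 99]), 80, 40000,
                              probe_seq=1000, our_seq=0x12345678, ttl=128, ip_id=0x1F2E)
    print(decode(pkt))
```

The point of the round trip through decode is the one Nmap makes: the scanner never sees the template, only the bytes on the wire, so every field it compares (window, option order, DF, ack arithmetic) has to be rewritten consistently or the personality leaks.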

Page 11

ROUTING TOPOLOGY

Simulates virtual network topologies, so that traceroute and TTL behavior look like a real network.

Some honeypots are also configured as routers.

Latency and loss rate are configured for each edge.

Supports network tunneling and traffic redirection (e.g. proxying a connection to another host).

Page 12

HOW TO CONFIGURE

Each virtual honeypot is configured with a template.

Commands:

create: creates a new template.

set: assigns a personality (an entry from the fingerprint database) to a template and specifies the default behavior of the network protocols:
block: all packets are dropped;
reset: all ports are closed by default;
open: all ports are open by default.

add: specifies the services available on a port (a script, "open", or a proxy).

proxy: used for connection forwarding to another host.

bind: assigns a template to a specific IP address.
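An added configuration example, not taken from the paper or from the Honeyd distribution, that ties the routing-topology commands of the previous slide and the template commands of this one together: one virtual router template bound to two router addresses, a latency/loss edge to a second subnet behind it, a Windows template bound inside that subnet, and a default template that drops everything else. Personality strings must be exact names from the Nmap fingerprint database; the names, addresses, uptime and script paths below are assumptions for the illustration.

```text
# Virtual topology: the entry router 10.0.0.1 owns 10.0.0.0/8 and is directly
# attached to 10.0.0.0/24; a second link 10.1.0.0/16 sits behind router
# 10.1.0.1 with 55 ms latency and 0.1 % packet loss on the edge.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# Template for the virtual routers: closed ports answer with RST,
# only telnet is emulated, by a script (path assumed).
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
set router default udp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

# Template for a Windows host: TCP ports closed by default, UDP dropped,
# a web-server script on 80, NetBIOS ports simply open, and SSH proxied
# back to the attacker's own machine ($ipsrc expands to the source address).
create windows
set windows personality "Windows NT 4.0 Server SP5-SP6"
set windows default tcp action reset
set windows default udp action block
set windows uptime 3284460
add windows tcp port 80 "perl scripts/iisemul8.pl"
add windows tcp port 139 open
add windows tcp port 137 open
add windows udp port 137 open
add windows tcp port 22 proxy $ipsrc:22

# Addresses with no explicit binding fall back to the "default" template,
# which here drops all packets.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.1.0.2 windows
bind 10.0.0.5 windows
```

Two design points worth noticing: the personality is a property of the template, not of the address, so one fingerprint can be bound to as many addresses as needed; and "reset" versus "block" is a fingerprinting decision as much as a policy one, since a host that silently drops SYNs looks like a firewalled host rather than an unpatched server.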

Page 13

LOGGING

Honeyd supports several ways of logging network activity.

Honeyd creates connection logs that report attempted and completed connections for all protocols: who connected, from where, to which honeypot and port, and how much data was exchanged.

Honeyd can be run in conjunction with a NIDS for full packet-level logging and signature matching.
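Honeyd's connection log is plain text, one record per event; the analysis below is an added example, not part of the paper or of Honeyd, of the kind of detection logic one can run over it. The sample lines are constructed in the style of Honeyd's log format (timestamp, protocol, S for connection start, E for connection end, "-" for a connectionless packet, source address and port, destination address and port, then optional data such as a passive OS fingerprint on S lines or byte counts on E lines); a real log may differ in details. Because the honeypots have no production value, every source that appears is already suspicious; the code goes one step further and separates vertical scans (many ports on one honeypot) from horizontal scans (one port across many honeypots) and plain connections.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Honeyd's connection log (not a real capture).
SAMPLE_LOG = """\
2004-03-23-18:56:36.758 tcp(6) S 203.0.113.7 4711 10.0.0.5 80 [Windows XP SP1]
2004-03-23-18:56:36.901 tcp(6) S 203.0.113.7 4712 10.0.0.5 135
2004-03-23-18:56:37.012 tcp(6) S 203.0.113.7 4713 10.0.0.5 139
2004-03-23-18:56:37.140 tcp(6) S 203.0.113.7 4714 10.0.0.5 445
2004-03-23-18:56:37.255 tcp(6) S 203.0.113.7 4715 10.0.0.5 1433
2004-03-23-18:56:37.388 tcp(6) S 203.0.113.7 4716 10.0.0.5 3389
2004-03-23-18:56:39.002 tcp(6) E 203.0.113.7 4711 10.0.0.5 80: 118 282
2004-03-23-18:57:01.530 tcp(6) S 198.51.100.12 2011 10.0.0.5 80 [Linux 2.4]
2004-03-23-18:57:04.009 tcp(6) E 198.51.100.12 2011 10.0.0.5 80: 410 9876
2004-03-23-18:58:10.100 tcp(6) S 192.0.2.44 1025 10.1.0.2 22
2004-03-23-18:58:10.120 tcp(6) S 192.0.2.44 1026 10.1.0.3 22
2004-03-23-18:58:10.140 tcp(6) S 192.0.2.44 1027 10.1.0.4 22
2004-03-23-18:58:10.160 tcp(6) S 192.0.2.44 1028 10.1.0.5 22
2004-03-23-18:58:10.180 tcp(6) S 192.0.2.44 1029 10.1.0.6 22
2004-03-23-18:58:10.200 tcp(6) S 192.0.2.44 1030 10.1.0.7 22
2004-03-23-18:59:00.000 udp(17) - 192.0.2.44 1031 10.1.0.2 137: 50
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\((?P<pnum>\d+)\) (?P<event>[SE-]) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+) (?P<sport>\d+) "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+) (?P<dport>\d+):?(?P<extra>.*)$"
)


def parse_line(line):
    """Return a dict for one log record, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["extra"] = rec["extra"].strip()
    return rec


def summarize(log_text):
    """Per source: distinct (proto, port) targets, distinct honeypots hit,
    completed TCP connections, and the passive OS fingerprint if one was logged."""
    stats = defaultdict(lambda: {"ports": set(), "hosts": set(), "completed": 0, "fingerprint": None})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                                  # skip anything that is not a record
        s = stats[rec["src"]]
        if rec["event"] in ("S", "-"):                # connection attempt or datagram
            s["ports"].add((rec["proto"], rec["dport"]))
            s["hosts"].add(rec["dst"])
            if rec["extra"].startswith("["):          # fingerprint appended to the S line
                s["fingerprint"] = rec["extra"].strip("[]")
        elif rec["event"] == "E":                     # TCP connection completed and closed
            s["completed"] += 1
    return stats


def classify(stats, port_threshold=5, host_threshold=5):
    """Label each source as a vertical scan, a horizontal scan, or a plain connection."""
    verdicts = {}
    for src, s in stats.items():
        if len(s["ports"]) >= port_threshold:
            verdicts[src] = "vertical scan"
        elif len(s["hosts"]) >= host_threshold:
            verdicts[src] = "horizontal scan"
        else:
            verdicts[src] = "connection"
    return verdicts


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, verdict in sorted(classify(stats).items()):
        s = stats[src]
        print("%-15s %-16s ports=%d hosts=%d completed=%d os=%s"
              % (src, verdict, len(s["ports"]), len(s["hosts"]), s["completed"], s["fingerprint"]))
```

The thresholds are deliberately low because the log is already filtered by the honeypot's lack of production value; the same logic run over a production host's logs would need a much higher bar and a notion of legitimate clients.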

Page 14

APPLICATIONS

Network decoys

Detecting and immunizing against new worms

Spam prevention

Page 15

CONCLUSION

Honeyd has several advantages over a NIDS:

Collects more useful information about attacks

Detects exploitation of vulnerabilities that are not yet understood

Less prone to false positives

Defeats fingerprinting tools

Provides effective network decoys

Helps in detecting and immunizing against new worms

Supports spam prevention

Page 16

WEAKNESSES

Interaction is limited to the network level: Honeyd simulates the network stack and services, not the whole operating system.

Adversaries never gain full access to a system, so post-compromise behavior (tools downloaded, commands run) is not observed.

Limited number of simulated services and protocols.

What if a worm or attacker is smart enough to detect the deception? A recognized honeypot stops collecting useful data, and the Honeyd host itself becomes a target.

Page 17

HOW TO IMPROVE

Combine Honeyd with high-interaction virtual honeypots (User Mode Linux or VMware), so that interesting connections can be handed to a full system for better forensic analysis of the attacker.

Defeat more fingerprinting tools, e.g. p0f, which fingerprints passively by analyzing observed traffic instead of sending probes.

Simulate more services and protocols, e.g. with a more complete TCP state machine.

Page 18

THANK YOU !!!!!