A Virtual Honeypot Framework

Author: Niels Provos
Published in: CITI Report 03-1
Presenter: Tao Li


Outline

Introduction
Honeyd
  What is Honeyd?
  Design and Implementation of Honeyd
  Evaluation of Honeyd
Application
Discussion



Introduction

Network Security Background
  We are unable to make secure computer systems, or even to measure their security.
  New vulnerabilities keep being exploited.
  Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems.
We use honeypots as one way to get early warnings of new vulnerabilities.


Introduction

What is a honeypot?
  A closely monitored computing resource intended to be probed, attacked or compromised.
  Network decoy to deter adversaries from real targets
  Network sensor monitoring a blackhole
  Provides IDS functionality


Introduction

Why use honeypots instead of a NIDS?
  All data entering or leaving a honeypot is closely monitored and collected for forensic analysis.
  It can detect vulnerabilities that are not yet understood.
  Less likely to lead to false positives.
  Can run any OS and any number of services.
  The configured services determine the vectors available for an adversary to attack.


Introduction

Categories of honeypots
  By interaction
    High-interaction honeypots simulate all aspects of an OS and can be compromised completely.
    Low-interaction honeypots simulate only parts of an OS, to gather high-level information.
  By implementation
    Physical honeypots: real machines with their own IP addresses
    Virtual honeypots: simulated by another machine


Outline

Introduction
Honeyd
  What is Honeyd?
  Design and Implementation of Honeyd
  Evaluation of Honeyd
Application
Discussion


What is Honeyd?

Honeyd is a low-interaction virtual honeypot: a lightweight framework for creating virtual honeypots that can instrument thousands of IP addresses with virtual machines and their corresponding network services.


What can Honeyd do?

  Simulate TCP and UDP services
  Support ICMP
  Handle multiple IP addresses simultaneously
  Simulate arbitrary network topologies
  Support topologically dispersed address spaces
  Support network tunneling for load sharing


Design and Implementation

  Receiving Network Data
  Architecture
  Personality Engine
  Routing Topology
  Configuration
  Logging


Receiving Network Data

Three ways for Honeyd to receive traffic for its virtual honeypots:
  A special route leads the data to the Honeyd host
  Proxy ARP for the honeypots
  Network tunnels: generic routing encapsulation (GRE)


Architecture

Incoming packets are dispatched to the correct protocol handler. For TCP and UDP, the configured services receive the new data and send responses if necessary. All outgoing packets are modified by the personality engine to mimic the behavior of the configured network stack. The routing component is optional and is used only when Honeyd simulates a network topology.


Architecture

  Configuration database: stores the personalities of the configured network stacks.
  Central packet dispatcher: dispatches incoming packets to the correct protocol handler.
  Protocol handlers
  Personality engine
  Optional routing component


Architecture

  Support for subsystems: an application that runs in the name space of the virtual honeypot, so no new process has to be created for each connection.
  Support for redirection of connections
    Forward a connection request for a service to a real server
    Reflect connections back to an adversary!!!


Personality Engine

Why use it?
  Different operating systems have different network stack behaviors.
  Adversaries commonly run fingerprinting tools like Xprobe or Nmap to gather information about a target system.
  The personality engine makes honeypots appear like real targets to a probe, fooling the fingerprinting tools.


Personality Engine

How to fool the adversaries?
  Use Nmap's fingerprint database as the reference for the TCP and UDP protocols
  Use Xprobe's fingerprint database for ICMP
  Introduce changes to the headers of every outgoing packet before it is sent to the network, so that they match the characteristics of the configured operating system


Personality Engine

Example
  Nmap's fingerprinting is mostly concerned with an OS's TCP implementation.
  Nmap uses the size of the advertised receiver window, which varies between implementations, as part of the fingerprint.


Personality Engine

Example of an Nmap fingerprint specifying the network behavior:

  Fingerprint IRIX 6.5.15m on SGI O2
  TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
  T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
  T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
  T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
  T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
  T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
  T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
  T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
  PU(Resp=N)
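To make the personality-engine idea concrete, here is an added example (written for this summary, not Honeyd's own code) that parses the IRIX fingerprint quoted on the slide in the first-generation Nmap fingerprint format and derives from its T1 and T5 tests the TCP header values a honeypot would have to put on its SYN-ACK and RST replies. The test names (T1 = SYN to an open port, T5 = SYN to a closed port) and the M/N/W/T/L option letters follow that format; any letter outside those five is reported as unknown rather than guessed.

```python
"""Parse an Nmap (1st-generation) OS fingerprint and derive the TCP header
values a Honeyd-style personality engine would impose on outgoing packets.

Added example for this presentation; it is not Honeyd's code.  The
fingerprint below is the IRIX 6.5.15m entry quoted on the slide.
"""
import re

FINGERPRINT = """\
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

# Single-letter TCP option codes used in the Ops field of the old format.
OPTION_NAMES = {"M": "MSS", "N": "NOP", "W": "WSCALE", "T": "TIMESTAMP", "L": "EOL"}

# One test per line: NAME(field=value%field=value...)
TEST_RE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Return (os name, {test name: {field: value}}) for one fingerprint block."""
    name, tests = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = TEST_RE.match(line)
        if not m:
            raise ValueError("unrecognised fingerprint line: %r" % line)
        test, body = m.groups()
        fields = {}
        for item in (body.split("%") if body else []):
            key, _, value = item.partition("=")
            fields[key] = value          # empty value (e.g. Ops=) is kept as ""
        tests[test] = fields
    return name, tests


def decode_options(ops):
    """Expand an Ops string such as MNWNNTNNM into option names, in order."""
    return [OPTION_NAMES.get(c, "UNKNOWN(%s)" % c) for c in ops]


def syn_ack_profile(tests):
    """Header values for the reply to a SYN on an open port (Nmap test T1)."""
    t1 = tests["T1"]
    return {
        "window": int(t1["W"], 16),        # advertised receiver window, hex in the file
        "dont_fragment": t1["DF"] == "Y",  # IP don't-fragment bit
        "flags": t1["Flags"],              # A = ACK, S = SYN
        "options": decode_options(t1["Ops"]),
    }


def closed_port_profile(tests):
    """Reply to a SYN on a closed port (Nmap test T5): here RST+ACK, zero window."""
    t5 = tests["T5"]
    return {
        "window": int(t5["W"], 16),
        "flags": t5["Flags"],
        "responds": t5.get("Resp", "Y") == "Y",  # Resp absent means a reply is expected
    }


if __name__ == "__main__":
    os_name, fp_tests = parse_fingerprint(FINGERPRINT)
    print(os_name)
    print("SYN-ACK on open port:", syn_ack_profile(fp_tests))
    print("reply on closed port:", closed_port_profile(fp_tests))
```

The window value is the point the previous slide makes: for this personality every SYN-ACK must advertise 0xEF2A (61226) bytes with the MSS, NOP, WSCALE, NOP, NOP, TIMESTAMP, NOP, NOP, MSS option layout, otherwise Nmap's T1 test will not match the claimed OS.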


Routing Topology

  Honeyd can simulate arbitrary virtual routing topologies
  Simulation of a route tree
    Configure the entry router
    Configurable latency and packet loss
  Simulation of arbitrary routing
  Extensions
    Integrate physical machines into the topology
    Distributed Honeyd via GRE tunneling
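The following added example (not Honeyd's routing code) shows what simulating a route tree with configurable latency and packet loss amounts to: a packet for a virtual honeypot is walked from the entry router down the tree, each virtual router decrements the IP TTL (so a traceroute sees the routers), link latencies add up, and each link drops the packet with its configured probability. The topology, addresses, latencies and loss rates are constructed for the example.

```python
"""Simulate a Honeyd-style route tree: TTL decrement per virtual router,
accumulated link latency and per-link packet loss.

Added example for this presentation; not Honeyd's own code.  The topology
below is constructed: an entry router at 10.0.0.1 with two routers behind it.
"""
import ipaddress
import random

ENTRY_ROUTER = "10.0.0.1"

# Each router: networks directly attached ("links") and routes to other
# routers as (destination net, next-hop router, latency ms, loss fraction).
ROUTERS = {
    "10.0.0.1": {"links": ["10.0.0.0/24"],
                 "routes": [("10.1.0.0/16", "10.1.0.1", 55.0, 0.10)]},
    "10.1.0.1": {"links": ["10.1.0.0/24"],
                 "routes": [("10.1.1.0/24", "10.1.1.1", 20.0, 0.0)]},
    "10.1.1.1": {"links": ["10.1.1.0/24"], "routes": []},
}


def _attached(node, addr):
    return any(addr in ipaddress.ip_network(n) for n in node["links"])


def _route_for(node, addr):
    for net, next_hop, lat, loss in node["routes"]:
        if addr in ipaddress.ip_network(net):
            return next_hop, lat, loss
    return None


def trace_path(dst):
    """Routers traversed to reach dst, total latency (ms) and the probability
    that a packet survives every link; None if no router has a route."""
    addr = ipaddress.ip_address(dst)
    hops, latency, delivered = [], 0.0, 1.0
    router = ENTRY_ROUTER
    while True:
        hops.append(router)
        node = ROUTERS[router]
        if _attached(node, addr):
            return hops, latency, delivered
        nxt = _route_for(node, addr)
        if nxt is None:
            return None
        router, lat, loss = nxt
        latency += lat
        delivered *= 1.0 - loss


def forward(dst, ttl, roll=random.random):
    """Push one packet with the given IP TTL through the simulated tree.

    Returns ("delivered", remaining ttl, latency), or
            ("time-exceeded", router that would send the ICMP, latency), or
            ("lost", router whose outgoing link dropped it, latency), or
            ("unreachable", router, latency).
    `roll` returns a float in [0, 1) and is parameterised so the loss decision
    can be made deterministic."""
    addr = ipaddress.ip_address(dst)
    router, latency = ENTRY_ROUTER, 0.0
    while True:
        ttl -= 1                                   # every virtual router decrements TTL
        if ttl <= 0:
            return ("time-exceeded", router, latency)
        node = ROUTERS[router]
        if _attached(node, addr):
            return ("delivered", ttl, latency)
        nxt = _route_for(node, addr)
        if nxt is None:
            return ("unreachable", router, latency)
        next_hop, lat, loss = nxt
        if roll() < loss:                          # link drops the packet
            return ("lost", router, latency)
        latency += lat
        router = next_hop


if __name__ == "__main__":
    print(trace_path("10.1.1.5"))
    for probe_ttl in (1, 2, 3, 4):                 # what a traceroute would see
        print(probe_ttl, forward("10.1.1.5", probe_ttl))
```

With the constructed topology a host at 10.1.1.5 appears three routers deep: probes with TTL 1, 2 and 3 draw ICMP time-exceeded replies from 10.0.0.1, 10.1.0.1 and 10.1.1.1 respectively, and a packet that gets through arrives about 75 ms later having survived the 10 % loss on the first link.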


How to Configure?

Each virtual honeypot is configured with a template. Commands:
  Create: creates a new template
  Set:
    Assigns a personality (from the fingerprint database) to a template
    Specifies the default behavior of network protocols
      Block: all packets dropped
      Reset: all ports closed by default
      Open: all ports open by default
  Add: specifies the available services
  Proxy: used for connection forwarding
  Bind: assigns a template to a specific IP address
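As an added example (written for this summary, not Honeyd's own parser), the following code reads a small template configuration in the command syntax the slide lists (create, set ... personality, set ... default ... action, add ... port ..., proxy, bind) and answers, for a destination address, protocol and port, what the honeypot would do with a new connection: run the service, forward it to the proxy target, send a reset, drop it silently, or accept it on an open port. The configuration itself is constructed (addresses, script paths), and the choice of "open" as the default action when none is set is an assumption of this example.

```python
"""Interpret a Honeyd-style template configuration and decide how a new
connection to a virtual honeypot would be handled.

Added example for this presentation; not Honeyd's own code.  The sample
configuration below is constructed: addresses and script paths are made up,
and 'open' is assumed as the default action when a template sets none.
"""
import shlex

SAMPLE_CONFIG = """\
# constructed example configuration
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action block
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 22 proxy 10.0.0.5:22
add windows udp port 53 proxy 10.0.0.5:53
bind 10.0.0.1 windows
bind 10.0.0.2 windows

create blackhole
set blackhole default tcp action block
set blackhole default udp action block
bind 10.0.0.3 blackhole
"""


class Template:
    def __init__(self, name):
        self.name = name
        self.personality = None
        self.defaults = {"tcp": "open", "udp": "open"}   # assumed default
        self.services = {}   # (proto, port) -> ("script", cmd) | ("proxy", "host:port")


def parse_config(text):
    """Return ({template name: Template}, {ip: Template})."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)      # quoted script strings stay whole
        if not tok:
            continue
        cmd = tok[0]
        if cmd == "create":
            templates[tok[1]] = Template(tok[1])
        elif cmd == "set":
            tpl = templates[tok[1]]
            if tok[2] == "personality":
                tpl.personality = tok[3]
            elif tok[2] == "default" and tok[4] == "action":
                tpl.defaults[tok[3]] = tok[5]       # e.g. default tcp action reset
            else:
                raise ValueError("unsupported set command: " + raw)
        elif cmd == "add":                           # add <tpl> <proto> port <n> <svc>
            tpl = templates[tok[1]]
            key = (tok[2], int(tok[4]))
            if tok[5] == "proxy":
                tpl.services[key] = ("proxy", tok[6])
            else:
                tpl.services[key] = ("script", tok[5])
        elif cmd == "bind":
            bindings[tok[1]] = templates[tok[2]]
        else:
            raise ValueError("unknown command: " + raw)
    return templates, bindings


def handle_connection(bindings, dst_ip, proto, port):
    """What the virtual honeypot at dst_ip does with a new proto/port connection."""
    tpl = bindings.get(dst_ip)
    if tpl is None:
        return ("drop", "no template bound to this address")
    svc = tpl.services.get((proto, port))
    if svc is not None:
        return svc
    return {
        "reset": ("reset", "port closed, RST returned"),
        "block": ("drop", "packet silently dropped"),
        "open": ("open", "port open, no service attached"),
    }[tpl.defaults[proto]]


if __name__ == "__main__":
    _, bound = parse_config(SAMPLE_CONFIG)
    for ip, proto, port in [("10.0.0.1", "tcp", 80), ("10.0.0.2", "tcp", 22),
                            ("10.0.0.1", "tcp", 8080), ("10.0.0.3", "tcp", 80)]:
        print(ip, proto, port, "->", handle_connection(bound, ip, proto, port))
```

The "blackhole" template shows the Block default from the slide: an address bound to it answers nothing at all, which is the behaviour a network decoy on unallocated address space typically wants, whereas the "windows" template resets unknown TCP ports the way a real closed port would.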


Logging

  Honeyd supports several ways of logging network activity.
  Honeyd creates connection logs that report attempted and completed connections for all protocols.
  Information can also be gathered from the services themselves and reported to Honeyd via stderr.
  Honeyd can be run in conjunction with a NIDS.


Evaluation

Honeyd does fool Nmap
  Among 600 fingerprints in total, Nmap uniquely identified the operating system simulated by Honeyd in 555 cases, and generated a list of possible answers that included the simulated personality in 37.
  Only 8 fingerprints out of 600 failed! It works pretty effectively.


Application

Network Decoys
  Instrument the unallocated addresses of a production network to confuse and deter adversaries scanning the production network.
  In conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks.


Application

Detecting and Countering Worms
  Deploy a large number of virtual honeypots as gateways in front of a smaller number of high-interaction honeypots.
  Use Honeyd's subsystem support to expose regular UNIX applications like OpenSSH to worms.


Application

Spam Prevention
  Spammers abuse two Internet services: proxy servers and open mail relays.
  Use the Honeyd framework to instrument networks with open proxy servers and open mail relays.


Strength

Honeyd has many advantages over a NIDS:
  Collects more useful information
  Detects vulnerabilities that are not yet understood
  Less likely to lead to false positives
It cheats the fingerprinting tools effectively
Effective network decoys: confuse and deter the attackers
Detecting and immunizing against new worms
Spam prevention


Weakness

  Interaction is limited to the network level only
    Does not simulate the whole OS
    Adversaries never gain full access to systems
  Limited number of simulated services and protocols
  What if the worm is smart enough to cheat us? Honeyd will become an attacker.


How to improve?

  Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware to obtain a better forensic analysis of the attacker;
  Cheat more fingerprinting tools, e.g. p0f, which passively analyzes the network traffic;
  Simulate more services and protocols, e.g. have a better TCP state machine.


Thank you. Any questions?