ppt - UCF Computer Science

Honeypot, Botnet, Security
Measurement, Email Spam
Cliff C. Zou
CDA6938
02/01/07
1
What Is a Honeypot?
“A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
2
Example of a Simple Honeypot

- Install a vulnerable OS and software on a machine
- Install monitor or IDS software
- Connect it to the Internet (with a global IP)
- Wait and monitor it being scanned, attacked, compromised
- Finish the analysis, then clean the machine
3
Benefit of Deploying Honeypots

- Risk mitigation: a deployed honeypot may lure an attacker away from the real production systems (an "easy target").
- IDS-like functionality: since no legitimate traffic should take place to or from the honeypot, any traffic that does appear is suspect by definition and can initiate further actions.
- Attack analysis:
  - Binary code analysis of captured attack code
  - Spying on the attacker's ongoing actions
  - Finding out why and how you are attacked (reasons and strategies)
4
Honeypot Classification

- High-interaction honeypots
  - A full and working OS is provided for being attacked
  - VMware virtual environment: several VMware virtual hosts in one physical machine
- Low-interaction honeypots
  - Only emulate specific network services
  - No real interaction or OS
  - Example: Honeyd
- Honeynet/honeyfarm
  - A network of honeypots
5
Low-Interaction Honeypots

- Pros:
  - Easy to install (a simple program)
  - No risk (no vulnerable software to be attacked)
  - One machine supports hundreds of honeypots
- Cons:
  - No real interaction to be captured
  - Limited logging/monitoring function
  - Easily detectable by attackers
6
High-Interaction Honeypots

- Pros:
  - Real OS, captures all attack traffic/actions
  - Can discover unknown attacks/vulnerabilities
- Cons:
  - Time-consuming to build, maintain and analyze
  - Risk of being used as a stepping stone to attack others: must have a firewall blocking all outgoing traffic
  - High computer resource requirement
7
Honeynet


- A network of honeypots
- High-interaction honeynet
  - A distributed network composed of many honeypots
- Low-interaction honeynet
  - Emulate a virtual network in one physical machine
  - Example: honeyd
- Mixed honeynet
  - "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week
Reference: http://www.ccc.de/congress/2004/fahrplan/files/135honeypot-forensics-slides.ppt
8
What Is a Botnet?

- A network of compromised computers controlled by their attacker
  - Users of the zombie machines do not know
  - Mostly home computers with broadband
- The main source of many attacks now
  - Distributed Denial-of-Service (DDoS)
  - Extortion
  - Email spam, phishing
  - Ad fraud
  - User information: documents, keylogger, …
9
How to Build a Botnet?

- Infect machines via:
  - Internet worms, viruses
  - Email viruses
  - Backdoors left by previous malware
  - Trojan programs hidden in free download software, games
  - …
- Bots phone home to the controller to receive commands
10
Botnet Architecture

- Bot controller
  - Usually an IRC server (Internet Relay Chat)
  - Dozens of controllers for robustness
[Figure: the attacker issues commands to several bot controllers, each of which relays them to its set of bots]
11
Botnet Monitoring

- Hijack one of the bot controllers
  - The DNS provider redirects the controller's domain name to the monitor
  - Still cannot cut off a botnet (dozens of controllers)
  - Can obtain most/all bots' IP addresses
- Let honeypots join a botnet
  - Can monitor all communications
  - No complete picture of a botnet

12
Security Measurement


- Monitor network traffic to understand/track Internet attack activities
- Monitor incoming traffic to unused IP space
  - TCP connection requests
  - UDP packets
[Figure: traffic from the Internet into a local network; the packets addressed to the unused IP space are the monitored traffic]
13
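
The monitoring idea on this slide (and the "any traffic to the honeypot is suspect" point from the honeypot-benefits slide) in working code, as an added example that is not part of the original slides. It assumes a hypothetical local network 198.51.100.0/24 whose upper half 198.51.100.128/25 is unused, and packet summaries in a constructed one-line-per-packet format; it keeps only packets to the dark space, tallies the targeted services and sources, and flags sources sweeping several dark addresses. For TCP only the SYN is ever seen, so the summary can say no more than which port was hit, which is the limitation the next slide addresses.

```python
"""Added example (not from the slides): classify traffic to unused IP space.

Assumptions: the local network is the hypothetical 198.51.100.0/24, whose
upper half (198.51.100.128/25) is unused, and packets arrive as one-line
summaries "<time> <proto> <src>:<port> -> <dst>:<port> [tcp-flags]".
"""
import ipaddress
from collections import Counter, defaultdict

# Hypothetical unused ("dark") address space inside the local network.
UNUSED_SPACE = [ipaddress.ip_network("198.51.100.128/25")]

# Constructed packet summaries for the demo; not a real capture.
SAMPLE_LOG = """\
2007-02-01T10:00:01 tcp 203.0.113.5:4321 -> 198.51.100.140:445 S
2007-02-01T10:00:01 tcp 203.0.113.5:4322 -> 198.51.100.141:445 S
2007-02-01T10:00:02 tcp 203.0.113.5:4323 -> 198.51.100.142:445 S
2007-02-01T10:00:02 udp 192.0.2.77:1434 -> 198.51.100.200:1434
2007-02-01T10:00:03 tcp 198.51.100.10:51000 -> 198.51.100.20:80 S
2007-02-01T10:00:04 tcp 203.0.113.9:6000 -> 198.51.100.130:135 S
2007-02-01T10:00:05 udp 192.0.2.77:1434 -> 198.51.100.131:1434
2007-02-01T10:00:06 tcp 203.0.113.5:4324 -> 198.51.100.143:445 S
"""


def parse_line(line):
    """Split one summary line into its fields (ports as ints, TCP flags optional)."""
    fields = line.split()
    time, proto, src, _arrow, dst = fields[:5]
    flags = fields[5] if len(fields) > 5 else ""
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": time, "proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port), "flags": flags}


def is_unused(addr):
    """True if addr lies in address space that no real host should receive traffic for."""
    addr = ipaddress.ip_address(addr)
    return any(addr in net for net in UNUSED_SPACE)


def summarize(log_text, scan_threshold=3):
    """Keep only packets sent to unused space and tally what they target.

    Because no host lives there, every such packet is unsolicited: a scan,
    a worm probe or backscatter. For TCP we only ever see the SYN, so the
    most we learn is (source, destination port); UDP carries a payload we
    could inspect, but this summary only counts it.
    """
    stats = {"dark": 0, "ignored": 0, "by_service": Counter(), "by_source": Counter()}
    targets = defaultdict(set)  # source -> distinct dark addresses it touched
    for line in log_text.splitlines():
        if not line.strip():
            continue
        pkt = parse_line(line)
        if not is_unused(pkt["dst"]):
            stats["ignored"] += 1  # production traffic: not monitored here
            continue
        stats["dark"] += 1
        stats["by_service"][(pkt["proto"], pkt["dport"])] += 1
        stats["by_source"][pkt["src"]] += 1
        targets[pkt["src"]].add(pkt["dst"])
    # A source sweeping several dark addresses is scanning horizontally.
    stats["scanners"] = sorted(s for s, t in targets.items() if len(t) >= scan_threshold)
    return stats


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"{s['dark']} packets to unused space, {s['ignored']} ignored")
    for (proto, port), n in s["by_service"].most_common():
        print(f"  {proto}/{port}: {n}")
    print("horizontal scanners:", s["scanners"])
```

On the constructed sample the source hitting four consecutive dark addresses on TCP/445 is reported as a scanner, while the source that touched only two is not; the single internal-to-internal packet is ignored because its destination is in use.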
Refining Monitoring

- A TCP SYN alone is not enough (it reveals only the IP and port)
- Distinguish different attacks:
  - Low-interaction honeypots (honeyd)
    - Obtain the first attack payload by replying SYN/ACK, i.e. completing the handshake
    - Used by the "Internet Motion Sensor" at U. Michigan
    - Paper presented next…
  - High-interaction honeypots
14
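
A minimal low-interaction honeypot of the kind the low-interaction slide and this slide describe, as an added example (it is not honeyd and not code from the slides). Each instance pretends to be one service on one TCP port: it accepts the connection (which is what lets the attacker's first payload arrive at all), sends a fake banner for server-speaks-first protocols, records the peer address and the first bytes received, and hangs up. The banners, ports and addresses are assumptions; it binds to 127.0.0.1 on an ephemeral port, and the demo plays the attacker against itself so it runs offline.

```python
"""Added example (not honeyd and not from the slides): a minimal
low-interaction honeypot. Each instance listens on one TCP port, completes
the handshake (so the sender's first payload is delivered), sends an optional
fake banner, records the first bytes received and hangs up. Hypothetical
banners; binds to 127.0.0.1 on an ephemeral port so it can be run offline.
"""
import socket
import socketserver
import threading

# Hypothetical emulations keyed by the service port being imitated:
# a banner for server-speaks-first protocols, None where the client speaks first.
BANNERS = {
    22: b"SSH-2.0-OpenSSH_4.3\r\n",
    25: b"220 honeypot.example ESMTP ready\r\n",
    80: None,
}


class EmulatedService(socketserver.BaseRequestHandler):
    """Handle one connection: banner, capture the first payload, close."""

    def handle(self):
        port = self.server.emulated_port
        banner = BANNERS.get(port)
        if banner:
            self.request.sendall(banner)
        self.request.settimeout(2.0)  # scanners that never send data still get logged
        try:
            payload = self.request.recv(4096)
        except socket.timeout:
            payload = b""
        self.server.records.append({
            "peer": self.client_address[0],
            "port": port,
            "payload": payload,
        })
        # Returning closes the socket; the attacker just sees the connection drop.


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True

    def __init__(self, emulated_port, bind=("127.0.0.1", 0)):
        super().__init__(bind, EmulatedService)
        self.emulated_port = emulated_port
        self.records = []


def start(emulated_port):
    """Start a honeypot for one emulated service in a background thread."""
    server = Honeypot(emulated_port)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def stop(server):
    server.shutdown()
    server.server_close()  # joins handler threads, so records are complete afterwards


def probe(server, data):
    """Act as the attacker: connect, read any banner, send data, wait for EOF."""
    with socket.create_connection(server.server_address, timeout=5) as sock:
        banner = b""
        if BANNERS.get(server.emulated_port):
            banner = sock.recv(1024)
        sock.sendall(data)
        while sock.recv(1024):  # drain until the honeypot hangs up
            pass
    return banner


def demo():
    """Probe two emulated services; return the banner seen and the records kept."""
    captured = {}
    for port, payload in ((80, b"GET / HTTP/1.0\r\n\r\n"), (25, b"HELO fake.domain\r\n")):
        server = start(port)
        banner = probe(server, payload)
        stop(server)
        captured[port] = {"banner": banner, "records": server.records}
    return captured


if __name__ == "__main__":
    for port, result in demo().items():
        for rec in result["records"]:
            print(f"port {port} from {rec['peer']}: {rec['payload']!r}")
```

The recorded payload is exactly what a SYN-only monitor cannot see: the HTTP request line or the SMTP greeting that tells one scanner or worm apart from another. Running a real deployment this way still needs the firewall discussed under high-interaction honeypots only in the other direction: this listener never initiates connections, which is why the low-interaction slide can claim it carries no stepping-stone risk.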
Remote fingerprinting

- Actively probe remote hosts to identify their OS, physical devices, etc.
  - Different OSes respond to service requests differently
  - Different hardware responds differently
- Purposes:
  - Understand Internet computers
  - Remove the DHCP issue in monitored data (the same host showing up under changing IP addresses)
  - Paper presented later

15
Data Sharing:
Traffic Anonymization

- Sharing monitored network traffic is important
  - Collaborative attack detection
  - Academic research
- Privacy and security exposure in data sharing
  - Packet header: IP address and service port exposure
  - Packet content: more serious
- Data anonymization
  - Change the packet header: preserve the IP prefix, and …
  - Change the packet content
16
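
What "preserve the IP prefix" means in practice, as an added example that is not from the slides: a prefix-preserving anonymizer in the style of Crypto-PAn, re-implemented with HMAC-SHA256 as the pseudo-random function (an assumption; Crypto-PAn itself uses AES). Output bit i depends only on the key and the first i input bits, so two addresses sharing a k-bit prefix map to two addresses sharing a k-bit prefix and nothing else about them survives. The key, record format and sample records are constructed for the demo; the record rewriter also drops packet content and keeps only its length, matching the slide's point that content exposure is the more serious one.

```python
"""Added example (not from the slides): prefix-preserving IP anonymization.

This is the idea behind Crypto-PAn, re-implemented here with HMAC-SHA256
as the pseudo-random function (an assumption; Crypto-PAn itself uses AES).
Bit i of the output depends only on the key and on the first i bits of the
input, so two addresses that agree on their first k bits are mapped to two
addresses that agree on their first k bits, and nothing more is revealed.
"""
import hashlib
import hmac
import ipaddress
import re

# Hypothetical secret; a real deployment keeps it out of the code and the trace.
KEY = b"change-me-32-bytes-of-secret-key"


def anonymize_ipv4(address, key=KEY):
    """Map an IPv4 address to another IPv4 address, preserving prefix structure."""
    bits = int(ipaddress.IPv4Address(address))
    out = 0
    for i in range(32):
        prefix = bits >> (32 - i)  # the i most significant input bits
        tag = hmac.new(key, f"{i}:{prefix}".encode(), hashlib.sha256).digest()
        flip = tag[0] & 1          # one pseudo-random bit per distinct prefix
        bit = (bits >> (31 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return str(ipaddress.IPv4Address(out))


def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


ENDPOINT = re.compile(r"(\d+\.\d+\.\d+\.\d+):(\d+)")


def anonymize_record(line, key=KEY):
    """Rewrite every ip:port endpoint in a flow-summary line, keeping the port.

    Anything after a ' payload=' marker (constructed format) is replaced by
    its length: the content is the more serious exposure, so it is not shared.
    """
    head, sep, payload = line.partition(" payload=")
    head = ENDPOINT.sub(lambda m: f"{anonymize_ipv4(m.group(1), key)}:{m.group(2)}", head)
    if sep:
        head += f" payload_len={len(payload)}"
    return head


# Constructed records (not a real capture).
SAMPLE_RECORDS = [
    "tcp 198.51.100.17:4000 -> 203.0.113.80:80 payload=GET /admin HTTP/1.0",
    "tcp 198.51.100.200:4001 -> 203.0.113.80:80 payload=GET / HTTP/1.0",
    "udp 192.0.2.9:1434 -> 203.0.113.81:1434",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(anonymize_record(rec))
```

The two 198.51.100.x sources in the sample still share exactly 24 leading bits after anonymization, so subnet-level analysis (which /24 a scanner swept) remains possible without revealing the real addresses. The flip side is the known weakness of this scheme: anyone who learns the true address behind one anonymized address learns the mapping of every prefix of it, so the key and the trace must be handled as a pair.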
Why So Many Email Spam?



- No authentication/authorization in email
  - Receiving unsolicited email is by design
  - Sending fake email is so easy (shown on the next slide)
- Profit:
  - It takes a dime to send out millions of spam emails
  - A few effective spams pay back a good profit
  - No penalty for spam (law, out-of-country spam)

17
Sample fake email sending
telnet longwood.cs.ucf.edu 25
S: 220 longwood.cs.ucf.edu ESMTP Sendmail 8.13.8/8.13.8; …
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: [email protected]
S: 250 [email protected]... Sender ok
C: RCPT TO: [email protected]
S: 250 [email protected] ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: subject: who am I?
C: Do you like ketchup?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection
18
Current Major Spam Defense

- Signature-based filtering
  - SpamAssassin, etc.: based on keywords, rules on headers, …
- Blacklisting-based filtering
  - DNS black list, dynamically updated (Spamhaus)
- Sender authentication
  - Caller ID (Microsoft): http://en.wikipedia.org/wiki/Caller_ID
  - Sender Policy Framework (SPF): http://www.openspf.org/
19
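
The forged session from the "Sample fake email sending" slide and the SPF defense from this slide, together in one added example that is not from the slides: a toy receiving MTA that answers with the same replies the slide shows, driven by the same client commands, first with no checks (every step gets a 250 and the message is accepted) and then with an SPF check of the envelope sender's domain against the connecting IP. The MTA is a state machine rather than a socket server, the "DNS" is a constructed table of SPF records, the SPF evaluator covers only the ip4/all subset of RFC 4408, and every host, mailbox and address is hypothetical.

```python
"""Added example (not from the slides): the forged SMTP session replayed
against a toy receiving MTA, without and with an SPF check on MAIL FROM.
Everything is local: the MTA is a state machine, the DNS zones are a
constructed table, and all hosts, mailboxes and IPs are hypothetical.
"""
import ipaddress
import re

# Stand-in for DNS TXT lookups: domain -> published SPF record (constructed).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 -all",
    "example.net": "v=spf1 ip4:203.0.113.0/24 ~all",
}
QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain, client_ip, txt=FAKE_DNS_TXT):
    """ip4/all subset of SPF (RFC 4408): may client_ip send mail for domain?"""
    record = txt.get(domain.lower())
    if not record or not record.startswith("v=spf1"):
        return "none"  # no policy published: nothing to enforce
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIER else ("+", term)
        if mech == "all":
            return QUALIFIER[qual]
        if mech.startswith("ip4:") and ip.version == 4 and ip in ipaddress.ip_network(mech[4:], strict=False):
            return QUALIFIER[qual]
    return "neutral"  # nothing matched and no "all" term


ADDR = re.compile(r"<?([^<>\s]+@([^<>\s]+))>?")


class ToyMta:
    """Receiving MTA with the replies shown on the slide; optional SPF on MAIL FROM."""

    def __init__(self, hostname, client_ip, spf=False):
        self.hostname, self.client_ip, self.spf = hostname, client_ip, spf
        self.sender, self.recipients, self.body = None, [], []
        self.in_data, self.delivered = False, []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    def command(self, line):
        if self.in_data:  # collecting message text until the lone "."
            if line != ".":
                self.body.append(line)
                return None
            self.in_data = False
            self.delivered.append((self.sender, list(self.recipients), "\n".join(self.body)))
            return "250 Message accepted for delivery"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.hostname} Hello {arg}, pleased to meet you"
        if verb == "MAIL":
            m = ADDR.search(arg)
            if not m:
                return "501 Syntax error in parameters"
            addr, domain = m.group(1), m.group(2)
            # Without SPF the envelope sender is accepted on the client's word alone.
            if self.spf and check_spf(domain, self.client_ip) == "fail":
                return f"550 5.7.1 {addr}... {self.client_ip} is not permitted to send mail for {domain}"
            self.sender = addr
            return f"250 {addr}... Sender ok"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command"
            m = ADDR.search(arg)
            if not m:
                return "501 Syntax error in parameters"
            self.recipients.append(m.group(1))
            return f"250 {m.group(1)}... Recipient ok"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT (recipient)"
            self.in_data = True
            return '354 Enter mail, end with "." on a line by itself'
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Command unrecognized"


def run_session(mta, client_lines):
    """Drive the MTA with client lines; return the transcript as (who, line) pairs."""
    transcript = [("S", mta.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = mta.command(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript


# The slide's dialogue, with hypothetical mailboxes in place of the originals.
FORGED_SESSION = ["HELO fake.domain", "MAIL FROM: <ceo@example.com>",
                  "RCPT TO: <victim@example.org>", "DATA", "Subject: who am I?", "",
                  "Do you like ketchup?", ".", "QUIT"]


def replies(client_ip, spf):
    """Status codes the MTA returns to FORGED_SESSION from client_ip, and messages accepted."""
    mta = ToyMta("mx.example.org", client_ip, spf=spf)
    codes = [line.split()[0] for who, line in run_session(mta, FORGED_SESSION) if who == "S"]
    return codes, len(mta.delivered)


if __name__ == "__main__":
    for who, line in run_session(ToyMta("mx.example.org", "203.0.113.10", spf=True), FORGED_SESSION):
        print(f"{who}: {line}")
```

From 203.0.113.10, which example.com's record does not list, the unchecked MTA accepts the forged envelope sender and the message; with SPF on, MAIL FROM gets a 550 and nothing is delivered, while the same session from 192.0.2.5 (inside the listed /24) still passes. Note what SPF does and does not cover: it checks the envelope sender against the connecting IP, not the From: header the recipient sees, and a domain that publishes no record (or ends in ~all) yields "none" or "softfail", which this MTA does not reject.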