dMAPI, anonymization, ToCs


presented by
Spiros Antonatos
Distributed Computing Systems Lab
Institute of Computer Science
FORTH
A little about the project
What are honeypots?
The NoAH approach
Architecture overview
Argos
Honey@home
Conclusions/discussion
http://www.fp6-noah.org
Terena Networking Conference 2007
Spiros Antonatos

Three-year project
 April 2005 until March 2008

Funded by the Research Infrastructures
Programme of the European Union
4 Work Packages
FORTH is coordinator


Malware: worms, viruses, keyloggers,
spyware…
Malware spreads fast
 Faster than we can react
 Thousands of hosts can be infected in a few minutes

We need information about cyberattacks so
as to build effective defenses



Gather and analyse information about the
nature of Internet cyberattacks
Develop an infrastructure to detect and
provide early warning of such attacks
Security monitoring based on honeypot
technology
Computer systems that do not run
production services
Listen to unused IP addresses
Intentionally made vulnerable
Closely monitored to analyse attacks
directed at them
We can identify two types
of honeypots: low-interaction
and high-interaction

Low-interaction honeypots emulate services
using scripts
+ Lightweight processes, able to cover large network
space
- Emulation cannot provide a high level of interaction with
attackers

High-interaction honeypots do not perform
emulation, they run real services
- Heavyweight processes, able to cover small network
space
+ Provide the highest level of interaction with attackers

NoAH uses the advantages of both types
[Architecture overview diagram. Labels: Honey@home; Anonymous path; Participating Organization; Funnel; Internet; Tunnel; NoAH core; Low-interaction Honeypot (several); High-interaction Honeypot.]


Most popular and widely-used low-interaction honeypot
Emulates thousands of IP addresses
 Performs network stack emulation


Highly configurable and lightweight
An efficient mechanism to filter out
unestablished and uninteresting
connections
 Port scans, SSH brute-force attacks, etc

Interesting connections are forwarded to
high-interaction honeypots
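The filtering role Honeyd plays in front of the high-interaction honeypots, as an added example (not Honeyd or NoAH code): connections are rebuilt from a constructed packet trace, half-open probes and payload-less connections are dropped, and only connections that complete the handshake and carry data are marked for handoff. The port-scan threshold and the trace are assumptions.

```python
# Added example, not Honeyd or NoAH code: a simplified front-end filter in the
# role Honeyd plays in NoAH. Connections are rebuilt from a constructed packet
# trace; only those that complete the TCP handshake and then carry payload are
# handed off to the high-interaction honeypot. The scan threshold is assumed.
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5   # assumed: SYN-only probes to this many ports = port scan

# Constructed trace of inbound packets: (src, dport, flags, payload_len).
TRACE = [
    ("10.0.0.9", 22, "S", 0), ("10.0.0.9", 22, "A", 0), ("10.0.0.9", 22, "PA", 37),
    ("10.0.0.7", 80, "S", 0), ("10.0.0.7", 443, "S", 0), ("10.0.0.7", 445, "S", 0),
    ("10.0.0.7", 135, "S", 0), ("10.0.0.7", 139, "S", 0),          # port sweep
    ("10.0.0.5", 25, "S", 0), ("10.0.0.5", 25, "A", 0), ("10.0.0.5", 25, "FA", 0),
]


def classify(trace):
    """Map each (src, dport) to a verdict; also return sources that look like scanners."""
    conns = defaultdict(lambda: {"syn": False, "est": False, "bytes": 0})
    for src, dport, flags, plen in trace:
        c = conns[(src, dport)]
        if "S" in flags:
            c["syn"] = True            # the emulated stack answers with SYN/ACK
        elif "A" in flags and c["syn"]:
            c["est"] = True            # third handshake packet: connection is up
        if c["est"]:
            c["bytes"] += plen         # only post-handshake payload counts
    verdicts, syn_only = {}, defaultdict(set)
    for key, c in conns.items():
        if not c["est"]:
            verdicts[key] = "drop: unestablished"
            syn_only[key[0]].add(key[1])
        elif c["bytes"] == 0:
            verdicts[key] = "drop: established, no payload"
        else:
            verdicts[key] = "handoff: %d bytes to high-interaction" % c["bytes"]
    scanners = {s for s, ports in syn_only.items() if len(ports) >= SCAN_PORT_THRESHOLD}
    return verdicts, scanners
```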

Emulates entire PC systems
 OS agnostic, runs on commodity hardware
 Based on the Qemu emulator
Key idea: data coming from the network should
never be executed
 Tracks network data throughout execution

 Memory tainting technique

Detect illegal uses of network data
 Jump targets, function pointers, instructions, system
call arguments

Argos is able to detect all exploit attempts,
including 0-days!
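The memory-tainting rule behind Argos (network data must never become a jump target), as an added example that is not Argos or NoAH code: a toy register machine marks every byte received from the network as tainted, propagates the taint through loads and arithmetic, and reports an attack when a tainted value is used as an indirect jump target. The opcodes, memory layout and sample programs are constructed.

```python
# Added example, not Argos or NoAH code: a toy register machine with dynamic
# taint tracking in the spirit of Argos. Bytes received from the network are
# tainted, taint follows loads and arithmetic, and using a tainted value as an
# indirect jump target is flagged. Opcodes, memory layout and programs are constructed.

NETWORK_INPUT = b"\x41\x41\x41\x41"   # constructed attacker-controlled bytes


class TaintVM:
    def __init__(self, mem_size=64):
        self.mem = bytearray(mem_size)
        self.taint = [False] * mem_size              # one taint bit per byte
        self.reg = {"a": 0, "b": 0}
        self.rtaint = {"a": False, "b": False}       # one taint bit per register
        self.pc = 0

    def recv(self, addr, data):
        self.mem[addr:addr + len(data)] = data       # copy network bytes in ...
        for i in range(addr, addr + len(data)):
            self.taint[i] = True                     # ... and taint every one

    def run(self, program):
        """Execute until halt; return 'clean' or an 'attack: ...' verdict."""
        while self.pc < len(program):
            op, *args = program[self.pc]
            self.pc += 1
            if op == "movi":                          # reg <- immediate, untainted
                self.reg[args[0]], self.rtaint[args[0]] = args[1], False
            elif op == "load":                        # reg <- 4 bytes at mem[addr]
                r, addr = args
                self.reg[r] = int.from_bytes(self.mem[addr:addr + 4], "little")
                self.rtaint[r] = any(self.taint[addr:addr + 4])
            elif op == "add":                         # a <- a + b, taint bits OR'd
                self.reg["a"] += self.reg["b"]
                self.rtaint["a"] = self.rtaint["a"] or self.rtaint["b"]
            elif op == "jmp_reg":                     # indirect jump: the sink
                if self.rtaint[args[0]]:
                    return f"attack: tainted jump target 0x{self.reg[args[0]]:x}"
                self.pc = self.reg[args[0]]
            elif op == "halt":
                break
        return "clean"


def run_with_network_input(program, data=NETWORK_INPUT, landing=8):
    vm = TaintVM()
    vm.recv(landing, data)                            # the "overflow" lands at 8
    return vm.run(program)


BENIGN = [("movi", "a", 2), ("jmp_reg", "a"), ("halt",)]
EXPLOIT = [("load", "a", 8), ("jmp_reg", "a")]      # return address overwritten by net bytes
COMPUTED = [("movi", "a", 2), ("load", "b", 8), ("add",), ("jmp_reg", "a")]  # taint survives +
```

No signature is needed: the verdict comes from how the data is used, which is why the same rule also catches the pointer computed from network data in COMPUTED.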
[Argos diagram. Labels: Applications; Forensics; Guest OS; Argos emulator; Detect attack and log state; NIC; Correlate data; Host OS; Signature; Signature post-processing; Log.]
Honeypots listen to unused IP space of the
organization that hosts them
This space is too limited to provide results quickly
and accurately
NoAH tries to empower people to
participate
Bring NoAH to home users with
Honey@home
Lightweight tool that runs in the background
 Monitors an unused IP address

 Usually taken by DHCP
All traffic to that unused address is
forwarded to our central honeypots
 No configuration, install and run!
 Both Windows and Linux platforms

[Honey@home diagram. Steps: 1. Running in the background; 2. Creating a new virtual interface; 3. Getting an IP address from the DHCP server. Flow: Attacker (attack) -> Honey@home (forward) -> Honeyd (handoff) -> NoAH core.]
Honey@home clients connect to NoAH honeypots
Honeyd acts as front-end to filter out scans
Honeyd hands off connection to Argos
Attacker thinks she communicates with
honey@home user but in reality Argos is providing
the answers

Identity of clients and honeypots must remain
hidden
 Attackers can flood black space with junk traffic once
identity is revealed
 TOR is a network that can provide the desired
anonymization

Automatic installation of clients must be prevented
 Else attacker would massively deploy mockup clients
 Registration with CAPTCHA techniques is used


We view an organization as a regular user
that possesses large unused space
A specialized version of honey@home is
implemented
 No TOR involved, organization is a trusted
entity (unlike home users)


Only configuration needed is to declare
the unused address space
Honey@home will forward all traffic to that
space (funneling)


Deliverables can be found at http://www.fp6-noah.org/publications/
5 conference papers
 Usenix Security 05, SIGOPS 2006, DIMVA ’06,
RAID’06

Various articles and presentations
 ERCIM news, local press
NoAH is a distributed architecture based
on low- and high-interaction honeypots
Argos is able to detect all exploits,
including zero-days
NoAH empowers non-experts to join the
battlefield against cyberattacks
Honey@home enables unfamiliar users to
effortlessly participate in NoAH