A Virtual Honeypot Framework
Niels Provos
Google, Inc.
The 13th USENIX Security Symposium,
August 9–13, 2004
San Diego, CA
Presented by: Sean Mondesire
Honeyd’s Contributions
• Provides an alternative technique for detecting attacks
• Extremely low-cost option for honeypots
• A model framework for low-interaction honeypots.
Agenda
1. Introduction of Honeypots
2. Honeyd
3. Critique of Honeyd
4. Recent Work
5. Honeyd’s Contributions
What are Honeypots?
• Monitored computer system with the hopes of being probed, attacked, and compromised.
• Monitors all incoming and outgoing data.
– Any contact is considered suspicious.
• Can support any OS with any amount of functionality.
Honeypots’ Goals
• Capture information about attacks
– System vulnerabilities
– System responses
• Capture information about attackers
– Attack methods
– Scan patterns
– Identities
• Be attacked!
Etymology of Honeypots
• Winnie-the-Pooh
– His desire for pots of honey led him to various predicaments
• Cold War terminology
– Female communist agent vs. Male Westerner
• Outhouses
– “Honey”: euphemism for waste
– Attackers are flies attracted to honey’s stench
Physical vs. Virtual Honeypots
• Physical Honeypot:
– Real machine
– Runs one OS to be attacked
– Has its own IP address
• Virtual Honeypot:
– Virtual machine on top of a real machine
– Can run a different OS than the real machine
– Real machine responds to network traffic sent to the virtual machine
Physical vs. Virtual Honeypots
[Figure: two panels, “Physical Honeypots” and “Virtual Honeypots”, each labelled “Internet”]
Virtual Honeypot Types
• High-Interaction:
– Simulates all aspects of an OS
– Can be compromised completely
• Low-Interaction:
– Simulates some parts of an OS
• Example: Network Stack
– Simulates only services that cannot lead to complete system compromise
Honeyd
• A virtual honeypot framework
• Can simulate different OS’s at once
– Each honeypot allocated its own IP address
• Low-Interaction
– Only the network stack is simulated
– Attackers only interact with honeypots at the network level
• Supports TCP and UDP services
– Handles ICMP messages as well.
Honeyd: The Architecture
• Configuration Database
• Central Packet Dispatch
• Protocol handlers
• Personality Engine
• Routing Component (optional)
Personality Engine
• Virtual Honeypot’s Personality:
– The network stack behavior of a given operating system
• Personality Engine alters outgoing packets to mimic that VH’s OS
– Changes protocol headers
• Used to thwart fingerprinting tools:
– Example: Xprobe and Nmap
Routing Options
• Proxy ARP
• Configured Routing
– Routing Tables
– Routing Trees
• Generic Routing Encapsulation
– Network Tunneling
– Load balancing
Experiments
• Virtual Honeypots for every detectable fingerprint in Nmap were used.
– 600 distinct fingerprints
• Each VH had one port open to run a web server.
• Nmap was tested against the address space allocated for all the VH’s
– 555 fingerprints were correctly identified
– 37 fingerprints list possible OS’s
– 8 failed to be identified
Applications
• Network Decoys
– Lure attackers to virtual honeypots, not real machines
• Detecting and Countering Worms
– Capture packets sent by worms
– Use large amounts of VH’s across large address space
• Spam Prevention
– Monitor open proxy servers and open mail relays
– Forward suspicious data to spam filters
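An added example (not from the talk or from Honeyd itself) of the worm-detection application above: because any contact with a honeypot is suspicious, a source that reaches several distinct honeypot addresses on one port within a short window is flagged as worm-like. The record format, addresses, threshold, and window are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: address block routed to the virtual honeypots (RFC 5737 test range).
HONEYNET = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample records: "epoch_seconds proto src_ip dst_ip dst_port".
SAMPLE_LOG = """\
1000 tcp 198.51.100.7 192.0.2.10 445
1001 tcp 198.51.100.7 192.0.2.11 445
1002 tcp 198.51.100.7 192.0.2.12 445
1003 tcp 198.51.100.7 192.0.2.13 445
1004 tcp 203.0.113.9 192.0.2.10 80
1900 tcp 203.0.113.9 192.0.2.10 80
1005 udp 203.0.113.50 192.0.2.77 1434
1006 tcp 198.51.100.7 10.1.1.5 445
this line is malformed
"""

def parse(line):
    """Return (ts, proto, src, dst, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        ts, port = int(parts[0]), int(parts[4])
        src, dst = ipaddress.ip_address(parts[2]), ipaddress.ip_address(parts[3])
    except ValueError:
        return None
    return ts, parts[1], src, dst, port

def worm_like_sources(log_text, min_targets=3, window=60):
    """Map (src, proto, port) -> distinct honeypots hit within `window` seconds."""
    hits = defaultdict(list)  # (src, proto, port) -> [(ts, dst), ...]
    for ts, proto, src, dst, port in filter(None, map(parse, log_text.splitlines())):
        if dst in HONEYNET:  # only contacts with honeypot addresses count
            hits[(src, proto, port)].append((ts, dst))
    flagged = {}
    for key, events in hits.items():
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            # Distinct honeypots contacted in the window opening at this event.
            targets = {d for t, d in events[i:] if t - start <= window}
            if len(targets) >= min_targets:
                flagged[key] = max(len(targets), flagged.get(key, 0))
    return {(str(s), p, port): n for (s, p, port), n in flagged.items()}

if __name__ == "__main__":
    for (src, proto, port), n in worm_like_sources(SAMPLE_LOG).items():
        print(f"{src} contacted {n} honeypots on {proto}/{port}")
```

The repeated visitor to a single honeypot and the lone UDP probe are still suspicious contacts, but they do not show the fan-out across the address space that the sweep on port 445 does.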
Conclusions
• Honeyd is a framework for supporting multiple virtual honeypots
• Mimics OS network stack behaviors to trick attackers
• Provides a tool for network security research
– Network decoy
– Spam
– Worm detection
Honeyd’s Strengths
• Supports an array of different OS network stacks
– Fool attackers
• Can support a large number of VH’s for large address spaces
• Easily configurable to test various security issues
– Routing configuration
– OS options
Honeyd’s Weaknesses
• Low-Interaction
– Only network stacks were implemented
– Not all OS services available
– Not all system vulnerabilities can be tested
• Personality Engine is not 100%
– The 37 failed identifications
– Could leave clues to attackers of which sections are honeypots.
Future Work
• Implement Middle-Interaction
– Increase the number of OS services per VH
• Experiment with honeyd’s and physical honeypots on same network
• Increase stability of personality engine
Related Current Work
• Middle-Interaction
– mwcollect
– nepenthes
• The Honeynet Project
– Raise Awareness
– Teach and Inform
– Research
Honeyd’s Contributions
• Provides an alternative technique for detecting attacks
– Detecting worms, attackers, and spam
• Extremely low-cost option for honeypots
– Cost of physical honeypots vs. virtual
• A model framework for low-interaction honeypots.
– Simulates only an OS’s network stack
– Can cover large amounts of IP addresses