Honeyd Virtual Honeypot Framework Niels Provos

Honeyd
Virtual Honeypot Framework
Niels Provos
CS591 Research Project
Supervised by: Dr. Chow
Dec, 2008
Presented by: Fadi Mohsen
Intrusion Detection System

An Intrusion Detection System (IDS) is
software and/or hardware designed to detect
unwanted attempts at accessing,
manipulating, and/or disabling computer
systems, mainly through a network such as
the Internet. These attempts may take the
form of attacks by, for example, crackers,
malware and/or disgruntled employees. An
IDS cannot directly detect attacks within
properly encrypted traffic.
Intrusion Prevention System

An Intrusion Prevention System (IPS) is used in
computer security. It provides policies and
rules for network traffic along with an
intrusion detection system for alerting system
or network administrators to suspicious
traffic, but allows the administrator to provide
the action upon being alerted. Some compare
an IPS to a combination of IDS and an
application layer firewall for protection.
So,

The efficiency of an IPS depends on the
IDS data and information, but the IDS
does not work properly on encrypted
traffic; moreover, IDS information is based
on actual attacks, which means
there is a loss!
Honeypot

A honeypot is a trap set to detect, deflect, or
in some manner counteract attempts at
unauthorized use of information systems.
Generally it consists of a computer, data, or a
network site that appears to be part of a
network but which is actually isolated,
(un)protected, and monitored, and which seems
to contain information or a resource that
would be of value to attackers.
Honeypot Benefits



Monitoring the data that enters and leaves a
honeypot lets us gather information that is
not available to NIDS.

Honeypots can detect vulnerabilities that are
not yet understood.

Data collected from honeypots is less likely to
lead to false positives than data collected by
NIDS.
Honeypot Benefits (Cont.)


Honeypots can run any operating system and
any number of services.

Honeypots can deal with an interactive session
even if encryption is used to protect the network
traffic.
Honeypot Types


A high-interaction honeypot simulates all
aspects of an operating system.

A low-interaction honeypot simulates only
some parts, for example the network stack.
Also we have


A physical honeypot is a real machine on
the network with its own IP address.

A virtual honeypot is simulated by another
machine that responds to network traffic sent
to the virtual honeypot.
Honeyd

Honeyd is a framework for virtual
honeypots that simulates computer systems
at the network level. Honeyd supports the IP
protocol suite, and responds to network
requests for its virtual honeypots according to
the services that are configured for each
virtual honeypot.
Design and Implementation



The framework allows us to instrument
thousands of IP addresses with virtual
machines and corresponding network
services.

Instead of simulating every aspect of an
operating system, it simulates only its
network stack.

Honeyd is a low-interaction virtual honeypot
that simulates TCP and UDP services.
Cont.


Honeyd must be able to handle virtual
honeypots on multiple IP addresses
simultaneously, in order to populate the
network with numerous virtual honeypots
simulating different operating systems and
services.

The framework is able to simulate arbitrary
network topologies and supports network
tunneling.
Design



A central machine intercepts
network traffic sent to the IP
addresses of configured
honeypots and simulates their
responses.

Honeyd is designed to reply to
network packets whose
destination IP address belongs
to one of the simulated
honeypots.

For Honeyd to receive the correct
packets, the network needs to
be configured appropriately. We
can create special routes for the
virtual IP addresses that point
to the Honeyd host.
Architecture



Incoming packets are
processed by the central
packet dispatcher.

The dispatcher must query the
configuration database to find
a honeypot configuration that
corresponds to the destination
IP address.

Honeyd simulates the network
stack behavior of a given
operating system. We call this
the personality of a virtual
honeypot.
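
The lookup described on this slide, as an added Python sketch that is not Honeyd's own code and is not from the original presentation: a dispatcher queries a configuration database by destination IP address and shapes the reply from the matching honeypot's personality. All class and function names, the personality values and the addresses are assumptions constructed for illustration.

```python
"""Toy model of the dispatcher lookup described above (not Honeyd's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address

@dataclass
class Personality:
    # Constructed stack parameters; a real personality covers many more traits.
    name: str
    ttl: int
    tcp_window: int

@dataclass
class Template:
    personality: Personality
    open_ports: dict = field(default_factory=dict)  # (proto, port) -> service

class ConfigDB:
    """Configuration database: maps destination IPs to honeypot templates."""
    def __init__(self):
        self._bindings = {}

    def bind(self, ip, template):
        self._bindings[ip_address(ip)] = template

    def lookup(self, ip):
        return self._bindings.get(ip_address(ip))

def dispatch(db, dst_ip, proto, dport, log):
    """Central dispatcher: return the simulated reply, or None if not ours."""
    tmpl = db.lookup(dst_ip)
    if tmpl is None:
        return None                       # not a configured honeypot address
    p = tmpl.personality
    service = tmpl.open_ports.get((proto, dport))
    log.append((dst_ip, proto, dport, service))   # record the probe for analysis
    if service is not None:
        kind = "SYN-ACK" if proto == "tcp" else "UDP-REPLY"
    else:
        kind = "RST" if proto == "tcp" else "ICMP-PORT-UNREACHABLE"
    reply = {"src": dst_ip, "type": kind, "ttl": p.ttl, "service": service}
    if proto == "tcp":
        reply["window"] = p.tcp_window    # stack trait taken from the personality
    return reply

# Constructed sample configuration (addresses from the TEST-NET-1 range).
db = ConfigDB()
db.bind("192.0.2.10", Template(Personality("linux-like", 64, 5840), {("tcp", 22): "ssh"}))
db.bind("192.0.2.11", Template(Personality("windows-like", 128, 65535), {("tcp", 80): "http"}))
```

Two honeypots bound to different templates answer the same probe differently, and traffic to an unbound address is ignored and never logged.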
Performance


We analyze Honeyd’s performance on a 1.1
GHz Pentium III over an idle 100 MBit/s
network.

Our performance measurements showed that
a single 1.1 GHz Pentium III can simulate
thousands of virtual honeypots with an
aggregate bandwidth of over 30 MBit/s and
that it can sustain over two thousand TCP
transactions per second.
Thank You