Transcript ppt

A Virtual Honeypot Framework
Author: Niels Provos
Published in: CITI Report 03-1
Presenter: Tao Li
Outline

- Introduction
- Honeyd
  - What is Honeyd?
  - Design and Implementation of Honeyd
  - Evaluation of Honeyd
- Application
- Discussion
Introduction

Network Security Background

- We are unable to build secure computer systems, or even to measure their security.
- New vulnerabilities keep being exploited.
- Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems.
- We use honeypots as one way to get early warnings of new vulnerabilities.
Introduction

What is a honeypot?

A closely monitored computing resource intended to be probed, attacked or compromised.

- Network decoy that deters attackers from the real targets
- Network sensor monitoring a blackhole
- Provides IDS functionality
Introduction

Why use honeypots instead of a NIDS?

- All data entering or leaving a honeypot is closely monitored and collected for forensic analysis.
- It can detect vulnerabilities not yet understood.
- Less likely to lead to false positives.
- Can run any OS and any number of services.
  - The configured services determine the vectors available for an adversary to attack.
Introduction

Categories of honeypots

- Interaction
  - High-interaction honeypots simulate all aspects of an OS and can be compromised completely.
  - Low-interaction honeypots simulate only parts of an OS, to gather high-level information.
- Implementation
  - Physical honeypots: real machines with their own IP addresses.
  - Virtual honeypots: simulated by another machine.
What is Honeyd?

Honeyd is a low-interaction virtual honeypot: a lightweight framework for creating virtual honeypots that instruments thousands of IP addresses with virtual machines and corresponding network services.
What can Honeyd do?

- Simulate TCP and UDP services
- Support ICMP
- Handle multiple IP addresses simultaneously
- Simulate arbitrary network topologies
- Support topologically dispersed address spaces
- Support network tunneling for load sharing
Design and Implementation

- Receiving Network Data
- Architecture
- Personality Engine
- Routing Topology
- Configuration
- Logging
Receiving Network Data

Three ways for Honeyd to receive traffic for its virtual honeypots:

- A special route leads the data to the Honeyd host
- Proxy ARP for the honeypots
- Network tunnels: generic routing encapsulation (GRE)
Architecture

Incoming packets are dispatched to the correct protocol handler. For TCP and UDP, the configured services receive new data and send responses if necessary. All outgoing packets are modified by the personality engine to mimic the behavior of the configured network stack. The routing component is optional and is used only when Honeyd simulates a network topology.
Architecture

- Configuration database
  - Stores the personalities of the configured network stacks.
- Central packet dispatcher
  - Dispatches incoming packets to the correct protocol handler.
- Protocol handlers
- Personality engine
- Optional routing component
Architecture

- Support for subsystems
  - An application that runs in the name space of the virtual honeypot; no need to create a new process for each connection.
- Support for redirection of connections
  - Forward a connection request for a service to a real server.
  - Reflect connections back to an adversary!!!
Personality Engine

Why use it?

- Different operating systems have different network stack behaviors.
- Adversaries commonly run fingerprinting tools like Xprobe or Nmap to gather information about a target system.
- The personality engine makes honeypots appear like real targets to a probe, to fool the fingerprinting tools.
Personality Engine

How to fool the adversaries?

- Use Nmap's fingerprint database as the reference for the TCP and UDP protocols.
- Use Xprobe's fingerprint database for ICMP.
- Introduce changes to the headers of every outgoing packet before it is sent to the network, to match the characteristics of the configured operating system.
Personality Engine

Example

- Nmap's fingerprinting is mostly concerned with an OS's TCP implementation.
- Nmap uses the size of the advertised receiver window, which varies between implementations, as part of the fingerprint.
Personality Engine

Example of an Nmap fingerprint specifying the network behavior:

Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
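To make the fingerprint above concrete, here is an added example (my code, not Honeyd's personality engine and not from the paper) that parses the Nmap fingerprint block into a table of tests and attributes, then uses the T1 entry the way the slides describe: an outgoing SYN/ACK has its advertised window, don't-fragment bit and option layout rewritten to match the IRIX personality. The packet model is a plain dict I constructed for the example; only the W, DF, Flags and Ops attributes are applied, while ACK, Resp and the TSeq test are parsed but left alone, which is a simplification of mine. The mismatches() function is the defender-side check: run it against a reply captured from your own honeypot to confirm the personality is actually being imposed.

```python
import re

# The Nmap (version-1 format) fingerprint shown on the slide, copied verbatim.
IRIX_FINGERPRINT = """\
Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Parse one fingerprint block into {"name": str, "tests": {test: {attr: value}}}."""
    name, tests = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        match = TEST_LINE.match(line)
        if match is None:
            raise ValueError(f"unrecognised fingerprint line: {line!r}")
        test, body = match.groups()
        attrs = {}
        for field in (body.split("%") if body else []):
            key, _, value = field.partition("=")
            attrs[key] = value          # "Ops=" yields an empty option layout
        tests[test] = attrs
    if name is None:
        raise ValueError("fingerprint block has no 'Fingerprint' header line")
    return {"name": name, "tests": tests}


# Attributes this example imposes on a reply, mapped to the keys of the constructed
# dict-based packet model. ACK, Resp and TSeq are parsed but not shaped (simplification).
SHAPED_FIELDS = {"W": "window", "DF": "df", "Flags": "flags", "Ops": "options"}


def decode(attr, value):
    """Turn a fingerprint attribute string into the value a packet would carry."""
    if attr == "W":
        return int(value, 16)       # advertised window is written in hex
    if attr == "DF":
        return value == "Y"         # IP don't-fragment bit
    return value                    # TCP flags and option layout stay symbolic


def shape_reply(fingerprint, test, packet):
    """Rewrite an outgoing reply so it shows the behaviour the fingerprint expects for `test`."""
    attrs = fingerprint["tests"][test]
    shaped = dict(packet)
    for attr, key in SHAPED_FIELDS.items():
        if attr in attrs:
            shaped[key] = decode(attr, attrs[attr])
    return shaped


def mismatches(fingerprint, test, observed):
    """Defender's check: which attributes of an observed reply deviate from the personality?"""
    attrs = fingerprint["tests"][test]
    return [attr for attr, key in SHAPED_FIELDS.items()
            if attr in attrs and observed.get(key) != decode(attr, attrs[attr])]


if __name__ == "__main__":
    fp = parse_fingerprint(IRIX_FINGERPRINT)
    # A SYN/ACK as the host's native stack would send it (constructed values).
    native = {"window": 65535, "df": True, "flags": "AS", "options": "MSTNW"}
    print(mismatches(fp, "T1", native))                        # ['W', 'DF', 'Ops']
    print(mismatches(fp, "T1", shape_reply(fp, "T1", native)))  # []
```

The window value is the part worth noticing: W=EF2A decodes to 61226 bytes, and a honeypot whose stack advertises the host's usual 65535 is immediately distinguishable from a real IRIX box even when every service banner is right.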
Routing Topology

Honeyd can simulate arbitrary virtual routing topologies.

- Simulation of a route tree
  - Configure the entry router
  - Configurable latency and packet loss
- Simulation of arbitrary routing
- Extensions
  - Integrate physical machines into the topology
  - Distributed Honeyd via GRE tunneling
How to Configure?

Each virtual honeypot is configured with a template.

Commands:

- Create: creates a new template
- Set:
  - Assign a personality (from the fingerprint database) to a template
  - Specify the default behavior of network protocols
    - Block: all packets dropped
    - Reset: all ports closed by default
    - Open: all ports open by default
    - Proxy: used for connection forwarding
- Add: specify the available services
- Bind: assign a template to a specific IP address
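The commands above are easiest to read in a complete configuration. The block below is an added example, not from the paper or the Honeyd distribution: the embedded configuration is one I wrote in Honeyd's template syntax (create, set, add, bind), and the Python around it is a small parser and lint pass of my own that catches the mistakes that silently weaken a deployment, such as binding an address to a template that was never created or leaving a template without a personality (in which case replies carry the host's real stack signature and the Nmap trick above is lost). The `$ipsrc` placeholder in the proxy entry is my assumption about how Honeyd expresses the "reflect connections back to the adversary" feature; the script paths are constructed.

```python
import shlex

# Constructed configuration in Honeyd's template syntax, written for this example.
# The last bind deliberately refers to a template that was never created.
SAMPLE_CONFIG = """
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

create irix
set irix personality "IRIX 6.5.15m on SGI O2"
set irix default tcp action reset
set irix default udp action block
add irix tcp port 22 proxy $ipsrc:22
add irix tcp port 80 "sh scripts/web.sh"

bind 10.0.0.1 router
bind 10.0.0.2 irix
bind 10.0.0.3 solaris
"""

ACTIONS = {"block", "reset", "open"}


def parse_config(text):
    """Return (templates, bindings, problems) for a Honeyd-style template configuration."""
    templates, bindings, problems = {}, {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            words = shlex.split(line)          # keeps a quoted script command as one token
            cmd = words[0]
            if cmd == "create":
                if words[1] in templates:
                    problems.append(f"line {lineno}: template {words[1]!r} created twice")
                templates[words[1]] = {"personality": None, "default": {}, "ports": {}}
            elif cmd in ("set", "add"):
                tpl = templates.get(words[1])
                if tpl is None:
                    problems.append(f"line {lineno}: {cmd} on undefined template {words[1]!r}")
                elif cmd == "set" and words[2] == "personality":
                    tpl["personality"] = words[3]
                elif cmd == "set" and words[2] == "default" and words[4] == "action":
                    proto, action = words[3], words[5]
                    if action not in ACTIONS:
                        problems.append(f"line {lineno}: unknown default action {action!r}")
                    tpl["default"][proto] = action
                elif cmd == "add" and words[3] == "port":
                    proto, port = words[2], int(words[4])
                    if words[5] == "proxy":
                        tpl["ports"][(proto, port)] = ("proxy", words[6])
                    elif words[5] in ACTIONS:
                        tpl["ports"][(proto, port)] = (words[5], None)
                    else:
                        tpl["ports"][(proto, port)] = ("script", words[5])
                else:
                    problems.append(f"line {lineno}: unrecognised command: {line}")
            elif cmd == "bind":
                ip, name = words[1], words[2]
                if name not in templates:
                    problems.append(f"line {lineno}: bind {ip} to undefined template {name!r}")
                elif ip in bindings:
                    problems.append(f"line {lineno}: {ip} already bound to {bindings[ip]!r}")
                else:
                    bindings[ip] = name
            else:
                problems.append(f"line {lineno}: unrecognised command: {line}")
        except (IndexError, ValueError):
            problems.append(f"line {lineno}: malformed line: {line}")
    # Whole-file checks: every template needs a personality and should be reachable.
    for name, tpl in templates.items():
        if tpl["personality"] is None:
            problems.append(f"template {name!r} has no personality; replies would expose the host's real stack")
        if name not in bindings.values():
            problems.append(f"template {name!r} is never bound to an address")
    return templates, bindings, problems


def answering_ports(templates, name):
    """Explicitly configured ports that answer on a template (block/reset entries are skipped)."""
    tpl = templates[name]
    return sorted((proto, port) for (proto, port), (kind, _) in tpl["ports"].items()
                  if kind not in ("block", "reset"))


if __name__ == "__main__":
    templates, bindings, problems = parse_config(SAMPLE_CONFIG)
    for ip, name in sorted(bindings.items()):
        print(ip, name, answering_ports(templates, name))
    for p in problems:
        print("PROBLEM:", p)
```

Running it prints the two valid bindings with their answering ports and one problem, the dangling `solaris` bind; a production lint would also compare answering_ports() against what the real machines on the same subnet expose, so the decoys do not stand out by offering services nothing else on the network offers.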
Logging

Honeyd supports several ways of logging network activity.

- Honeyd creates connection logs to report attempted and completed connections for all protocols.
- Information can also be gathered from the services themselves and reported to Honeyd via stderr.
- Honeyd can be run in conjunction with a NIDS.
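The second logging path, services reporting through stderr, is clearest with a service in hand. What follows is an added example of mine, not a script shipped with Honeyd or shown in the paper: a minimal SMTP emulation in the shape Honeyd expects from an `add <template> tcp port 25 "<command>"` entry, where the client's bytes arrive on stdin, replies go out on stdout, and each command the client sends is written to stderr as a log record. The SMTP verbs handled, the placeholder hostname and the HONEYD_* environment variable names used to identify the peer are my assumptions; check the variable names against the honeyd version you run.

```python
import os
import sys
import time

# Constructed banner; the hostname is a placeholder, not a real host.
HOSTNAME = "mail.honeypot.example"
BANNER = f"220 {HOSTNAME} ESMTP ready"


def respond(line, state):
    """Answer one client line of a minimal SMTP emulation. Returns (reply, keep_connection)."""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb in ("HELO", "EHLO"):
        state["helo"] = arg
        return f"250 {HOSTNAME}", True
    if verb == "MAIL":
        state["mail"] = arg
        return "250 OK", True
    if verb == "RCPT":
        # Accept any recipient so the sender reveals its target list, but never relay.
        state.setdefault("rcpt", []).append(arg)
        return "250 OK", True
    if verb == "QUIT":
        return "221 Bye", False
    if verb == "DATA":
        # Nothing is ever delivered: the body is refused once the sender has shown its hand.
        return "554 Transaction failed", True
    return "500 Command not recognised", True


def log_line(peer, peer_port, local, local_port, line, now=None):
    """One stderr record per client command; Honeyd collects what services write to stderr."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.gmtime(now))
    return f"{stamp} smtp {peer}:{peer_port} -> {local}:{local_port} {line.strip()!r}"


def main():
    # Assumed names of the variables Honeyd exports to a service script (verify for your version).
    peer = os.environ.get("HONEYD_IP_SRC", "unknown")
    peer_port = os.environ.get("HONEYD_SRC_PORT", "?")
    local = os.environ.get("HONEYD_IP_DST", "unknown")
    local_port = os.environ.get("HONEYD_DST_PORT", "25")
    state = {}
    sys.stdout.write(BANNER + "\r\n")
    sys.stdout.flush()
    for line in sys.stdin:
        sys.stderr.write(log_line(peer, peer_port, local, local_port, line) + "\n")
        reply, keep = respond(line, state)
        sys.stdout.write(reply + "\r\n")
        sys.stdout.flush()
        if not keep:
            break


if __name__ == "__main__":
    main()
```

Logging before responding, as main() does, means a client that drops the connection mid-command still leaves a record; and because respond() is a pure function of the line and the session state, the emulation can be unit-tested without Honeyd in the loop.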
Evaluation

Honeyd does fool Nmap

- Of 600 fingerprints in total, Nmap uniquely identified the operating system simulated by Honeyd in 555 cases, and generated a list of possible answers that included the simulated personality in 37.
- Only 8 fingerprints out of 600 failed!
- It works pretty effectively.
Application

Network Decoys

- Instrument the unallocated addresses of a production network to confuse and deter adversaries scanning the production network.
- In conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks.
Application

Detecting and Countering Worms

- Deploy a large number of virtual honeypots as gateways in front of a smaller number of high-interaction honeypots.
- Use Honeyd's subsystem support to expose regular UNIX applications like OpenSSH to worms.
Application

Spam Prevention

- Spammers abuse two Internet services: proxy servers and open mail relays.
- Use the Honeyd framework to instrument networks with open proxy servers and open mail relays.
Strength

Honeyd has many advantages over a NIDS:

- Collects more useful information
- Detects vulnerabilities not yet understood
- Less likely to lead to high false positive rates
- Cheats the fingerprinting tools effectively
- Effective network decoys: confuse and deter the attackers
- Detecting and immunizing against new worms
- Spam prevention
Weakness

- Limits interaction to the network level only
  - Does not simulate the whole OS
  - Adversaries never gain full access to systems
- Limited number of simulated services and protocols
- What if the worm is smart enough to cheat us? Honeyd itself could then become an attacker.
How to improve?

- Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware, to get better forensic analysis of the attacker;
- Cheat more fingerprinting tools, e.g. p0f, which passively analyzes network traffic;
- Simulate more services and protocols, e.g. with a better TCP state machine.
Thank you.
Any questions?