A Virtual Honeypot Framework


A VIRTUAL HONEYPOT FRAMEWORK
Author: Niels Provos
Publication: USENIX Security Symposium 2004
Presenter: Hiral Chhaya for CAP6103
SECURITY SITUATION

We are unable to build secure computer systems, or even to measure their security.

New vulnerabilities keep being exploited.

Exploitation is automated, and the Internet is scanned globally for vulnerable systems to compromise.

Honeypots are one way to get early warning of new vulnerabilities.
INTRODUCTION

What is a honeypot?
Definition: A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Has no production value, so any traffic that reaches it is suspect;
Used for monitoring, detecting and analyzing attacks;

Does not solve a specific security problem by itself;

Honeypots have a low false positive rate, because legitimate users have no reason to contact them.
CLASSIFICATION

By level of interaction:
  High
  Low

By implementation:
  Virtual
  Physical

WHAT IS HONEYD
Honeyd: a virtual honeypot application that lets a single host simulate thousands of virtual hosts, each with its own IP address, operating-system personality and network services. It simulates the network stack and the services, not a complete operating system.
WHAT CAN HONEYD DO?

Simulate TCP and UDP services

Support ICMP

Handle multiple IP addresses simultaneously

Simulate arbitrary network topologies

Support topologically dispersed address spaces

Support network tunneling for load sharing
HONEYD DESIGN

Receiving Network Data

Architecture

Personality Engine

Routing Topology

Logging
RECEIVING NETWORK DATA
Ways for Honeyd to receive traffic destined for its virtual honeypots:
Special routes that direct the honeypot address space to the Honeyd host;
Proxy ARP, so the Honeyd host answers ARP requests for the honeypot addresses;
Network tunnels from remote networks, which also allow load sharing.
ARCHITECTURE
• Configuration database
• Central packet dispatcher
• Protocol handlers (TCP, UDP, ICMP)
• Personality engine
• Optional routing component
PERSONALITY ENGINE

Purpose: to fool fingerprinting tools, so that a virtual honeypot appears to run the operating system assigned to it.

Uses the fingerprint databases of
  Nmap, for TCP and UDP
  Xprobe, for ICMP

Modifies the headers of every outgoing packet (e.g. TCP window size, DF bit, TCP option ordering, initial sequence numbers) so that replies match the chosen fingerprint before they are sent to the network.
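The following is an added illustration of what the personality engine does, not Honeyd's own code. It parses two constructed fingerprints written in the layout of the classic nmap-os-fingerprints file (only the T1 test, the reply to a SYN on an open port, is modelled) and shapes a SYN-ACK from the chosen entry. The fingerprint values, the option-letter table and the fixed initial sequence number are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Two CONSTRUCTED fingerprints in the layout of the classic nmap-os-fingerprints
# file: a "Fingerprint <name>" line followed by test lines. Only the T1 test
# (reply to a SYN sent to an open port) is modelled here. Values are invented.
FINGERPRINT_DB = """\
Fingerprint Example Linux 2.4.x (constructed)
T1(DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)

Fingerprint Example Windows 2000 (constructed)
T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
"""

# My reading of the single-letter TCP option codes in that format (assumption).
OPTION_LETTERS = {"M": "MSS", "N": "NOP", "T": "TIMESTAMP", "W": "WSCALE",
                  "S": "SACKOK", "L": "EOL"}
FLAG_LETTERS = {"A": "ACK", "S": "SYN", "R": "RST", "F": "FIN", "P": "PSH", "U": "URG"}

TEST_RE = re.compile(r"^(T\d)\((.*)\)$")


def parse_fingerprints(text):
    """Return {personality: {test_name: {field: value}}} from fingerprint text."""
    db, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):]
            db[current] = {}
            continue
        m = TEST_RE.match(line)
        if m and current is not None:
            fields = dict(kv.split("=", 1) for kv in m.group(2).split("%"))
            db[current][m.group(1)] = fields
    return db


@dataclass
class TcpSegment:
    """The header fields the personality engine rewrites on an outgoing packet."""
    seq: int
    ack: int
    flags: frozenset
    window: int
    df: bool
    options: list = field(default_factory=list)


def personality_synack(probe_seq, personality, db, isn=0x12345678):
    """Shape the SYN-ACK a virtual honeypot returns for a SYN to an open port.

    The Honeyd host's own stack would answer with its own window size, DF bit
    and option ordering; instead every field is taken from the T1 entry of the
    personality bound to the honeypot, so Nmap classifies it as that OS.
    """
    t1 = db[personality]["T1"]
    # ACK=S++ means "acknowledge the probe's sequence number plus one";
    # ACK=S would echo the probe sequence number unchanged.
    ack = probe_seq + 1 if t1["ACK"] == "S++" else probe_seq
    return TcpSegment(
        seq=isn,  # Honeyd generates its own ISN; fixed here for readability
        ack=ack,
        flags=frozenset(FLAG_LETTERS[c] for c in t1["Flags"]),
        window=int(t1["W"], 16),  # the window is written in hex in the file
        df=t1["DF"] == "Y",
        options=[OPTION_LETTERS[c] for c in t1["Ops"]],
    )


if __name__ == "__main__":
    db = parse_fingerprints(FINGERPRINT_DB)
    for name in db:
        print(name, personality_synack(1000, name, db))
```

The point of the example is the difference between the two results for the same probe: same flags and acknowledgement, but a different window size and a different option ordering, which is exactly what an OS fingerprinter keys on.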
ROUTING TOPOLOGY
Simulates virtual network topologies;
Some virtual honeypots are also configured as routers;
Latency and loss rate can be configured for each edge;
Supports network tunneling and traffic redirection.
HOW TO CONFIGURE
Each virtual honeypot is configured with a template.
Commands:

Create: creates a new template.
Set: assigns a personality (a fingerprint-database entry) to a template, and specifies the default behavior of each network protocol.
Add: specifies the services available on a given port (a service script, or a proxy).
Bind: assigns a template to a specific IP address.

Behaviors that can be assigned:
Block: all packets dropped.
Reset: all ports closed by default.
Open: all ports open by default.
Proxy: the connection is forwarded to another host.
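To make the template commands concrete, here is an added example (not Honeyd's own parser) that reads a constructed configuration in the create/set/add/bind syntax and then answers the question the central packet dispatcher has to answer for every packet: which template owns this destination address, and what happens on this port. The script paths, the proxy target, the fallback to a template named "default", and the assumption that protocols without a "set ... default" line are open are all mine.

```python
import shlex
from dataclasses import dataclass, field

# CONSTRUCTED honeyd.conf using the template commands listed above.
# Script paths and the proxy target are made up for the example.
CONFIG = """\
create router
set router personality "Cisco 7206 running IOS 11.1(24)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
set netbsd default udp action block
add netbsd tcp port 22 proxy 10.99.0.5:22
add netbsd tcp port 80 "sh scripts/web.sh"

bind 10.0.0.1 router
bind 10.1.0.2 netbsd
"""

DEFAULT_ACTIONS = ("open", "reset", "block")


@dataclass
class Template:
    name: str
    personality: str = None
    # Assumption: a protocol with no "set ... default" line behaves as open.
    defaults: dict = field(default_factory=lambda: dict(tcp="open", udp="open", icmp="open"))
    services: dict = field(default_factory=dict)  # (proto, port) -> (kind, target)


class ConfigError(ValueError):
    """Raised for unknown commands, unknown templates or malformed arguments."""


def parse_config(text):
    """Parse template commands into (templates, bindings); reject anything else."""
    templates, bindings = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = shlex.split(raw, comments=True)  # honours "quoted script paths"
        if not words:
            continue
        cmd, args = words[0], words[1:]
        try:
            if cmd == "create":
                (name,) = args
                templates[name] = Template(name)
            elif cmd == "set" and args[1] == "personality":
                templates[args[0]].personality = args[2]
            elif cmd == "set" and args[1] == "default" and args[3] == "action":
                proto, action = args[2], args[4]
                if action not in DEFAULT_ACTIONS:
                    raise ConfigError(f"unknown action {action!r}")
                templates[args[0]].defaults[proto] = action
            elif cmd == "add" and args[2] == "port":
                key = (args[1], int(args[3]))
                if args[4] == "proxy":
                    templates[args[0]].services[key] = ("proxy", args[5])
                else:
                    templates[args[0]].services[key] = ("script", args[4])
            elif cmd == "bind":
                ip, name = args
                bindings[ip] = templates[name]  # KeyError if never created
            else:
                raise ConfigError(f"unrecognised command {raw!r}")
        except (KeyError, IndexError, ValueError) as exc:
            raise ConfigError(f"line {lineno}: {raw!r}: {exc}") from exc
    return templates, bindings


def dispatch(templates, bindings, dst_ip, proto, port):
    """Decide what the dispatcher does with a packet to dst_ip:port.

    Returns ("script", cmd), ("proxy", "host:port"), ("open"|"reset"|"block", None)
    or ("drop", None) when no template applies.
    """
    # Assumption: an unbound address falls back to a template named "default".
    template = bindings.get(dst_ip) or templates.get("default")
    if template is None:
        return ("drop", None)
    if (proto, port) in template.services:
        return template.services[(proto, port)]
    return (template.defaults.get(proto, "open"), None)


if __name__ == "__main__":
    templates, bindings = parse_config(CONFIG)
    for ip, proto, port in [("10.0.0.1", "tcp", 23), ("10.0.0.1", "tcp", 80),
                            ("10.1.0.2", "tcp", 22), ("10.1.0.2", "udp", 53)]:
        print(ip, proto, port, "->", dispatch(templates, bindings, ip, proto, port))
```

Note the consequence of "reset" as the TCP default: a scan of 10.0.0.1 sees one open port (23) and every other port closed, which is what a real router with only telnet enabled looks like. A misspelled template name or an unknown action is rejected with the line number instead of silently producing an unbound honeypot.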
LOGGING
Honeyd supports several ways of logging network activity.

Honeyd creates connection logs that report attempted and completed connections for all protocols.

Honeyd can also be run in conjunction with a NIDS, which captures and analyzes the traffic sent to the honeypots.
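As an added example of working with the connection log (not part of the presentation or of Honeyd), the block below parses constructed log lines and applies the two checks a practitioner gets from a honeypot: every connection start is an alert in itself, because nothing legitimate should talk to a dark address, and a source that opens the same port on several honeypots is scanning or spreading. The line shape (timestamp, protocol, S/E/- marker, addresses and ports, optional trailer) is my understanding of Honeyd's log and is an assumption; the addresses and OS guesses are invented.

```python
import re
from collections import defaultdict

# CONSTRUCTED lines in the shape I understand honeyd's connection log to have:
#   timestamp proto(number) kind src sport dst dport [trailer]
# kind is S (connection start), E (end; trailer ": bytes_in bytes_out") or
# - (stateless datagram). S lines may carry a passive OS guess in brackets.
# Documentation address ranges are used; 10.0.0.0/24 is the honeypot space.
CONNECTION_LOG = """\
2004-08-09-10:15:01.118 tcp(6) S 203.0.113.7 4021 10.0.0.1 80 [Windows XP SP1]
2004-08-09-10:15:01.120 tcp(6) S 203.0.113.7 4022 10.0.0.2 80 [Windows XP SP1]
2004-08-09-10:15:01.123 tcp(6) S 203.0.113.7 4023 10.0.0.3 80 [Windows XP SP1]
2004-08-09-10:15:01.125 tcp(6) S 203.0.113.7 4024 10.0.0.4 80 [Windows XP SP1]
2004-08-09-10:15:02.004 tcp(6) E 203.0.113.7 4021 10.0.0.1 80: 212 0
2004-08-09-10:15:05.551 udp(17) - 198.51.100.9 1434 10.0.0.9 1434: 376
2004-08-09-10:15:09.000 tcp(6) S 192.0.2.44 51234 10.0.0.1 22 [Linux 2.4-2.6]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+)\((?P<num>\d+)\) (?P<kind>[SE-]) "
    r"(?P<src>\S+) (?P<sport>\d+) (?P<dst>\S+) (?P<dport>\d+)(?P<rest>.*)$"
)


def parse_log(text):
    """Turn log lines into dicts; lines that do not parse are returned apart."""
    events, bad = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad.append(line)
            continue
        ev = m.groupdict()
        ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
        rest = ev.pop("rest").strip()
        # "[...]" trailer: passive OS guess on a start line
        ev["os"] = rest[1:-1] if rest.startswith("[") and rest.endswith("]") else None
        # ": n m" trailer: byte counts on an end line or stateless datagram
        ev["bytes"] = [int(x) for x in rest[1:].split()] if rest.startswith(":") else None
        events.append(ev)
    return events, bad


def connection_starts(events):
    """Each start or stateless event is an alert by itself: a honeypot has no
    production value, so there is no legitimate reason for the contact."""
    return [(e["src"], e["dst"], e["proto"], e["dport"])
            for e in events if e["kind"] in "S-"]


def horizontal_scanners(events, min_targets=3):
    """Sources that hit the same port on at least min_targets distinct
    honeypots: the footprint of automated scanning or a spreading worm."""
    targets = defaultdict(set)
    for e in events:
        if e["kind"] in "S-":
            targets[(e["src"], e["proto"], e["dport"])].add(e["dst"])
    return {key: len(dsts) for key, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    events, bad = parse_log(CONNECTION_LOG)
    print(len(connection_starts(events)), "contacts;", len(bad), "unparsed lines")
    print("scanners:", horizontal_scanners(events))
```

Only the first source is flagged as a scanner; the single SSH attempt from 192.0.2.44 is still reported as a contact, because on a honeypot one connection is already suspicious. Feeding the same addresses into a NIDS rule set, as the slide suggests, adds the payload view that the connection log does not have.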
APPLICATIONS

Network decoys

Spam Prevention
CONCLUSION

Honeyd has several advantages over a NIDS:
  Collects more useful information about what the attacker does;
  Detects attacks on vulnerabilities that are not yet understood;
  Is less likely to produce false positives.

Fools fingerprinting tools;
Provides effective network decoys;
Helps detect and immunize against new worms;
Spam prevention.

WEAKNESSES

Interaction is limited to the network level;

Does not simulate a whole operating system, so adversaries never gain full access to a system and their behavior after compromise cannot be observed;

Limited number of simulated services and protocols;

What if a worm is smart enough to detect the deception? A honeypot that can be fingerprinted as fake can be avoided, and the Honeyd host itself becomes a target for the attacker.
HOW TO IMPROVE

Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware, to allow better forensic analysis of the attacker;
Fool more fingerprinting tools, e.g. p0f, which passively analyzes network traffic;
Simulate more services and protocols, e.g. with a more complete TCP state machine.

THANK YOU !!!!!