Transcript of: NoAH: A Network of Affined Honeypots: Current State and Collaboration Opportunities (Evangelos Markatos, FORTH)

Posted 29-Dec-2015

Evangelos Markatos, FORTH

http://www.fp6-noah.org

info@fp6-noah.org 1

NoAH: A Network of Affined Honeypots:

Current State and Collaboration Opportunities

Evangelos Markatos, Institute of Computer Science (ICS), Foundation for Research and Technology – Hellas (FORTH), Crete, Greece

The NoAH project


Roadmap

• The problem: the trust we used to place in our network is slowly eroding away
• We are being attacked
 – Viruses, worms, Trojans and keyboard loggers continue to plague our computers
• What do people say about this?
 – Europe: ENISA
 – USA: PITAC
• What can be done? The NoAH approach
 – Understand the mechanisms and causes of cyberattacks
 – Automate the detection of, fingerprinting of, and reaction to cyberattacks
• Summary and conclusions


The erosion of trust on the Internet

• We used to trust the computers we interacted with on the Internet. Not any more…
 – Address bar spoofing: do you know whether the web server behind http://www.paypal.com is the real one?
• We used to trust our network. Not any more…
 – Our network is the largest source of all attacks
• We used to trust our own computer. Not any more…
 – Keyboard loggers can easily capture all our personal information


The erosion of trust on the Internet

• We used to trust our own eyes with respect to the content we were viewing on the Internet. Not any more…
 – Phishing: sophisticated social engineering
  • Attackers send users email on behalf of a legitimate sender (e.g. a bank)
  • Inviting them to sign up for a service
  • When users click, they are asked for their password
  • Users think they are giving their password to the bank
  • But it ends up in the attacker's database


A sophisticated phishing attack: setting the stage

• Attackers send email inviting Bank of America customers to change their address on-line


A phishing attack: hiding the tracks

• The legitimate Bank of America web site opens in the background
• A pop-up window (served from www.bofalert.com, not from the bank!) requests the user name and password

[Screenshot: the legitimate web site behind, the credential pop-up window in front]


The boiling cauldron of Security

• Security on the Internet is getting increasingly important
 – Worms, viruses and Trojans continue to disrupt our everyday activities
 – Spyware and backdoors continue to steal our credit card numbers and passwords, and snoop into our private lives
 – Keyboard loggers can empty our bank accounts if their operators choose to do so


It used to be a problem of PCs

• Not any more…
• PocketPC virus: Duts
• Mobile phone virus: Cabir, which infects the Symbian operating system


Mobile phone viruses: The Mosquitos virus

• Mosquitos virus:
 – Attaches itself to an illegal copy of the "Mosquitos" game
 – Once installed, it starts sending potentially expensive SMS messages to premium numbers
 – "Free to download" but "expensive to play"


The CommWarrior Worm

• Two ways to replicate:
 – Searches for nearby phones via Bluetooth
 – Finds the owner's telephone number list and sends MMS messages with copies of itself
• Uses random names, so it is difficult to filter out


How much does it cost?

• Financial cost: worms cost billions of euros in lost productivity
 – CodeRed worm: $2.6 billion
 – Slammer: $1.2 billion
 – LoveLetter virus: $8.8 billion
• Could cyberattacks lead to loss of life?
 – What if medical equipment gets infected by a worm? Wrong diagnosis? Wrong treatment?
 – What if a car gets infected by a worm? Could this lead to a fatal car crash?
• How about critical infrastructures? What if a nuclear power plant gets infected?
 – Would this lead to failure of safety systems?
 – Is this possible?


How much does it cost?

• Worms have penetrated nuclear power plants.
• "The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours" (SecurityFocus News)
• Luckily no harm was done
 – The reactor was not operating at that time
 – There was a fall-back analog monitoring system
• Will we be so lucky next time?


What do people say about this? ENISA

• ENISA: European Network and Information Security Agency
• PSG: Permanent Stakeholders Group
• Vision document


ENISA Vision

• "The longer-term impact of … worm compromised hosts is likely to be greater in total than at present"
• "… Organized Crime and terrorists … introduce a level of sophistication and funding of (cyber)attacks that is far beyond what we have commonly seen in the previous 20 years of cyber security"

ENISA PSG, i.e. things are bad and are going to get worse!


What does the community say about this? What should we do?

• Feb. 2005
• President's Information Technology Advisory Committee (PITAC, in the U.S.)
• Cyber-Security Sub-committee: David Patterson (UC Berkeley), Tom Leighton (MIT) and several others


Cyber-security Report

• Provides expert advice in IT security


Research Priorities Identified

• They identified 10 research priorities. We should do research in:
 – Global-scale monitoring (for cyber-attacks)
 – Real-time data collection, storage and analysis (for cyberattacks)
 – Automated (cyberattack) discovery from monitoring data
 – Forensic-friendly architectures

To summarize: monitor for cyber-attacks and detect them early


NoAH

• In NoAH we do just that: we design and prototype an infrastructure to
 – monitor for cyber threats
 – detect them as early as possible
 – fingerprint them
• We do that based on honeypot technology


What is a honeypot?

• An "undercover" computer
 – which has no ordinary users
 – which provides no regular service (or a few selected services if needed)
 – and just waits to be attacked…
• Its value lies in being compromised, or in being exploited, scanned, etc.
• Honeypots are an "easy" target, but a heavily monitored one
 – Since no legitimate user has a reason to contact them, any traffic they receive is suspect
 – If attacked, they log as much information as possible


When was a honeypot first used?

• First widely publicized use: "The Cuckoo's Egg" by Cliff Stoll
 – Cliff Stoll noticed a 75-cent accounting error in the computer he managed
 – This led him to discover an intruder named "Hunter"
 – Instead of shutting "Hunter" out, Cliff started to study him
 – He connected the modem lines to a printer
 – He created dummy "top-secret" directories to lure "Hunter" into coming back
 – He was paged every time "Hunter" was in
 – He traced "Hunter" to a network of hackers, paid in cash and drugs and reporting directly to the KGB


How do we receive attacks?

• Three types of sensors:
 – Traditional honeypots that wait to be attacked
 – Collaborating organizations that install low-interaction honeypots and forward "interesting" attacks to the NoAH core
 – Honey@Home: a "screensaver"-style daemon that forwards all unwanted traffic to NoAH
• Unwanted traffic is received at
 – unused IP addresses
 – unused TCP/UDP ports


The NoAH architecture

[Diagram: the NoAH core, holding low-interaction and high-interaction honeypots, receives traffic from three kinds of sensors: a funnel in front of its own low-interaction honeypots; a participating organization whose low-interaction honeypot and funnel reach the core over a tunnel; and Honey@home clients that reach the core over an anonymous path.]

Traditional Honeypots

• A low-interaction honeypot listening on a single IP address of the dark space
 – Filters out unwanted traffic which is not part of an attack
• High-interaction honeypots provide the responses

[Diagram: Internet → low-interaction honeypot → high-interaction honeypot, the latter two inside the NoAH core]

How about limited address space?

• The number of "traditional" honeypots is usually limited
 – They cover a small percentage of the IP address space
 – Problem: they may see an attack too late
• Solution: monitor dark space
• What is dark IP address space?
 – Unused IP addresses: IP addresses not associated with any computer
 – Some organizations (e.g. universities) have lots of dark IP address space
• Assign portions of the dark space to this limited number of honeypots
• Funnel: map the dark space to a single or a few IP addresses

Funneling illustrated

[Diagram: the funnel sits between the Internet and the NoAH core and maps the whole dark block 11.12.0.0/16 (individual addresses 11.12.15.1 through 11.12.15.5 are shown being funneled) onto the single honeypot address 11.12.1.1, behind which the low-interaction and high-interaction honeypots sit.]

[Diagram: the participating organization runs a low-interaction honeypot behind a funnel; traffic for its black space is tunneled over the Internet to the high-interaction honeypots in the NoAH core.]

Monitoring Dark Space of Cooperating Organizations

• So, where are we going to find the dark space? Collaborating organizations
• Organizations may want to participate in NoAH but lack the ability to maintain a honeypot
• Packets targeting the organization's black space are tunneled to the honeypots of the NoAH core


The NoAH architecture

[Diagram: the same architecture as on the earlier slide (funnel, participating organization over a tunnel, NoAH core with low- and high-interaction honeypots), now highlighting the Honey@home clients and their anonymous path to the NoAH core]

http://www.honeyathome.org

Honey@Home

• Honey@Home: a honeypot daemon
 – Runs at home (or at a small office)
 – Runs in the background and sends all traffic that arrives at the dark space to the NoAH core for processing
 – Dark space:
  • Unused IP addresses
  • Internal IP addresses
  • Unused ports (or a selected subset of them)
 – Attackers think they are communicating with a home computer but actually talk to honeypots at the NoAH core

http://www.honeyathome.org
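The funnel of the "How about limited address space?" slide and the Honey@Home dark-space rules above are the same mechanism seen from two sides: a stateful address rewriter that steers traffic for unused addresses (and unused ports on live hosts) to a few honeypots. The Python below is an added example, not NoAH, Honeyd or Honey@Home code. It takes the dark block 11.12.0.0/16 and the honeypot address 11.12.1.1 from the funneling diagram; the live host 11.12.2.10 with open ports 22 and 80, the attacker address 198.51.100.7 and the packets are constructed for the example. The detail worth seeing is the reverse rewrite: the honeypot's reply must leave with the source address the attacker actually probed, otherwise the honeypot's real address leaks with every answer, which is exactly what the "Challenges" slide says must not happen.

```python
import ipaddress
import zlib


class Funnel:
    """Map dark IP space, and unused ports on live hosts, onto a few honeypots.

    Added example, not Honeyd/NoAH code. Packets are dicts with keys
    src, sport, dst, dport (addresses as strings). Honeyd keeps its address
    set in a splay tree; the linear prefix scan here is enough for an example.
    """

    def __init__(self, dark_prefixes, honeypots, live_hosts):
        self.dark = [ipaddress.ip_network(p) for p in dark_prefixes]
        self.honeypots = [ipaddress.ip_address(h) for h in honeypots]
        # live address -> ports that really serve something (constructed input)
        self.live = {ipaddress.ip_address(a): set(ports)
                     for a, ports in live_hosts.items()}
        # (attacker src, sport, honeypot, dport) -> address the attacker probed
        self.flows = {}

    def is_dark(self, dst, dport):
        """True if (dst, dport) is unwanted traffic the honeypots should take."""
        dst = ipaddress.ip_address(dst)
        if dst in self.honeypots:
            return False                      # already aimed at a honeypot: leave it
        if dst in self.live:
            return dport not in self.live[dst]   # unused port on a live host
        return any(dst in net for net in self.dark)  # unlisted, non-dark: not ours

    def pick_honeypot(self, src, dst):
        """Same attacker/target pair always lands on the same honeypot,
        so one multi-packet exchange is never split across two of them."""
        idx = zlib.crc32(f"{src}>{dst}".encode()) % len(self.honeypots)
        return str(self.honeypots[idx])

    def inbound(self, pkt):
        """Internet -> funnel. Returns the rewritten packet, or None to pass through."""
        if not self.is_dark(pkt["dst"], pkt["dport"]):
            return None
        hp = self.pick_honeypot(pkt["src"], pkt["dst"])
        self.flows[(pkt["src"], pkt["sport"], hp, pkt["dport"])] = pkt["dst"]
        return {**pkt, "dst": hp}

    def outbound(self, pkt):
        """Honeypot -> funnel. Restores the probed address as the reply's source.
        A reply with no matching inbound flow is dropped rather than forwarded
        with the honeypot's real address on it."""
        key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        probed = self.flows.get(key)
        if probed is None:
            return None
        return {**pkt, "src": probed}


def demo():
    """Run one probe through the funnel and back; returns the reply the attacker sees."""
    funnel = Funnel(dark_prefixes=["11.12.0.0/16"],        # from the slide's diagram
                    honeypots=["11.12.1.1"],               # from the slide's diagram
                    live_hosts={"11.12.2.10": {22, 80}})   # constructed live host
    probe = {"src": "198.51.100.7", "sport": 40000,        # constructed attacker
             "dst": "11.12.15.3", "dport": 445}
    to_honeypot = funnel.inbound(probe)
    reply = {"src": to_honeypot["dst"], "sport": 445,
             "dst": probe["src"], "dport": probe["sport"]}
    return funnel.outbound(reply)


if __name__ == "__main__":
    print(demo())
```

The same class covers the Honey@Home case: give it the home network's internal block (for instance 192.168.0.0/16 from the backup slide) as a dark prefix and the home machine's real address with its handful of used ports as the live host, and everything else, unused addresses and unused ports alike, is what gets forwarded to the core. Note that the honeypot's own address is excluded from rewriting and that a reply without a recorded inbound flow is dropped; both are the edge cases that would otherwise expose the honeypot.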


Honey@Home

• Empower the people to help us fight cyberattacks
 – With minimal installation overhead
 – With minimal runtime overhead
• Appropriate for small organizations who want to contribute but do not have the technical knowledge to install and maintain a full-fledged honeypot

http://www.honeyathome.org


Honey@Home illustrated

[Diagram: a Honey@home client on the Internet reaches the low-interaction and high-interaction honeypots in the NoAH core over an anonymous path]

http://www.honeyathome.org

Screenshots

[Honey@Home installer screenshots: select network interface; create a virtual interface; get a static IP, or get an IP through DHCP]

http://www.honeyathome.org

In Closing…

• Today, May 17th, is World Telecommunication Day 2006 (WTD)
 – Commemorates the founding of the ITU
 – WTD 2006 is dedicated to "Promoting Global Cybersecurity"


WTD 2006: Promoting Global Cybersecurity


In Closing…

• Let us take this opportunity of the World Telecommunication Day, dedicated to promoting global cybersecurity, and promote cybersecurity
 – By promoting awareness
 – By empowering people to contribute and make a difference
 – By empowering small organizations
• Let me take this opportunity to promote cybersecurity by giving the podium to the distinguished security researchers who honor us with their presence
 – My deepest thanks to all of you who came to talk, and who came to attend
 – My deepest thanks to FP6 DG-Research, who invested the resources and co-funded this project



Back Up Slides


The boiling cauldron of Security

• Viruses
 – Programs that attach themselves to legitimate applications. Once the legitimate application starts running, the virus starts running as well.
 – They also attach themselves to email messages
 – "Slow-spreading": they need user intervention (i.e. a "click") to run
• Worms
 – Self-replicating programs; they do not need our help to replicate
 – How do they do it? They find a vulnerable server, trigger a bug in its code, hijack its execution thread and compromise the server
 – They can infect tens of thousands of computers in minutes
  • Humans have no time to react; they just clean up after the attack is over


The boiling cauldron of Security

• Backdoors
 – Worms install "backdoors" in the compromised computers, e.g. create a new account with login "smith" and password "me"
 – The attacker can now enter the compromised computer as "smith"
• Keyboard loggers
 – They log every key typed on the keyboard: credit card numbers, bank accounts, passwords, personal email, confidential information
 – They can empty bank accounts, read and forward email messages, change the victim's personal data, reveal financial and personal secrets, and destroy a person both socially and financially


Honey@Home

• There exists unused IP address space
 – Large universities and research centers
 – Organizations and private companies
 – Public-domain bodies
 – Upscale home users
 – NAT-based home networks (192.168.*.*)
• There exists unused port space
 – Not all computers use all 64K ports
 – Several of them do not even use port 80

http://www.honeyathome.org


NoAH partners

• Research organizations: ICS-FORTH (Greece), Vrije University (The Netherlands), ETHZ (Switzerland)
• ISPs, CERTs, associations: DFN-CERT (Germany), FORTHnet (Greece), TERENA (The Netherlands)
• Industrial partners: ALCATEL (France), Virtual Trip (Greece)


Challenges

• We cannot trust the clients: anyone will be able to set up honey@home
• Clients must not learn the addresses of the honeypots, or the honeypots may become victims of flooding
• The addresses of the clients must also remain hidden: an attacker could use their black space for flooding, or blacklist them to make the NoAH core blind
• Computer-driven mass installation of mock-up honey@home clients must be prevented


Hiding honeypots and clients

• Use an anonymous communication system; onion routing is an attractive solution
 – Prevents eavesdropping attacks
 – Based on a set of dedicated nodes (onion routers)
 – Even when a single router is compromised, privacy is preserved, since no one router sees both the source and the destination
• Tor, an implementation of second-generation onion routing
 – Installs only a SOCKS proxy on the client side


How onion routing works (1/2)

[Diagram: Alice picks the path R1 → R2 → R3 → R4 to Bob through a cloud of onion routers R]

• The sender chooses a random sequence of routers
 – Some routers are honest, some are controlled by the attacker
 – The sender controls the length of the path


How onion routing works (2/2)

[Diagram: Alice → R1 → R2 → R3 → R4 → Bob. The onion Alice hands to R1 is built from the layers shown on the slide:]

  {R2,k1}pk(R1), { {R3,k2}pk(R2), { {R4,k3}pk(R3), { {B,k4}pk(R4), { {M} }k4 }k3 }k2 }k1

• The routing information for each link (the next hop and a session key k_i) is encrypted with that router's public key; the rest of the onion is encrypted under k_i
• Each router learns only the identity of the next router
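The nesting on this slide, written out as code. This is an added example, not Tor's code: the real protocol negotiates the k_i with Diffie-Hellman over a telescoping circuit rather than shipping them in a sealed header, and uses standard ciphers. Here, to stay inside Python's standard library, each router's public-key encryption is stood in for by a long-term symmetric key shared between the sender and that router (an assumption), and each layer is a SHA-256 counter-mode keystream with an HMAC tag; a toy cipher that shows the structure and must not be deployed. What it demonstrates is the property the slide states: each router can open exactly one layer, sees only the next hop, and forwards a blob in which M is still unreadable.

```python
import hashlib
import hmac
import os

NAME_LEN = 16                             # next-hop names are padded to this length
KEY_LEN = 32
HDR_LEN = 16 + NAME_LEN + KEY_LEN + 32    # nonce + sealed (name, key) + HMAC tag


def _keystream(key, nonce, n):
    """SHA-256 in counter mode: a toy stream cipher for this example only."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key, plaintext):
    """{plaintext}key: fresh nonce, XOR with keystream, HMAC over nonce||ct."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Inverse of seal; raises ValueError if the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered layer")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def can_open(key, blob):
    """True if `key` authenticates `blob` (shows that the wrong router cannot peel)."""
    try:
        unseal(key, blob)
        return True
    except ValueError:
        return False


def make_router_keys(names):
    """Stand-in for each router's key pair: one long-term secret per router (assumption)."""
    return {name: os.urandom(KEY_LEN) for name in names}


def build_onion(router_keys, path, dest, message):
    """Alice's side: wrap M from the last router outward, producing
    {R2,k1}pk(R1),{ {R3,k2}pk(R2),{ ... {dest,kn}pk(Rn),{M}kn ... }k2 }k1."""
    hops = path + [dest]
    layer_keys = [os.urandom(KEY_LEN) for _ in path]
    onion = message
    for i in reversed(range(len(path))):
        next_hop = hops[i + 1].encode()
        if len(next_hop) > NAME_LEN:
            raise ValueError("hop name too long for the header")
        header = seal(router_keys[path[i]], next_hop.ljust(NAME_LEN, b"\0") + layer_keys[i])
        onion = header + seal(layer_keys[i], onion)
    return onion


def peel(my_key, onion):
    """One router's work: open its header, learn (next hop, k_i), strip one layer."""
    header = unseal(my_key, onion[:HDR_LEN])
    next_hop = header[:NAME_LEN].rstrip(b"\0").decode()
    layer_key = header[NAME_LEN:]
    return next_hop, unseal(layer_key, onion[HDR_LEN:])


def route(router_keys, path, dest, message):
    """Forward the onion hop by hop. Returns what each router observed
    (its name, the next hop it learned, the blob it received) and what dest gets."""
    onion = build_onion(router_keys, path, dest, message)
    trace, current = [], path[0]
    while current != dest:
        received = onion
        next_hop, onion = peel(router_keys[current], onion)
        trace.append({"router": current, "next": next_hop, "received": received})
        current = next_hop
    return trace, onion


if __name__ == "__main__":
    keys = make_router_keys(["R1", "R2", "R3", "R4"])
    trace, delivered = route(keys, ["R1", "R2", "R3", "R4"], "Bob", b"hello Bob")
    for hop in trace:
        print(f'{hop["router"]} learned next hop {hop["next"]}; '
              f'plaintext visible in what it received: {b"hello Bob" in hop["received"]}')
    print("Bob received:", delivered)
```

The last router, like a Tor exit, does see M once it has stripped its own layer; what the construction guarantees is that no earlier router does, and that no router can open a layer that was not addressed to it (a tag failure rather than garbage, so a misrouted or tampered onion is dropped instead of forwarded).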


Hidden services

• In the previous examples Alice needed to know the address of Bob, that is, the client needed to know the address of the honeypots
• Tor offers hidden services
 – Clients only need to know an identifier for the hidden service
 – This identifier is a DNS-like name of the form "xyz.onion"
 – ".onion" names are resolved and routed only inside Tor, never through the public DNS


Creating a Location Hidden Server

• The server creates onion routes to "introduction points"
• The server gives the introduction points' descriptors and addresses to the service lookup directory
• The client obtains the service descriptor and the introduction point addresses from the directory


Using a Location Hidden Server

• The client creates an onion route to a "rendezvous point"
• The client sends the address of the rendezvous point, and any authorization if needed, to the server through the introduction point
• If the server chooses to talk to the client, it connects to the rendezvous point
• The rendezvous point mates the circuits from client and server


Hidden services in action

• We created a hidden service that actually forwards to Google.com


Shielding Tor against attacks

• Onion routing is subject to timing attacks
 – If the attacker has compromised both the first and the last router of the path, she can correlate the timing of traffic entering and leaving it
• Solution: the client sets itself up as the first router; Tor clients can also act as routers
• The honeypot side can likewise set up a trusted first router
• The attacker can then no longer control both ends of the path
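What the timing attack looks like in numbers, as an added example (not Tor or NoAH code). The packet timestamps are constructed: two flows with bursty, interactive-looking timing enter the network; one of them is observed again at the exit after a fixed circuit delay plus random jitter; and the attacker, holding both vantage points, bins packet counts (2 s bins over a 120 s window) and picks the entry flow whose count pattern correlates best with the exit flow, trying candidate delays from 0 to 1 s because the exact circuit delay is unknown. The defence on the slide does not weaken this computation; it takes the entry-side observation away from the attacker, which is why the client itself (or a node it trusts) must be the first hop.

```python
import math
import random


def bursty_flow(rng, duration, n_bursts):
    """Constructed interactive-looking traffic: short packet bursts at random moments."""
    stamps = []
    for _ in range(n_bursts):
        t = rng.uniform(0, duration)
        for _ in range(rng.randint(4, 12)):
            t += rng.expovariate(50)          # ~20 ms between packets within a burst
            stamps.append(t)
    return sorted(t for t in stamps if t < duration)


def through_circuit(rng, stamps, base_delay, jitter):
    """What the exit router sees: every packet delayed by the circuit plus jitter."""
    return sorted(t + base_delay + rng.uniform(0, jitter) for t in stamps)


def bin_counts(stamps, width, span):
    """Packets per time bin over [0, span)."""
    counts = [0] * math.ceil(span / width)
    for t in stamps:
        i = int(t // width)
        if 0 <= i < len(counts):
            counts[i] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if either is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / math.sqrt(va * vb)


def best_correlation(entry_stamps, exit_stamps, width, span, offsets):
    """Correlate binned counts, trying candidate circuit delays since the
    attacker does not know the exact one; returns the best score found."""
    entry_bins = bin_counts(entry_stamps, width, span)
    return max(pearson(entry_bins, bin_counts([t - d for t in exit_stamps], width, span))
               for d in offsets)


def best_match(entry_flows, exit_flow, width=2.0, span=120.0, offsets=None):
    """Attacker at both ends: which entry flow does this exit flow belong to?
    Returns the winning flow name and every candidate's score."""
    offsets = offsets or [i / 10 for i in range(11)]      # 0.0 .. 1.0 s
    scores = {name: best_correlation(ts, exit_flow, width, span, offsets)
              for name, ts in entry_flows.items()}
    return max(scores, key=scores.get), scores


def demo(seed=7):
    """Two clients' flows enter; alice's leaves the circuit; link it back to her."""
    rng = random.Random(seed)
    entry = {"alice": bursty_flow(rng, 120.0, 20),
             "carol": bursty_flow(rng, 120.0, 20)}
    at_exit = through_circuit(rng, entry["alice"], base_delay=0.4, jitter=0.2)
    return best_match(entry, at_exit)


if __name__ == "__main__":
    winner, scores = demo()
    print("exit flow linked to", winner, {k: round(v, 2) for k, v in scores.items()})
```

Padding or delaying traffic would lower the score but not remove it; removing one of the two observation points, as the slide proposes, removes the input to the computation altogether.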


Preventing automatic installation

• Goal: prevent an attacker from deploying fake clients across its own subnet
• CAPTCHAs as a proposed solution
 – Ask a human to solve a visual puzzle
 – The puzzle cannot easily be solved by a computer
 – The puzzle can also be an audio clip


Enhancing CAPTCHAs

• An attacker may post the image on his own site and use his visitors to solve it
• Adding animation avoids this "CAPTCHA laundering"
• The user clicks on the correct (animated) answer and her IP address is bound to the registration
 – Animation prevents users from providing static responses such as "I clicked the upper left corner"
• Flash is a possible technology we can use, with obfuscation as an extra security step

[Illustration: "Click the apple!"]


Funneling (3/3)

• farpd to claim the dark IP addresses (it answers ARP requests for them)
 – Does not work well with some old routers (limit on ARP entries per interface); not an issue with modern routers
• Alternatively, router configuration to forward the black space to the honeypots: no need for ARP
• Funneling has no measurable overhead
 – Honeyd organizes addresses in a splay tree
 – We tested emulating /24, /16 and /8 subnets without any noticeable difference in performance


Tunneling

• OpenVPN 2.0 as tunnel software
 – Encrypted channel, supports packet compression
 – Easy configuration
• We measured the tunneling overhead in our local testbed: around 20% for two machines on a 100 Mbit/s LAN
• In progress: documentation for setting up the tunnel and its configuration options