1
Introduction to Honeypot, Botnet, and Security Measurement
Cliff C. Zou, 02/07/06
2
What Is a Honeypot?
Abstract definition: “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)
Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
3
Example of a Simple Honeypot
Install vulnerable OS and software on a machine
Install monitor or IDS software
Connect to the Internet (with global IP)
Wait and monitor being scanned, attacked, compromised
Finish analysis, clean the machine
4
Benefit of Deploying Honeypots
Risk mitigation: A deployed honeypot may lure an attacker away from the real production systems (“easy target”).
IDS-like functionality: Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.
Attack analysis: Find out reasons and strategies, why and how you are attacked.
5
Benefit of Deploying Honeypots
Evidence: Once the attacker is identified, all data captured may be used in a legal procedure.
Increased knowledge: By knowing how you are attacked, you are able to enlarge your ability to respond in an appropriate way and to prevent future attacks.
Research: Operating and monitoring a honeypot can reveal the most up-to-date techniques/exploits and tools used, as well as internal communications of the hackers, or infection or spreading techniques of worms or viruses.
6
Honeypot Classification
High-interaction honeypots
  A full and working OS is provided for being attacked
  VMware virtual environment: several VMware virtual hosts in one physical machine
Low-interaction honeypots
  Only emulate specific network services
  No real interaction or OS
  Honeyd
Honeynet/honeyfarm
  A network of honeypots
7
Low-Interaction Honeypots
Pros:
  Easy to install (simple program)
  No risk (no vulnerable software to be attacked)
  One machine supports hundreds of honeypots
Cons:
  No real interaction to be captured
  Limited logging/monitoring function
  Easily detectable by attackers
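The following listener is an added example, not code from the slides or from any honeypot product: a minimal low-interaction honeypot in the spirit of slides 4, 6 and 7. It emulates a single service with a constructed banner, captures the first payload a connecting host sends, and logs every connection as an alert, because no legitimate traffic should ever reach the honeypot. The banner text, the record format and the local self-test client are all assumptions made for the example.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed banner for the emulated service (an assumption; not any real
# product's banner). Low-interaction honeypots only pretend to be a service.
FAKE_BANNER = b"220 mail.example.test ESMTP ready\r\n"

PROBES = []                 # captured probe records, shared by handler threads
_LOCK = threading.Lock()


def make_record(peer, payload, ts=None):
    """Build one log record. Any connection to a honeypot is suspicious by
    definition (slide 4), so every record carries alert=True."""
    ts = ts or datetime.now(timezone.utc).isoformat()
    return {
        "time": ts,
        "src_ip": peer[0],
        "src_port": peer[1],
        "first_payload": payload[:256],   # keep only the first attack payload
        "alert": True,
    }


class ProbeHandler(socketserver.BaseRequestHandler):
    """Serve the fake banner, capture the first payload, close. No real
    interaction beyond that, which is exactly the low-interaction trade-off."""

    def handle(self):
        self.request.settimeout(2.0)
        self.request.sendall(FAKE_BANNER)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""          # a bare connect with no payload is still logged
        rec = make_record(self.client_address, data)
        with _LOCK:
            PROBES.append(rec)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 picks a free port."""
    srv = Honeypot((host, port), ProbeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe_once(host, port, payload):
    """Local self-test client (constructed): connect, read the banner, send
    one payload. Stands in for a host that found the honeypot by scanning."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


def wait_for_probes(n, timeout=3.0):
    """Return the captured records once at least n have arrived (or on timeout)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with _LOCK:
            if len(PROBES) >= n:
                return list(PROBES)
        time.sleep(0.05)
    with _LOCK:
        return list(PROBES)


if __name__ == "__main__":
    srv = start_honeypot()
    host, port = srv.server_address
    probe_once(host, port, b"EHLO scanner.test\r\n")
    for rec in wait_for_probes(1):
        print(rec)
    srv.shutdown()
    srv.server_close()
```

Running the block binds only to localhost and probes itself once. In a deployment the same records would be forwarded to the IDS or SIEM; the point of slide 4 is that no filtering is needed, since the honeypot has no legitimate users.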
8
High-Interaction Honeypots
Pros:
  Real OS, captures all attack traffic/actions
  Can discover unknown attacks/vulnerabilities
Cons:
  Time-consuming to build/maintain
  Time-consuming to analyze attacks
  Risk of being used as a stepping stone
  High computer resource requirement
9
Honeynet
A network of honeypots
High-interaction honeynet
  A distributed network composed of many honeypots
  “Collapsar: A VM-Based Architecture for Network Attack Detention Center”, Usenix’04
Low-interaction honeynet
  Emulate a virtual network in one physical machine
  Example: honeyd
Mixed honeynet
  “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week
Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt
10
What Is a Botnet?
A network of compromised computers controlled by their attacker
  Users on zombie machines do not know
The main source for many attacks now
  Distributed Denial-of-Service (DDoS)
  Extortion
  Email spam, phishing
  Ad-fraud
  User information: documents, keylogger, …
11
How to Build a Botnet?
Infect machines via:
  Internet worms, viruses
  Email virus
  Backdoor left by previous malware
  Trojan programs
  …
Bots phone back to receive commands
12
Botnet Architecture
Bot controller
  Usually using an IRC server (Internet Relay Chat)
  Dozens of controllers for robustness
[Diagram: attacker → bot controllers → bots]
13
Botnet Monitoring
Hijack one of the bot controllers
  DNS provider redirects the domain name to the monitor
  Still cannot cut off a botnet (dozens of controllers)
  Can obtain most/all bots’ IP addresses
Let honeypots join a botnet
  Can monitor all communications
  No complete picture of a botnet
14
Security Measurement
Monitor network traffic to understand/track Internet attack activities
Monitor incoming traffic to unused IP space
  TCP connection requests
  UDP packets
[Diagram: Internet → local network, with monitored traffic arriving at unused IP space]
15
Refining Monitoring
TCP/SYN not enough (IP, port only)
  Distinguish different attacks
  Low-interaction honeypots (honeyd): obtain the first attack payload by replying SYN/ACK
    “Internet Motion Sensor”, presented next week
  High-interaction honeypots
TCP Reset packets
  Backscatter from spoofed DoS attack victims
    “Inferring Internet Denial-of-Service Activity”, presented later
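As an added example covering slides 14 and 15 (not code from the slides or from the cited papers), the classifier below runs over a constructed set of packet summaries destined for an unused address block. A bare SYN tells us only the source IP and target port, as slide 15 says; a SYN/ACK or RST arriving at an address that never sent anything is backscatter, so its source is the victim of a spoofed-source DoS attack. The block also extrapolates the victim's reply rate from the fraction of the IPv4 space the sensor covers, under the labelled assumption that spoofed sources are chosen uniformly at random. The monitored prefix, the packet records and the time window are all constructed.

```python
import ipaddress
from collections import Counter

# Constructed: the unused ("dark") block we monitor. TEST-NET-1 (192.0.2.0/24)
# is reserved documentation space and stands in for a real unused prefix.
DARK_SPACE = ipaddress.ip_network("192.0.2.0/24")

# Constructed sample packets, as a flow sensor would summarise them.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 445, "flags": "S"},
    {"src": "198.51.100.7", "dst": "192.0.2.11", "proto": "tcp", "dport": 445, "flags": "S"},
    {"src": "198.51.100.7", "dst": "192.0.2.12", "proto": "tcp", "dport": 445, "flags": "S"},
    {"src": "203.0.113.5", "dst": "192.0.2.20", "proto": "tcp", "dport": 22, "flags": "S"},
    # replies to SYNs we never sent: the victim (203.0.113.80) answering spoofed sources
    {"src": "203.0.113.80", "dst": "192.0.2.33", "proto": "tcp", "dport": 40001, "flags": "SA"},
    {"src": "203.0.113.80", "dst": "192.0.2.34", "proto": "tcp", "dport": 40002, "flags": "SA"},
    {"src": "203.0.113.80", "dst": "192.0.2.35", "proto": "tcp", "dport": 40003, "flags": "R"},
    {"src": "198.51.100.9", "dst": "192.0.2.40", "proto": "udp", "dport": 1434},
    {"src": "198.51.100.9", "dst": "10.0.0.5", "proto": "udp", "dport": 1434},   # not dark space
]


def classify(pkt):
    """Label one packet seen by the sensor on the unused IP space."""
    if ipaddress.ip_address(pkt["dst"]) not in DARK_SPACE:
        return "not-dark"
    if pkt["proto"] == "udp":
        return "udp-probe"
    flags = set(pkt.get("flags", ""))
    if flags == {"S"}:
        return "tcp-scan"        # only source IP and destination port are learned
    if flags == {"S", "A"} or "R" in flags:
        return "backscatter"     # unsolicited reply: 'src' is a DoS victim
    return "tcp-other"


def summarize(pkts):
    """Aggregate what a darknet sensor can report from SYN/UDP/backscatter alone."""
    cats, scan_ports, victims = Counter(), Counter(), Counter()
    scanners = set()
    for p in pkts:
        c = classify(p)
        cats[c] += 1
        if c == "tcp-scan":
            scan_ports[p["dport"]] += 1
            scanners.add(p["src"])
        elif c == "backscatter":
            victims[p["src"]] += 1
    return {
        "categories": dict(cats),
        "scan_ports": scan_ports.most_common(3),
        "scanners": sorted(scanners),
        "dos_victims": victims.most_common(3),
    }


def estimate_victim_rate(n_backscatter, window_seconds, dark_size=DARK_SPACE.num_addresses):
    """Extrapolate a victim's total reply rate (packets/s) from the backscatter
    that landed in our block. Assumption (labelled): spoofed source addresses
    are uniform over the 2**32 IPv4 space, so we see dark_size/2**32 of them."""
    return n_backscatter * (2 ** 32 / dark_size) / window_seconds


if __name__ == "__main__":
    report = summarize(SAMPLE_PACKETS)
    print(report)
    n = report["categories"].get("backscatter", 0)
    # constructed 60-second observation window
    print("estimated victim reply rate: %.0f pkt/s" % estimate_victim_rate(n, 60))
```

The classifier shows why slide 15 calls plain SYN monitoring insufficient: the scan lines tell us that 198.51.100.7 is probing port 445, but nothing about what it would send; only a honeypot that answers the SYN (honeyd) would capture that first payload.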
16
Remote Fingerprinting
Actively probe remote hosts to identify remote hosts’ OS, physical devices, etc.
  OSes’ service responses are different
  Hardware responses are different
Purposes:
  Understand Internet computers
  Remove the DHCP issue in monitored data
17
Data Sharing: Traffic Anonymization
Sharing monitored network traffic is important
  Collaborative attack detection
  Academic research
Privacy and security exposure in data sharing
  Packet header: IP address, service port exposure
  Packet content: more serious
Data anonymization
  Change packet header: preserve IP prefix, and …
  Change packet content
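To make the "preserve IP prefix" requirement on slide 17 concrete, here is an added example (not code from the slides) of prefix-preserving address anonymization: two addresses that share their first k bits before anonymization share exactly their first k bits afterwards, so subnet structure survives while the real addresses do not. Each output bit is the input bit XORed with a keyed-HMAC value derived from the bits above it, the same construction idea as Crypto-PAn but with HMAC-SHA256 standing in for the block cipher; the key, the record layout and the payload treatment (replace content with its length) are assumptions for the example.

```python
import hashlib
import hmac
import ipaddress


def _ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def _int_to_ip(n):
    return str(ipaddress.IPv4Address(n))


def common_prefix_len(ip_a, ip_b):
    """Number of leading bits two IPv4 addresses share (32 if identical)."""
    return 32 - (_ip_to_int(ip_a) ^ _ip_to_int(ip_b)).bit_length()


def anonymize_ip(ip, key):
    """Prefix-preserving anonymization: the flip bit for position i depends
    only on the original i-bit prefix, so addresses agreeing on a prefix are
    mapped to outputs agreeing on a prefix of the same length."""
    orig = _ip_to_int(ip)
    out = 0
    for i in range(32):
        prefix = orig >> (32 - i)                 # top i bits (0 when i == 0)
        msg = i.to_bytes(1, "big") + prefix.to_bytes(4, "big")
        flip = hmac.new(key, msg, hashlib.sha256).digest()[0] & 1
        bit = (orig >> (31 - i)) & 1
        out = (out << 1) | (bit ^ flip)
    return _int_to_ip(out)


def anonymize_record(rec, key):
    """Header: rewrite both addresses, keep service ports (slide 17 keeps
    ports useful for attack detection). Content: drop the payload entirely
    and keep only its length, the 'more serious' exposure on the slide."""
    return {
        "src": anonymize_ip(rec["src"], key),
        "dst": anonymize_ip(rec["dst"], key),
        "sport": rec["sport"],
        "dport": rec["dport"],
        "payload_len": len(rec.get("payload", b"")),
    }


if __name__ == "__main__":
    KEY = b"constructed-example-key"          # assumption: a per-dataset secret
    # constructed sample flow records
    flows = [
        {"src": "10.1.2.3", "dst": "192.0.2.10", "sport": 51000, "dport": 445, "payload": b"\x00" * 40},
        {"src": "10.1.2.200", "dst": "192.0.2.10", "sport": 51001, "dport": 445, "payload": b"\x00" * 40},
        {"src": "10.1.9.3", "dst": "192.0.2.11", "sport": 51002, "dport": 22, "payload": b""},
    ]
    for f in flows:
        print(anonymize_record(f, KEY))
```

The anonymized records still let a collaborating site see that two sources came from the same /24 and hit the same port, which is what collaborative detection needs, while the key holder alone can relate outputs back to real addresses. Note that prefix preservation is also a known weakness: an analyst who knows a few real-to-anonymized pairs can infer others in the same prefixes, so the key and the mapping must be treated as sensitive.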