Bachelor Thesis Project

Evaluation of Low-Interaction Honeypots on the University Network

Author: Austin Pontén
Supervisor: Ola Flygt
Examiner: Dr. Johan Hagelbäck
Semester: VT 2017
Subject: Computer Science

Source: lnu.diva-portal.org/smash/get/diva2:1121560/FULLTEXT01.pdf

Abstract

This project studies the three honeypot solutions Honeyd, Dionaea, and Kippo, evaluating the solutions themselves and observing their implementation in the university campus network. The investigation begins with an understanding of how a honeypot works and why it is useful as an extra security layer, followed by an implementation of the three honeypot solutions and the results that follow after a period of days. After the data has been collected, it shows that the majority of malicious activity surrounded communication services, and an evaluation of the three honeypot solutions showed Honeyd as the best with its scalability and reconfigurability.

Acknowledgements

First, I would like to thank Ola Flygt for being my supervisor and advising me on my thesis in both writing and content. Second, I would like to thank the IT department and especially Marcus Westin for his aid in procuring the resources needed to complete this project, and his insight on certain results. Finally, I'd like to thank Josef Rudberg for reading through my project and correcting it for grammar mistakes, my girlfriend Josie for her encouragement and support, and my family back home who have helped me get to this point and supported me over the past three years.

Contents

List of Figures v

1 Introduction 1
1.1 Background 1
1.2 Previous Research 1
1.3 Problem Formulation 1
1.4 Motivation 2
1.5 Scope/Limitation 2
1.6 Target Group 3
1.7 Outline 3

2 Method 4
2.1 Scientific Approach 4
2.2 Method Description 4
2.3 Reliability and Validity 4
2.4 Ethical considerations 4

3 Background & Theory 5
3.1 Honeypot History 5
3.2 Honeypot Types 5
3.3 Research Honeypot 5
3.4 Production Honeypot 6
3.4.1 Prevention 6
3.4.2 Detection 6
3.4.3 Reaction 7
3.5 Honeypot Interaction Levels 7
3.5.1 High-Interaction Honeypot 7
3.5.2 Medium-Interaction Honeypot 8
3.5.3 Low-Interaction Honeypot 8
3.6 Honeypots and the Law 9
3.7 Entrapment 9
3.8 Invasion of privacy 9
3.8.1 Wiretap Act 9
3.8.2 Pen Register, Trap, and Trace Devices Statute 9
3.8.3 Electronic Communications Privacy Act (ECPA) 10
3.9 Third-party liability 10
3.9.1 Negligence and Downstream Liability 10
3.9.2 Possession of Contraband Material 10
3.9.3 Failure to report crimes 10
3.10 Advantages of a Honeypot 10
3.10.1 Data Value 11
3.10.2 Resources 11
3.10.3 Simplicity 11
3.10.4 Return of Investment 11
3.11 Disadvantages of a Honeypot 12
3.11.1 Narrow Field of View 12
3.11.2 Fingerprinting 12
3.11.3 Risk 13

4 Implementation 14
4.1 Selection of Honeypot Solutions 15
4.2 Honeyd 15
4.2.1 Honeyd Download 16
4.2.2 Honeyd Configuration File 16
4.2.3 Honeyd Log File 17
4.2.4 Honeyd Startup 17
4.3 Kippo 19
4.3.1 Kippo functionality 19
4.3.2 Kippo Download and Setup 19
4.4 Dionaea 19
4.4.1 Dionaea Functionality 19
4.4.2 Dionaea Download and Setup 20

5 Results From Honeypot Data 21
5.1 Honeyd Results 21
5.1.1 TCP connection analysis 22
5.1.2 UDP connection analysis 24
5.1.3 ICMP connection analysis 25
5.1.4 Honeyd connection origin 26
5.2 Kippo Results 28
5.2.1 Kippo Input Results 31
5.2.2 Kippo Geo Input 34
5.3 Dionaea Results 37
5.3.1 Dionaea Connection Analysis 37
5.4 Which Honeypot Solution is the Best? 40
5.4.1 Dionaea Evaluation 40
5.4.2 Kippo Evaluation 40
5.4.3 Honeyd Evaluation 41

6 Discussion 42

7 Conclusion 44

References 45

A Appendix A 47

B Appendix B 52

C Appendix C 54

List of Figures

4.1 Network design for Honeypots 14
4.2 A sample of Linux machine fingerprints from the file nmap.prints 15
4.3 Sample of the configuration for a Windows XP computer 16
5.4 Pie chart displaying the connections made to the honeypots. All 194. addresses are the honeypots (removed for security reasons) 21
5.5 Bar chart displaying the different types of connections made 22
5.6 Pie chart displaying the different types of connections made 22
5.7 Screenshot of AbuseIPDB's analysis of IP address 116.31.116.26 23
5.8 Screenshot of AbuseIPDB's analysis of IP address 59.45.175.30 23
5.9 Pie chart displaying the connections by the destination port 24
5.10 Bar graph displaying the number of UDP connections per unique IP 24
5.11 Pie chart displaying the number of UDP connections per unique IP 25
5.12 Bar graph displaying the number of ICMP connections per unique IP 26
5.13 Pie chart displaying the number of ICMP connections per unique IP 26
5.14 Bar graph displaying the number of connections per unique IP 27
5.15 Pie chart displaying the number of connections per unique IP 27
5.16 Bar graph displaying the number of successful and unsuccessful SSH login attempts 28
5.17 Bar graph displaying the top 10 SSH clients used 28
5.18 Bar graph displaying the most probes received in the time span of one day 29
5.19 Bar graph displaying the most successful logins per day 29
5.20 Bar graph displaying the top 10 username and password combinations 30
5.21 Pie chart displaying the top 10 username and password combinations 30
5.22 Bar graph displaying the top 10 usernames attempted 31
5.23 Pie chart displaying the top 10 passwords attempted 31
5.24 Bar graph displaying the top 10 commands entered into the console 32
5.25 Screenshot of a Kippo TTY log replaying a live attack 32
5.26 Bar graph displaying the top 10 successful commands entered into the console 33
5.27 Bar graph displaying the top 10 unsuccessful commands entered into the console 34
5.28 Bar graph displaying the top 10 connections per unique IP 34
5.29 Pie chart displaying the top 10 connections per unique IP 35
5.30 Bar graph displaying the most successful logins per unique IP 35
5.31 AbuseIPDB's report on the IP address 91.197.235.11 36
5.32 Main Page of DionaeaFR 37
5.33 Attack map displaying connections made from around the world 38
5.34 Pie chart displaying the connections by the destination port 38
5.35 Pie chart displaying the connections by the destination port 39
5.36 Pie chart displaying the connections by the destination port 39

1 Introduction

Around the world, billions of attacks on small, medium, and large networks occur on a daily basis [1]. State-of-the-art firewalls, Intrusion Detection Systems (IDS), and other detection tools attempt to defend networks against these malicious attacks. Over the years, these defense tools have been built on information from past attempts at breaking into a system, successful attempts at breaking into a system, and from stolen data [1]. A honeypot is designed to reduce or eliminate the need for a system breach in order to learn what hackers are using to penetrate the network. A honeypot simply replicates a real network with fake data that a hacker will attempt to steal, thereby revealing how they operate and what their intentions are. Those intentions lead to information that is vital for constructing a better IDS and firewall, and for further encrypting the data that needs to be protected.

1.1 Background

Attackers and blackhat hackers are constantly refining and developing new ways to penetrate and take control of systems around the world. With a honeypot, threats can be eliminated before they become serious by watching the behavior of an intrusion to determine what its mechanisms are, and with this data, further improve security. Honeypots are described as a trap to attract attackers [1] and they (usually) take shape as a virtual system on a network. Mimicking the functionality of a real network, a virtual honeypot network is only a persona set to trap the hacker and gain insight into their methods and intentions. The founder of The Honeynet Project, Lance Spitzner, described a successful honeypot as "an information system resource, whose value lies in unauthorized or illicit use of that resource" [2].

1.2 Previous Research

Similar research has been carried out on other university networks. In several master theses, other students have investigated their university networks using low-interaction honeypots. In these theses they managed to locate and analyze malicious traffic originating from around the globe directed towards their university. Although some of the experiments used different honeypot solutions and methods to develop their data, their research questions were similar. In a master thesis from Chalmers University in 2010, a student proceeded to use several hybrid honeypots to analyze vulnerabilities in the Chalmers University network [3]. This student's blend of high and low-interaction honeypots allowed for the capture of many Secure Shell (SSH) brute-force attempts, malicious HyperText Transfer Protocol (HTTP) activity, illicit file transfers over File Transfer Protocol (FTP), and several other botnet-related attacks. Likewise at Halmstad University, a similar experiment was made where three students observed traffic using low-interaction honeypots [4]. The results from their experiment showed that most of their attacks were made over port 445 using Server Message Block (SMB), which is a vulnerable application-layer network protocol [5]. SMB is primarily used for offering shared access to files, printers, serial ports, and other sorts of communications between nodes on a network [5].

1.3 Problem Formulation

Most networks are expected to be seamless, operational, and growing, without the hindrance of any data breach. With these expectations and the growing threat of external intrusions, a honeypot can be used to discover potential threats. This data can be used by the university's IT department to become aware of incoming attacks and to see not only which kinds of services are the most susceptible to attacks, but possibly also from which Internet Protocol (IP) address, port, and origin they come. The goal of this thesis is to raise the IT department's awareness of current threats, without harming the infrastructure, with the use of a low-interaction honeypot.

1.4 Motivation

Linnaeus University is, like any other large network, conscious of keeping its information safe and secure from outside perpetrators. With the mass of personal information and data that is passed internally and externally, a honeypot could help the university network detect threats before they become serious [6]. Every network has the potential to have a vulnerability, and the university network is not an exception. With an awareness of the potential perpetrator's intentions, the university may better defend its resources.

Research Questions

RQ1 Which services are the most exploited at Linnaeus University?
RQ2 How are honeypots structured and what are the characteristics of a honeypot that attract hackers directed towards Linnaeus University?
RQ3 Where do most attacks on the university network originate?
RQ4 Which honeypot solution is the best and what criteria are used in determining that?

Hypothesis

It is hypothesized that this experiment will result in a large number of intruders originating from botnets and potential blackhat attackers attempting to find a vulnerability in the Linnaeus network. These attempts include trying to capture shared secrets between devices, attempting to infect the network with worms/malware, and possible rootkits.

1.5 Scope/Limitation

The honeypots that were built are specific to the Linnaeus University network. Conclusions drawn from the data cannot similarly be made for an outside network, since the data gathered is directly related to attacks against the university network. Furthermore, there could be many attacks that are not recorded by the honeypots due to the nature of the attack, or due to the fact that the low-interaction nature of the honeypot could make it an unattractive target for hackers. Another limitation is that the use of only a few honeypot solutions might not capture every probe against the university network. There could be other solutions that are more geared towards different vulnerabilities that the chosen honeypots for this experiment could miss and would otherwise change the outcome of the data. Finally, even though the nine IP addresses received from the IT department had no filters or ports blocked on their end, the Swedish University Computer Network (SUNET) automatically places certain firewall restrictions on these IP addresses. The fact that these IP addresses still have some port rules (see Appendix C) attached to them creates a limitation, in that some potentially malicious data packets are blocked from arriving at the honeypots.

1.6 Target Group

The results from this thesis should directly impact the IT department at Linnaeus University, and indirectly impact university networks around the world. Since this implementation is catered towards a university network, any other large and/or related network designs can benefit from these findings. The amount and types of attacks are always beneficial for any network administrator to be aware of, and the results may reveal new information about more refined attacks and threats on the web today.

1.7 Outline

Section 2 goes into detail on how each of the research questions will be answered. Section 3 answers RQ2 with the background of a honeypot and the theory behind it. Section 4 describes how each honeypot solution was set up, with the configuration details. Section 5 answers RQ1, RQ3, and RQ4, displaying the results from the honeypots and an analysis of what the data tells us. Finally, Sections 6 and 7 contain a discussion on the analysis of the data, future research, and concluding remarks about the project.

2 Method

This section goes into detail about how each research question will be answered. It also gives the reasoning for why the experiment is valid and capable of answering the research questions as precisely as possible.

2.1 Scientific Approach

The formal research method used is the mixed-methods approach, and, more specifically, the concurrent triangulation strategy. This methodology fits best with the research because it will confirm, cross-validate or corroborate findings [7] from the data gathered in the honeypot. The research will be carried out by using multiple honeypots to catch attacks made against the university network, and with that data, show the potential vulnerabilities and the services that are the most sought after. The data gathered will be quantitative, meaning that there will be conclusive evidence in the form of numerical data.

2.2 Method Description

First, a study into which open source honeypots work best with the university network will be made, gathered from reading internet articles, blogs, research papers, and consumer reviews. After choosing multiple open source solutions, said solutions will be implemented on the university network to record attacks for a duration of two weeks. From this data, conclusions will be drawn regarding the answers to research questions RQ1, RQ3, and RQ4. Included in the report will be a section dedicated to the theory behind a honeypot, to satisfy the answer to RQ2 and give further insight on how honeypots can help increase network security in general.

2.3 Reliability and Validity

In order to reduce the amount of invalidity as extensively as possible, the experiment has been allotted 2 weeks for data gathering. The more time the honeypot has to gather data, the more reliable the results of the experiment will be. Validity issues could result from not capturing every single attack due to the honeypots' setup or from the blockage of ports by SUNET. Since the experiment only deals with low-interaction honeypots, they will not capture every single attack, but mostly port scans and botnets searching for vulnerabilities. The data, however, is reliable and conclusions can be drawn, since a honeypot's purpose is to collect malicious data. Any connection is recorded and collected to be reviewed and used as empirical proof.

2.4 Ethical considerations

As mentioned later in sections 3.8, 3.9, and 3.10, there can be unethical uses of honeypots, although rare. In this particular experiment, there is no trace of illegality, since the use of these honeypots is purely for research and the low-interaction nature of the honeypots does not allow the perpetrator to cause irreversible effects on the system. It is also important to note that the honeypots are not forcing an attacker to interact with them; they are merely machines emulating certain services that the attacker must choose to interact with. Any malicious behavior found was not caused by anything other than the actions of the attacker.

3 Background & Theory

In order to understand how and why honeypots are useful for testing purposes or for creating a safe environment, this section describes the history and current honeypot practices. This section also describes the process of determining the honeypot solutions in the experiment, and the function they would be serving.

3.1 Honeypot History

With computer viruses and worms taking shape in the 1960s, the first honeypot showed up later, around 1986, written by Clifford Stoll [2]. At this time, the term "honeypot" was not used, but Stoll used an early version of a modern-day honeypot to capture a West German hacker and eventually wrote a book on his experience called The Cuckoo's Egg. The next advancement in honeypots came from the notable firewall expert Bill Cheswick, who wrote a number of fake services, password files, and even scripts to fake service activity in what is now looked to as a modern honeypot [2]. Finally, the first real, palpable honeypot was created by Dr. Fred Cohen in 1997, called the Deception Tool Kit (DTK) [2]. This kit was built with Perl scripts and C executables, reacted to attacks, and faked symptoms of a vulnerable system.

The Honeynet Project was a movement founded by Lance Spitzner in 1999. This project was the starting ground for honeypot research and creation. With the members of The Honeynet Project consisting mostly of information security professionals, they produced several papers and designs on how to build efficient honeypots. The first design and commercial open source project, called the GenI Model, was released in 2001. Since then, honeypot designs and other open source projects have continued to expand outside The Honeynet Project. Today, all kinds of low, medium, and high-interaction honeypots are sold commercially or are created open source.

3.2 Honeypot Types

Honeypots can be allocated into different types based on their purpose and the amount of services provided. Honeypots can be used either in production or to gather research, and, as previously stated, can be either low, medium, or high-interaction in terms of level.

3.3 Research Honeypot

A research honeypot is a tool to gain insight into the blackhat community. In order to stay one step ahead, information security experts need to know where the threat is coming from, how the threat is attempting to steal information, and what services are under attack. Acquiring intelligence is a billion dollar industry that most governments spend on in order to stay on top of issues and potential threats. To defeat a threat, you have to be made aware of it [8].

In this case, a honeypot used primarily for research purposes is the best solution, since it provides an environment that allows the study of the threat. Observing this environment makes it easier to understand the way attackers think, and to see in action what their intentions and methods are. Using this information, security experts can develop new intrusion detection and prevention techniques. Research honeypots should not be a part of the network's main defense and should not add any direct security value to the infrastructure [8]. The environment should be a sandbox, which means that an attacker should not be able to reach actual network resources from the honeypot [9].

The captured information can be directly relevant to improvements in attack prevention, detection, and/or reaction [8] (see sections 3.4.1, 3.4.2 and 3.4.3). If an organization requires their honeypot to detect threats to improve the overall security of their network, then instead of using a research honeypot, whose main purpose is information gathering, they should use a production honeypot that provides direct security features [8].

3.4 Production Honeypot

Production honeypots are used to prevent current and potential attacks [8]. This type of honeypot is used directly alongside an organization's security architecture and aids in the mitigation of internet threats. This type of honeypot is very specific in its emulation and usually lures attackers based on operating systems and services similar to those the organization is using. This allows the organization to have a more specific prevention system based on the data gathered.

A big advantage of using production honeypots is that they can detect and log countless numbers of attacks that the IDS would not be able to handle due to the unique nature of the threat [8]. If the threat is new, then the IDS can be improved by registering the attack and creating the specific parameters in the IDS to prevent future threats of a similar kind. Production honeypots can provide security for an organization in three different ways, as stated earlier: prevention, detection, and reaction.

3.4.1 Prevention

Total and complete prevention is not probable with a honeypot, as a honeypot, in essence, is not designed to keep attackers at bay. In fact, a poorly designed honeypot could allow an experienced blackhat hacker to take control of the system through the services given to them. Prevention is not the main security aspect that a honeypot provides; rather, it is the deterrence or distraction that a honeypot provides that prevents many attacks from entering real systems.

If attackers are spending time, energy, and resources focusing on breaking into the honeypot and extracting data from it, then less time is spent trying to break into the real system. Again, this comes with the risk of them gaining control of the real system, depending on the level of interaction associated with the honeypot, but essentially, the distraction should provide a substantial level of prevention.

Most importantly, since most attacks are automated, coming from botnets and zombie computers, a honeypot can be a scapegoat for these automated attacks instead of them being pointed towards the real system. Then again, since these automated forms of attack are designed to affect everything with an IP stack [8], it might not be the best form of prevention. Overall, honeypots are not the best form of prevention, and should be used more for detection purposes.

3.4.2 Detection

Honeypots are mostly designed for detection. Since it is difficult for many organizations to detect attacks while distracted by the production environment, a honeypot can be used as a detection agent that sits idle until a threat occurs [8]. For example, a system without a honeypot could have a worm in it with or without the IDS detecting it. However, with a strategic placement of a honeypot, it could notify the system administrator that the system has been infected and that the next course of action must be taken. Preferably, worms, viruses, and attacks should stay outside of the firewall, but in the case that something manages to slip through, it would be beneficial for a company to have a sandboxed network that can log exactly what is happening to it, to better understand and take care of the situation.

An IDS is seen as the main guard of a network, and is expected to maintain the security of a network. However, with the increasing number of false positives, it becomes harder to know whether a threat is real or not. If the IDS is constantly alarming the security administrator about a threat that is not real, they could become callous and unsuspectingly allow a threat that could otherwise have been prevented. If these types of misjudged threats are not reduced, the real attacks become more powerful. A honeypot is only successful when it has come into contact with a threat; therefore the number of false positives with regards to a honeypot is extremely low.

Finally, the biggest risk that a honeypot can solve with regards to detection is when a false negative occurs. If an IDS fails to detect the threat and it enters the system uninhibited, the last line of detection could be a honeypot. Since their primary objective is to detect new anomalies, they will log and display the attack for the security administrator to observe and deal with accordingly. It will be simple for the administrator, since the honeypot does not take part in the production environment, but instead can treat every connection as hostile [8]. Essentially, any new connection seen by an internal honeypot can be enough for an administrator to at least verify whether there was in fact a potential threat to the network. To summarize, honeypots should in no way replace an IDS, but instead support it with information and its own alert system.
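The detection role described above, as an added example that is not code from the thesis or from any of the three honeypot projects it evaluates: a minimal low-interaction TCP listener that only completes the handshake and records what it observed, followed by an alerting pass over that log which treats every record as an alert and tags sources from the organisation's own address ranges, the internal-infection case this section singles out. The listener ports, the JSON-lines log layout, the RFC 5737 sample addresses and the `internal_prefixes` parameter are assumptions of this example.

```python
"""Minimal low-interaction TCP listener and an alerting pass over its log.

Added example (not from the thesis or from Honeyd, Kippo or Dionaea).
The ports, the JSON-lines log layout, the sample addresses and the
internal_prefixes parameter are all assumptions of this example.
"""
import json
import socket
import threading
from collections import Counter
from datetime import datetime, timezone

# Ports this listener accepts on; chosen for the example, not from the thesis.
LISTEN_PORTS = (22, 23, 445)
LOG_PATH = "honeypot-connections.jsonl"

# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = """\
{"ts": "2017-04-10T08:01:12+00:00", "src": "203.0.113.7", "sport": 51422, "dport": 22, "first_bytes": "SSH-2.0-libssh"}
{"ts": "2017-04-10T08:01:13+00:00", "src": "203.0.113.7", "sport": 51423, "dport": 22, "first_bytes": "SSH-2.0-libssh"}
{"ts": "2017-04-10T08:05:40+00:00", "src": "198.51.100.23", "sport": 40001, "dport": 445, "first_bytes": ""}
{"ts": "2017-04-10T09:12:00+00:00", "src": "192.0.2.9", "sport": 33000, "dport": 23, "first_bytes": ""}
{"ts": "2017-04-10T09:12:02+00:00", "src": "203.0.113.7", "sport": 51424, "dport": 23, "first_bytes": ""}
"""


def record(src, sport, dport, first_bytes):
    """Build one log record from what a low-interaction listener can observe."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "src": src,
        "sport": sport,
        "dport": dport,
        "first_bytes": first_bytes.decode("ascii", errors="replace").strip(),
    }


def handle(conn, addr, dport, log_path):
    """Read at most 64 bytes, log the connection, close.

    Nothing is emulated beyond completing the TCP handshake, so the
    connecting party gains no foothold on the host."""
    conn.settimeout(3)
    try:
        data = conn.recv(64)
    except OSError:  # socket.timeout is an OSError subclass
        data = b""
    finally:
        conn.close()
    with open(log_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(record(addr[0], addr[1], dport, data)) + "\n")


def serve(port, log_path, bind="0.0.0.0"):
    """Accept connections on one port forever, one thread per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind, port))
    srv.listen(16)
    while True:
        conn, addr = srv.accept()
        threading.Thread(target=handle, args=(conn, addr, port, log_path), daemon=True).start()


def alerts_from_log(text, internal_prefixes=()):
    """Count connections per source and per destination port, and list the
    sources inside the organisation's own address prefixes.

    A honeypot has no legitimate users, so every record counts as an alert;
    an internal source is the strongest signal, because it suggests a host
    on the inside is already compromised."""
    per_source, per_port, internal = Counter(), Counter(), set()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        per_source[rec["src"]] += 1
        per_port[rec["dport"]] += 1
        if any(rec["src"].startswith(p) for p in internal_prefixes):
            internal.add(rec["src"])
    return per_source, per_port, sorted(internal)


def alert_lines(text, internal_prefixes=()):
    """One human-readable alert per source, busiest first, internal ones tagged."""
    per_source, _, internal = alerts_from_log(text, internal_prefixes)
    lines = []
    for src, n in per_source.most_common():
        tag = "INTERNAL " if src in internal else ""
        lines.append(f"{tag}{src}: {n} connection(s) to honeypot ports")
    return lines


if __name__ == "__main__":
    for line in alert_lines(SAMPLE_LOG, internal_prefixes=("192.0.2.",)):
        print(line)
    # The listener starts only when run directly; ports below 1024 need privileges.
    for p in LISTEN_PORTS:
        threading.Thread(target=serve, args=(p, LOG_PATH), daemon=True).start()
    threading.Event().wait()
```

Run directly, the script prints the alerts for the embedded sample and then starts the listener. The listener belongs on an address with no production role, since the whole point is that the "every connection is hostile" assumption holds, and the `internal_prefixes` argument is where the organisation's own ranges go so that an inside source stands out from the routine internet background noise.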

3.4.3 Reaction

If an organization's data servers have been compromised in some way, and the response team needs to identify and isolate the problem, a honeypot could provide a full forensic investigation without compromising the real production servers [8]. In terms of reaction and recovery, this gives honeypots a unique part to offer in a security system. Especially if the servers in question provide services that cannot be stopped immediately, having access to a honeypot could be the only chance of discovering the real problem. Without the honeypot, the recovery process would amount to fixing specific bugs without learning what damage was done, how the attacker gained access, whether the attacker still has access, or whether cleanup was successful [8]. From a honeypot analysis, the response team could determine the entry point of the attack and what the attack did, and from that analysis a fix can be made for the other servers in the system, allowing the organization to recover.

3.5 Honeypot Interaction Levels

Each honeypot solution comes with a different level of interaction. This scale of low, medium, or high interaction determines how much an attacker can interact with the honeypot in terms of services and responses.

3.5.1 High-Interaction Honeypot

A high-interaction honeypot is a real computer system in disguise, running the real services and operating systems of the organization. Since its purpose is to catch threats, it should not be processing real network data, but instead only be running the regular daemons and services that keep it functioning [2]. Every interaction made with the high-interaction honeypot should be logged and monitored, as it could be the result of a threat.

A high-interaction honeypot requires a large amount of maintenance and monitoring, especially if the system becomes compromised. Making a full case study of the situation could take days of work to understand what happened [2]. In addition, since high-interaction honeypots can become fully compromised [2] and interact with the real system, the risk is greater that the attacker gains real access. There is a trade-off: either the attacker is fascinated with the honeypot, all of their interactions and keystrokes are logged, and quality data about their intentions is received, or the attacker uses the fact that they can interact with the real system to gain access and compromises the production network.

3.5.2 Medium-Interaction Honeypot

Medium-interaction honeypots attempt to combine the best of the low- and high-interaction honeypots in the way they handle botnet detection and malware collection, without the associated risk. The biggest advantage of a medium-interaction honeypot lies in its virtual application layer [10]. Since this type of honeypot is not necessarily attempting to pass itself off as an operational system environment, nor emulating all the details of an application protocol, it finds its niche in being attractive enough for an attacker to want to break into the system, without the risk that they could compromise an actual production environment [10].

A medium level of interaction is enough to keep attackers interested, and gives the administrator the power to choose which services need to be emulated to better understand how they can become compromised [10]. Furthermore, this level of interaction is required if, for example, the attacker needs some sort of reaction in order to download malware onto the system. In the case of a low-interaction honeypot there would be no response, and the malware would not be captured for later evaluation. A medium-interaction honeypot, however, has just enough interaction to download the malware and collect data surrounding it, without the risk a high-interaction honeypot carries that the malware could affect the rest of the system.

3.5.3 Low-Interaction Honeypot

Low-interaction honeypots emulate services, network stacks, or other aspects of a real machine [2]. This type of honeypot gives the attacker just enough interaction to make it interesting enough to attempt to steal from or gain access to the system. All the while, the honeypot reports the attacker's actions and logs them for future use. A significant advantage of a low-interaction honeypot is that it requires very little maintenance and setup time. The honeypot can be run in the Demilitarized Zone (DMZ) for days, collecting mostly automated scans, spammers, or worms [2]. In most cases, a real attacker trying to break into the system would realize that they are dealing with a low-interaction honeypot due to its simplicity and lack of response.

The data gathered from a low-interaction honeypot can be used for statistical purposes and to determine different automated attack patterns across the web. Also, as mentioned before (see section 3.4.2), low-interaction honeypots can be used as an alarm in connection with the IDS. If the honeypot becomes infected on the internal network, it is almost guaranteed that an attack has slipped past the IDS, and this situation can be used to trigger an alarm. Since a low-interaction honeypot only emulates services, the risk involved in allowing an attacker onto the honeypot is low (the emulation code itself can still contain bugs, so the host running it should be locked down like any other exposed machine). The environment in which the attackers find themselves is a sandbox, which, as previously mentioned, means that the attacker can abuse the honeypot as much as they want without exposing critical systems or affecting other systems in the process [9].

3.6 Honeypots and the Law

Since the introduction of honeypots in the 1990s, their legality has been debated among security professionals and legal officials. The law becomes involved in three different ways: entrapment, invasion of privacy, and third-party liability [11].

3.7 Entrapment

Entrapment implies that the criminal was enticed by the honeypot to commit a crime they would not otherwise have committed if it were not for the very nature of the honeypot. This defense will not hold if, for example, the defendant was predisposed to commit the crime, or there was any evidence of planning behind the attack [11]. Entrapment is merely a test of whether or not the criminal had the requisite state of mind to perform their actions [11].

3.8 Invasion of privacy

Invasion of privacy concerns the rights a hacker may have, subject to certain exceptions, under three statutes: the Wiretap Act; the Pen Register, Trap, and Trace Devices Statute; and the Electronic Communications Privacy Act (ECPA).

3.8.1 Wiretap Act

Under the Wiretap Act, the courts may determine that a honeypot used to sniff traffic constitutes a violation and view the hacker as merely a bystander [11]. Yet there is an exception within the Wiretap Act, the "computer trespasser" exception, under which the communication can be monitored lawfully [11]. For the monitoring to be lawful, several conditions must be met [11]:

1. The owner or operator of the honeypot authorizes the interception.

2. The law enforcement agent is engaged in a lawful investigation.

3. The law enforcement agent has reasonable grounds to believe that the contents of the hacker's communications will be relevant to that investigation.

4. Such interception does not acquire communications other than those transmitted to or from the hacker (i.e. those of innocent parties). This exception is most relevant when the honeypot has detected illicit activity and there is a wish to turn the situation over to law enforcement to gather evidence for criminal prosecution.

3.8.2 Pen Register, Trap, and Trace Devices Statute

This statute applies to the collection of communicative data captured by filtering data streams for metadata. This non-content data includes the source IP address or telephone number of a user [11]. Collecting it is against the law unless the collection falls under the same exceptions listed in section 3.8.1, which authorize the operator to intercept the non-content information related to the hacker's communications [11].


3.8.3 Electronic Communications Privacy Act (ECPA)

This act grants every subscriber or user of a computer network privacy rights, under the assumption that interception of their traffic is a violation of their privacy. It was decided that any "provider of electronic communication" [11] falls under the ECPA, such as a pager service, booking system, phone service, etc. The logic follows that if a honeypot operator is acting as an electronic communication service, and a hacker is a subscriber or user of this service, then the hacker could sue under the clause that their communications are being monitored and that this is an invasion of their privacy.

3.9 Third-party liability

Third-party liability takes three different forms: negligence and downstream liability, possession of contraband material, and failure to report crimes.

3.9.1 Negligence and Downstream Liability

If a honeypot operator is negligent in their setup of the system, and the hacker uses the honeypot as a stepping stone to gain real access and launch an attack against a third party, the owner of the honeypot is liable to prosecution [11]. This is often called "downstream liability", describing the honeypot owner as allowing the hacker to flow into, and compromise, systems "downstream". Honeypot operators should be especially careful not to misuse their resources, and should create an environment without any chance for the attacker to gain access to the real production system.

3.9.2 Possession of Contraband Material

Possession of contraband material refers to when a honeypot operator is not aware that a hacker has stored illegal files such as child pornography, pirated files, or other illegal documents on their honeypot, and is negligent in deleting these files in a timely manner [11]. Hackers can decide to use a honeypot to store such contraband material in order to keep the liability separate from themselves, hoping that the operator does not regularly observe changes. If the honeypot operator is seen as being in possession of contraband items, they could be held legally responsible, which could result in fines and even jail time [11].

3.9.3 Failure to report crimes

Just like any electronic communication service, a honeypot operator is also required to report if a crime has occurred. Failure to report the crime in a timely manner is punishable by up to three years in prison [11]. It remains to be seen whether a honeypot operator will be convicted of such a crime, yet it is completely within the scope of possibility if the operator is negligent in their reporting obligations or has insufficient monitoring tools [11].

3.10 Advantages of a Honeypot

Given the influx of both open-source and commercial solutions, it is evident that honeypots add a unique and irreplaceable value to the network infrastructure. A few of the advantages they give an organization are data value, resources, simplicity, and return on investment.


3.10.1 Data Value

With millions of logs to filter through, security experts have a difficult time interpreting the messages, alerts, and logs that their machines give them on a daily basis. The advantage of a honeypot lies in its collection of data: it only collects data that is important and needs to be observed [12]. This reduces the strain of sifting through countless logs to determine which ones are more important and should be taken seriously.

Honeypots provide the data that the administrator requires in a quick and easy-to-understand format [12]. With this advantage, the administrator can be informed of any potential threats and respond more quickly. This data could also show attack patterns, new viruses, trends, and other critical information used for statistical purposes or for individual study [2].

3.10.2 Resources

Another problem faced by security mechanisms is the depletion or limitation of resources [12]. This refers to when a security mechanism can no longer function due to the volume of packets it takes in. For example, if a firewall is set to block all connections and eventually its connection table becomes full, it has run out of resources to take in more connections and no longer monitors incoming connections [12]. Even an IDS could start dropping packets if the sensor buffers fill up without enough resources to deal with the situation. This leads to the IDS potentially skipping, and not logging, critical packets that are attacks on the system.

Because honeypots log and monitor less activity compared to an IDS or firewall, they typically do not have problems with resource exhaustion [12]. Honeypots only capture data that is directed at them and do not capture production traffic. Because of this, honeypots have less data to log and monitor, and therefore fewer resources are required. Where an IDS sensor may stop due to resource exhaustion, a honeypot will continue to function [12].

Honeypots themselves require significantly less Random Access Memory (RAM), processor speed, or disk space, depending on their level of interaction [12]. Leftover computers found inside the organization, or even an executive's recently discarded laptop, can be used [12]. A honeypot is not only cost-efficient but also does not require many resources to provide a helpful tool to the organization.

3.10.3 Simplicity

Simplicity is the single biggest advantage of honeypots [12]. A honeypot does not require many difficult algorithms, databases to maintain, or rule bases to misconfigure [12]. The honeypot is simply placed in a strategic location on the network and regularly checked for anomalies, or used as an alert system. Research honeypots can be more complex if the operator wants a higher level of interaction and complicated services. However, all honeypots share the same simple concept: to capture and record any connections made to them. This simplicity makes honeypots more reliable and less likely to be misconfigured, break, or fail [12].

3.10.4 Return of Investment

With IDS and firewalls, it is difficult to really understand the extent of the investment. If an organization has a successful firewall, this means that little to no attacks were launched successfully against the organization, which in turn causes them to question the extent of their investment. Since no major attacks or problems have occurred, the organization might not understand the value of the investment in the firewall and think to cut back financially. Security measures such as encryption, strong authentication, and host-based armoring are victims of their own success [12]. To summarize, if these mechanisms are successful, the company might cut back on the expense of these products due to the very lack of intrusions that the mechanisms provided in the first place.

For this reason, a honeypot's value is obvious from its function. Every time it is attacked, the organization may realize that the threat is indeed present. This can justify not only the use of the honeypot itself but also the investment in other security resources [12]. The honeypot can provide the proof that management needs to keep their security mechanisms in place.

3.11 Disadvantages of a Honeypot

Despite the aforementioned advantages, a honeypot could be seen to have some disadvantages due to a few misconceptions about its functionality and improper setup techniques.

3.11.1 Narrow Field of View

A narrow field of view means that a honeypot is unaware of any activity outside of its own resources [12]. If a network is attacked and the attackers discover a honeypot, they could choose not to direct the attack at the honeypot, and it would be unaware of the surrounding activity. This can be especially damaging if the honeypot is used as some sort of alert system. In that case, it would be detrimental to the organization if the attackers are able to maneuver their attack around the honeypot.

3.11.2 Fingerprinting

Fingerprinting, in both active and passive terms, refers to the capture and identification of a system [13]. Fingerprinting can be the bane of a honeypot if an attacker recognizes certain services from previous honeypots. For example, an attacker may be able to recognize a honeypot by an incorrectly emulated web server returning an incorrect HTML response, or an incorrect SSH server error message. Anything an attacker discovers that is suspicious or abnormal could alert the attacker to the presence of a honeypot and create a fingerprint of the situation. If a honeypot becomes fingerprinted, its use is nullified. Honeypot operators should ensure that there are no stray, incorrect, or unusual services that could raise suspicion for an attacker, especially at higher levels of interaction [12].

One particularly dangerous instance of fingerprinting occurs if the attacker uses the honeypot to their advantage. Having identified a honeypot on the network, an attacker can spoof production systems and attack the honeypot [12]. The alerts from this fake attack will have management confused, and in the confusion the attackers can focus on the real attacks.

Lastly, fingerprinting could be the main source of bad information coming from a honeypot. An attacker could recognize the existence of a research honeypot and proceed to feed it bad information [12]. This information could lead to an incorrect security configuration, which could lead to security issues in the future.


3.11.3 Risk

As mentioned in section 3.5, a honeypot has a certain level of risk attached to its level of interaction. If a honeypot is compromised and controlled by an attacker, they can use the honeypot and its resources to further their attack, either by pushing the attack deeper into the organization the honeypot is attached to, or by turning the honeypot into a piece of a bigger botnet. The general rule is that the simpler the honeypot is, the less risk is associated with it [12]. The trade-off, however, is that the honeypot might not generate data as precise and unique as one with a more complex level of interaction.

Because of these disadvantages, honeypots should not replace security mechanisms like firewalls and IDS [12]. Instead, a honeypot should add to the overall security infrastructure with clear goals and instructions, without overstepping its bounds and creating a security risk.


4 Implementation

In this section, a detailed description of how the honeypots were implemented is presented, specifically with regards to the honeypot itself, its setup, configuration, and data capture. After thorough research into many open source honeypot solutions, three were chosen: Honeyd, Kippo, and Dionaea. In this section, the selection of each solution is explained and the configuration details of each are included. For security reasons, some of the configurations cannot be released. All of the configurations displayed in this report are the same as those used in the actual experiment, excluding the subnet of IP addresses given by the IT department. The figure below is the design of the network, which is explained in detail later in this section.

Figure 4.1: Network design for Honeypots


4.1 Selection of Honeypot Solutions

When searching for a suitable honeypot solution, several criteria influenced the decision: cost, level of interaction, amount of online sources, online reviews, available documentation, reconfigurability, and finally ease of setup. Setup difficulty could not be determined until after the experiment was concluded and so could not be factored into the selection process; the choice of these honeypot solutions was therefore based on the other qualities listed above. Another factor in the decision regarding the level of interaction was that a high-interaction honeypot is not only expensive but could also lead to legal issues. With low-interaction honeypots, it is much easier to control the network environment, which steers clear of any serious issues with the core network and any illegality.

4.2 Honeyd

Honeyd is a small daemon that creates virtual hosts on a network [14]. Each of these hosts can be configured to run most network services and to imitate a range of operating systems. A single Honeyd host can claim up to 65,536 IP addresses [14], and can emulate routing and other functions such as web servers, FTP servers, dynamic port binding, etc. [14]. In order to appear realistic, Honeyd presents itself as a real system when either Xprobe or Nmap (the two most common fingerprinting tools) are used to determine the operating system of the host. In Honeyd, the virtual personality is configured using an Nmap fingerprint found in the nmap.prints database.

Figure 4.2: A sample of Linux machine fingerprints from the file nmap.prints

When this personality is configured, the virtual honeypot reacts to packets using the network stack behavior that the particular fingerprint calls for [15]. The protocol headers of every outgoing packet are changed to reflect the personality being emulated. Nmap's fingerprint database is used to simulate Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) network behavior, and Xprobe is used to simulate Internet Control Message Protocol (ICMP) behavior [15]. The above example is a fingerprint found in the file nmap.prints which specifies the network stack behavior of a Linux machine.

4.2.1 Honeyd Download

Out of the three honeypot solutions, Honeyd was by far the most difficult to set up. There was very little documentation regarding network configuration and the Python and Perl scripts used to run services on the virtual honeypots. Honeyd is easily obtained and installed using sudo apt-get install honeyd, or it can be retrieved from GitHub or from The Honeynet Project. It requires the libraries libevent for event notification, libdnet for packet creation, libpcap for packet sniffing, and optionally libpcre for Perl-compatible regular expressions [16].

4.2.2 Honeyd Configuration File

After the correct dependencies and packages are installed, the next step is to write a Honeyd configuration file; in this experiment the file was located at /etc/honeypot/honeyd.conf. This configuration file holds the details of the virtual honeypots that Honeyd will emulate. There is a syntax to follow when creating a virtual honeypot, or personality as it is called. Unfortunately there is very little documentation on the specifics of the scripts that can be used to emulate certain processes on these virtual honeypots. Presented below is an excerpt for a Windows XP computer from the configuration file; the entire configuration is found in Appendix A.

Figure 4.3: Sample of the configuration for a Windows XP computer

As mentioned, the syntax for creating such personalities is difficult due to the lack of documentation. With the help of several blog posts from the creators of Honeyd and Nova, Honeyd's successor, it became easier to understand how the personalities are configured. The basics are:

1. Both a general name and a personality found in nmap.prints are assigned to the virtual honeypot.

2. The uptime field gives the option to spoof the uptime of a host, i.e. the duration since the system was first booted [4].

3. Setting the default TCP action determines how the virtual honeypot handles incoming TCP traffic. There are three different states that can be assigned to a default action or to a port on a virtual honeypot [17]:

(a) For TCP:

• filtered: ignore packets sent to that port (Honeyd keyword: block).
• open: respond to a SYN with SYN/ACK (Honeyd keyword: open).
• closed: respond to a SYN with RST (Honeyd keyword: reset).

(b) For ICMP:

• open: respond to ICMP messages.
• closed: do not respond to ICMP messages.

4. Set as many ports open, closed, or filtered as needed on the virtual honeypot; ports that are not listed fall back to the default action (closed by default).

5. Lastly, Python and/or Perl based scripts that emulate different functions can be assigned to each port.

(a) Several predefined scripts are found in /usr/share/Honeyd/scripts. There is very little online documentation on the scripts available, but some help can be found in developer manuals, blog posts, and previous examples. Scripts can also be written and added by the user. The more scripts there are, the more likely an attacker is to interact with the honeypot(s) [4].

(b) An example of adding a telnet script on port 23 to a Linux machine in the configuration file:

add LinuxComputer tcp port 23 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
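The statements above can be checked before Honeyd is started. What follows is an added example, not code from the thesis or from the Honeyd project: a small Python parser for the create/set/add/bind statements of a honeyd.conf (Honeyd's own action keywords being open, block, reset and tarpit, which correspond to the open, filtered and closed states listed in step 3), followed by a sanity check that reports templates without a personality, unknown action keywords, and templates that are never bound to an address and so can never be reached. The configuration text inside the block is constructed for the example and the script paths in it are illustrative.

```python
"""Parse and sanity-check a Honeyd configuration excerpt (added example).

Understands the statement forms used in the text:
  create <template>
  set <template> personality "<nmap.prints name>"
  set <template> uptime <seconds>
  set <template> default <tcp|udp|icmp> action <open|block|reset|tarpit>
  add <template> <tcp|udp> port <n> <action | "script command">
  bind <ip> <template>
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Honeyd's action keywords, and how the Nmap port states used in the text
# map onto them (filtered -> block, open -> open, closed -> reset).
HONEYD_ACTIONS = {"open", "block", "reset", "tarpit"}
NMAP_STATE_TO_ACTION = {"filtered": "block", "open": "open", "closed": "reset"}

# Constructed sample configuration; script paths are illustrative.
SAMPLE_CONF = """\
# two templates, only one of them bound to an address
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
set windows uptime 1728650
add windows tcp port 80 "sh /usr/share/honeyd/scripts/win32/web.sh"
add windows tcp port 139 open
bind 192.168.1.11 windows

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action block
add linux tcp port 23 "/usr/share/honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add linux udp port 53 reset
"""


@dataclass
class Template:
    name: str
    personality: Optional[str] = None
    uptime: Optional[int] = None
    defaults: Dict[str, str] = field(default_factory=dict)           # proto -> action
    ports: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (proto, port) -> action or script
    ips: List[str] = field(default_factory=list)


def parse_honeyd_conf(text: str) -> Dict[str, Template]:
    """Return the templates defined in a honeyd.conf, keyed by template name."""
    templates: Dict[str, Template] = {}

    def lookup(name: str, lineno: int) -> Template:
        if name not in templates:
            raise ValueError(f"line {lineno}: template {name!r} used before 'create'")
        return templates[name]

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tok = shlex.split(line)               # keeps a quoted script command as one token
        kw = tok[0]
        if kw == "create":
            templates[tok[1]] = Template(tok[1])
        elif kw == "set":
            t = lookup(tok[1], lineno)
            if tok[2] == "personality":
                t.personality = tok[3]
            elif tok[2] == "uptime":
                t.uptime = int(tok[3])
            elif tok[2] == "default" and tok[4] == "action":
                t.defaults[tok[3]] = tok[5]
            else:
                raise ValueError(f"line {lineno}: unsupported 'set' form: {line}")
        elif kw == "add" and tok[3] == "port":
            lookup(tok[1], lineno).ports[(tok[2], int(tok[4]))] = tok[5]
        elif kw == "bind":
            lookup(tok[2], lineno).ips.append(tok[1])
        else:
            raise ValueError(f"line {lineno}: unsupported statement: {line}")
    return templates


def check_templates(templates: Dict[str, Template]) -> List[str]:
    """Report configuration problems Honeyd itself would not necessarily refuse."""
    problems = []
    for t in templates.values():
        if t.personality is None:
            problems.append(f"{t.name}: no personality, fingerprinting tools see the host's own stack")
        for proto, action in t.defaults.items():
            if action not in HONEYD_ACTIONS:
                problems.append(f"{t.name}: unknown default {proto} action {action!r}")
        for (proto, port), target in t.ports.items():
            # a bare word must be an action keyword; anything containing a path
            # or an interpreter is treated as a service script
            if " " not in target and "/" not in target and target not in HONEYD_ACTIONS:
                problems.append(f"{t.name}: unknown action {target!r} on {proto}/{port}")
        if not t.ips:
            problems.append(f"{t.name}: no bind statement, template is never reachable")
    return problems


if __name__ == "__main__":
    parsed = parse_honeyd_conf(SAMPLE_CONF)
    for tmpl in parsed.values():
        print(tmpl.name, tmpl.personality, tmpl.defaults, sorted(tmpl.ports), tmpl.ips)
    for problem in check_templates(parsed):
        print("WARNING:", problem)
```

Run against the real configuration file instead of the embedded sample, the check is most useful for the "never reachable" case: a template that is carefully built but never bound to one of the addresses farpd answers for will silently collect nothing.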

4.2.3 Honeyd Log File

The next part of the process is to create a log file that will record all interactions with thevirtual honeypots. This process is as follows:

1. First, an empty file is created, which in this experiment was called /etc/log/honeyd.log.

2. Next, the file permissions are changed with sudo chmod 766 /etc/log/honeyd.log, so that the file can be read, written, and executed by the owner, and read and written by the group and others. Note that this makes the log world-writable, so any local user could alter the evidence; a tighter alternative is to make the file owned by the user and group that Honeyd drops privileges to (see the -u and -g flags in section 4.2.4) and use mode 640.

3. Finally, the Honeyd2mysql script needs to be pointed to the correct log file path, in this case /etc/log/honeyd.log. This step is done in preparation for transferring the log data from Honeyd into Honeyd-Viz.
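What Honeyd2mysql does with that file can be seen in miniature below. This is an added example, not code from the thesis or from Honeyd2mysql: it parses honeyd.log records into Python objects and summarises them, counting new connections per destination port, listing which ports each source reached, and, because a honeypot has no legitimate clients (section 3.4.2), listing every address that contacted it at all. The record layout (timestamp, protocol, S/E/- flag, addresses, ports, optional passive OS fingerprint in brackets) is taken from Honeyd's -l log format as the author of this example understands it, so verify it against the first lines of your own honeyd.log; the log lines in the block are constructed.

```python
"""Parse Honeyd's connection log (honeyd.log) and summarise it (added example).

Record layout as written by honeyd -l, assumed from Honeyd's log format:
  <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>[: <extra>] [<os fingerprint>]
  S = connection start, E = connection end, - = packet not part of a connection
ICMP records carry no ports:
  <timestamp> icmp(1) - <src> <dst>: <type>(<code>): <len>
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log; attacker addresses are from documentation ranges.
SAMPLE_LOG = """\
2017-04-10-09:12:03.117 tcp(6) S 203.0.113.7 54122 192.168.1.11 23 [Linux 2.6]
2017-04-10-09:12:09.402 tcp(6) E 203.0.113.7 54122 192.168.1.11 23: 61 0
2017-04-10-09:13:44.001 udp(17) S 198.51.100.9 40001 192.168.1.12 53
2017-04-10-09:15:00.250 icmp(1) - 198.51.100.9 192.168.1.13: 8(0): 84
2017-04-10-09:16:21.777 tcp(6) S 203.0.113.7 54200 192.168.1.11 445 [Windows XP SP1]
2017-04-10-09:16:21.900 tcp(6) - 203.0.113.7 54201 192.168.1.11 445: 60 S [Windows XP SP1]
"""


@dataclass
class Record:
    ts: str
    proto: str
    flag: str                 # S, E or -
    src: str
    sport: Optional[int]
    dst: str
    dport: Optional[int]
    extra: str                # byte counters / packet info after the colon, if any
    fingerprint: Optional[str]


def parse_record(line: str) -> Record:
    """Parse one honeyd.log line; raises ValueError on anything unexpected."""
    fingerprint = None
    if line.endswith("]") and "[" in line:
        line, fp = line.rsplit("[", 1)      # trailing "[OS name]" is the passive fingerprint
        fingerprint = fp[:-1].strip()
    head, _, extra = line.partition(": ")   # "dport: extra" only on E and - records
    tok = head.split()
    if len(tok) < 5 or "(" not in tok[1]:
        raise ValueError(f"unrecognised honeyd.log line: {line!r}")
    ts, proto, flag = tok[0], tok[1].split("(", 1)[0], tok[2]
    if proto == "icmp":
        src, dst = tok[3], tok[4].rstrip(":")
        sport = dport = None
    else:
        src, sport, dst, dport = tok[3], int(tok[4]), tok[5], int(tok[6].rstrip(":"))
    return Record(ts, proto, flag, src, sport, dst, dport, extra.strip(), fingerprint)


def parse_honeyd_log(text: str) -> List[Record]:
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def connection_starts(records: List[Record]) -> Dict[Tuple[str, int], int]:
    """Count new connections (flag S) per (protocol, destination port)."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for r in records:
        if r.flag == "S" and r.dport is not None:
            counts[(r.proto, r.dport)] += 1
    return dict(counts)


def ports_per_source(records: List[Record]) -> Dict[str, Set[int]]:
    """Which destination ports each source address opened connections to."""
    seen: Dict[str, Set[int]] = defaultdict(set)
    for r in records:
        if r.flag == "S" and r.dport is not None:
            seen[r.src].add(r.dport)
    return dict(seen)


def sources_touching(records: List[Record], honeypot_ips: Set[str]) -> List[str]:
    """Every address that sent anything at all to the given honeypot IPs.

    A honeypot has no legitimate clients, so each entry is worth a look
    (section 3.4.2). Sorted and de-duplicated.
    """
    return sorted({r.src for r in records if r.dst in honeypot_ips})


if __name__ == "__main__":
    recs = parse_honeyd_log(SAMPLE_LOG)
    print("connection starts by port:", connection_starts(recs))
    print("ports per source:", ports_per_source(recs))
    print("contacted honeypots:", sources_touching(recs, {"192.168.1.11", "192.168.1.12", "192.168.1.13"}))
```

For a live deployment, tail the file and feed each line to parse_record; the ValueError branch is deliberate, since an unparseable line more likely means the log format differs from the assumption above than that Honeyd wrote garbage.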

4.2.4 Honeyd Startup

After the configuration file is written and the log file is created, Honeyd can be started with a series of commands, the first of which disables IP forwarding on the Honeyd host. This is necessary because otherwise the IP packets Honeyd receives for the virtual honeypots are forwarded to other computers in the network [3]. The command used to disable IP forwarding (run as root) is: echo 0 > /proc/sys/net/ipv4/ip_forward. Next, the Honeyd host needs to be configured so that Address Resolution Protocol (ARP) requests from the router for the IP addresses of the virtual honeypots are answered. For this, a tool called farpd, otherwise known as "Proxy-ARP", is used to spoof the ARP replies. Farpd, created by Niels Provos (the creator of Honeyd), listens on the host interface and responds with the host's own Media Access Control (MAC) address to a request from the router for the IP of a virtual honeypot. This allows the Honeyd host to take responsibility for getting traffic from the internet to the virtual honeypots and back. Without this, either the router needs specific routes to the virtual honeypots in its routing table, or the virtual honeypots will be unable to interact with the internet. The command used to activate this is:

farpd -i (physical network interface) (IP range of the virtual honeypots)

The address argument is the range farpd answers ARP requests for; it should be the same range that is later handed to Honeyd. Once IP forwarding is turned off and farpd is running, Honeyd is ready to be started. The command used to start Honeyd is:

sudo honeyd -d -f /etc/honeypot/honeyd.conf \
    -l /var/log/honeypot/honeyd.log \
    -p /etc/honeypot/nmap.prints \
    -a /etc/honeypot/nmap.assoc \
    -0 /etc/honeypot/pf.os \
    -x /etc/honeypot/xprobe2.conf \
    -u 1000 -g 1000 -i eth0 192.168.1.11-19

• -d flag denotes that Honeyd runs in the foreground and not in daemon mode, so that the debug messages are shown on the terminal.

• -f flag tells Honeyd the path to the configuration file that holds the personalities Honeyd should launch.

• -l flag tells Honeyd the log file to which connections are written; it must point at the file prepared in section 4.2.3.

• -p flag gives Honeyd the path to the Nmap signature database that Honeyd uses to emulate different operating systems at the network stack level [4].

• -a flag reads the file that associates Nmap-style fingerprints with Xprobe-style fingerprints [18].

• -0 flag reads the database for passive fingerprinting and allows for dynamic templates [18].

• -x flag reads Xprobe-style fingerprints. The content of this file determines how Honeyd reacts to ICMP fingerprinting tools [18].

• -u and -g flags set the user and group ID the process drops to after startup. 1000 just happens to be the point where human user IDs start in Ubuntu [19].

• -i flag specifies the network interface Honeyd listens on. The trailing argument (192.168.1.11-19) is the address range Honeyd claims for its virtual honeypots; it must match the range farpd answers ARP requests for.

If the configuration file’s syntax is correct, then Honeyd will start in debug mode andbe listening promiscuously on the network interface.


4.3 Kippo

Kippo is a medium-interaction honeypot that emulates an SSH service. SSH is used to connect a user securely to a device in order to control it and change files on the system [20].

4.3.1 Kippo functionality

All activity from attempted SSH connections to the honeypot is recorded in the Kippo log. Listening on port 22, Kippo records the user names and passwords tried, the origin IP address, and the input if the attacker successfully logs into the honeypot. In order to receive as many intrusions as possible, it is best to keep the user name and password combination as easy to crack as possible. If an attacker gets inside the Kippo honeypot, they find a series of fake files that can be traversed, deleted, added to, and manipulated in any way [20]. Since this is not connected to any real system, nothing can be compromised by downloads or file deletion.

4.3.2 Kippo Download and Setup

Kippo is available on GitHub. The installation is an "all-in-one" package and requires very little configuration. Kippo has options to change which port the honeypot listens on, the fake file system, the password file, the hostname, and even to add new commands [20]. Lastly, Kippo lets the user decide which user name and password combinations are permitted access inside the honeypot. It is better to choose a combination that is easily cracked by an attacker's brute-force attempts; simple login credentials give the operator a better chance to discover what the attackers are trying to do inside the network. For this particular experiment, the initial configuration was left unaltered, which left the Kippo honeypot with the user name "root" and password "123456". Once all the settings are configured, Kippo is started with ./kippo.sh and the honeypot logs all connections, depending on the file structure, in /kippo/log/kippo.log. These logs can later be converted into a readable format and loaded into Kippo-Graph.
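The credential choice above can be checked against what attackers actually try. The following is an added example, not code from the thesis or from Kippo or Kippo-Graph: it parses Kippo's password file (one username:uid:password entry per line) and the login attempt lines Kippo writes to kippo.log, then reports the most-tried passwords, the successful logins per source address, and whether the allowed credentials were reached at all. The log line layout is taken from Kippo's ssh-userauth messages as the author of this example recalls them, so verify it against your own kippo.log; the password file and log content in the block are constructed.

```python
"""Summarise login attempts against a Kippo SSH honeypot (added example).

Input formats (assumed from Kippo's files; check against your installation):
  userdb.txt   root:0:123456
  kippo.log    2017-04-10 09:12:03+0200 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/toor] failed
"""
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample data; attacker addresses are from documentation ranges.
SAMPLE_USERDB = """\
root:0:123456
"""

SAMPLE_LOG = """\
2017-04-10 09:12:03+0200 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/toor] failed
2017-04-10 09:12:04+0200 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/admin] failed
2017-04-10 09:12:05+0200 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.7] login attempt [root/123456] succeeded
2017-04-10 09:12:05+0200 [HoneyPotTransport,3,203.0.113.7] connection lost
2017-04-10 09:30:41+0200 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [admin/admin] failed
2017-04-10 09:30:42+0200 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [pi/raspberry] failed
2017-04-10 09:30:43+0200 [SSHService ssh-userauth on HoneyPotTransport,4,198.51.100.9] login attempt [root/toor] failed
"""

# One login attempt line: timestamp, session number, client IP, user/password, outcome.
ATTEMPT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,"
    r"(?P<session>\d+),(?P<ip>[^\]]+)\] login attempt "
    r"\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$"
)


class Attempt(NamedTuple):
    ts: str
    session: int
    ip: str
    user: str
    password: str
    succeeded: bool


def parse_userdb(text: str) -> Set[Tuple[str, str]]:
    """Return the (username, password) pairs Kippo will accept."""
    allowed = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _uid, password = line.split(":", 2)
        allowed.add((user, password))
    return allowed


def parse_attempts(text: str) -> List[Attempt]:
    """Extract login attempts; other Kippo log lines are ignored."""
    out = []
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            out.append(Attempt(m["ts"], int(m["session"]), m["ip"],
                               m["user"], m["password"], m["result"] == "succeeded"))
    return out


def top_passwords(attempts: List[Attempt], n: int = 3) -> List[Tuple[str, int]]:
    """Most frequently tried passwords, useful for picking an easily hit credential."""
    return Counter(a.password for a in attempts).most_common(n)


def successes_by_ip(attempts: List[Attempt]) -> Dict[str, List[Tuple[str, str]]]:
    """Successful (user, password) pairs per source address."""
    out: Dict[str, List[Tuple[str, str]]] = {}
    for a in attempts:
        if a.succeeded:
            out.setdefault(a.ip, []).append((a.user, a.password))
    return out


def audit(allowed: Set[Tuple[str, str]], attempts: List[Attempt]) -> List[str]:
    """Flag successes not explained by the password file (the accept logic is
    then not what the operator thinks) and allowed pairs nobody has tried yet
    (after a few days this means the chosen credentials are too hard)."""
    notes = []
    for a in attempts:
        if a.succeeded and (a.user, a.password) not in allowed:
            notes.append(f"{a.ip}: succeeded with {a.user}/{a.password} not in userdb")
    tried = {(a.user, a.password) for a in attempts}
    for user, pw in sorted(allowed - tried):
        notes.append(f"allowed credential {user}/{pw} never attempted")
    return notes


if __name__ == "__main__":
    allowed = parse_userdb(SAMPLE_USERDB)
    attempts = parse_attempts(SAMPLE_LOG)
    print("top passwords:", top_passwords(attempts))
    print("successful logins:", successes_by_ip(attempts))
    for note in audit(allowed, attempts):
        print("NOTE:", note)
```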

4.4 Dionaea

Dionaea, otherwise known as "the Nepenthes successor", is a malware capturing honeypot developed in 2009 as a part of The Honeynet Project [21].

4.4.1 Dionaea Functionality

Dionaea’s aim is to advertise vulnerable services in order to be targeted by malware, which is then downloaded and stored for inspection. Dionaea has a modular architecture, using Python scripts to emulate the different protocols that are advertised to attackers [21]. Dionaea improved on Nepenthes in terms of shellcode detection and in supporting protocols such as Internet Protocol Version 6 (IPv6) and Transport Layer Security (TLS). Because Dionaea deals with potentially dangerous malware, the environment is kept as a sandbox and runs with no administrative privileges [21]. Dionaea traps malware using services such as:

• Server Message Block (SMB) – Used as a popular target for worms, SMB is one of the main protocols offered by Dionaea [21].


• HyperText Transfer Protocol (HTTP) – As well as supporting traffic on port 80, Dionaea generates a self-signed SSL certificate upon startup to include HTTPS [21].

• File Transfer Protocol (FTP) – Dionaea supports all activities involving FTP, including the downloading and uploading of files plus the creation of directories [21].

• Trivial File Transfer Protocol (TFTP) – Dionaea can serve files over port 60 on a provided TFTP server [21].

• Microsoft SQL Server (MSSQL) – Using the Tabular Data Stream protocol, Dionaea listens on port 1433, allows clients to log in, and decodes the queries made on the database [21].

• Voice over IP (VoIP) – Dionaea is able to register and log all SIP (Session Initiation Protocol) messages, and react accordingly [21].

4.4.2 Dionaea Download and Setup

Dionaea can be downloaded directly from Github, where the dependencies are also found. Dionaea is similar to Kippo in that, after the correct packages are installed, it is easy to deploy after a few changes to the configuration file. If desired, the directory of the log file can be changed, and even a cap on how many entries may be written. Additionally, the path to which the malware is downloaded can be changed, as well as a path for submitting samples to a third-party analysis service directly from the honeypot. Lastly, the IPv4 or IPv6 range that Dionaea will listen on can be configured; by default Dionaea listens to all traffic. After the configuration file is set correctly, Dionaea is started by executing the script ./runDionaea.sh. Logs from Dionaea can be stored in an SQL database and later visualized with DionaeaFR.


5 Results From Honeypot Data

In this chapter, the results of each honeypot will be shown. Please note that some of the data must be hidden for security reasons, but conclusions can be drawn nevertheless. This chapter will also answer the research questions posed at the beginning of this paper, and many references will be made back to these questions in the analysis of the honeypot data:

• Which services are the most exploited at Linnaeus University?

• What are the characteristics of a honeypot that attract hackers directed towards Linnaeus University?

• Where do most attacks on the university network originate?

The following is a graph of how many connections each honeypot received. The IP addresses are removed for security reasons.

Figure 5.4: Pie chart displaying the connections made to the honeypots. All 194. addresses are the honeypots (removed for security reasons)

Each virtual honeypot received almost the same number of connections, which confirms that they are individually working and are interacting with traffic across the web.

5.1 Honeyd Results

After 3 days of capturing, there were over 1.7 million connections on the virtual honeypots generated by Honeyd. Once these connections were logged, they were converted into an SQL database using Honeyd2MySQL, and then visualized through an open source project called Honeyd-Viz. The following is one of the graphs generated by Honeyd-Viz and it displays the amount of connections received and the transmission protocol type:


Figure 5.5: Bar chart displaying the different types of connections made

Displayed in the graph is an influx of TCP connections. Since more TCP ports were left open in the Honeyd virtual honeypot configurations, it makes sense that the most commonly probed ports are over TCP. There are a few ICMP connections as well as a few GRE tunneled connections. However, since ICMP and GRE do not have much to do with the connections themselves, more focus will be put on the TCP and UDP connections.

5.1.1 TCP connection analysis

A deeper look into the TCP connections shows exactly what the attackers are looking for in the honeypots and, more specifically, in the university network. In the following graphs, the top ten IP addresses associated with a TCP connection are displayed:

Figure 5.6: Pie chart displaying the different types of connections made

From the following data, IP addresses 59.45.175.30 and 116.31.116.26 were the most active with the honeypots using TCP as a connection. An investigation into these IP addresses brings the following results from a project called AbuseIPDB, which is sponsored by DigitalOcean. Their goal is to help make the web safer by providing a central repository for webmasters, system administrators, and other interested parties to report and identify IP addresses that have been associated with malicious activity online [22].

Figure 5.7: Screenshot of AbuseIPDB’s analysis of IP address 116.31.116.26

Both IP addresses correspond with malicious activity and both were reported with multiple accounts of brute-force attempts on different connection protocols, DDoS, port scans, and SSH abuse. With over 570 reports from webmasters and system administrators combined, and holding the most connections on the honeypots, these two IP addresses are therefore most likely the contributors to most of the malicious TCP activity.

Figure 5.8: Screenshot of AbuseIPDB’s analysis of IP address 59.45.175.30


To understand which resources are the most probed from these IP addresses and the other million connections, the following graph is used to cross-reference the amount of TCP connections with the number of connections per port. This helps determine what sort of services were the most targeted on the university network.

Figure 5.9: Pie chart displaying the connections by the destination port

The conclusion drawn from the TCP connections made to the honeypots on the university network is that ports 22, 23, and even 2323 are the most susceptible to brute-force connection attempts and malicious SSH abuse. These connection attempts, as shown in the data from AbuseIPDB, originated from China.
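As an added illustration of the per-protocol and per-port cross-reference described above (not code from the thesis, from Honeyd or from Honeyd-Viz), the following Python script tallies Honeyd connection records. It assumes honeyd.log's layout of timestamp, protocol, S/E/- flag, source IP, source port, destination IP and destination port; the sample lines are constructed, with the sensor addresses replaced by the 192.0.2.0/24 documentation range.

```python
import re
from collections import Counter

# Constructed sample lines in the style of Honeyd's honeyd.log (not captures from
# the thesis). Assumed layout: timestamp, proto(number), flag (S = connection
# start, E = connection end, - = stateless), src IP, src port, dst IP, dst port.
# 'E' records carry byte counts after a colon; ICMP records carry type(code) and
# length instead of ports. Sensor addresses use the 192.0.2.0/24 documentation range.
SAMPLE_LOG = """\
2017-05-02-09:12:01.0412 tcp(6) S 59.45.175.30 41022 192.0.2.10 22 [Linux 2.6]
2017-05-02-09:12:01.9921 tcp(6) E 59.45.175.30 41022 192.0.2.10 22: 112 0
2017-05-02-09:12:03.1180 tcp(6) S 59.45.175.30 41030 192.0.2.10 23
2017-05-02-09:12:05.4400 tcp(6) S 116.31.116.26 55012 192.0.2.11 2323
2017-05-02-09:12:06.0001 tcp(6) S 116.31.116.26 55013 192.0.2.11 22
2017-05-02-09:12:06.0002 tcp(6) E 116.31.116.26 55013 192.0.2.11 22: 0 0
2017-05-02-09:12:08.2000 udp(17) S 8.8.8.8 5353 192.0.2.10 5353
2017-05-02-09:12:09.3000 icmp(1) - 221.183.16.231 192.0.2.11: 8(0): 56
"""

RECORD_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<proto>tcp|udp|icmp)\(\d+\)\s+(?P<flag>[SE-])\s+(?P<rest>.*)$')


def parse_records(text):
    """Turn honeyd.log lines into dicts; unknown lines are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        # Strip the colon that precedes byte counts / ICMP details.
        fields = [f.rstrip(':') for f in m.group('rest').split()]
        rec = {'ts': m.group('ts'), 'proto': m.group('proto'), 'flag': m.group('flag')}
        if rec['proto'] == 'icmp':
            rec.update(src=fields[0], dst=fields[1], sport=None, dport=None)
        else:
            rec.update(src=fields[0], sport=int(fields[1]),
                       dst=fields[2], dport=int(fields[3]))
        records.append(rec)
    return records


def summarize(records):
    """Count connections per protocol, per TCP destination port and per source.

    Only start ('S') and stateless ('-') records are counted so that a TCP or UDP
    connection is not counted twice because of its matching 'E' record.
    """
    starts = [r for r in records if r['flag'] != 'E']
    return {
        'by_proto': Counter(r['proto'] for r in starts),
        'tcp_ports': Counter(r['dport'] for r in starts if r['proto'] == 'tcp'),
        'by_src': Counter(r['src'] for r in starts),
    }


def most_probed_ports(records, n=3):
    """Destination ports with the most TCP connection starts, as (port, count)."""
    return summarize(records)['tcp_ports'].most_common(n)


def service_share(summary, ports):
    """Fraction of TCP connection starts that targeted the given set of ports."""
    total = sum(summary['tcp_ports'].values())
    if total == 0:
        return 0.0
    hits = sum(c for p, c in summary['tcp_ports'].items() if p in ports)
    return hits / total


if __name__ == '__main__':
    s = summarize(parse_records(SAMPLE_LOG))
    print('by protocol:', dict(s['by_proto']))
    print('top TCP ports:', most_probed_ports(parse_records(SAMPLE_LOG)))
    print('share on 22/23/2323:', service_share(s, {22, 23, 2323}))
```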

5.1.2 UDP connection analysis

As observed in figure 5.5, the number of UDP connections is significantly smaller than TCP. Still, there were over 18,000 connections originating from the following IP addresses:

Figure 5.10: Bar graph displaying the number of UDP connections per unique IP


Figure 5.11: Pie chart displaying the number of UDP connections per unique IP

The top two addresses connecting to the honeypots are Google's Domain Name Server (DNS) addresses. Unusual as it is, the conclusion drawn from this data might be insignificant, but it shows that these connections are Multicast Domain Name System (MDNS) queries sent from DNS servers to detect a single host’s IP addresses in the absence of a central DNS [4]. This data may not show perpetrators on the virtual honeypots, but it does prove that Google’s DNS treats the virtual honeypots like real hosts, sending them those queries for host identification. The other IP addresses that connected through UDP and are not DNS servers are therefore subject to more investigation. Unfortunately, since the top ten connections were using TCP, we cannot know for sure what sort of activity was happening over UDP (see Figure 5.9). Also, since such a small amount of UDP traffic was captured compared to TCP traffic, no conclusion can be drawn as to whether or not any malicious activity is happening using UDP.

5.1.3 ICMP connection analysis

ICMP is used to report errors between network devices. Any machine that operates on at least layer 4 in the TCP/IP stack has the ability to send and receive ICMP messages [23]. ICMP is used to detect and prevent problems associated with IP packet delivery, such as indicating whether a gateway or website is up or down. It is important to note that ICMP can be used to execute a Denial-of-Service (DoS) attack, which is a reason to check the honeypot for a sudden influx of pings.


Figure 5.12: Bar graph displaying the number of ICMP connections per unique IP

Figure 5.13: Pie chart displaying the number of ICMP connections per unique IP

Again, the top two origin IP addresses were found in AbuseIPDB’s database involving malicious activity, with the top IP (221.183.16.231) being reported for hacking by 50+ webmasters and/or system administrators. Although nothing can be achieved through 2000 pings over several days, it still goes to show that the honeypots can aid in the detection of malicious networks through the use of ICMP.

5.1.4 Honeyd connection origin

As shown in figure 5.5, Honeyd received over 1.7 million total connections from all around the world. In answering research question number three, i.e. where do most connections originate, we can observe the following graph of the most common connections by IP address:


Figure 5.14: Bar graph displaying the number of connections per unique IP

Figure 5.15: Pie chart displaying the number of connections per unique IP

Out of the 1.7 million connections, about half (807,591) of them are from The People’s Republic of China. Furthermore, of the top ten IP addresses by number of connections, half are blacklisted in several databases that contain IP addresses of malicious servers. The results from this data can be found in Appendix B, and the conclusion can be drawn that most connections and attacks against the university network originate from China.


5.2 Kippo Results

Kippo gathered over 40,000 connections in about two weeks. Each time an attacker attempted to log into the honeypot using SSH, Kippo recorded all the interactions from this connection and directly uploaded this data to Kippo-Graph, where the data was visualized. The following graphs represent each connection’s attempt to gain access to the honeypot through SSH and also which SSH client was used the most:

Figure 5.16: Bar graph displaying the number of successful and unsuccessful SSH login attempts

Figure 5.17: Bar graph displaying the top 10 SSH clients used

Only a small number of connections were successful, regardless of the relatively simple login credentials. It is also not surprising to see PuTTY listed as the top client, due to its popularity and ease of use. These probes continuously attacked the system, ranging from 500 connections in one day to over 8000 connection attempts in one day, as shown in the following graph:


Figure 5.18: Bar graph displaying the most probes received in the time span of one day

Since the success rate was quite low, not every connection attempt was granted access. The following graph details how many successful connections were made each day:

Figure 5.19: Bar graph displaying the most successful logins per day

As expressed in the data, the successful logins were very few, yet still present every day on the Kippo honeypot. For every login attempt, a probe tries to establish an SSH connection by trying to log in with a certain user name and password combination. The following graphs show the different results concerning the most common combinations:


Figure 5.20: Bar graph displaying the top 10 username and password combinations

Figure 5.21: Pie chart displaying the top 10 username and password combinations

The attackers used similar user name and password combinations in attempts to enter the system. Both "root" and "admin" are keywords used to try and gain a higher privilege inside the system. The guessed passwords most likely come from a dictionary attack based on default passwords, common phrases, and eventually random characters until the system is broken into. Fortunately for the attackers, the user name and password combination was easy enough to guess. Unfortunately for the attackers, the system was a honeypot that was recording their every move. The following graphs show which user names and passwords are the most used in brute-forcing SSH:


Figure 5.22: Bar graph displaying the top 10 usernames attempted

Figure 5.23: Pie chart displaying the top 10 passwords attempted

This data can be used to show which user names and passwords should absolutely not be used when setting up a machine with SSH. This data also shows that one of the characteristics of a honeypot that directs attackers towards the university network is an open and easily crackable SSH service. This leads to the next section, explaining what these attackers attempted to do once inside the Kippo honeypot and what commands were executed inside it.
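As an added example, not part of the thesis or of Kippo-Graph, the following Python script performs the kind of credential analysis discussed in sections 4.3.1 and 5.2 over Kippo log lines: attempts and successes per source IP, the most tried user names, passwords and combinations, and the pairs that actually granted access. The log layout and the sample lines are constructed in the style of kippo.log and are assumptions, not captures from the experiment.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Kippo's kippo.log (not captures from
# the thesis). Assumed layout: timestamp, "[SSHService ssh-userauth on
# HoneyPotTransport,<session-id>,<source-ip>]", then
# "login attempt [<user>/<password>] succeeded|failed". The honeypot is assumed
# to accept the thesis's default credentials root/123456.
SAMPLE_LOG = """\
2017-04-20 10:15:02+0200 [SSHService ssh-userauth on HoneyPotTransport,17,116.31.116.26] login attempt [root/123456] succeeded
2017-04-20 10:15:09+0200 [SSHService ssh-userauth on HoneyPotTransport,18,116.31.116.26] login attempt [root/admin] failed
2017-04-20 10:15:11+0200 [SSHService ssh-userauth on HoneyPotTransport,19,116.31.116.26] login attempt [admin/admin] failed
2017-04-20 10:16:40+0200 [SSHService ssh-userauth on HoneyPotTransport,20,91.197.235.11] login attempt [root/123456] succeeded
2017-04-20 10:16:41+0200 [SSHService ssh-userauth on HoneyPotTransport,21,91.197.235.11] login attempt [root/123456] succeeded
2017-04-20 10:17:03+0200 [SSHService ssh-userauth on HoneyPotTransport,22,59.45.175.30] login attempt [root/password] failed
2017-04-20 10:17:05+0200 [SSHService ssh-userauth on HoneyPotTransport,23,59.45.175.30] login attempt [admin/1234] failed
2017-04-20 10:17:06+0200 [HoneyPotTransport,23,59.45.175.30] connection lost
"""

# Passwords containing ']' are not handled by this pattern (simplifying assumption).
ATTEMPT_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[SSHService ssh-userauth on HoneyPotTransport,'
    r'(?P<session>\d+),(?P<ip>[\d.]+)\] login attempt '
    r'\[(?P<user>[^/\]]*)/(?P<password>[^\]]*)\] (?P<result>succeeded|failed)$')


def parse_attempts(text):
    """Extract login attempts; lines that are not auth events are ignored."""
    attempts = []
    for line in text.splitlines():
        m = ATTEMPT_RE.match(line)
        if m:
            d = m.groupdict()
            d['success'] = d.pop('result') == 'succeeded'
            attempts.append(d)
    return attempts


def summarize(attempts):
    """Per-source attempt/success counts plus user, password and pair frequencies."""
    per_ip = defaultdict(lambda: {'attempts': 0, 'successes': 0})
    pairs, users, passwords = Counter(), Counter(), Counter()
    for a in attempts:
        stats = per_ip[a['ip']]
        stats['attempts'] += 1
        stats['successes'] += int(a['success'])
        pairs[(a['user'], a['password'])] += 1
        users[a['user']] += 1
        passwords[a['password']] += 1
    return {'per_ip': dict(per_ip), 'pairs': pairs,
            'users': users, 'passwords': passwords}


def brute_force_sources(summary, min_attempts=3):
    """Source IPs that made at least min_attempts login attempts (sorted)."""
    return sorted(ip for ip, s in summary['per_ip'].items()
                  if s['attempts'] >= min_attempts)


def compromised_credentials(attempts):
    """Distinct (user, password) pairs that granted access: never reuse these."""
    return sorted({(a['user'], a['password']) for a in attempts if a['success']})


if __name__ == '__main__':
    attempts = parse_attempts(SAMPLE_LOG)
    summary = summarize(attempts)
    print('per source:', summary['per_ip'])
    print('top pairs:', summary['pairs'].most_common(3))
    print('brute-force sources:', brute_force_sources(summary))
    print('credentials that worked:', compromised_credentials(attempts))
```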

5.2.1 Kippo Input Results

With each successful login attempt, each attacker was presented with a fake file system, along with the ability to add and remove files, that closely resembles a Debian 5.0 installation [24]. Attackers were also given the ability to ’cat’ files (especially /etc/passwd) and all wget downloads were saved for inspection. The following graph shows the top ten overall inputs received in the Kippo honeypot:


Figure 5.24: Bar graph displaying the top 10 commands entered into the console

Since these input values are the most used by attackers, it is important to understand what each does, and from this we can draw a conclusion as to what most attackers are after. The following screenshot is taken from a Kippo TTY log, which shows the actual commands typed into the terminal. While watching the replay, it is clear that this is completely automated: the commands are typed in and executed almost instantly. This particular log was from an attack from Warsaw, Poland:

Figure 5.25: Screenshot of a Kippo TTY log replaying a live attack

With some help from the IT department, and some sources online, this is the best guess of what was attempted within the system:

Although /gweerwe323f was the most executed command, it failed to execute any file by the name of gweerwe323f, as shown in figure 5.27. Not only did the file fail to execute, it is part of a seemingly new and unknown attack. The closest we have come to seeing /gweerwe323f is in recent blog posts and several SSH honeypot paste bins from the past month asking about the source, with no answers about what it is [25]. Speculation from both online articles and the IT department is that it might be a fork of the popular SSH bot Mirai, whose author released its source code on Github earlier this year [26]. If the suspicion is correct, this means that the following code snippets show the worm checking different files within the system for write access and attempting to find a part of the system open for a root exploit. Both of:

• echo -e '\x47\x72\x6f\x70/' > //.nippon; cat //.nippon; rm -f //.nippon

• echo -e '\x47\x72\x6f\x70/tmp' > /tmp/.nippon; cat /tmp/.nippon; rm -f /tmp/.nippon

show the user trying to deposit a hidden file (a file name starting with ".") in the root directory and in "tmp" respectively. This is a common thing for applications to do, yet it is suspicious that there is no chmod command to enable the user to run the file that has been written. After the attacker has probed the file, the final "rm" command is used to clean up all evidence that the attacker did anything to that file and to the system.
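To make the write-probe pattern above concrete, here is an added Python example (not from the thesis, the IT department or the Mirai source) that decodes the echo -e hex escapes and flags the echo > file, cat file, rm -f file triple in captured session input, the kind of check a defender can run over honeypot TTY logs. The session lines are constructed, and the ";" separators are an assumption since the thesis shows the commands without them.

```python
import re

# Constructed session input in the style of the Kippo TTY replay discussed above
# (not the thesis's capture). The first two lines follow the quoted pattern; the
# third lacks the clean-up step and the rest are ordinary commands.
SAMPLE_SESSION = [
    r"echo -e '\x47\x72\x6f\x70/' > //.nippon; cat //.nippon; rm -f //.nippon",
    r"echo -e '\x47\x72\x6f\x70/tmp' > /tmp/.nippon; cat /tmp/.nippon; rm -f /tmp/.nippon",
    r"echo -e '\x41\x42' > /var/.probe; cat /var/.probe",
    "cat /etc/passwd",
    "uname -a",
]

HEX_ESCAPE = re.compile(r'\\x([0-9a-fA-F]{2})')
ECHO_WRITE = re.compile(r"\becho\s+-e\s+'(?P<arg>[^']*)'\s*>\s*(?P<path>\S+)")
CAT_BACK = re.compile(r"\bcat\s+(?P<path>\S+)")
RM_CLEAN = re.compile(r"\brm\s+-f\s+(?P<path>\S+)")


def decode_echo_e(arg):
    """Expand the \\xHH escapes that `echo -e` would turn into bytes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), arg)


def split_commands(line):
    """Split a shell line on ';', '&&' and '||' into individual commands."""
    return [c.strip() for c in re.split(r';|&&|\|\|', line) if c.strip()]


def detect_write_probes(line):
    """Return one finding per write/read-back/delete triple found in the line.

    A finding records the probed path, the directory being tested for write
    access, and the decoded marker the probe wrote (here "Grop" + directory).
    """
    cmds = split_commands(line)
    findings = []
    for i, cmd in enumerate(cmds):
        m = ECHO_WRITE.search(cmd)
        if not m:
            continue
        path = m.group('path')
        read_back = cleaned = False
        # The read-back and clean-up must follow the write within two commands.
        for follow in cmds[i + 1:i + 3]:
            c = CAT_BACK.search(follow)
            if c and c.group('path') == path:
                read_back = True
            r = RM_CLEAN.search(follow)
            if r and r.group('path') == path:
                cleaned = True
        if read_back and cleaned:
            directory = path.rsplit('/', 1)[0] or '/'
            findings.append({'path': path, 'directory': directory,
                             'marker': decode_echo_e(m.group('arg'))})
    return findings


def probed_directories(session):
    """Directories a session tested for write access, in order of first probe."""
    dirs = []
    for line in session:
        for f in detect_write_probes(line):
            if f['directory'] not in dirs:
                dirs.append(f['directory'])
    return dirs


if __name__ == '__main__':
    for line in SAMPLE_SESSION:
        print(detect_write_probes(line))
    print('directories probed:', probed_directories(SAMPLE_SESSION))
```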

Figure 5.26: Bar graph displaying the top 10 successful commands entered into the console

Using the top ten successful commands, it is clear which commands can directly impact the system. If the honeypot has been set up similarly to the production network in any way, then this data can better reveal what an attacker can do to the production network, so that it can be better defended. However, it is still interesting to note the unsuccessful commands, to discover what the attackers might have been looking for that was not available on the Kippo honeypot:


Figure 5.27: Bar graph displaying the top 10 unsuccessful commands entered into the console

It seems that the most entered command is also the most unsuccessful. The only guess here is that this particular attack is searching for a very specific system, like an IP camera, a security mechanism, or a specific operating system that holds this file to be executed by the worm. Due to the very little information about this recent SSH input, it is currently unknown what exactly the file is and why these attackers want it to be executed.

5.2.2 Kippo Geo Input

The 40,000+ SSH attacks received by the honeypot were made from different locations throughout the globe. The following graphs show which countries sent the most probes:

Figure 5.28: Bar graph displaying the top 10 connections per unique IP


Figure 5.29: Pie chart displaying the top 10 connections per unique IP

As shown in the graphs, the largest number of attacks came from China. As shown in section 5.1.4, Honeyd received the same results as Kippo when it comes to the origin of the most attacks. Yet, interestingly enough, the most probing IP address (116.31.116.26) only established five logins with the Kippo honeypot. This is revealed in the following graph on successful connections per IP:

Figure 5.30: Bar graph displaying the most successful logins per unique IP

From this data, the conclusion can be drawn that most of the input data seen in section 5.2.1 is coming from the IP address 91.197.235.11. The following shows the results for this IP address in AbuseIPDB’s database [22].


Figure 5.31: AbuseIPDB’s report on the IP address 91.197.235.11

Regardless of the 10,000 connections coming from China, it is in fact the attacks that came from this Russian IP address that should be the most scrutinized, as these attacks had the most success. The rest of the attacks were scattered around the globe and did not have as many successful logins.


5.3 Dionaea Results

Dionaea, the malware capturing honeypot, proved to be almost useless, the least effective of the three honeypot solutions. In over 40,000 connections from over 12,000 different IP addresses, Dionaea failed to capture a single piece of malware. These results were less than satisfactory, but in a conversation with the IT department, they speculated that "worms and malware generally don’t ’wander around’ on the Internet, but are distributed inside one’s corporate network after one machine has been infected". This, in addition to SUNET’s port blockage on the incoming line, or even the Dionaea configuration, could have led to the results received. Regardless of the lack of malware, Dionaea still managed to record the connections made from all around the globe. These results also back up the results received in Honeyd and Kippo in terms of connection origin and port. The following screenshot displays the main page of DionaeaFR, a visualization program that takes the Dionaea logs and converts them into an easily readable format:

Figure 5.32: Main Page of DionaeaFR

5.3.1 Dionaea Connection Analysis

Dionaea exposes a number of services, and these services include [27]:

• tcp/5060 → SIP Protocol

• tcp/5061 → SIP Protocol over TLS

• tcp/135 → Remote Procedure Call (RPC)

• tcp/3306 → MySQL Database

• tcp/42 → WINS Protocol

• tcp/21 → FTP Protocol


• tcp/1433 → MSSQL

• tcp/445 → SMB over TCP

• udp/5060 → SIP Protocol

• tcp/23 → SSH Protocol

Once a connection is made asking for any of these services, Dionaea records the contact and writes the information to the log file. The following figure shows an attack map revealing the origin of all the connections asking for one of these services:

Figure 5.33: Attack map displaying connections made from around the world

Looking at the data, it is apparent that the Dionaea honeypot’s services were properly advertised across the globe, with connections from different IP addresses in different countries. The following graphs detail the majority of connections by IP address and by port, to show which service was the most targeted and from where.

Figure 5.34: Pie chart displaying the connections by the destination port


Figure 5.35: Pie chart displaying the connections by the destination port

Looking at figure 5.34, several of the IP addresses, including the top connection 202.73.98.66 from Indonesia, are listed in AbuseIPDB’s database [22]. The analysis of the list of ports in figure 5.35 shows that connections on port 23 are the most common. The second most probed port is 5060, which is used by the Session Initiation Protocol (SIP), a signaling protocol widely used in Voice over IP (VoIP). VoIP can be targeted and exploited to steal data, misuse calls, or even use the microphone or webcam without approval [28]. Each individual connection can be analyzed in Dionaea, and further investigated if need be. An excerpt from the analysis of the connections is shown below, which includes important information about where the connection came from, how, and when it was received. The sensor’s IP address was edited for security reasons.

Figure 5.36: Pie chart displaying the connections by the destination port

Overall, Dionaea was unable to capture any malware, which could be read in three ways: as positive for the university network, in that there is little to worry about regarding malware arriving from the internet; as a sign that something was wrong with the Dionaea honeypot; or as the result of the ports blocked by SUNET preventing any malware from transmitting on the incoming line. The connections themselves prove that there was plenty of activity regarding the outside world’s ability to connect to the honeypot. The conclusion here would be that the university network is not vulnerable to malware attacks directly from the internet, and if malware were to enter the network, it would have to be brought into the system on a device directly.

5.4 Which Honeypot Solution is the Best?

As addressed in section 1.4, the fourth research question, about which honeypot solution is the best, is answered in the following subsections. It must be noted that Honeyd, Kippo, and Dionaea do not provide the same services, which means that even if one solution is deemed "better" than the others, this does not entail that this particular solution should be singled out for implementation on a network. Each solution is compared using the qualities listed in section 4.1 and in the table below. From this data, and personal review, the best solution will be determined.

Honeypot Comparison

Category                    Honeyd       Dionaea      Kippo
Cost                        Open Source  Open Source  Open Source
Level of interaction        Low          Low          Medium
Amount of Online Sources    Medium       Medium       High
Online Reviews              High         High         High
Available Documentation     Very Low     Low          Medium
Reconfigurability           Very High    Low          Low
Setup Difficulty            Very High    Low          Very Low

Table 5.1: Table comparing the three honeypot solutions

5.4.1 Dionaea Evaluation

Dionaea, a malware collector, ranks number three out of the three honeypot solutions. The reason Dionaea is last stems not only from the results in the experiment, but also from the fact that Dionaea has very little reconfigurability. This can be seen as beneficial, as a system administrator would not have to spend hours building a configuration file or writing scripts. However, when there is an experiment involved and also an investigation into the code, Dionaea does not provide the malleability required to create a specific solution for a specific environment.

5.4.2 Kippo Evaluation

Kippo, a very simple and cost-efficient SSH honeypot, ranks number two out of the three honeypot solutions. Kippo lands in second due to the difference in online help, setup difficulty, and flawless execution. Kippo is an incredibly well documented and well established honeypot solution. The amount of resources online and the simplest of setup directions make Kippo a very manageable honeypot. Due to the simplicity of the setup of Kippo, it follows in the same direction as Dionaea in that there is very little to no reconfigurability. Kippo can change which port to listen on, filter out some IP address ranges, and change the login credentials [24]. This can be seen as a considerable advantage for network administrators who will not have to spend hours making a honeypot configuration, and can merely deploy Kippo in a few minutes after the download of dependencies has finished. The simplicity factor, along with the vast amount of online resources, places this honeypot solution in second place.

5.4.3 Honeyd Evaluation

Honeyd, ranking number one out of the three honeypot solutions, earned its place despite its difficulty in configuration. Unlike Kippo and Dionaea, Honeyd requires the user to write the configuration file and scripts that will emulate the different virtual honeypots. On top of all that, since the latest version of Honeyd was released back in 2007, the documentation from then is outdated, and most online sources had false information when trying to configure and start Honeyd. Despite these difficulties and the online sources not being helpful in many ways, Honeyd’s reconfigurability was by far the most impressive. Honeyd can emulate up to 65,536 hosts simultaneously, with the ability for each host to be configured with different scripts, port states, and even routing information [14]. This in itself shows the reasoning behind choosing Honeyd as the best honeypot out of the three. The biggest criterion that proves Honeyd the best of the solutions is the ability to choose which machines will be emulated and how they will appear to the outside. From a network administrator’s perspective, this could be menial work, writing pages and pages of configuration files and researching different scripts when they might want the honeypots to be deployed as soon as possible. However, in the case of careful experimentation, this is the perfect solution to test and determine exactly how the internet will interact with the different virtual honeypots, and in turn determine how the internet will interact with the system. Therefore, Honeyd, through its vast reconfigurability, is the best of the three honeypot solutions.


6 Discussion

The purpose of this study was to evaluate several low-interaction honeypots and their detection of potential threats in the university network. In order for this to happen, three honeypots were deployed to capture and analyze different connections on different ports. The selection of Kippo, Honeyd, and Dionaea as tools, as explained in section 4.1, helped the process of capturing probes from around the world to show which services are the most threatened.

Analyzing the interaction between the honeypots, the attackers, and the overall connection data in such a short span of time gives an incredible insight into how significant honeypots can be as a security mechanism. Simple distributions like Kippo and Dionaea can add an extra layer of security to the network infrastructure without much configuration time. Honeyd, however, might be more of a complication than an addition, but if the administrator would like to test for specific machines and network patterns, then Honeyd provides these functions. One of the major advantages of these low-interaction honeypots is that they can be deployed and left alone to gather data without any maintenance. The only requirement is to check the logs regularly, or when there has been a breach, to see exactly what kind of malicious activity is currently on the internet.

It was hypothesized at the beginning of this experiment that the results would reflect a number of botnets and black-hat hackers attempting to plant malicious bugs and rootkits in the university network. Although the experiment did yield a large number of probes from what appear to be botnets around the world, the botnets did not attempt to inflict as much damage as hypothesized. The results show that it was uncommon for malware to be lingering on the internet waiting to be downloaded, and that this was definitely not the intruders' first line of attack. Instead, the majority of intruders abused the services that run on ports 22 and 23.

The results of this thesis are similar to those of two master's theses from Chalmers and Halmstad University [4] [3]. Those theses also found botnet attacks made on ports 22 and 23, and found a significant amount of malicious TCP traffic originating from China. However, one of the major differences between this project and theirs was that, for them, port 445 was a heavily attacked resource. As mentioned in section 1.2, port 445 uses SMB, a vulnerable application-layer network protocol associated with communication between Microsoft services [5]. The difference is that port 445 was one of the ports blocked from SUNET's end, which made it impossible to receive connections over it. It is suspected that these ports blocked by SUNET prevented Dionaea from downloading any of the malware that should have been captured during the experiment.

To draw conclusions from the honeypot logs, dedicated visualization tools presented the data in an easily readable format. The three visualization tools were Honeyd-Viz for Honeyd, DionaeaFR for Dionaea, and Kippo-Graph for Kippo. Dionaea, Kippo, and all the virtual honeypots from Honeyd were each given a public IP address by the IT department, with some restrictions from SUNET as previously mentioned. Besides this, there was nothing between the honeypots and the internet. From the limited capture time (two weeks for Dionaea and Kippo, three days for Honeyd), the data gathered led to the following conclusions:

1. The most attacked services were SSH and Telnet on ports 22 and 23. These ports held more than 50% of the traffic, and the input from these interactions came from many blacklisted servers. From the logs, it appears that many automated connections are made on these ports, most likely from botnets or other zombie computers.

2. The characteristic of a honeypot that attracts hackers towards Linnaeus University is open ports. Any open port is vulnerable to exploitation. In this particular experiment, every port that was opened had been scanned and, in the case of ports 22 and 23, section 5.2 shows exactly what an attacker does to take advantage of that.

3. Most attacks on the university network originate from the People's Republic of China. Honeyd and Kippo showed China as their most common source, and Dionaea had China in its top 10. This is consistent with online sources that also name China as one of the leaders in cyber-attacks [29][30][20].

4. The best honeypot solution of the three is Honeyd, due to its reconfigurability, scalability, and ability to advertise services. Honeyd is able to replicate an unprecedented number of services, including machines and specific scripts attached to each port. The ability to manipulate the configuration file and decide exactly how the honeynet, or collection of honeypots, should function gives the user the power to decide what they want to test. For these reasons, Honeyd was the best of the three low-interaction honeypots.

Although much of the data received in this experiment was reflected in other theses, future research in the field of analyzing malicious traffic on a university network can be explored in three different areas:

The first area for future research would be to explore the incoming traffic without the ports blocked by SUNET. Although this experiment's results may be more realistic in that an Internet Service Provider (ISP) commonly blocks these ports, these rules disallowed the entry of potentially many different malicious packets that could have been analyzed to show different results.

The second area for future research involves the implementation of several different levels of new and upcoming honeypot solutions. Since this experiment only handled low-interaction honeypots, it could be beneficial to analyze the data captured using the latest honeypot technology at different interaction levels. Using a high-interaction honeypot could give a whole new plethora of data that could impact the university more than a low- or medium-interaction solution could.

The last area of potential future research is to go a step further and help create a security plan based on the data received from the honeypots. Since a honeypot's purpose is to research malicious activity on one's network, this data could be used to alter the security plan to ensure the prevention of the attacks observed. The process of discovering an abused resource and creating a plan to counteract these attacks could be explored in future research.


7 Conclusion

The university network is under the scrutiny of the internet at all times. By aiding in the detection and elimination of cyber attacks, a honeypot can be a valuable asset to any network's security plan. Although the honeypot selection process and setup can be difficult, the eventual payoff of a honeypot is valuable data for staying ahead of current cyber threats. This particular experiment dealt with machines that had virtually no protection, but it shows what could happen if the university were to leave services open and unsecured. In doing so, it revealed exactly what attackers around the world are capable of after only a matter of days, which further proves how imperative it is to build a secure infrastructure.


References

[1] S. Russell and P. Norvig, Virtual honeypots: from botnet tracking to intrusion detection, 3rd ed. Addison-Wesley Professional, 2007.

[2] R. A. Grimes, Honeypots for Windows. Apress, 2005. [Online]. Available: http://books.gigatux.nl/mirror/honeypot/final/ch01lev1sec2.htm; google.com/books?id=uOZQAAAAMAAJ&pgis=1

[3] V. Aliyev, “Using honeypots to study skill level of attackers based on the exploited vulnerabilities in the network,” 2010. [Online]. Available: http://publications.lib.chalmers.se/records/fulltext/129915.pdf

[4] B. Alkudhir, E. Chairetakis, and P. Mystridis, “Deployment of Low Interaction Honeypots in University Campus Network,” 2013. [Online]. Available: http://hh.diva-portal.org/smash/get/diva2:621481/FULLTEXT02.pdf

[5] “What is an SMB Port? What is Port 445 and Port 139 used for?” 2016. [Online]. Available: http://www.thewindowsclub.com/smb-port-what-is-port-445-port-139-used-for

[6] T. Holtz, “How to use honeypots to improve your network security,” eWeek, 2008.

[7] S. E. J. S. M.-A. S. D. Damian, “Selecting empirical methods for software engineering research,” 2015.

[8] Lance Spitzner, “The Value of Honeypots, Part One: Definitions and Values of Honeypots,” 2001. [Online]. Available: https://www.symantec.com/connect/articles/value-honeypots-part-one-definitions-and-values-honeypots

[9] “What is a Sandbox (in Computer Security)? - Definition from Techopedia.” [Online]. Available: https://www.techopedia.com/definition/27682/sandbox-computer-security

[10] J. Bradshaw, “Does Your Honeypot Interaction Match Your Security Operations Service Level Agreement? – TRAPX Security.” [Online]. Available: https://trapx.com/does-your-honeypot-interaction-match-your-security-operations-service-level-agreement/

[11] B. J. Schaufenbuel, “The Legality of Honeypots.” [Online]. Available: http://www.jdsupra.com/legalnews/the-legality-of-honeypots-50070/

[12] L. Spitzner and A. Wesley, “Honeypots: Tracking Hackers,” 2002. [Online]. Available: http://www.it-docs.net/ddata/792.pdf

[13] D. Gibson, CompTIA Security+ get certified get ahead SYO-401 study guide. YCDA, LLC, 2014.

[14] N. Provos, “Honeyd General Information,” 2004. [Online]. Available: http://www.honeyd.org/general.php

[15] ——, “A Virtual Honeypot Framework.” [Online]. Available: https://www.usenix.org/legacy/publications/library/proceedings/sec04/tech/full_papers/provos/provos_html/honeyd.html


[16] ——, “Honeyd,” 2007. [Online]. Available: https://github.com/DataSoft/Honeyd

[17] “Ports not actually blocked on HoneyD,” 2013. [Online]. Available: https://ubuntuforums.org/showthread.php?t=2113540

[18] “Ubuntu Manpage: honeyd — Honeypot Daemon,” 2002. [Online]. Available: http://manpages.ubuntu.com/manpages/precise/man8/honeyd.8.html

[19] “[ubuntu] uid=1000. gid=1000. why 1000?” 2011. [Online]. Available: https://ubuntuforums.org/showthread.php?t=1740376

[20] User Super, “Deployment of Kippo SSH Honeypot on Ubuntu Linux - LinuxConfig.org,” 2016. [Online]. Available: https://linuxconfig.org/deployment-of-kippo-ssh-honeypot-on-ubuntu-linux

[21] E. Tan, “Dionaea – A Malware Capturing Honeypot,” 2014. [Online]. Available: https://www.edgis-security.org/honeypot/dionaea/

[22] “AbuseIPDB - IP address abuse reports - Making the Internet safer, one IP at a time,” 2017. [Online]. Available: https://www.abuseipdb.com/

[23] Rouse Margaret, “What is ICMP (Internet Control Message Protocol)? - Definition from WhatIs.com,” 2015. [Online]. Available: http://searchnetworking.techtarget.com/definition/ICMP

[24] Desaster, “Kippo,” 2012. [Online]. Available: https://github.com/desaster/kippo

[25] Joanbtl, “December 30, 2016 – HoneyPot World,” 2016. [Online]. Available: https://honeypotworldblog.wordpress.com/2016/12/30/december-30-2016/

[26] Anna-senpai, “Mirai BotNet,” 2016. [Online]. Available: https://github.com/jgamblin/Mirai-Source-Code

[27] Ercolino Miguel, “Honeypot Networks | IT & Security Stuffs!!!,” 2015. [Online]. Available: https://itandsecuritystuffs.wordpress.com/2015/02/03/honeypot-networks/

[28] Yonatan Reuben, “5 Signs That Your VoIP System is Hacked | GetVoIP,” 2015. [Online]. Available: https://getvoip.com/blog/2015/03/25/signs-voip-hack/

[29] Fingas Jon, “Sit back and watch hacks around the world in real time,” 2014. [Online]. Available: https://www.engadget.com/2014/06/24/live-hacking-map/

[30] Walker Lauren, “Real-Time Cyber-Attack Map Shows Scope of Global Cyber War,” 2015. [Online]. Available: http://www.newsweek.com/real-time-cyber-attack-map-shows-scope-global-cyber-war-352886


A Appendix A

The following IP addresses are hidden for security reasons; the hidden part is marked with an asterisk (*).

create default
set default default tcp action open
set default default udp action open
set default default icmp action open

create switch
set switch personality "Cisco Catalyst 4006 Switch running NmpSW 7.4(2)"
set switch uptime 9401532
set switch default tcp action open
add switch tcp port 22 open
add switch tcp port 23 open
set switch ethernet "64:00:6a:85:45:39"
#dhcp switch on eth0
bind 194.* switch

create router
set router personality "Cisco 1601R router running IOS 12.1(5)"
set router default tcp action open
add router tcp port 22 "/usr/share/honeyd/scripts/test.sh"
add router tcp port 23 "/usr/share/honeyd/scripts/router-telnet.pl"
set router ethernet "64:00:6a:85:45:40"
bind 194.* router
#dhcp router on eth0

create windowsNT
set windowsNT personality "Microsoft Windows NT 4.0 SP3"
set windowsNT uptime 5981234
set windowsNT default tcp action open
add windowsNT tcp port 21 open
add windowsNT tcp port 22 open
add windowsNT tcp port 23 open
add windowsNT tcp port 25 open
add windowsNT tcp port 53 open
add windowsNT tcp port 443 open
add windowsNT tcp port 110 open
add windowsNT tcp port 119 "/usr/share/Honeyd/scripts/win32/win2k/exchange-nntp.sh"
add windowsNT tcp port 135 open
add windowsNT udp port 136 open
add windowsNT udp port 137 open
add windowsNT udp port 138 open
add windowsNT tcp port 139 open
add windowsNT tcp port 143 "/usr/share/Honeyd/scripts/win32/win2k/exchange-imap.sh"
add windowsNT tcp port 1433 open
add windowsNT tcp port 80 "/usr/share/Honeyd/scripts/web.sh"
add windowsNT udp port 53 open
add windowsNT tcp port 389 "/usr/share/Honeyd/scripts/win32/win2k/ldap.sh"


add windowsNT udp port 1434 open
add windowsNT tcp port 901 open
add windowsNT udp port 1026 open
add windowsNT tcp port 1026 open
add windowsNT tcp port 1900 open
add windowsNT tcp port 5000 open
add windowsNT udp port 3389 open
add windowsNT udp port 4899 open
add windowsNT tcp port 1080 "/usr/share/Honeyd/scripts/mydoom1.pl -l /usr/share/Honeyd/scripts/mydoom"
add windowsNT tcp port 10080 "/usr/share/Honeyd/scripts/mydoom1.pl -l /usr/share/Honeyd/scripts/mydoom"
add windowsNT tcp port 8080 open
add windowsNT tcp port 3128 open
add windowsNT tcp port 3410 open
add windowsNT tcp port 8866 open
add windowsNT tcp port 17300 open
add windowsNT tcp port 5554 "/usr/share/Honeyd/scripts/cmdexexp.pl -p winxp -l /usr/share/Honeyd/scripts/cmdexexp"
add windowsNT tcp port 9898 "/usr/share/Honeyd/scripts/cmdexexp.pl -p winxp -l /usr/share/Honeyd/scripts/cmdexexp"
add windowsNT tcp port 9996 "/usr/share/Honeyd/scripts/cmdexexp.pl -p winxp -l /usr/share/Honeyd/scripts/cmdexexp"
add windowsNT tcp port 1234 "/usr/share/Honeyd/scripts/win32/win2k/msftp.sh"
add windowsNT tcp port 5900 "/usr/share/Honeyd/scripts/win32/win2k/vnc.sh"
set windowsNT ethernet "64:00:6a:85:45:41"
bind 194.* windowsNT
#dhcp windowsNT on eth0

create WindowServer
set WindowServer personality "Microsoft Windows Server 2003 Standard Edition"
set WindowServer uptime 290438
set WindowServer default tcp action open
set WindowServer default udp action open
add WindowServer tcp port 21 open
add WindowServer tcp port 22 open
add WindowServer tcp port 23 open
add WindowServer tcp port 25 open
add WindowServer tcp port 53 open
add WindowServer tcp port 443 open
add WindowServer tcp port 110 "/usr/share/Honeyd/scripts/win32/win2k/exchange-pop3.sh"
add WindowServer tcp port 119 "/usr/share/Honeyd/scripts/win32/win2k/exchange-nntp.sh"
add WindowServer tcp port 135 open
add WindowServer udp port 136 open
add WindowServer udp port 137 open
add WindowServer udp port 138 open
add WindowServer tcp port 139 open
add WindowServer tcp port 143 "/usr/share/Honeyd/scripts/win32/win2k/exchange-imap.sh"
add WindowServer tcp port 1433 open
add WindowServer tcp port 80 "/usr/share/Honeyd/scripts/win32/win2k/iis.sh"
add WindowServer udp port 53 open
add WindowServer udp port 1434 open
add WindowServer tcp port 389 "/usr/share/Honeyd/scripts/win32/win2k/ldap.sh"
add WindowServer tcp port 901 open


add WindowServer udp port 1026 open
add WindowServer tcp port 1026 open
add WindowServer tcp port 1900 open
add WindowServer tcp port 5000 open
add WindowServer udp port 3389 open
add WindowServer udp port 4899 open
add WindowServer tcp port 1080 open
add WindowServer tcp port 3127 "/usr/share/Honeyd/scripts/mydoom1.pl -l /usr/share/Honeyd/scripts/mydoom"
add WindowServer tcp port 3128 "/usr/share/Honeyd/scripts/mydoom1.pl -l /usr/share/Honeyd/scripts/mydoom"
add WindowServer tcp port 8080 open
add WindowServer tcp port 3410 open
add WindowServer tcp port 8866 open
add WindowServer tcp port 17300 open
add WindowServer tcp port 4444 "/usr/share/Honeyd/scripts/cmdexe2003.pl -p win2003 -l /usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 8967 "/usr/share/Honeyd/scripts/cmdexe2003.pl -p win2003 -l /usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 9898 "/usr/share/Honeyd/scripts/cmdexe2003.pl -p win2003 -l /usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 20168 "/usr/share/Honeyd/scripts/cmdexe2003.pl -p win2003 -l /usr/share/Honeyd/scripts/cmdexe2003"
add WindowServer tcp port 1234 "/usr/share/Honeyd/scripts/win32/win2k/msftp.sh"
add WindowServer tcp port 5900 "/usr/share/Honeyd/scripts/win32/win2k/vnc.sh"
set WindowServer ethernet "64:00:6a:85:45:42"
#dhcp WindowServer on eth0
bind 194.* WindowServer

create WinXPComputer
set WinXPComputer personality "Microsoft Windows XP Professional SP1"
set WinXPComputer uptime 5981234
set WinXPComputer default tcp action open
add WinXPComputer tcp port 21 open
add WinXPComputer tcp port 22 open
add WinXPComputer tcp port 23 open
add WinXPComputer tcp port 25 open
add WinXPComputer tcp port 53 open
add WinXPComputer tcp port 443 open
add WinXPComputer tcp port 110 open
add WinXPComputer tcp port 119 "/usr/share/Honeyd/scripts/win32/win2k/exchange-nntp.sh"
add WinXPComputer tcp port 135 open
add WinXPComputer udp port 136 open
add WinXPComputer udp port 137 open
add WinXPComputer udp port 138 open
add WinXPComputer tcp port 139 open
add WinXPComputer tcp port 143 "/usr/share/Honeyd/scripts/win32/win2k/exchange-imap.sh"
add WinXPComputer tcp port 1433 open
add WinXPComputer tcp port 80 "/usr/share/Honeyd/scripts/web.sh"
add WinXPComputer udp port 53 open
add WinXPComputer tcp port 389 "/usr/share/Honeyd/scripts/win32/win2k/ldap.sh"


add WinXPComputer udp port 1434 open
add WinXPComputer tcp port 901 open
add WinXPComputer udp port 1026 open
add WinXPComputer tcp port 1026 open
add WinXPComputer tcp port 1900 open
add WinXPComputer tcp port 5000 open
add WinXPComputer udp port 3389 open
add WinXPComputer udp port 4899 open
add WinXPComputer tcp port 1080 "/usr/share/Honeyd/scripts/mydoom1.pl -l /usr/share/Honeyd/scripts/mydoom"
add WinXPComputer tcp port 10080 "/usr/share/Honeyd/scripts/mydoom1.pl -l /usr/share/Honeyd/scripts/mydoom"
add WinXPComputer tcp port 8080 open
add WinXPComputer tcp port 3128 open
add WinXPComputer tcp port 3410 open
add WinXPComputer tcp port 8866 open
add WinXPComputer tcp port 17300 open
add WinXPComputer tcp port 5554 "/usr/share/Honeyd/scripts/cmdexexp.pl -p winxp -l /usr/share/Honeyd/scripts/cmdexexp"
add WinXPComputer tcp port 9898 "/usr/share/Honeyd/scripts/cmdexexp.pl -p winxp -l /usr/share/Honeyd/scripts/cmdexexp"
add WinXPComputer tcp port 9996 "/usr/share/Honeyd/scripts/cmdexexp.pl -p winxp -l /usr/share/Honeyd/scripts/cmdexexp"
add WinXPComputer tcp port 1234 "/usr/share/Honeyd/scripts/win32/win2k/msftp.sh"
add WinXPComputer tcp port 5900 "/usr/share/Honeyd/scripts/win32/win2k/vnc.sh"
set WinXPComputer ethernet "64:00:6a:85:45:43"
#dhcp WinXPComputer on eth0
bind 194.* WinXPComputer

create LinuxComputer
set LinuxComputer personality "Linux 2.0.34-38"
set LinuxComputer uptime 2903245
set LinuxComputer default tcp action open
set LinuxComputer default udp action open
add LinuxComputer tcp port 21 "/usr/share/Honeyd/scripts/unix/linux/ftp.sh"
add LinuxComputer tcp port 22 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/SSH.sh"
add LinuxComputer tcp port 23 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add LinuxComputer tcp port 25 open
add LinuxComputer tcp port 53 open
add LinuxComputer tcp port 110 "/usr/share/Honeyd/scripts/unix/general/pop/pop3.sh"
add LinuxComputer tcp port 135 open
add LinuxComputer udp port 136 open
add LinuxComputer udp port 137 open
add LinuxComputer udp port 138 open
add LinuxComputer tcp port 139 open
add LinuxComputer tcp port 143 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/cyrus-imapd.sh"
add LinuxComputer tcp port 443 open
add LinuxComputer tcp port 389 open
add LinuxComputer tcp port 465 open
add LinuxComputer tcp port 515 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/lpd.sh"
add LinuxComputer tcp port 990 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/proftpd.sh"
add LinuxComputer tcp port 993 open
add LinuxComputer tcp port 2086 open
add LinuxComputer tcp port 9080 open


add LinuxComputer tcp port 587 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/sendmail.sh"
add LinuxComputer tcp port 1433 open
add LinuxComputer tcp port 80 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add LinuxComputer udp port 53 open
add LinuxComputer tcp port 113 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/ident.sh"
add LinuxComputer udp port 1434 open
add LinuxComputer tcp port 901 open
add LinuxComputer udp port 1026 open
add LinuxComputer tcp port 1026 open
add LinuxComputer tcp port 1900 open
add LinuxComputer tcp port 5000 open
add LinuxComputer udp port 3389 open
add LinuxComputer udp port 4899 open
add LinuxComputer tcp port 1080 open
add LinuxComputer tcp port 8080 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add LinuxComputer tcp port 3128 open
add LinuxComputer tcp port 3410 open
add LinuxComputer tcp port 8866 open
add LinuxComputer tcp port 17300 open
set LinuxComputer ethernet "64:00:6a:85:45:44"
#dhcp LinuxComputer on eth0
bind 194.* LinuxComputer

create BSDComputer
set BSDComputer personality "OpenBSD 2.6-2.8"
set BSDComputer default tcp action open
set BSDComputer default udp action open
add BSDComputer tcp port 21 "/usr/share/Honeyd/scripts/unix/linux/ftp.sh"
add BSDComputer tcp port 22 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/SSH.sh"
add BSDComputer tcp port 23 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/telnetd.sh"
add BSDComputer tcp port 25 open
add BSDComputer tcp port 53 open
add BSDComputer tcp port 110 "/usr/share/Honeyd/scripts/unix/general/pop/pop3.sh"
add BSDComputer tcp port 135 open
add BSDComputer udp port 136 open
add BSDComputer udp port 137 open
add BSDComputer udp port 138 open
add BSDComputer tcp port 139 open
add BSDComputer tcp port 143 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/cyrus-imapd.sh"
add BSDComputer tcp port 443 open
add BSDComputer tcp port 389 open
add BSDComputer tcp port 465 open
add BSDComputer tcp port 515 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/lpd.sh"
add BSDComputer tcp port 990 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/proftpd.sh"
add BSDComputer tcp port 993 open
add BSDComputer tcp port 2086 open
add BSDComputer tcp port 9080 open
add BSDComputer tcp port 587 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/sendmail.sh"
add BSDComputer tcp port 1433 open


add BSDComputer tcp port 80 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add BSDComputer udp port 53 open
add BSDComputer tcp port 113 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/ident.sh"
add BSDComputer udp port 1434 open
add BSDComputer tcp port 901 open
add BSDComputer udp port 1026 open
add BSDComputer tcp port 1026 open
add BSDComputer tcp port 1900 open
add BSDComputer tcp port 5000 open
add BSDComputer udp port 3389 open
add BSDComputer udp port 4899 open
add BSDComputer tcp port 1080 open
add BSDComputer tcp port 8080 "/usr/share/Honeyd/scripts/unix/linux/suse8.0/apache.sh"
add BSDComputer tcp port 3128 open
add BSDComputer tcp port 3410 open
add BSDComputer tcp port 8866 open
add BSDComputer tcp port 17300 open
set BSDComputer ethernet "64:00:6a:85:45:45"
#dhcp BSDComputer on eth0
bind 194.* BSDComputer

B Appendix B

1. IP address: 59.45.175.30

• ISP: China Telecom Liaoning

• Organization: China Telecom Liaoning

• Connection Type: Cable/DSL

• Location: Shenyang, Liaoning China

• AbuseIPDB reports: 24

• Connections: 548,601

2. IP address: 116.31.116.26

• ISP: China Telecom Guangdong

• Organization: China Telecom Guangdong

• Connection Type: Cable/DSL

• Location: Guangzhou, Guangdong China

• AbuseIPDB reports: 553

• Connections: 258,990

3. IP address: 194.71.11.173

• ISP: SUNET Swedish University Network

• Hostname: napoleon.ftp.acc.umu.se

• Connection Type: Unknown

• Location: Umea, Sweden


• AbuseIPDB reports: 0

• Connections: 10440

4. IP address: 54.243.196.213

• ISP: Amazon Technologies

• Hostname: ec2-54-243-196-213.compute-1.amazonaws.com

• Organization: Amazon.com

• Connection Type: Corporate

• Location: Ashburn, Virginia USA

• AbuseIPDB reports: 0

• Connections: 10439

5. IP address: 202.73.98.66

• ISP: PT. First Media, Tbk.

• Hostname: fm-dyn-202-73-98-66.fast.net.id

• Organization: Fastnet

• Connection Type: Cable/DSL

• Location: Indonesia

• AbuseIPDB reports: 5

• Connections: 9052

6. IP address: 91.189.88.161

• ISP: Canonical

• Hostname: keeton.canonical.com

• Organization: Canonical

• Connection Type: Unknown

• Location: United Kingdom

• AbuseIPDB reports: 27

• Connections: 8997

7. IP address: 54.243.175.138

• ISP: Amazon Technologies

• Hostname: ec2-54-243-175-138.compute-1.amazonaws.com

• Organization: Amazon.com

• Connection Type: Corporate

• Location: Ashburn, Virginia USA

• AbuseIPDB reports: 0

• Connections: 8573

8. IP address: 50.19.225.125


• ISP: Amazon Technologies

• Hostname: ec2-50-19-225-125.compute-1.amazonaws.com

• Organization: Amazon.com

• Connection Type: Corporate

• Location: Ashburn, Virginia USA

• AbuseIPDB reports: 0

• Connections: 7273

9. IP address: 188.92.75.10

• ISP: Sia Nano IT

• Organization: Sia Nano IT

• Connection Type: Cable/DSL

• Location: Latvia

• AbuseIPDB reports: 48

• Connections: 6765

C Appendix C

510 deny tcp any any eq 445
520 deny tcp any any eq 42
530 deny udp any any eq bootps
540 deny udp any any eq bootpc
550 deny udp any any range 135 netbios-ss
560 deny tcp any any range 135 139
570 deny udp any any eq tftp
580 deny udp any any eq sunrpc
590 deny tcp any any eq sunrpc
600 deny tcp any any eq 161
610 deny udp any any eq snmp
620 deny tcp any any eq 162
630 deny udp any any eq snmptrap
640 deny tcp any any eq 593
645 deny tcp any any eq 4786
647 deny udp any any eq 4786
740 deny udp any any eq ntp
750 deny tcp any any eq 1433
760 deny udp any any eq 1434
770 deny tcp any any eq 1434
780 deny udp any any eq 1900
790 deny tcp any any eq 1900
800 deny tcp any any eq 2967
810 deny udp any any eq 2967
830 deny tcp any any eq 4865
840 deny tcp any any eq 17
850 deny udp any any eq 17
860 deny tcp any any eq chargen
870 deny udp any any eq 19
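Section 6 attributes the missing SMB and Dionaea malware captures to ports that SUNET's upstream access list (Appendix C) denied before any probe could reach the honeypots. That mismatch can be checked mechanically before a deployment. The following Python script is an added example and not part of the thesis or of Honeyd: it parses Honeyd "add <template> <proto> port <n> <action>" directives in the syntax of Appendix A and numbered Cisco-style "deny ... eq|range" entries in the syntax of Appendix C, then lists every advertised port that the access list makes unreachable. The configuration and ACL excerpts inside it are short constructed samples, and the service-name table covers only the keywords Appendix C uses.

```python
"""Cross-check Honeyd-advertised ports against an upstream deny list.

Added example (not thesis or Honeyd code). Input syntax follows Appendix A
(Honeyd templates) and Appendix C (numbered 'deny' ACL entries).
"""
import re
from collections import defaultdict

# Port numbers for the service keywords that appear in Appendix C in place
# of numeric ports (standard IANA assignments used by IOS access lists).
SERVICE_PORTS = {
    "bootps": 67, "bootpc": 68, "tftp": 69, "sunrpc": 111, "ntp": 123,
    "netbios-ss": 139, "snmp": 161, "snmptrap": 162, "chargen": 19,
}

ADD_RE = re.compile(r'^add\s+(\S+)\s+(tcp|udp)\s+port\s+(\d+)\s+(.+)$')
ACL_RE = re.compile(
    r'^(\d+)\s+deny\s+(tcp|udp)\s+any\s+any\s+(eq|range)\s+(\S+)(?:\s+(\S+))?$')


def port_number(token):
    """Accept a numeric port or one of the IOS service keywords above."""
    return int(token) if token.isdigit() else SERVICE_PORTS[token]


def parse_honeyd_ports(config_text):
    """Return {(template, proto): {port: action}} from 'add ... port' lines.

    The action is the literal 'open' or the quoted script command that
    Honeyd attaches to the port; other directives (create/set/bind) are
    ignored, as are comments such as the '#dhcp' lines in Appendix A.
    """
    ports = defaultdict(dict)
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = ADD_RE.match(line)
        if m:
            template, proto, port, action = m.groups()
            ports[(template, proto)][int(port)] = action.strip('"')
    return ports


def parse_acl_denies(acl_text):
    """Return {proto: set(ports)} denied by 'eq X' and 'range A B' entries."""
    denied = defaultdict(set)
    for line in acl_text.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        _seq, proto, op, first, last = m.groups()
        lo = port_number(first)
        hi = port_number(last) if op == "range" else lo
        denied[proto].update(range(lo, hi + 1))
    return denied


def unreachable_ports(config_text, acl_text):
    """List (template, proto, port, action) for advertised ports the ACL blocks.

    A port in this list will show zero connections in the honeypot logs no
    matter how often it is probed, so its absence from the results says
    nothing about attacker interest (the port 445 situation in section 6).
    """
    ports = parse_honeyd_ports(config_text)
    denied = parse_acl_denies(acl_text)
    blocked = []
    for (template, proto), table in sorted(ports.items()):
        for port, action in sorted(table.items()):
            if port in denied[proto]:
                blocked.append((template, proto, port, action))
    return blocked


# Constructed excerpt in Appendix A syntax (not the thesis's full template).
SAMPLE_CONFIG = """\
create windowsNT
set windowsNT personality "Microsoft Windows NT 4.0 SP3"
add windowsNT tcp port 22 open
add windowsNT tcp port 139 open
add windowsNT udp port 137 open
add windowsNT tcp port 445 open
add windowsNT tcp port 1433 open
add windowsNT udp port 1900 open
add windowsNT tcp port 80 "/usr/share/Honeyd/scripts/web.sh"
#dhcp windowsNT on eth0
"""

# Constructed excerpt in Appendix C syntax.
SAMPLE_ACL = """\
510 deny tcp any any eq 445
550 deny udp any any range 135 netbios-ss
560 deny tcp any any range 135 139
750 deny tcp any any eq 1433
780 deny udp any any eq 1900
"""

if __name__ == "__main__":
    for template, proto, port, action in unreachable_ports(SAMPLE_CONFIG, SAMPLE_ACL):
        print(f"{template}: {proto}/{port} ({action}) is denied upstream; "
              f"no probe can reach it")
```

Running it against the real Appendix A templates and Appendix C list shows at a glance which of the advertised services (SMB and MS-SQL among them) could never have produced log entries during the capture period.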
