Honeypots
Agenda
• Honeypots
• Honeynets
• Honeywall
• Traffic
Problem:
• Vast quantities of normal traffic
Honeypot
• Machine without a normal task
• That is never mentioned (no DNS name anyone uses, not referenced by any legitimate service)
• So: a machine that gets no normal traffic
• Every network packet sent to it is suspect
• With a contained environment
Where
• Anywhere within the net
• No specific place
• Built like a production machine
Definition
A honeypot is a [sacrificial] security resource whose value lies in being probed, attacked or compromised.
History
1990: real systems
• Deploy unpatched systems in default config on an unprotected network ('low-hanging fruit')
• Easy to deploy
• High-interaction, high-risk
• Nice reading: "The Cuckoo's Egg" by Clifford Stoll
1998: service / OS emulation
• Deception Toolkit, CyberCop Sting, KFSensor, Specter
• Easy to deploy
• Low-interaction, low-risk
1999-current: virtual systems
History of the Honeynet Project
• 1999: Lance Spitzner (Sun) founds the Honeynet Project
• 1999-2001, GenI: proof of concept, layer-3 gateway (modified IP headers, so the gateway is detectable)
• 2001-2003, GenII: GenI + bridging (no TTL decrement, harder to detect)
• 2003: Release of the Eeyore Honeywall CD-ROM
• 2003-current, GenIII: GenII + blocking (Honeywall)
• 2005: Release of the Roo Honeywall CD-ROM
• future: 'GenIV' refers to next-gen analysis capabilities
Honeynet
Take care!
• Machine must look real
  • Outside traffic possible
  • Or clearly fake
• Capture all traffic
  • analyse
• Special restrictions on outgoing traffic
  • Everything is allowed
  • Low bandwidth (
Purpose
Research
• Attract blackhats
• Reveal blackhat tactics, techniques, tools (KYE: Know Your Enemy)
• Reveal motives / intentions (?)
• Mostly universities, governments, ISPs
Protection
• Deter blackhats from real assets
• Provide early warning
• Mostly governments, large enterprises
Purpose may determine honeypot functionality and architecture
Definitions
Definition
A honeynet is a network of [high-interaction] honeypots.
Definition
A honeywall is a layer-2 bridge that is placed in-line between a network and a honeynet, or between a network and a honeypot, to uni- or bidirectionally capture, control and analyze attacks.
Functional requirements of a honeypot
• Data control
• Data capture
• Data collection
Entrapment
• Applies only to law enforcement
• Useful only as a defence in a criminal prosecution
• Still, most legal authorities consider honeypots non-entrapment
Responsibility
• You are responsible for everything done from your net, including attacks launched from a compromised honeypot
Low vs. High interaction
Low interaction
• Burglar alarm
• Not meant to learn about new attacks
• Simple
High interaction
• Research
• Look at new things
• Anatomy of a new exploit
Realness
• Make things look real
  • Windows services
  • Windows exploits
How to organise
Honeypot: more than an unpatched host
• See what happens
• Containment
• Check logs
• Limit outgoing traffic
Honeyd
http://www.honeyd.org
Framework
• Config file
• Scripts for emulated services
  • Internal (python interpreter in honeyd)
  • External (external process)
  • stdin + stdout = net, stderr = syslog
Honeyd
Run on a single IP address
• Several services on one address
Run as a honeynet
• Several hosts on several addresses
• Attract traffic
  • Static route in the router (route the unused address space to the honeyd host)
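An external honeyd service script in the form the "stdin + stdout = net, stderr = syslog" rule implies, as an added example (not code from the slides or from the honeyd project). It emulates a shallow SMTP server: the client's bytes arrive on stdin, replies go to stdout, and every client line is written to stderr, which honeyd forwards to syslog. The honeyd.conf lines in the docstring, the host name, the banner and the Sendmail version string are constructed for this example; the HONEYD_IP_SRC / HONEYD_SRC_PORT variables are the ones honeyd's documentation says it exports to service scripts, treated here as an assumption.

```python
#!/usr/bin/env python3
"""Emulated SMTP service script for honeyd (added example, not honeyd's own code).

honeyd starts one copy per TCP connection. Constructed honeyd.conf for it:

    create mailhost
    set mailhost personality "Linux 2.4.20"      # must name an entry in nmap.prints
    set mailhost default tcp action reset
    add mailhost tcp port 25 "python3 /usr/share/honeyd/scripts/smtp.py"
    bind 192.0.2.25 mailhost
"""
import os
import sys

HOSTNAME = "mail.example.net"                                    # constructed
BANNER = f"220 {HOSTNAME} ESMTP Sendmail 8.12.8/8.12.8; ready"   # constructed


def reply_for(line, state):
    """Answer one client line; returns (response or None, keep_session_open).

    `state` records whether the client has greeted us and whether we are inside
    a DATA body. Low interaction on purpose: nothing is ever relayed.
    """
    text = line.rstrip("\r\n")
    if state.get("in_data"):
        if text == ".":
            state["in_data"] = False
            return "250 2.0.0 Message accepted for delivery", True
        return None, True                       # swallow body lines silently
    cmd = text.split(" ", 1)[0].upper()
    if cmd in ("HELO", "EHLO"):
        state["greeted"] = True
        return f"250 {HOSTNAME} Hello", True
    if cmd in ("MAIL", "RCPT"):
        if not state.get("greeted"):
            return "503 5.5.1 Error: send HELO/EHLO first", True
        return "250 2.1.0 Ok", True
    if cmd == "DATA":
        state["in_data"] = True
        return '354 Enter mail, end with "." on a line by itself', True
    if cmd == "QUIT":
        return f"221 2.0.0 {HOSTNAME} closing connection", False
    return "500 5.5.1 Command unrecognized", True


def serve(inp, out, log, peer="unknown"):
    """Run one session over file-like objects; returns the number of client lines seen.

    Each line is logged before it is answered, so the attacker's full input is
    preserved even if the session is cut off half-way.
    """
    out.write(BANNER + "\r\n")
    out.flush()
    state, seen = {}, 0
    for line in inp:
        seen += 1
        text = line.rstrip("\r\n")
        log.write(f"honeyd-smtp peer={peer} line={text!r}\n")   # stderr -> syslog under honeyd
        resp, keep_open = reply_for(line, state)
        if resp is not None:
            out.write(resp + "\r\n")
            out.flush()
        if not keep_open:
            break
    return seen


if __name__ == "__main__":
    # HONEYD_IP_SRC / HONEYD_SRC_PORT: exported by honeyd per the documentation (assumption).
    peer = "{}:{}".format(os.environ.get("HONEYD_IP_SRC", "?"),
                          os.environ.get("HONEYD_SRC_PORT", "?"))
    serve(sys.stdin, sys.stdout, sys.stderr, peer)
```

The script never needs to know it is talking to a honeypot: honeyd owns the socket, so the same code can be exercised by piping a transcript into it on the command line before it goes behind port 25.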
Containment
Honeywall
• Appliance based on Unix
• 3 network interfaces
  • Inside (honeypots)
  • Outside (internet)
  • Management
Sebek: spying on your intruder
Honeynet.org: "Sebek is a tool designed for data capture; it attempts to capture most of the attacker's activity on the honeypot, without the attacker knowing it (hopefully), then sends the recovered data to a central logging system."
• Linux kernel module that hooks sys_read()
• Covertly sends the captured data to the honeywall (UDP)
• Recovers keystrokes, uploaded files, passwords, IRC chats, even if the session is encrypted (the data is intercepted at the read() system call, after decryption)
Honeynet Requirements
• Data Control
• Data Capture
Gen II
[Diagram: no data control vs. data control]
Honeynet Bridge
[Diagram: honeywall bridge. Eth0 and Eth1 carry no IP address (bridge ports); Eth2 is the administrative interface at 129.252.xxx.yyy, accepting SSH connections from trusted hosts; honeypots shown at 129.252.140.3 and 192.252.140.7]
What is Data Control and Why?
• Process used to control or contain traffic to a honeynet, above all the traffic leaving it
• Upstream liability: an attack from one of your honeypots
Snort-inline (South Florida Honeynet Project)
Connection Limiting Mode
[Diagram: hub -> data control (Snort-inline + IPTables) -> enemy. IPTables counts outbound connections and DROPs further packets once the limit (here 10) is reached]
Snort-Inline Drop Mode
[Diagram: enemy <-> data control. IPTables hands packets to Snort-inline through ip_queue; Snort rules set to drop, so IPTables drops the packet]
Snort-Inline Replace Mode
[Diagram: as drop mode, but Snort rules set to replace: the matching payload is rewritten in place, e.g. bin/sh -> ben/sh]
GEN II Data Control
Gen II:
• Incorporates a firewall and IDS in one system
• Provides more stealthy data control
• Can be implemented for layer 2 bridging or layer 3 NAT translation
• Packets passed from the internet to the honeynet as layer 2 (datalink) packets
  • no TTL decrement
IPTables for GEN II Honeynet
• IPTables is a free, stateful, open source firewall for Linux 2.4.x and 2.5.x kernels
• Each packet header is compared to a set of "chains"
• Chains contain rules with targets: ACCEPT, DROP, REJECT, QUEUE (QUEUE hands the packet to user space, e.g. to Snort-inline via ip_queue)
• Custom chains: tcpHandler, udpHandler, icmpHandler
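The three Snort-inline modes and the IPTables decision flow above, replayed as an added example over constructed packets (this is not the Honeynet Project's rc.firewall or Snort-inline code; it models their policy so the verdicts can be checked offline). Honeypot and attacker addresses are TEST-NET ranges, the drop signature is made up, the replace pair is the slides' bin/sh -> ben/sh, and the limit of 10 new outbound connections per hour is the figure on the connection-limiting diagram. The iptables lines in the docstring are the assumed equivalent shape of the rules; the sliding window used here is a simplification of the token bucket that iptables' limit match implements.

```python
"""GenII data control model: connection limiting, Snort-inline drop and replace.

Added example, not Honeynet Project code. Assumed iptables equivalents:
  outside -> inside, unrestricted:  iptables -A FORWARD -i eth0 -j ACCEPT
  outbound new connections, capped: iptables -A FORWARD -i eth1 -p tcp --syn -m limit --limit 10/hour --limit-burst 10 -j ACCEPT
  anything over the cap:            iptables -A FORWARD -i eth1 -p tcp --syn -j DROP
  content inspection:               iptables -A FORWARD -j QUEUE   (ip_queue -> Snort-inline: drop / replace)
"""
from collections import defaultdict, deque

INSIDE = {"192.0.2.10", "192.0.2.11"}        # honeypot addresses (constructed)
LIMIT, WINDOW = 10, 3600                     # new outbound TCP connections per honeypot per hour
DROP_SIGS = [b"cat /etc/shadow"]             # constructed stand-in for a Snort-inline 'drop' rule
REPLACE_SIGS = {b"/bin/sh": b"/ben/sh"}      # the slides' replace example


def make_replacer(sigs):
    """Build the replace step. Snort-inline rewrites the packet in place and only
    recomputes checksums, so a replacement must have the same length as the match."""
    for old, new in sigs.items():
        if len(old) != len(new):
            raise ValueError(f"replace must keep length: {old!r} -> {new!r}")

    def replace(payload):
        for old, new in sigs.items():
            payload = payload.replace(old, new)
        return payload
    return replace


class DataControl:
    def __init__(self, limit=LIMIT, window=WINDOW, inside=INSIDE):
        self.limit, self.window, self.inside = limit, window, inside
        self.syns = defaultdict(deque)       # honeypot -> timestamps of recent outbound SYNs
        self.replace = make_replacer(REPLACE_SIGS)
        self.log = []

    def handle(self, t, src, dst, flags, payload=b""):
        """Decide one packet; flags is a set of TCP flag letters. Returns (verdict, payload)."""
        if src not in self.inside:
            return "ACCEPT", payload         # outside -> inside: bridged, no restrictions
        if flags == {"S"}:                   # a new outbound connection attempt
            q = self.syns[src]
            while q and t - q[0] >= self.window:
                q.popleft()                  # expire SYNs older than the window
            if len(q) >= self.limit:
                self.log.append(f"t={t} {src}->{dst} outbound SYN over limit, DROP")
                return "DROP", payload
            q.append(t)
        for sig in DROP_SIGS:                # Snort-inline drop mode
            if sig in payload:
                self.log.append(f"t={t} {src}->{dst} matched {sig!r}, DROP")
                return "DROP", payload
        rewritten = self.replace(payload)    # Snort-inline replace mode
        if rewritten != payload:
            self.log.append(f"t={t} {src}->{dst} payload rewritten, forwarded")
            return "REPLACE", rewritten
        return "ACCEPT", payload


def demo():
    """Twelve outbound SYNs in one hour, then a shell command out and the same bytes in."""
    dc = DataControl()
    verdicts = [dc.handle(i, "192.0.2.10", "203.0.113.5", {"S"})[0] for i in range(12)]
    shell = dc.handle(20, "192.0.2.10", "203.0.113.5", {"P", "A"}, b"exec /bin/sh -i")
    inbound = dc.handle(21, "203.0.113.5", "192.0.2.10", {"P", "A"}, b"exec /bin/sh -i")
    return verdicts, shell, inbound
```

The asymmetry is the whole point of data control: the attacker's inbound traffic is bridged untouched so the honeypot stays convincing, while the tenth outbound SYN in an hour, or a payload the IDS rule matches, is the moment the honeywall stops the honeypot from becoming the upstream liability the previous slide warns about.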
Honeywall
• Bootable CD-ROM
• Standard ISO distribution
• GenII data capture / data control features
• Sebek
• Simple user interface
• Auto-configure from floppy
Customization features
• "Template" customization (file system)
Honeywall
• Standard Intel PC
• 3 ethernet cards
  • Inside (honeypots)
  • Outside (internet)
  • Management
• Outside -> inside: bridge, no restrictions
• Inside -> outside: bridge, restrictions
Honeywall - Roo
Malware catching
Nepenthes (http://nepenthes.carnivore.it)
• Malware-collecting mid-interaction honeypot
• Emulates known vulnerabilities
• Captures the malware trying to exploit them
• Modular architecture
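What "emulate a known vulnerability and capture the malware" looks like in code, as an added example in the Nepenthes style (not Nepenthes' own code). One request handler stands in for a vulnerable service with a fixed-size field; instead of crashing on oversized input it treats the input as an exploit attempt, keeps the payload under its MD5 (Nepenthes names captured samples by hash), measures the NOP sled and extracts the download URL the shellcode carries, so the binary can be fetched afterwards by a separate, sandboxed downloader. The field size, the sample payload and the URL in it are constructed for this example.

```python
"""Vulnerability-emulating capture handler in the Nepenthes style (added example)."""
import hashlib
import re

FIELD_MAX = 64                                   # constructed: size of the "vulnerable" buffer
URL_RE = re.compile(rb"(?:https?|ftp|tftp)://[\x21-\x7e]+")
NOP = b"\x90"


def extract_urls(payload):
    """Return download URLs found in the payload, in order, without duplicates."""
    seen, urls = set(), []
    for m in URL_RE.finditer(payload):
        url = m.group(0).decode("ascii", "replace")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def handle_request(payload, store):
    """Emulate the vulnerable handler; captured payloads go into `store` keyed by MD5.

    Returns a dict describing what happened so a sensor can log or act on it.
    """
    if len(payload) <= FIELD_MAX:
        # Normal-sized input: answer the way the real service would.
        return {"status": "ok", "reply": b"200 OK\r\n"}
    digest = hashlib.md5(payload).hexdigest()
    store[digest] = payload                      # keep the raw exploit for analysis
    longest_sled = max((len(run) for run in re.findall(rb"\x90+", payload)), default=0)
    return {
        "status": "exploit",
        "md5": digest,
        "overflow_by": len(payload) - FIELD_MAX,
        "nop_sled": longest_sled,
        "urls": extract_urls(payload),           # where the bot wants us to fetch its binary from
        "reply": b"",                            # go quiet like a crashed service; the bot moves on
    }


# Constructed exploit attempt: padding past the field, a NOP sled, a few shellcode
# bytes and a NUL-terminated download URL of the kind download stubs embed.
SAMPLE = (b"A" * 80 + NOP * 24
          + b"\x31\xc0\x50\x68" + b"http://198.51.100.7/bot.exe\x00" + b"\xcc")


def demo():
    store = {}
    benign = handle_request(b"GET /index.html", store)
    hit = handle_request(SAMPLE, store)
    return benign, hit, store
```

Keeping the handler shallow is what makes this mid-interaction: it only has to survive the first packet of the exploit and read the URL out of it, never run the shellcode, which is why a sensor like this can sit on many addresses with little risk.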
Real world uses
• SURFnet IDS
  • Honeypot in the sensor
• Qnet
  • Quarantine net sensor
  • Contain the misbehaving host
• Louis mail relay