Honeypots / honeynets

(1)

Honeypots

(2)

Agenda

  HoneypotsHoneypots   HoneynetsHoneynets   HoneywallHoneywall

(3)

Traffic



Problem:



 Vast quantities of normalVast quantities of normal traffictraffic



(4)

Honeypot



 Machine without normal taskMachine without normal task 

 That is never mentionedThat is never mentioned 

 So:So:



 Machine that gets no normal trafficMachine that gets no normal traffic 

 Every network packet is suspectEvery network packet is suspect



 WithWith



 Contained environmentContained environment 

(5)

Where



 Anywhere within netAnywhere within net 

 No specific placeNo specific place 

 Built like productionBuilt like production

machine



(6)

Definition

 A honeypot is a [sacrificial] security resource

whose value lies in being probed, attacked or compromised.



(7)

History



 1990: real systems1990: real systems



 Deploy unpatched Deploy unpatched systems in default systems in default conconfifig g on unprotectedon unprotected

network (

network (‘‘low-hanging fruitlow-hanging fruit’’))



 Easy to deployEasy to deploy



 High-interaction, high-riskHigh-interaction, high-risk



 Nice reading: “Nice reading: “CuckooCuckoo’’s Eggs Egg”” by Clifford Stoll by Clifford Stoll



 1998: service / OS emulation1998: service / OS emulation



 Deception Toolkit, Cyber Cop Sting, Deception Toolkit, Cyber Cop Sting, KFSensor, SpecterKFSensor, Specter



 Easy to deployEasy to deploy



 Low-interaction, low-riskLow-interaction, low-risk



 1999-current: virtual systems1999-current: virtual systems



(8)

History of the

Honeynet

Project



 1999: Lance 1999: Lance Spitzner (Sun) founds Spitzner (Sun) founds HoneynetprojectHoneynetproject



 1999-2001, GenI1999-2001, GenI: : PoCPoC, L3 + (, L3 + (modifimodified ed IP-headers)IP-headers)



 2001-2003, GenII2001-2003, GenII: : GenI GenI + bridging (no TTL, harder to detect)+ bridging (no TTL, harder to detect)



 2003: Release of Eeyore Honeywall 2003: Release of Eeyore Honeywall CD-ROMCD-ROM



 2003-current, GenIII2003-current, GenIII: : GenII GenII + blocking (+ blocking (HoneywallHoneywall))



 2005: Release of Roo Honeywall 2005: Release of Roo Honeywall CD-ROMCD-ROM



 future: ‘future: ‘GenIVGenIV’ ’ refers to next-gen refers to next-gen analysis capabilitiesanalysis capabilities

Honeynet

(9)

Take care!



Machine must look real



Outside traffic possible



 Or clearly fakeOr clearly fake



Capture all traffic



 analyseanalyse



Special restrictions on

outgoing traffic



 Everything is allowedEverything is allowed Low bandwidth (

(10)

Purpose



 ResearchResearch



 Attract Attract blackhatsblackhats 

 Reveal Reveal blackhattacticsblackhattactics, techniques, tools(KYE), techniques, tools(KYE) 

 Reveal motives / intentions(?)Reveal motives / intentions(?) 

 Mostly universities, governments, ISPsMostly universities, governments, ISPs



 ProtectionProtection



 Deter Deter blackhats blackhats from real assetsfrom real assets 

 Provide early warningProvide early warning 

 Mostly governments, large enterprisesMostly governments, large enterprises



 Purpose may determine Purpose may determine honeypot honeypot functionalityfunctionality

and architecture

(11)

Definitions



 DeDefifinitionnition



 A honeynet A honeynet is a network of [high-interaction]is a network of [high-interaction]

honeypots honeypots..





 A A honeywall honeywall is a layer-2 bridge that is placed in-lineis a layer-2 bridge that is placed in-line

between a network and a

between a network and a honeynethoneynet, or between a, or between a network and a

network and a honeypothoneypot, to uni- , to uni- or or bidirectionallybidirectionally capture, control and analyze attacks.

capture, control and analyze attacks.





(12)

Functional requirements of a

honeypot



Data control



Data capture



Data collection



(13)

Entrapment



Applies only to law enforcement



Useful only as defence in criminal

prosecution



Still, most legal authorities consider

honeypots

non-entrapment



Responsibility

for everything done from

our net

(14)

Low vs. High interaction



Low interaction



 Burglar alarmBurglar alarm



 Not to learn about new attacksNot to learn about new attacks



 simplesimple



High interaction



 ResearchResearch



 Look at new thingsLook at new things



 Anatomy of new exploitAnatomy of new exploit



(15)

Realness



Make things look real



 Windows servicesWindows services



 Windows exploitsWindows exploits



(16)

How to

organise

_organise



Honeypot

more

than

unpatched

host



 See what happensSee what happens



 ContainmentContainment



 Check logsCheck logs



 Limit outgoing trafficLimit outgoing traffic



(17)

Honeyd

 

http://www.honeyd.org

 

Framework



 Config Config filefile



 ScriptsScripts forfor emulated servicesemulated services

•

• Internal (python interpreter inInternal (python interpreter in honeyd honeyd)) •

• External (extern process)External (extern process) •

• StdinStdin++stdout stdout = net,= net, stderr stderr == syslog syslog 

(18)

honeyd

(19)

Honeyd



Run on a single ip address



 Several services on one addressSeveral services on one address



Run as

honeynet



 SeveralSeveral hosts on several addresseshosts on several addresses



 Attract trafficAttract traffic

•

• Static route in routerStatic route in router •

(20)

Containment

 

Honeywall

  ApplianceAppliance 

 Based on Based on unixunix



 3 network interfaces3 network interfaces

•

• ManagementManagement •

(21)

Sebek

: spying on your intruder



 HoneynetHoneynet.org: .org: ““Sebek Sebek is a tool designed for datais a tool designed for data

capture, it attempts to capture most of the attackers capture, it attempts to capture most of the attackers activity on the

activity on the honeypothoneypot, without the attacker knowing it, without the attacker knowing it (hopefully), then sends there covered data to a central (hopefully), then sends there covered data to a central logging system.

logging system.””



 Linux kernel module that hooks Linux kernel module that hooks sys_readsys_read()() 

 Covertly sends captured data to Covertly sends captured data to honeywall honeywall (UDP)(UDP) 

 Recovers keystrokes, uploaded Recovers keystrokes, uploaded fifilesles, passwords, IRC, passwords, IRC

chats, even if they are encrypted

(22)

Sebek

(23)

Honeynet

Requirements

_Requirements



Data Control



Data Capture



(24)

Gen II

(25)

No Data Control

(26)

Data Control

(27)

Honeynet

Bridge

_Bridge

Eth0-NO IP Eth1-NO IP 129.252.140.3 _{192.252.140.7} Administrative Interface SSH Connections Trusted Hosts Eth2- 129.252.xxx.yyy

(28)

What is Data Control and

Why?



Process used to control or contain traffic to

a

honeynet



Upstream liability

–

an attack from one of

your

honeypots



Snort-inline

–

South Florida Honeynet

South Florida

Honeynet

Project

(29)

Connection Limiting Mode

Hub Data Control Snort-Inline IPTables Enemy DROP Packet No =10 IPTables

(30)

Snort-Inline Drop Mode

Enemy Data Control

Snort-Inline Hub IP Tables Ip_queue Snort-Inline Snort Rules=Drop IPTables Drop

(31)

Snort-Inline Replace Mode

Enemy Data Control

Snort-Inline Hub IP Tables Ip_queue Snort-Inline Snort Rules=Replace IPTables bin/sh->ben/sh

(32)

GEN II Data Control



Gen II :



 Incorporates a firewall and IDS in one systemIncorporates a firewall and IDS in one system



 Provides more stealthy data controlProvides more stealthy data control



 Can be implemented for layer 2 bridging orCan be implemented for layer 2 bridging or Layer 3 NAT translation

Layer 3 NAT translation



 Packets passed from internet to Packets passed from internet to honeynet honeynet asas layer 2 (

layer 2 (datalinkdatalink) layer packets) layer packets

•

• no TTL decrementno TTL decrement •

(33)

IPTables

for GEN II

_{for GEN II}

Honeynet

_Honeynet



 IPTables is a free, IPTables is a free, statefulstateful, Open Source firewall for Linux, Open Source firewall for Linux

2.4.x and 2.5.x kernels 2.4.x and 2.5.x kernels



 Each packet header is compared to a set of Each packet header is compared to a set of “chains“chains”” 

 Chains contain rules: ACCEPT, DROP, REJECT, QueueChains contain rules: ACCEPT, DROP, REJECT, Queue 

 Custom ChainsCustom Chains

  tcpHandlertcpHandler   udpHandlerudpHandler   icmpHandlericmpHandler

(34)

Honeywall

Bootable CD-ROM



Standard ISO distribution



 GenII GenII Data Capture/Data Control featuresData Capture/Data Control features



 SebekSebek



 Simple User InterfaceSimple User Interface



 Auto-configure from floppyAuto-configure from floppy



Customization features



 ““TemplateTemplate”” customization (file system) customization (file system)



(35)

Honeywall



Standard

intel PC

intel

PC



3

3 ethernet

ethernet

cards



 Inside (Inside (honeypotshoneypots))



 Outside (internet)Outside (internet)



 ManagementManagement



Outside -> inside: bridge, no restrictions



Inside -> outside: bridge, restrictions



(36)

Honeywall

-

_-

Roo

_Roo



(37)

Malware

catching

_catching



Nepentes

(http://nepenthes.carnivore.it)



 Malware-collecting Malware-collecting mid interaction mid interaction honeypothoneypot



 Emulates known vulnerabilitiesEmulates known vulnerabilities



 Captures Captures malware malware trying to exploit themtrying to exploit them



 Modular architectureModular architecture



(38)

Nepentes

(39)

Real world uses



Surfnet

IDS



 Honeypot Honeypot in sensorin sensor



Qnet



 Quarantaine Quarantaine net sensornet sensor



 ContainContain misbehaving hostmisbehaving host



Louis mail relay

