Evaluate the Merits of Using Honeypots to Defend against Distributed Denial-of-Service Attacks on Web Servers

By Cheow Lip Goh


Page 1: By Cheow Lip Goh

Evaluate the Merits of Using Honeypots to Defend against Distributed Denial-of-Service Attacks on Web Servers

By Cheow Lip Goh

Page 2: By Cheow Lip Goh

Content

• Motivations
• DDoS attacks
• Honeypots & Honeynets
• Evaluation
• Conclusion

Page 3: By Cheow Lip Goh

Motivations

• "Paying an extortionist a few thousand dollars to leave your network alone might make bottom-line business sense if the alternative is enduring a distributed denial-of-service attack that could cost your company millions in lost revenue and public relations damage." 'Net Buzz' by Paul McNamara, Network World, 05/23/05

Page 4: By Cheow Lip Goh

DDoS Direct Attack

Page 5: By Cheow Lip Goh

DDoS Reflector Attack

Page 6: By Cheow Lip Goh

Successful Defense against DDoS?

• Normal Packet Survival Rate (NPSR): the percentage of normal packets that make their way to the victim in the midst of a DDoS attack.

• Unfortunately, none of the currently proposed solutions for defending against a fully distributed DDoS attack solves the issue completely.

Page 7: By Cheow Lip Goh

Honeypots & Honeynets

• "A honeypot is a resource whose value is in being attacked or compromised. This means that a honeypot is expected to get probed, attacked and potentially exploited. Honeypots do not fix anything. They provide us with additional, valuable information." Lance Spitzner

• A honeynet is a group of honeypots configured to be exactly like the production servers in the organizations deploying them.

Page 8: By Cheow Lip Goh

Actual Deployment of the Honeynet

Page 9: By Cheow Lip Goh

View of the Honeynet to the Attacker

Page 10: By Cheow Lip Goh

Purpose of the Honeynet in a DDoS Attack

• Lure DDoS attackers into compromising the honeypots in the honeynet, and learn the tools, tactics and motives of the attacker. This knowledge will be used to strengthen the networks and servers running in the organization.

• Serve as a decoy during a real DDoS attack, to deceive the attacker into believing that the DDoS attack is going very well.

Page 11: By Cheow Lip Goh

Evaluation: Issues with Using the Honeynet to Defend against DDoS

• A honeynet is very complicated and costly to set up. 24x7 monitoring is required.

• A compromised honeynet could lead to legal issues.

• The DDoS detection and filtering mechanism might not work properly.

• The traffic forwarder is a big bottleneck.
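The last two issues can be expressed in the NPSR metric defined earlier. The following is an added example, not part of the original presentation: a toy model in which a single traffic forwarder with limited capacity feeds a detector that diverts flagged packets to the honeynet. The topology, function names and all rates are assumptions chosen for illustration.

```python
import random

def simulate_npsr(normal_pps, attack_pps, forwarder_pps,
                  false_pos, false_neg, seconds=20, seed=1):
    """Toy model (assumed, not from the slides): one traffic forwarder sits in
    front of the web servers and the honeynet. Each second it handles at most
    forwarder_pps packets and drops the rest, then a detector sends packets it
    flags as attack traffic to the honeynet and the others to the web servers.

    Returns (npsr, attack_leak): the share of normal packets that reach the web
    servers, and the share of attack packets that reach them as well.
    """
    rng = random.Random(seed)  # fixed seed so runs are repeatable
    sent_normal = sent_attack = delivered_normal = leaked_attack = 0
    for _ in range(seconds):
        arrivals = ["normal"] * normal_pps + ["attack"] * attack_pps
        rng.shuffle(arrivals)                    # packets arrive interleaved
        sent_normal += normal_pps
        sent_attack += attack_pps
        for kind in arrivals[:forwarder_pps]:    # bottleneck: excess is dropped
            if kind == "normal":
                if rng.random() >= false_pos:    # not misflagged as attack
                    delivered_normal += 1
            elif rng.random() < false_neg:       # attack packet the detector missed
                leaked_attack += 1
    return delivered_normal / sent_normal, leaked_attack / sent_attack

def report():
    """Run three constructed scenarios; all rates are illustrative values."""
    scenarios = {
        "ideal forwarder and detector": (1000, 9000, 10000, 0.0, 0.0),
        "detector misflags 20% of normal": (1000, 9000, 10000, 0.2, 0.05),
        "forwarder handles 10% of load": (1000, 9000, 1000, 0.0, 0.0),
    }
    return {name: simulate_npsr(*args) for name, args in scenarios.items()}

if __name__ == "__main__":
    for name, (npsr, leak) in report().items():
        print(f"{name}: NPSR={npsr:.1%}, attack reaching servers={leak:.1%}")
```

In this model a perfect detector does not help once the forwarder saturates: NPSR falls to roughly the ratio of forwarder capacity to offered load.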

Page 12: By Cheow Lip Goh

Conclusion

• The cost of deploying and maintaining a honeynet to defend against a DDoS attack is very significant. Extra prudence should be exercised to evaluate the benefits of such a complex system as a mistake could lead to costly lawsuits or compromise of machines within the intranet.