A VIRTUAL HONEYPOT FRAMEWORK
Author : Niels Provos
Publication: Usenix Security Symposium 2004.
Presenter: Hiral Chhaya for CAP6103
SECURITY SITUATION
We’re unable to make secure computer systems or even measure their security.
New vulnerabilities keep being exploited
Exploit automation and massive global scanning for vulnerabilities to compromise computer systems
We use honeypots as one way to get early warnings of new vulnerabilities
INTRODUCTION: What Is a Honeypot?
Definition: A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
Has no production value;
Used for monitoring, detecting and analyzing attacks
Does not solve a specific problem
Honeypots have a low false positive rate
CLASSIFICATION
By level of interaction: high or low
By implementation: virtual or physical
WHAT IS HONEYD
Honeyd: A virtual honeypot application, which allows us to create thousands of virtual honeypots, each with its own IP address and corresponding network services.
WHAT CAN HONEYD DO?
Simulate TCP and UDP services
Support ICMP
Handle multiple IP addresses simultaneously
Simulate arbitrary network topologies
Support topologically dispersed address spaces
Support network tunneling for load sharing
HONEYD DESIGN
Receiving Network Data
Architecture
Personality Engine
Routing Topology
Logging
RECEIVING NETWORK DATA
Ways for Honeyd to receive traffic for its virtual honeypots:
A special route leads the traffic to the Honeyd host
Proxy ARP for the honeypots' IP addresses
ARCHITECTURE
•Configuration database
•Central packet dispatcher
•Protocol handlers
•Personality engine
•Optional routing component
PERSONALITY ENGINE
To fool fingerprinting tools
Uses the fingerprint databases of Nmap (for TCP and UDP) and Xprobe (for ICMP)
Introduces changes to the headers of every outgoing packet before it is sent to the network
ROUTING TOPOLOGY
Simulates virtual network topologies;
Some honeypots are also configured as routers
Latency and loss rate for each edge is configured;
Support network tunneling and traffic redirection;
HOW TO CONFIGURE
Each virtual honeypot is configured with a template.
Commands:
Create: creates a new template
Set: assigns a personality (fingerprint database entry) to a template and specifies the default behavior of network protocols
Block: all packets dropped
Reset: all ports closed by default
Open: all ports open by default
Add: specifies the available services
Proxy: used for connection forwarding
Bind: assigns a template to a specific IP address
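A worked Honeyd configuration, added here as an illustration (not a file from the paper or from the Honeyd distribution), that combines the template commands above with the routing topology from the earlier slide: one entry router, an edge with configured latency and loss, two templates, and the bindings. The personality strings are assumed to match entries in Honeyd's Nmap fingerprint file, and the script paths are placeholders.

```conf
# Added example: Honeyd configuration tying templates to a virtual topology.
# Personality names are assumed to exist in Honeyd's nmap.prints file;
# script paths are placeholders for the service emulation scripts.

# Virtual topology: 10.0.0.1 is the entry router for the 10.0.0.0/8 space.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.2.0.0/24
# Edge to a second virtual router, with latency and loss rate configured.
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# Template for the virtual routers: all ports closed except telnet.
create routerone
set routerone personality "Cisco 7206 running IOS 11.1(17)"
set routerone default tcp action reset
set routerone default udp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"

# Template for a server host: a few emulated services, UDP silently dropped.
create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
set netbsd default udp action block
set netbsd uptime 1728650
add netbsd tcp port 80 "sh scripts/web.sh"
add netbsd tcp port 23 "sh scripts/telnet.sh"
# Connection forwarding: SSH is proxied back to the connecting host's own port 22.
add netbsd tcp port 22 proxy $ipsrc:22

# Bind templates to IP addresses inside the simulated topology.
bind 10.0.0.1 routerone
bind 10.1.0.1 routerone
bind 10.1.0.2 netbsd
bind 10.2.0.7 netbsd
```

Connections to any of the bound addresses are answered by the Honeyd host and appear in its connection log, so an unexpected hit on, for example, 10.2.0.7:80 is an early indicator of scanning inside the monitored range.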
LOGGING
Honeyd supports several ways of logging network activity.
Honeyd creates connection logs to report attempted and completed connections for all protocols.
Honeyd can be run in conjunction with a NIDS.
APPLICATIONS
Network decoys
Spam Prevention
CONCLUSION
Honeyd has many advantages over a NIDS:
Collects more useful information
Detects vulnerabilities not yet understood
Less likely to produce false positives
Cheats fingerprinting tools
Effective network decoys
Detecting and immunizing against new worms
Spam prevention
WEAKNESSES
Limits interaction to the network level
Does not simulate the whole OS
Adversaries never gain full access to systems
Limited number of simulated services and protocols
What if the worm is smart enough to cheat us? Honeyd itself could then be turned against us.
HOW TO IMPROVE
Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware to have a better forensic analysis of the attacker;
Cheat more fingerprinting tools, e.g. p0f, which passively analyzes network traffic;
Simulate more services and protocols, e.g. with a better TCP state machine.
THANK YOU !!!!!