
.nz honeypot project


Presentation Transcript


  1. Keith Davidson .nz honeypot project

  2. Drive-by-Downloads
     • Attacks launched by servers that target vulnerable clients
     • Web-based client-side attacks (web server attacking web browser)
     • Visiting a page is sufficient for exploit to be delivered
     • Targets a specific vulnerability of the browser, plug-in or the operating system

  3. Study Overview
     Study undertaken by Victoria University of Wellington
     Sponsored by InternetNZ
     Phases:
     • Assess threat posed by servers in the .nz domain compared to other English speaking domains (complete)
     • Analyse the entire .nz domain for the presence of malicious web servers (complete)
     • Re-run analysis monthly for six months and more often on URLs identified as malicious in tests (complete)
     Methodology:
     • Drive vulnerable clients (Windows XP SP2/Internet Explorer 6 SP2) to visit websites, store interaction with the server and watch for anomalous system behaviour

  4. Early Results
     • Phase one:
       • Estimate number of malicious web servers in .au, .com, .nz and .uk domains
       • Inspected a sample of 664,000 URLs
       • Malicious URLs/hosts: .au (26/16), .com (1/1), .nz (3/3), .uk (8/7)
     • Phase two:
       • Visited front page of all .nz web servers identified from zone file (247,198 hosts) in April 2008
       • Found 52 web servers with malicious response or content (April 2008)
       • Malicious servers located in USA, UK, Australia & NZ
       • Exploit servers located in China, Russia, Germany, UK, USA, South America

  5. Technology
     • Using software platform initially developed by Christian Seifert and a team of research assistants as part of his PhD at Victoria University of Wellington.
     • Software is released as open source (GPL-ed) and hosted by the international Honeynet Project
     • Capture-HPC (a high interaction honeyclient) is obtainable from: https://projects.honeynet.org/capture-hpc/

  6. Technology Update
     • Capture-HPC 2.5.1 (released 8th September 2008)
       • Faster detection, more options
     • New release expected in Q2/2009
       • More network monitoring support
       • Database support
       • Visualisation of data and reports
       • Enhanced documentation for systems admin and developers

  7. Results – Confirmed malicious servers

  8. Results – Persistence of Malicious Servers (chart; axis label: Months)

  9. Discussion
     • Initial results indicate a slight upward trend overall
     • High variability month by month
     • 43% on average are newly malicious on monthly scans
     • Malicious servers typically redirect to an exploit server located outside the .nz domain
     • Many sites remain malicious for long periods before system administrators detect and nullify malicious behaviour
     • Over 53% remain malicious for 1 month or more

  10. Table of Data – Malicious Servers .nz

  11. Summary
     Provides an opportunity for very small investment for other ccTLDs to collaborate with their local universities
     International collaboration and development of the source code would:
     • enhance the overall robustness testing
     • develop new tests
     • provide useful international benchmarking

  12. Links / Thanks
     • www.mcs.vuw.ac.nz/Main/ResearchSpotlightOnHoneypots
     • www.internetnz.net.nz/projects/honeypot
     Keith Davidson, Executive Director – InternetNZ
     keith@internetnz.net.nz
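
The methodology on slide 3 (visit a site, store the interaction, watch for anomalous system behaviour) and the slide 9 observation that malicious servers hand off to an exploit server outside .nz, shown as an added example; it is not code from the presentation or from Capture-HPC. The exclusion patterns, event tuples, host names and the `Visit`, `unexplained` and `classify` names are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Constructed exclusion list: state changes a clean IE6 page load is assumed to
# cause. Illustrative patterns only, not Capture-HPC's shipped lists or format.
EXCLUSIONS = [(kind, action, re.compile(pattern, re.IGNORECASE)) for kind, action, pattern in [
    ("file", "write", r".*\\Temporary Internet Files\\.*"),
    ("file", "write", r".*\\Cookies\\.*"),
    ("registry", "set", r"HKCU\\Software\\Microsoft\\Internet Explorer\\.*"),
]]

@dataclass
class Visit:
    url: str
    hosts: list   # hosts contacted during the visit, in order (stored interaction)
    events: list  # (kind, action, target) state changes seen on the client

def unexplained(events):
    """Return the state changes that no exclusion rule accounts for."""
    return [e for e in events
            if not any(k == e[0] and a == e[1] and rx.fullmatch(e[2])
                       for k, a, rx in EXCLUSIONS)]

def classify(visit, zone=".nz"):
    """Flag a visit as malicious if any state change is unexplained."""
    evidence = unexplained(visit.events)
    # For flagged visits, list contacted hosts outside the scanned zone:
    # candidates for the exploit server the landing page handed off to.
    off_zone = [h for h in visit.hosts if not h.endswith(zone)] if evidence else []
    return {"url": visit.url, "malicious": bool(evidence),
            "evidence": evidence, "off_zone_hosts": off_zone}

# Constructed sample visits (hosts and paths are made up for this example).
IE_CACHE = r"C:\Documents and Settings\lab\Local Settings\Temporary Internet Files"
CLEAN = Visit("http://clean.example.nz/", ["clean.example.nz", "cdn.example.com"], [
    ("file", "write", IE_CACHE + r"\Content.IE5\index[1].htm"),
    ("registry", "set", r"HKCU\Software\Microsoft\Internet Explorer\TypedURLs\url1"),
])
INFECTED = Visit("http://hacked.example.nz/", ["hacked.example.nz", "exploit.example.net"], [
    ("file", "write", IE_CACHE + r"\Content.IE5\a[1].js"),
    ("file", "write", r"C:\WINDOWS\system32\dropped.exe"),
    ("process", "create", r"C:\WINDOWS\system32\dropped.exe"),
])

if __name__ == "__main__":
    for v in (CLEAN, INFECTED):
        print(classify(v))
```

The verdict depends entirely on how complete the exclusion list is: a pattern that is too broad hides real droppers, and one that is too narrow flags ordinary browser caching.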
