
Honeypot, Botnet, Security Measurement, Email Spam


Presentation Transcript


  1. Honeypot, Botnet, Security Measurement, Email Spam
     Cliff C. Zou, CDA6938, 02/01/07

  2. What Is a Honeypot? “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”

  3. Example of a Simple Honeypot
     • Install a vulnerable OS and software on a machine
     • Install monitor or IDS software
     • Connect it to the Internet (with a global IP)
     • Wait and monitor it being scanned, attacked, compromised
     • Finish the analysis, clean the machine

  4. Benefit of Deploying Honeypots
     • Risk mitigation:
       • A deployed honeypot may lure an attacker away from the real production systems (“easy target”).
     • IDS-like functionality:
       • Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.
     • Attack analysis:
       • Binary code analysis of captured attack code
       • Spying on the attacker’s ongoing actions
       • Finding out the reasons and strategies behind an attack: why and how you are attacked.

  5. Honeypot Classification
     • High-interaction honeypots
       • A full and working OS is provided for being attacked
       • VMware virtual environment
         • Several VMware virtual hosts in one physical machine
     • Low-interaction honeypots
       • Only emulate specific network services
       • No real interaction or OS
       • Honeyd
     • Honeynet/honeyfarm
       • A network of honeypots

  6. Low-Interaction Honeypots
     • Pros:
       • Easy to install (simple program)
       • No risk (no vulnerable software to be attacked)
       • One machine supports hundreds of honeypots
     • Cons:
       • No real interaction to be captured
       • Limited logging/monitoring function
       • Easily detectable by attackers

  7. High-Interaction Honeypots
     • Pros:
       • Real OS, captures all attack traffic/actions
       • Can discover unknown attacks/vulnerabilities
     • Cons:
       • Time-consuming to build/maintain/analyze
       • Risk of being used as a stepping stone
         • Must have a firewall blocking all outgoing traffic
       • High computing resource requirements

  8. Honeynet
     • A network of honeypots
     • High-interaction honeynet
       • A distributed network composed of many honeypots
     • Low-interaction honeynet
       • Emulate a virtual network in one physical machine
       • Example: honeyd
     • Mixed honeynet
       • “Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm”, presented next week
     • Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

  9. What Is a Botnet?
     • A network of compromised computers controlled by their attacker
       • Users of the zombie machines do not know
       • Mostly home computers with broadband
     • The main source for many attacks now
       • Distributed Denial-of-Service (DDoS)
       • Extortion
       • Email spam, phishing
       • Ad fraud
       • User information: documents, keyloggers, …

  10. How to Build a Botnet?
     • Infect machines via:
       • Internet worms, viruses
       • Email viruses
       • Backdoors left by previous malware
       • Trojan programs hidden in free download software, games
       • …
     • Bots phone back to receive commands

  11. Botnet Architecture
     [Diagram: attacker → bot controllers → bots]
     • Bot controller
       • Usually an IRC server (Internet Relay Chat)
       • Dozens of controllers for robustness

  12. Botnet Monitoring
     • Hijack one of the bot controllers
       • The DNS provider redirects the domain name to the monitor
       • Still cannot cut off a botnet (dozens of controllers)
       • Can obtain most/all bots’ IP addresses
     • Let honeypots join a botnet
       • Can monitor all communications
       • No complete picture of the botnet

  13. Security Measurement
     [Diagram: monitored traffic from the Internet into unused IP space of the local network]
     • Monitor network traffic to understand/track Internet attack activities
     • Monitor incoming traffic to unused IP space
       • TCP connection requests
       • UDP packets

  14. Refining Monitoring
     • TCP SYN is not enough (IP and port only)
       • Need to distinguish different attacks
     • Low-interaction honeypots (honeyd)
       • Obtain the first attack payload by replying SYN/ACK
       • Used by the “Internet Motion Sensor” at U. Michigan
       • Paper presented next…
     • High-interaction honeypots
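Slides 4, 13 and 14 share one detection idea: a honeypot or an unused address range receives no legitimate traffic, so every arriving packet is unsolicited and worth classifying by protocol and destination port before any payload is collected. The following is an added example (not from the lecture) that applies that rule to constructed flow records; the address ranges are RFC 5737 documentation prefixes and the log format is invented for the example.

```python
"""Classify incoming flows against unused address space (a darknet / honeypot range).

Added example, not from the lecture slides. Flow lines, prefixes and the record
layout are constructed for illustration.
"""
import ipaddress
from collections import Counter, defaultdict

# Constructed: address space with no legitimate hosts. Any packet arriving here is
# unsolicited, which is the slide's rule that all honeypot traffic is suspicious.
UNUSED_SPACE = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.128/25")]

# Constructed flow records: timestamp proto src:port -> dst:port [flags]
SAMPLE_FLOWS = """\
2007-02-01T10:00:01 TCP 203.0.113.5:4123 -> 192.0.2.17:445 SYN
2007-02-01T10:00:01 TCP 203.0.113.5:4124 -> 192.0.2.18:445 SYN
2007-02-01T10:00:02 TCP 203.0.113.5:4125 -> 192.0.2.19:445 SYN
2007-02-01T10:00:02 UDP 203.0.113.77:1434 -> 198.51.100.200:1434
2007-02-01T10:00:03 TCP 203.0.113.9:51000 -> 198.51.100.10:80 SYN
2007-02-01T10:00:04 TCP 203.0.113.42:3333 -> 192.0.2.250:135 SYN
"""


def parse_flow(line):
    """Split one constructed flow line into a dict; None for blank or short lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts, proto, src, _, dst = parts[:5]
    flags = parts[5] if len(parts) > 5 else ""
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": ipaddress.ip_address(dst_ip), "dport": int(dst_port),
            "flags": flags}


def in_unused_space(addr):
    """True if the destination lies in a range that should never see traffic."""
    return any(addr in net for net in UNUSED_SPACE)


def analyze(text):
    """Return (suspicious_flows, hits per (proto, dport), sources per (proto, dport)).

    Only flows into unused space are kept; the per-port counters are the first
    step of "distinguishing different attacks" from IP/port data alone.
    """
    suspicious = []
    by_port = Counter()
    sources = defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or not in_unused_space(flow["dst"]):
            continue  # destination is a real host: outside this monitor's scope
        suspicious.append(flow)
        key = (flow["proto"], flow["dport"])
        by_port[key] += 1
        sources[key].add(flow["src"])
    return suspicious, by_port, sources


if __name__ == "__main__":
    flows, by_port, sources = analyze(SAMPLE_FLOWS)
    print(f"{len(flows)} unsolicited flows into unused space")
    for (proto, port), n in by_port.most_common():
        print(f"  {proto}/{port}: {n} packets from {len(sources[(proto, port)])} source(s)")
```

With only SYN/UDP headers the monitor can say which ports are being probed and by how many sources, but not which exploit is carried; that is the gap slide 14 fills by replying SYN/ACK to capture the first payload.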

  15. Remote Fingerprinting
     • Actively probe remote hosts to identify their OS, physical devices, etc.
       • Different OSes respond differently to service requests
       • Different hardware responds differently
     • Purposes:
       • Understand Internet computers
       • Remove the DHCP issue in monitored data
     • Paper presented later

  16. Data Sharing: Traffic Anonymization
     • Sharing monitored network traffic is important
       • Collaborative attack detection
       • Academic research
     • Privacy and security exposure in data sharing
       • Packet header: IP address, service port exposure
       • Packet content: more serious
     • Data anonymization
       • Change packet header: preserve IP prefix, and …
       • Change packet content
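The "preserve IP prefix" bullet means that two addresses sharing a k-bit prefix must still share a k-bit prefix after anonymization, so shared data keeps its subnet structure for analysis while hiding real hosts. The following is an added example (not from the slides, and not the Crypto-PAn library) implementing that property with a keyed PRF: anonymized bit i is the original bit i XORed with an HMAC-derived bit of the original bits before it. The key and sample addresses are constructed.

```python
"""Prefix-preserving IPv4 anonymization with a keyed PRF.

Added example, not from the lecture. Anonymized bit i depends only on the
original bits 0..i-1, so addresses sharing a k-bit prefix map to addresses
sharing a k-bit prefix. Key and sample addresses are constructed.
"""
import hashlib
import hmac
import ipaddress
from itertools import combinations

SECRET_KEY = b"constructed-demo-key"  # constructed; a real deployment keeps this secret


def _prf_bit(key, prefix_bits):
    """One pseudorandom bit derived from the already-processed prefix."""
    digest = hmac.new(key, prefix_bits.encode("ascii"), hashlib.sha256).digest()
    return digest[0] & 1


def anonymize_ipv4(addr, key=SECRET_KEY):
    """Return the prefix-preserving anonymized form of a dotted-quad IPv4 string."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = []
    for i, b in enumerate(bits):
        # flip bit i according to a PRF of the ORIGINAL bits before position i;
        # identical prefixes therefore get identical flips
        flip = _prf_bit(key, bits[:i])
        out.append(str(int(b) ^ flip))
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def shared_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses have in common (0..32)."""
    xor = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - xor.bit_length()


def prefix_structure_preserved(addrs, key=SECRET_KEY):
    """Check that every pair keeps its shared-prefix length after anonymization."""
    anon = {a: anonymize_ipv4(a, key) for a in addrs}
    return all(shared_prefix_len(a, b) == shared_prefix_len(anon[a], anon[b])
               for a, b in combinations(addrs, 2))


if __name__ == "__main__":
    sample = ["192.0.2.10", "192.0.2.200", "192.0.3.1", "203.0.113.5"]  # constructed
    for a in sample:
        print(f"{a:>15} -> {anonymize_ipv4(a)}")
    print("prefix structure preserved:", prefix_structure_preserved(sample))
```

The trade-off the slide hints at with "more serious" for packet content applies here too: prefix preservation leaks structure (an analyst who knows one real address in a shared /24 can relate others to it), which is why the key must stay with the data owner and content needs separate treatment.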

  17. Why So Much Email Spam?
     • No authentication/authorization in email
       • Receiving unsolicited email is by design
       • Sending fake email is so easy
         • Shown on the next slide
     • Profit:
       • It takes a dime to send out millions of spam emails
       • A few effective spam messages give back a good profit
     • No penalty for spam (law, out-of-country spam)

  18. Sample Fake Email Sending
     telnet longwood.cs.ucf.edu 25
     S: 220 longwood.cs.ucf.edu ESMTP Sendmail 8.13.8/8.13.8; …
     C: HELO fake.domain
     S: 250 Hello crepes.fr, pleased to meet you
     C: MAIL FROM: alice@mit.edu
     S: 250 alice@mit.edu... Sender ok
     C: RCPT TO: czou@cs.ucf.edu
     S: 250 czou@cs.ucf.edu ... Recipient ok
     C: DATA
     S: 354 Enter mail, end with "." on a line by itself
     C: subject: who am I?
     C: Do you like ketchup?
     C: .
     S: 250 Message accepted for delivery
     C: QUIT
     S: 221 longwood.cs.ucf.edu closing connection

  19. Current Major Spam Defenses
     • Signature-based filtering
       • SpamAssassin, etc.: based on keywords, rules on headers…
     • Blacklisting-based filtering
       • DNS black list, dynamically updated (Spamhaus)
     • Sender authentication
       • Caller ID (Microsoft) http://en.wikipedia.org/wiki/Caller_ID
       • Sender Policy Framework (SPF) http://www.openspf.org/
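SPF closes the hole shown on slide 18: the receiving MTA takes the domain of MAIL FROM, fetches that domain's SPF TXT record, and checks whether the connecting client's IP is one the domain has authorized to send for it. The following is an added example (not from the slides and not any real SPF library) of that evaluation for the ip4 and all mechanisms of RFC 7208; DNS is replaced by a constructed table of records so it runs offline, and mechanisms that need live DNS (include, a, mx, ptr, exists) are reported rather than resolved.

```python
"""Minimal SPF (RFC 7208) evaluator for the ip4 and all mechanisms.

Added example; not part of the lecture slides or of any SPF implementation.
The record table stands in for DNS TXT lookups so the code runs offline.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups of "v=spf1" records
SPF_RECORDS = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.7 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/25 ~all",
    "example.net": "v=spf1 include:_spf.example.com -all",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain, records=SPF_RECORDS):
    """Return the domain's spf1 record, or None if it publishes none."""
    rec = records.get(domain.lower())
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_host(client_ip, domain, records=SPF_RECORDS):
    """Evaluate client_ip against the SPF record of domain.

    Returns pass/fail/softfail/neutral/none/permerror as named in RFC 7208.
    """
    record = lookup_spf(domain, records)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"  # default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name == "ip4":
            if "/" not in value:
                value += "/32"  # bare address means a single host
            if ip.version == 4 and ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue  # no match on this term, try the next one
        # include:, a, mx, ptr, exists need live DNS; this simplified evaluator
        # reports them as permerror instead of resolving them
        return "permerror"
    return "neutral"  # no term matched (RFC 7208 section 4.7 default)


def check_mail_from(client_ip, mail_from, records=SPF_RECORDS):
    """Apply check_host to the domain part of the SMTP MAIL FROM address."""
    domain = mail_from.rsplit("@", 1)[-1]
    return check_host(client_ip, domain, records)


if __name__ == "__main__":
    # constructed client addresses for the forged-sender case of slide 18
    print(check_mail_from("203.0.113.9", "alice@mit.edu"))   # mit.edu publishes nothing here
    print(check_mail_from("203.0.113.9", "bob@example.com"))  # listed range -> pass
    print(check_mail_from("192.0.2.77", "bob@example.com"))   # not listed -> fail
```

A result of "none" (as for the forged alice@mit.edu in the constructed table) is exactly why SPF only helps once the spoofed domain publishes a record; "fail" with -all lets the receiver reject at RCPT time, while "~all" only marks the message for downstream filtering such as SpamAssassin.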
