Intrusion Detection using Honeypots
Patrick Brannan
Honeyd with virtual machines

What is a honeypot?
• A closely monitored network decoy serving several purposes
• Distracts adversaries from vulnerable machines
• Provides early warning (new attacks & exploits)
• Allows in-depth examination of adversaries during and after exploitation

Problems and Solution
• Physical machines are expensive and costly to maintain
• Attacks can corrupt machines
  • Destroy the box
  • Destroy the software
• Solution
  • Honeyd or a similar product

Honeyd
• A program that can simulate multiple operating systems and multiple IP addresses
• One box can run many honeypots
• Simulates the network stack of each OS
• Provides arbitrary routing topologies
• Because it simulates only the stack, it can monitor only the connection and the compromise attempt

Why is Honeyd better?
• A NIDS requires signatures of known attacks
• With Honeyd all traffic is saved and can be viewed later, so there is no worry about a new means of exploitation going unregistered
• A honeypot has no production value, so all traffic to it is suspect and fewer false positives result
Honeyd + Virtual Machine
• Honeyd can only simulate the TCP/IP stack
• Combined with a virtual machine, the attacker can now try exploits against a whole operating system
• Can detect and learn about all new types of exploits and dangers, as opposed to just the connection

Design
• Honeyd replies to network packets whose destination IP address belongs to one of the simulated honeypots
• The router receives the packet and forwards it on via iptables
• Honeypots can be placed behind multiple firewalls

Combination
• Honeyd alone cannot provide enough information to prevent future attacks
• Combined with a VM we can now record the new attack method and what the attacker was after
• New attack methods can potentially lead to more damaging attacks
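The following honeyd.conf is an added example, not part of Brannan's slides, that puts the Honeyd, Design and Combination slides into one configuration: several emulated personalities bound to decoy addresses, a simulated routing topology so the decoys appear to sit behind a router, and one decoy whose service ports are proxied to a real virtual machine so the attacker interacts with a complete operating system while Honeyd still records every connection. All addresses, template names, script paths and the VM's IP (10.0.99.50) are assumptions chosen for illustration; personality strings must match entries in the nmap fingerprint file shipped with Honeyd.

```conf
# honeyd.conf (added example, not from the slides). Addresses, template
# names, script paths and the VM IP are made up for illustration.

# Template applied to any address honeyd is asked about but that is not
# bound below. The first "default" is the template name, the second is
# the keyword for the per-protocol default action.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A simulated Windows host: honeyd emulates the stack fingerprint so
# scanners classify it as the named personality.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
set windows uptime 1728650
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open

# A simulated Linux host with a scripted SSH responder (assumed script path).
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action block
add linux tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add linux tcp port 25 open

# Honeyd + VM (the "Combination" slide): honeyd still answers at the
# IP/TCP level with the Linux personality and logs the connection, but
# the payload of these ports is handed to a real VM at 10.0.99.50
# (assumed address), so exploits run against a whole operating system.
create vmfront
set vmfront personality "Linux 2.4.20"
set vmfront default tcp action reset
add vmfront tcp port 22 proxy 10.0.99.50:22
add vmfront tcp port 80 proxy 10.0.99.50:80

# Simulated topology: a router at 10.0.0.1 fronting two subnets, with
# latency and loss on the far link so the decoys look like a real network.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 40ms loss 0.1
route 10.0.1.1 link 10.0.1.0/24

# Bind templates to decoy addresses (the routers need a personality too).
bind 10.0.0.1 linux
bind 10.0.1.1 linux
bind 10.0.0.10 windows
bind 10.0.0.11 windows
bind 10.0.1.20 linux
bind 10.0.1.21 vmfront
```

Run it with `honeyd -d -f honeyd.conf -l honeyd.log -i eth0 10.0.0.0/16`; `-l` writes the packet log that the "Why is Honeyd better?" slide relies on (every connection to a decoy is recorded, signatures or not). The packets must actually reach the honeyd host, either by running `arpd 10.0.0.0/16` on the same box so it answers ARP for the unused addresses, or by a static route on the upstream router pointing the decoy range at the honeyd host, which is the router-forwarding arrangement of the Design slide. The proxied VM should be reachable only from the honeyd host and firewalled from the production network, since by design it will be compromised.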
Conclusion
• Since all traffic is monitored, no attack goes unnoticed
• With a VM we can build new defenses for real systems
• Great flexibility and record keeping are possible