A Virtual Honeypot Framework Niels Provos, Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA Presented by: Sean Mondesire
Honeyd’s Contributions • Provides an alternative technique for detecting attacks • Extremely low-cost option for honeypots • A model framework for low-interaction honeypots.
Agenda 1. Introduction of Honeypots 2. Honeyd 3. Critique of Honeyd 4. Recent Work 5. Honeyd’s Contributions
What are Honeypots? • A monitored computer system deployed in the hope that it will be probed, attacked, and compromised. • All incoming and outgoing data is recorded. • Because the system offers no production service, any contact with it is considered suspicious. • Can run any OS with any amount of functionality.
Honeypots’ Goals • Capture information about attacks • System vulnerabilities • System responses • Capture information about attackers • Attack methods • Scan patterns • Identities • Be attacked!
Etymology of Honeypots • Winnie-the-Pooh • His desire for pots of honey led him into various predicaments • Cold War terminology • A female communist agent used to entrap a male Westerner • Outhouses • “Honey”: euphemism for waste • Attackers are the flies drawn to the smell
Physical vs. Virtual Honeypots • Physical Honeypot: • Real machine • Runs one OS to be attacked • Has its own IP address • Virtual Honeypot: • Virtual machine on top of a real machine • Can run a different OS than the real machine • Real machine responds to network traffic sent to the virtual machine
Physical vs. Virtual Honeypots (diagram: physical honeypots and virtual honeypots, each reachable from the Internet)
Virtual Honeypot Types • High-Interaction: • Simulates all aspects of an OS • Can be compromised completely • Low-Interaction • Simulates some parts of an OS • Example: Network Stack • Simulates only services that cannot lead to complete system compromise
Honeyd • A virtual honeypot framework • Can simulate different OSs at once • Each honeypot is allocated its own IP address • Low-Interaction • Only the network stack is simulated • Attackers interact with the honeypots only at the network level • Supports TCP and UDP services • Handles ICMP messages as well
Honeyd: The Architecture • Configuration Database • Central Packet Dispatch • Protocol handlers • Personality Engine • Routing Component (optional)
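The first three components above are easiest to see from Honeyd's configuration file: templates are created, given a personality and per-port actions, and bound to IP addresses; the dispatcher then looks up the template for a packet's destination address and the protocol handler applies the configured action. The following is an added example, not code from the Honeyd project: a small Python parser for the subset of Honeyd's configuration language used in the paper (create / set personality / set default action / add port / bind) together with the lookup the central dispatcher performs. The configuration text is constructed for this example, routing statements are not handled, and treating a protocol with no default action as "block" is an assumption made here rather than something the page states.

```python
"""Toy model of Honeyd's configuration database and central packet dispatch.

Added example, not code from the Honeyd project.  parse_config() reads the
subset of Honeyd's configuration language shown in the paper; dispatch()
answers the question the dispatcher asks for every incoming packet: which
template owns the destination address, and what does the protocol handler do
with this port?
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed configuration in Honeyd's own syntax (not taken from the page).
SAMPLE_CONFIG = """\
# template for a Windows host
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows udp port 137 open

# template for a Linux host
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
add linux tcp port 22 "sh scripts/ssh.sh"
add linux tcp port 80 "sh scripts/web.sh"

bind 192.168.1.5 windows
bind 192.168.1.6 linux
"""

SIMPLE_ACTIONS = {"open", "block", "reset"}   # anything else is a service script


@dataclass
class Template:
    name: str
    personality: Optional[str] = None
    defaults: Dict[str, str] = field(default_factory=dict)           # proto -> action
    ports: Dict[Tuple[str, int], str] = field(default_factory=dict)  # (proto, port) -> action


@dataclass
class Config:
    templates: Dict[str, Template] = field(default_factory=dict)
    bindings: Dict[str, str] = field(default_factory=dict)           # ip -> template name


def parse_config(text: str) -> Config:
    """Parse create/set/add/bind statements; reject anything else loudly."""
    cfg = Config()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tok = shlex.split(raw, comments=True)   # handles quoted script names and '#'
        if not tok:
            continue
        try:
            if tok[0] == "create" and len(tok) == 2:
                cfg.templates[tok[1]] = Template(tok[1])
            elif tok[0] == "set" and tok[2] == "personality" and len(tok) == 4:
                cfg.templates[tok[1]].personality = tok[3]
            elif tok[0] == "set" and tok[2] == "default" and tok[4] == "action" and len(tok) == 6:
                cfg.templates[tok[1]].defaults[tok[3]] = tok[5]
            elif tok[0] == "add" and tok[3] == "port" and len(tok) == 6:
                cfg.templates[tok[1]].ports[(tok[2], int(tok[4]))] = tok[5]
            elif tok[0] == "bind" and len(tok) == 3:
                if tok[2] not in cfg.templates:
                    raise KeyError(tok[2])
                cfg.bindings[tok[1]] = tok[2]
            else:
                raise ValueError("unsupported statement")
        except (KeyError, IndexError, ValueError) as exc:
            raise ValueError(f"line {lineno}: {raw.strip()!r}: {exc}") from exc
    return cfg


def dispatch(cfg: Config, dst_ip: str, proto: str, port: int):
    """Decision for one packet: None if no virtual honeypot owns dst_ip
    (Honeyd ignores it), else (action, script) with action in
    open / reset / block / script.  Assumption (not from the paper): a
    protocol with no configured default action is treated as "block"."""
    name = cfg.bindings.get(dst_ip)
    if name is None:
        return None
    tmpl = cfg.templates[name]
    action = tmpl.ports.get((proto, port), tmpl.defaults.get(proto, "block"))
    if action in SIMPLE_ACTIONS:
        return (action, None)
    return ("script", action)


def personality_for(cfg: Config, dst_ip: str) -> Optional[str]:
    """Which OS personality the personality engine will imitate for dst_ip."""
    name = cfg.bindings.get(dst_ip)
    return cfg.templates[name].personality if name else None


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for ip, proto, port in [("192.168.1.5", "tcp", 80), ("192.168.1.5", "tcp", 23),
                            ("192.168.1.6", "tcp", 22), ("192.168.1.7", "tcp", 80)]:
        print(ip, proto, port, "->", dispatch(cfg, ip, proto, port), personality_for(cfg, ip))
```

The point the model makes explicit is that an "open" port with no script completes the TCP handshake and nothing more, a "reset" answers with RST, and "block" drops silently; only a script gives the attacker anything to talk to, and even then only what the script implements.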
Personality Engine • A virtual honeypot's personality: • The network stack behavior of a given operating system • The personality engine alters outgoing packets to mimic that VH's OS • Changes protocol headers • Used to thwart fingerprinting tools: • Examples: Xprobe and Nmap
Routing Options • Proxy ARP • Configured Routing • Routing Tables • Routing Trees • Generic Routing Encapsulation • Network Tunneling • Load balancing
Experiments • A virtual honeypot was created for every fingerprint in Nmap's database • 600 distinct fingerprints • Each VH had one port open, running a web server • Nmap was run against the address space allocated to all the VHs • 555 fingerprints were correctly identified • 37 returned a list of possible OSs rather than a single match • 8 could not be identified
Applications • Network Decoys • Lure attackers to virtual honeypots, not real machines • Detecting and Countering Worms • Capture packets sent by worms • Use large amounts of VH’s across large address space • Spam Prevention • Monitor open proxy servers and open mail relays • Forward suspicious data to spam filters
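All three applications depend on the same mechanism: a service script attached to a port that answers convincingly enough to keep the peer talking while recording everything it sends. The block below is an added example, not a script from the Honeyd distribution: a minimal HTTP decoy written the way Honeyd service scripts are, reading the request from stdin and writing the reply to stdout. It assumes, as stated in the code, that Honeyd passes the peer address in the environment variables HONEYD_IP_SRC and HONEYD_SRC_PORT and that the operator collects the script's stderr as its log; the sample request in the test is constructed.

```python
#!/usr/bin/env python3
"""Low-interaction HTTP decoy written as a Honeyd service script.

Added example; not a script shipped with Honeyd.  Honeyd connects a service
script to the attacker's TCP stream via stdin/stdout, so the script only
parses a request and writes a canned reply.  There is no real web server,
shell or filesystem behind it, which is why a low-interaction honeypot cannot
be taken over through this port.  Assumptions made here and not taken from the
paper: the peer address arrives in HONEYD_IP_SRC / HONEYD_SRC_PORT, and the
operator collects the script's stderr as the log.  Wired into a template with
    add windows tcp port 80 "python3 scripts/web.py"
"""
import os
import sys
import time
from typing import Optional, Tuple

SERVER_BANNER = b"Microsoft-IIS/5.0"   # constructed: agrees with a Windows personality
MAX_REQUEST = 8192                      # bytes accepted before the client is cut off


def handle_request(raw: bytes, src_ip: str, src_port: str,
                   now: Optional[float] = None) -> Tuple[bytes, str]:
    """Return (response_bytes, log_line) for one raw HTTP request.

    Only GET and HEAD get a 200 with a tiny page; anything else (including a
    non-HTTP payload a worm might fire at port 80) gets a 400.  Every request
    line is logged, because on a honeypot all contact is suspicious.
    """
    if now is None:
        now = time.time()
    first = raw.split(b"\r\n", 1)[0].split(b"\n", 1)[0]
    parts = first.split()
    method = parts[0].decode("latin-1", "replace") if parts else "-"
    target = parts[1].decode("latin-1", "replace") if len(parts) > 1 else "-"

    if method in ("GET", "HEAD") and len(raw) < MAX_REQUEST:
        status, body = b"200 OK", b"<html><body><h1>It works!</h1></body></html>"
    else:
        status, body = b"400 Bad Request", b""

    headers = [
        b"HTTP/1.1 " + status,
        b"Server: " + SERVER_BANNER,
        b"Content-Type: text/html",
        b"Content-Length: " + str(len(body)).encode(),
        b"Connection: close",
    ]
    response = b"\r\n".join(headers) + b"\r\n\r\n"
    if method != "HEAD":
        response += body

    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    log_line = "%s src=%s:%s method=%s target=%s bytes=%d first=%r" % (
        stamp, src_ip, src_port, method, target, len(raw), first[:200])
    return response, log_line


def read_request(stream) -> bytes:
    """Read headers up to the blank line or MAX_REQUEST bytes, without
    waiting for EOF (the attacker may hold the connection open)."""
    buf = b""
    while len(buf) < MAX_REQUEST:
        line = stream.readline()
        if not line:
            break
        buf += line
        if line in (b"\r\n", b"\n"):
            break
    return buf


if __name__ == "__main__":
    raw = read_request(sys.stdin.buffer)
    response, log_line = handle_request(
        raw,
        os.environ.get("HONEYD_IP_SRC", "?"),     # assumed variable names
        os.environ.get("HONEYD_SRC_PORT", "?"),
    )
    sys.stderr.write(log_line + "\n")
    sys.stdout.buffer.write(response)
    sys.stdout.buffer.flush()
```

The banner should agree with the template's personality (an IIS banner on a host whose network stack claims to be Linux is exactly the kind of clue the Weaknesses slide warns about), and the 400 path matters as much as the 200 path: worm payloads are rarely well-formed HTTP, and the request bytes are the evidence the honeypot exists to collect.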
Conclusions • Honeyd is a framework for running multiple virtual honeypots • Mimics OS network stack behaviors to deceive attackers • Provides a tool for network security research • Network decoys • Spam • Worm detection
Honeyd’s Strengths • Supports an array of different OS network stacks • Fools attackers' fingerprinting tools • Can support a large number of VHs across large address spaces • Easily configurable to test various security issues • Routing configuration • OS options
Honeyd’s Weaknesses • Low-Interaction • Only the network stack is implemented • Not all OS services are available • Not all system vulnerabilities can be tested • Personality engine is not 100% accurate • The 37 ambiguous and 8 failed identifications in the Nmap experiment • Could give attackers clues as to which addresses are honeypots
Future Work • Implement middle-interaction honeypots • Increase the number of OS services per VH • Experiment with Honeyd and physical honeypots on the same network • Improve the accuracy of the personality engine
Related Current Work • Middle-Interaction • mwcollect • nepenthes • The Honeynet Project • Raise Awareness • Teach and Inform • Research
Honeyd’s Contributions • Provides an alternative technique for detecting attacks • Detecting worms, attackers, and spam • Extremely low-cost option for honeypots • Cost of physical honeypots vs. virtual ones • A model framework for low-interaction honeypots • Simulates only an OS’s network stack • Can cover large numbers of IP addresses