250 likes | 577 Views
Honeypot An instrument for attracting and detecting attackers. April 2002, R. Baumann me@rbaumann.net http://security.rbaumann.net. Agenda. Theory Implementation Administrations Toolkit Attacks Conclusion. Theory Honeypot. Term originally from the military Fake target or ambush
E N D
HoneypotAn instrument for attractingand detecting attackers April 2002, R. Baumann me@rbaumann.net http://security.rbaumann.net
Agenda • Theory • Implementation • Administrations Toolkit • Attacks • Conclusion Honeypot - R. Baumann – April 2002
TheoryHoneypot • Term originally from the military • Fake target or ambush • In this presentation, the term „honeypot“ is used in network security environment Honeypot - R. Baumann – April 2002
TheoryDefinition A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attacker, his methods and tools. Honeypot - R. Baumann – April 2002
TheoryBenefit • Productive environment:distraction from the real targets • Research environment:information gathering but: • No direct protection gained • In difference to IDS: no false alerts Honeypot - R. Baumann – April 2002
TheoryTypes of implementation • Level of Involvement • Low Involvement: Port Listeners • Mid Involvement: Fake Daemons • High Involvement: Real Services • Risk increases with level of involvement Honeypot - R. Baumann – April 2002
TheoryHoneynet • Network of honeypots • Supplemented by firewalls and intrusion detection systems Advantages: • “More realistic” environment • Improved possibilities to collect data Honeypot - R. Baumann – April 2002
ImplementationProjekt Honeybread • Honeynet implementation • Administration Toolkit • Ethernet Tunneling Software Honeypot - R. Baumann – April 2002
ImplementationSchematic illustration Internet Detection Honeypots Honeypot - R. Baumann – April 2002
ImplementationTopology Honeypot - R. Baumann – April 2002
ImplementationHoneypots • Multiple honeypots • Virtual machines • Different, independent systems Honeypot - R. Baumann – April 2002
ImplementationDetection unit • Information logging • Connetion controll • Administration Honeypot - R. Baumann – April 2002
Administration InterfaceFeatures • Web-based • Event visualization • Connections from and to the honeynet • Intrusion detection system alerts • Session logs • Statistics and reports Honeypot - R. Baumann – April 2002
Administration InterfaceScreenshot Honeypot - R. Baumann – April 2002
AttacksFacts • Huge amount of IDS alerts (>40‘000) • Mostly automated attacks • Code Red Virus • In less than 24 hours successfully attacked • Well known security vulnerabilities used Honeypot - R. Baumann – April 2002
AttacksIDS alerts Honeypot - R. Baumann – April 2002
AttacksDistribution over time Honeypot - R. Baumann – April 2002
AttacksOrigin Honeypot - R. Baumann – April 2002
AttacksSummary • Amount of attacks surprised • Origin of attacks mostyl from local systems • Attacks on own subnet • Most tools use own subnet as default setting Conclusion: • Protection required and possible Honeypot - R. Baumann – April 2002
SummaryTechnology • Honeypot as a safety solution not very attractive • Very time expensive • No out-of-the-box solutions • Risk quite high when used inappropriate • Deep knowledge needed • Legal situation uncertain • Honeypot as a service very attractive Honeypot - R. Baumann – April 2002
SummaryImplementation • Data analysis very complex and time consuming • Very good learning results • Very interesting research area • Exciting and suprising moments Honeypot - R. Baumann – April 2002