
Honeypot: An instrument for attracting and detecting attackers



  1. Honeypot: An instrument for attracting and detecting attackers
     April 2002, R. Baumann, me@rbaumann.net, http://security.rbaumann.net

  2. Agenda
     • Theory
     • Implementation
     • Administration Toolkit
     • Attacks
     • Conclusion
     Honeypot - R. Baumann – April 2002

  3. Theory: Honeypot
     • Term originally from the military
     • Fake target or ambush
     • In this presentation, the term "honeypot" is used in the context of network security

  4. Theory: Definition
     A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are to distract an attacker and to gain information about the attacker, their methods and their tools.

  5. Theory: Benefit
     • Productive environment: distraction from the real targets
     • Research environment: information gathering
     But:
     • No direct protection gained
     • In contrast to an IDS: no false alerts

  6. Theory: Types of implementation
     • Level of involvement
       • Low involvement: port listeners
       • Mid involvement: fake daemons
       • High involvement: real services
     • Risk increases with level of involvement

  7. Theory: Honeynet
     • Network of honeypots
     • Supplemented by firewalls and intrusion detection systems
     Advantages:
     • "More realistic" environment
     • Improved possibilities to collect data

  8. Implementation: Project Honeybread
     • Honeynet implementation
     • Administration Toolkit
     • Ethernet Tunneling Software

  9. Implementation: Schematic illustration
     (Diagram labels: Internet, Detection, Honeypots)

  10. Implementation: Topology

  11. Implementation: Honeypots
     • Multiple honeypots
     • Virtual machines
     • Different, independent systems

  12. Implementation: Detection unit
     • Information logging
     • Connection control
     • Administration

  13. Administration Interface: Features
     • Web-based
     • Event visualization
       • Connections from and to the honeynet
       • Intrusion detection system alerts
       • Session logs
     • Statistics and reports

  14. Administration Interface: Screenshot

  15. Attacks: Facts
     • Huge amount of IDS alerts (>40,000)
     • Mostly automated attacks
     • Code Red Virus
     • Successfully attacked in less than 24 hours
     • Well-known security vulnerabilities used

  16. Attacks: IDS alerts

  17. Attacks: Distribution over time

  18. Attacks: Origin

  19. Attacks: Summary
     • The number of attacks was surprising
     • Origin of attacks mostly from local systems
       • Attacks on own subnet
       • Most tools use own subnet as default setting
     Conclusion:
     • Protection required and possible

  20. Summary: Technology
     • Honeypot as a security solution not very attractive
     • Very time-consuming
     • No out-of-the-box solutions
     • Risk quite high when used inappropriately
     • Deep knowledge needed
     • Legal situation uncertain
     • Honeypot as a service very attractive

  21. Summary: Implementation
     • Data analysis very complex and time-consuming
     • Very good learning results
     • Very interesting research area
     • Exciting and surprising moments

  22. Thank you very much for your attention
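
An added example, not part of the original slides or of Project Honeybread: a minimal low-involvement honeypot of the "port listener" kind named on slide 6, doing the information logging that slide 12 assigns to the detection unit. The class and function names, the loopback address and the sample probes are assumptions constructed for illustration.

```python
import socket
import threading
from datetime import datetime, timezone


class PortListener:
    """Low-involvement honeypot: accepts TCP connections and logs them.
    It offers no service and never sends data back to the peer."""

    def __init__(self, host="127.0.0.1", port=0, max_bytes=256, timeout=1.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: the OS picks a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.max_bytes, self.timeout = max_bytes, timeout
        self.events = []                      # one record per connection

    def handle_one(self):
        conn, (src_ip, src_port) = self.sock.accept()
        with conn:
            conn.settimeout(self.timeout)     # do not wait forever on silent peers
            try:
                data = conn.recv(self.max_bytes)  # capped read of the first bytes
            except OSError:                   # timeout or reset: still log the connect
                data = b""
        event = {"time": datetime.now(timezone.utc).isoformat(),
                 "src_ip": src_ip, "src_port": src_port,
                 "dst_port": self.port, "payload_hex": data.hex()}
        self.events.append(event)
        return event

    def serve(self, count):
        """Record `count` connections, then stop listening."""
        for _ in range(count):
            self.handle_one()
        self.sock.close()


def demo(probes=(b"HEAD / HTTP/1.0\r\n\r\n", b"")):
    """Constructed sample traffic: one probe with data, one bare connect."""
    listener = PortListener()
    worker = threading.Thread(target=listener.serve, args=(len(probes),))
    worker.start()
    for probe in probes:
        with socket.create_connection(("127.0.0.1", listener.port)) as c:
            c.sendall(probe)
    worker.join(timeout=5)
    return listener.events
```

Calling demo() returns one record per connection, including the bare connect that sent no data; since the listener has no legitimate users, every record is worth reviewing.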
