A Virtual Honeypot Framework honeyd

Published on August 3, 2007

Author: Brainy007

Source: authorstream.com

Content

A Virtual Honeypot Framework: Honeyd
Zhiyin Liang, 2004-10-23

Overview
- Introduction
- About Honeyd: what Honeyd is, design and implementation
- Applications
- Related work
- Conclusion
- Discussion

Introduction: Security Situation
- Internet-wide scans for vulnerabilities are more frequent and attacks are increasing rapidly, while Internet security becomes more and more important
- It is necessary to research new attacks and threats; security is an iterative process
- Understanding attacker motivation
- Getting early warnings of new vulnerabilities
- Learning by observing attackers
- Honeypots are virtual doll houses that permit detection and research of new attack methods

Introduction: What is a Honeypot
- A honeypot is a security resource whose value lies in being probed, attacked, or compromised
- Network decoy to deter attackers from real targets
- Network sensor monitoring a blackhole
- Provides IDS functionality
- All data entering or leaving a honeypot is closely monitored and collected for forensic analysis
- Honeypots have a low false positive rate: all connections are suspicious

Introduction: Types of Honeypots
- By interaction: high-interaction, low-interaction
- By implementation: physical honeypots, virtual honeypots
- Physical honeypots have a high deployment cost
- Low-interaction honeypots do not allow full compromise
- Honeyd is a low-interaction virtual honeypot

About Honeyd

Honeyd Overview
- Honeyd is a low-interaction virtual honeypot
- Simulates arbitrary TCP/UDP services (IIS, Telnet, POP3, ...)
- Supports multiple IP addresses; tested with up to 65536 addresses simultaneously
- Supports ICMP: virtual machines answer to pings and traceroutes
- Supports subsystems
- Supports integration of real systems: services can be proxied and redirected, for example:
    add windows tcp port 23 proxy "162.105.204.159 23"

Honeyd Overview (continued)
- Logging support: simple connection log, complete packet log
- Configuration via a simple configuration file
- Templates: static templates, dynamic templates
- Route topology
- Supports "include"
- Limitations: available services are still few; does not simulate the whole operating system

Honeyd Design: Considerations
- Receiving network data
- Simulating honeypots: simulate only network stack behavior instead of every aspect of an operating system; simulate arbitrary network topologies
- Security of the Honeyd host: limit adversaries to interacting with honeypots only at the network level; an adversary never gains access to a complete system
- Capturing connection and compromise attempts: logs

Honeyd Design: Design and Implementation
- Receiving network data
- Architecture
- Personality engine
- Routing topology
- Logging

Receiving Network Data
Three ways for Honeyd to receive traffic for its virtual honeypots:
- A special route leads the data to the Honeyd host
- Proxy ARP for the honeypots
- Network tunnels (GRE)

Example: Arpd, a Proxy ARP Tool
- Arpd is a daemon that listens to ARP requests and answers for IP addresses that are unallocated
- Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots
- Command line:
    $> arpd 172.31.0.0/16

Architecture
- Configuration database: stores the personalities of the configured network stacks
- Central packet dispatcher: dispatches incoming packets to the correct protocol handler
- Protocol handlers
- Personality engine
- Optional routing component

Personality Engine
Why do we need a personality engine?
- Different operating systems have different network stack behaviors
- Adversaries commonly run fingerprinting tools like Xprobe or Nmap to gather information about a target system
- The personality engine makes honeypots appear like real targets to a probe
- Every packet generated by Honeyd passes through the personality engine
- Introduces operating-system-specific quirks into packets for Nmap/Xprobe identification
- The Nmap fingerprint database is the reference for TCP/UDP connections
- The Xprobe fingerprint database is the reference for ICMP requests

Personality Engine: Example
Personalities are defined via the Nmap fingerprint file:
    create windows
    set windows personality "Microsoft Windows NT 4.0 SP5-SP6"
    add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
    add windows tcp port 139 open
    add windows udp port 137 open
    set windows default tcp action reset
    set windows default udp action reset
    bind 10.0.0.51 windows
    bind 10.0.0.52 windows

Routing Topology
- Honeyd supports the creation of a complete network topology including routing
- Simulation of a route tree: configure a router entry point; configurable latency and packet loss
- Simulation of arbitrary routes
- Extensions: integrate physical machines into the topology; distributed Honeyd via GRE tunneling

Routing Topology: Definition
    route entry 10.0.0.1
    route 10.0.0.1 add net 10.1.0.0/16 latency 55ms loss 0.1
    route 10.0.0.1 add net 10.2.0.0/16 latency 55ms loss 0.1
    route 10.1.0.1 link 10.1.0.0/16
    route 10.2.0.1 link 10.2.0.0/16
    create routerone
    set routerone personality "Cisco 7206 router (IOS 11.1(17)"
    set routerone default tcp action reset
    set routerone default udp action reset
    bind 10.0.0.1 routerone
    bind 10.1.0.1 routerone
    bind 10.2.0.1 routerone

Logging
- The Honeyd framework supports several ways of logging network activity
- Honeyd creates connection logs that report attempted and completed connections for all protocols
- Information can also be gathered from the services themselves and reported to Honeyd via stderr
- Honeyd can be run in conjunction with a NIDS
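The personality and routing examples above depend on two cross-references being consistent: every template named by set, add and bind must have been created, and once a route topology is defined, each bound address must lie inside a network that some router links or routes to, otherwise that honeypot is unreachable through the simulated topology. The checker below is an added example, not part of the presentation or of Honeyd itself; it assumes the whitespace-separated syntax shown on the slides and treats any CIDR token on a route line as a reachable network, and it runs over a constructed sample that repeats the slide's routeone/routerone mismatch.

```python
import ipaddress

# Constructed sample in the configuration syntax shown on the slides; it keeps
# the slide's "routeone" mismatch and adds a bind outside the routed topology.
SAMPLE_CONFIG = """\
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/16
create routerone
set routeone personality "Cisco 7206 router (IOS 11.1(17)"
bind 10.0.0.1 routerone
bind 10.1.0.1 routerone
create windows
set windows personality "Microsoft Windows NT 4.0 SP5-SP6"
add windows tcp port 80 "perl scripts/iis-0.95/iisemul8.pl"
bind 10.0.0.51 windows
bind 10.3.0.9 windows
"""


def lint_honeyd_config(text):
    """Return problems found in a Honeyd-style config: templates used by
    set/add/bind but never created, and (when a route topology exists)
    bound addresses that no router links or routes to."""
    created, used, binds, nets, problems = set(), [], [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue  # blank line or comment
        cmd = words[0]
        if cmd == "create":
            created.add(words[1])
        elif cmd in ("set", "add"):
            used.append((lineno, words[1]))
        elif cmd == "bind":
            used.append((lineno, words[2]))
            binds.append((lineno, ipaddress.ip_address(words[1])))
        elif cmd == "route":
            # every CIDR token names a reachable network; so is the entry router itself
            nets += [ipaddress.ip_network(w) for w in words if "/" in w]
            if words[1] == "entry":
                nets.append(ipaddress.ip_network(words[2]))
    for lineno, name in used:
        if name not in created:
            problems.append(f"line {lineno}: template '{name}' is never created")
    for lineno, addr in binds:
        if nets and not any(addr in net for net in nets):
            problems.append(f"line {lineno}: {addr} is not inside any routed network")
    return problems
```

Without a route topology the reachability check is skipped, since addresses are then bound directly rather than through simulated routers.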
Applications: Network Decoys
- Instrument the unallocated addresses of a production network to confuse and deter adversaries scanning the production network
- In conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks

Applications: Detecting and Countering New Worms
- Deploy a large number of virtual honeypots as gateways in front of a smaller number of high-interaction honeypots
- Use Honeyd's subsystem support to expose regular UNIX applications like OpenSSH to worms

Applications: Spam Prevention
- Spammers abuse two Internet services: proxy servers and open mail relays
- To understand how spammers operate, we use the Honeyd framework to instrument networks with open proxy servers and open mail relays
- Honeyd's GRE tunneling capability is used to tunnel several class C networks to a central Honeyd host
- Using the Honeyd framework, it is possible to instrument networks to automatically capture spam and submit it to collaborative filtering systems

Related Work
- Improve Honeyd by creating useful feature additions: more features, more service scripts, ...
- TCP/IP stack fingerprinting: researching and defeating fingerprinting tools
- Fingerprinting tools: Xprobe, Nmap, p0f, ...
- Defeating fingerprinting: combine Honeyd with high-interaction honeypots (honeyfarms, ...)
- Other virtual honeypot tools: DTK (Deception Toolkit)

Conclusion
- Honeyd is a small program with great effect
- A virtual honeypot framework
- An application that enables the setup of multiple virtual honeypots with different characteristics and services on a single machine
- Flexible and extensible; can be applied in many areas of information security

Conclusion: Limitations
- Being open source makes it easy to detect
- Available services are still few
- Does not simulate the whole operating system

Discussion
