Slide Background Graphics by Paul Sagona - PowerPoint PPT Presentation

1
Slide Background Graphics by Paul Sagona
2
Overview
  • Introduction
  • Related Work
  • Proposed Approach
  • Experiment
  • Results
  • Conclusion

3
Introduction: Honeypot
  • Etymology: Winnie-the-Pooh, who was lured into
    various predicaments by his desire for pots of
    honey [1]
  • A trap set to detect, deflect or in some manner
    counteract attempts at unauthorized use of
    information systems [2]

4
Introduction: Honeypots
  • Serve as decoys used to distract adversaries from
    more valuable machines and resources on a network
  • Valuable as a surveillance and early-warning tool
  • Coupled with IDS, can be effective in detecting
    systems with Internet worms and random port
    scanners
  • Personal experience with Offensive Security using
    Honeypots (IIS, SSH)

5
Denial-of-Service (DoS) Attack
  • DoS attacks aim at disrupting the legitimate
    utilization of network and server resources
  • Threat to both high-traffic public services, such
    as Google, and private services, e.g.
    subscription-based business services

6
Denial-of-Service (DoS) Attack
  • Difficult to prevent due to inevitable software
    vulnerabilities
  • Adversaries directly attack the victim machine or use
    zombies (any number of compromised machines used
    to attack a victim's resources)

7
Network-level DoS Attack
  • Purpose of network DoS is to congest network
    resources like router buffers and link capacity
  • Good defenses:
  • D-WARD [19] detects and stops abnormal one-way
    flows
  • Ingress Filtering [9] stops most spoofed attacks

8
Service-level DoS Attack
  • A large number of attack machines acquire service
    from a victim server
  • Consumes server memory and processing, as well as
    networking resources along the outbound path from
    the server
  • Not possible using a spoofed source address, as a
    three-way handshake is required for the TCP
    service
  • Honeypots can provide a way to mitigate these
    attacks by tricking adversaries

9
Related Works
  • Honeynet [4]
  • High-interaction honeypot designed to capture
    extensive information on threats
  • Network that contains one or more honeypots
  • Network of real computers for attackers to
    interact with
  • All captured activity is assumed to be
    unauthorized or malicious

10
Related Works
  • Honeynet Architecture [4]
  • Honeywall is the key to the honeynet
    architecture
  • It's a gateway device that separates honeypots
    from the rest of the world
  • Layer-2 bridging device

11
Related Works
  • Honeynet [4] Basic Jobs
  • Data Control: containment of risk; safeguards that
    non-honeynet systems are safe
  • Data Capture: detect and capture attackers'
    activities
  • Data Analysis: analyze and thus prevent
    further attacks

12
Related Works
  • Honeynet [4] Risks
  • Harm when a honeynet system is used to attack a
    non-honeynet system
  • If attackers detect that a system is used as a
    honeypot, this system's value drops
    dramatically
  • Risk of disabling honeynet functionality
  • System compromised to house illegal data
    (anonymous FTP)

13
Related Works
  • Virtual Honeypots [5]
  • Deploying a physical honeypot can be intensive
    and expensive
  • Different operating systems require specialized
    hardware and every honeypot requires its own
    physical system
  • Honeyd is a framework for virtual honeypots that
    simulates virtual computer systems at the network
    level

14
Related Works
  • Virtual Honeypots [5]
  • Require fewer computer systems, thus reducing
    costs
  • Possible to populate a network with hosts running
    numerous OSs
  • Honeyd simulates virtual networks that consist of
    arbitrary routing topologies
  • For example, if a network mapping tool like
    traceroute were used, it would only discover the
    topologies simulated by Honeyd

15
Related Works
  • Virtual Honeypots [5]
  • Honeyd is used for system security in detecting
    and disabling worms, distracting adversaries,
    and/or preventing the spread of spam email
  • Honeyd is a low-interaction virtual honeypot that
    only simulates the network layer
  • Coupled with tools like VMware, high interaction
    can be simulated

16
Related Works
  • Virtual Honeypots [5]
  • Honeyd mimics the network stack behavior of
    operating systems to deceive fingerprinting tools
    like Nmap and Xprobe
  • Honeyd's personality engine can modify packets to
    match the fingerprints of other operating systems
    and can create arbitrary virtual routing topologies

17
Related Works
  • Server Roaming (Work from their previous paper)
  • Proactive server roaming to mitigate the effects
    of Denial-of-Service (DoS) attacks
  • The active server changes its location within a
    pool of servers to defend against unpredictable
    and undetectable attacks
  • Only legitimate clients can follow the active
    server as it roams

18
Related Works
  • Proactive Server Roaming Limitations
  • Handles only one server active at a time
  • Requires offline service subscription, which is
    not a flexible service model
  • Servers must keep track of all subscribed client
    addresses to send them roaming update
    messages (reduces flexibility)
  • Requires changes in client software
  • Easy to compromise client and discover service
    secrets or eavesdrop to find server address

19
Problem with Honeypots
  • Problem with standard honeypots is that they are
    deployed at fixed locations.
  • Sophisticated attacks can avoid the decoys and
    thus focus back on legitimate servers

20
Proposed Approach
  • Roaming Honeypots can mitigate service-level DoS
    attacks against back-end private services
  • Achieved by a pool of back-end servers
    unpredictably changing from service providers to
    acting as honeypots
  • The service is subscription-based; that is,
    clients need to subscribe through front-ends to gain
    access to the service

21
Roaming Honeypots
  • Benefits against service-level DoS
  • Filtering effect: detects attacker addresses so
    that their future attempts are filtered out. Good
    for attacks from outside the firewall.
  • Connection-dropping: when a server switches from
    idle to active, it drops all current (attack)
    connections, opening a window for legitimate
    users before the attack builds up. Good for attacks
    from inside the firewall.

22
Service Model
  • AGN (Access Gateways Network)
  • Keeps track of the current active servers
  • Clients contact AGs to subscribe and request
    services
  • After the request is authenticated and
    authorized, the AG redirects the request to one of the
    active servers
  • Also supports dynamic load balancing

23
Service Model
  • AGN

24
Service Model
  • AGN Handles Spoofed Attacks
  • Legitimate requests are tunneled through the AGN
  • For this attack to be successful, an attacker
    needs to spoof an AG's address
  • An AG can easily detect that it is under such an
    attack (all its requests are being dropped) and
    can respond by changing its IP address
  • The AG updates its address registration with the
    new IP address

25
Attack Model
  • Two attack model types:
  • Fixed-target attacks
  • Follower attacks
  • Fixed-Target Attack
  • The attacker selects a few servers and attacks
    them continuously
  • Follower Attacks
  • The attacker tries to continuously direct the
    attack at the active servers

26
Simulation
  • They used ns-2 (Network Simulator)
  • ns is a discrete-event simulator for doing
    network research
  • Supports simulation of TCP, routing and multicast
    protocols over both wired and wireless networks

27
Simulation Model
  • Used FTP server and client modules as the
    test-bed application for the simulation
  • Code works on top of the socket layer, where roaming
    and TCP agent management take place
  • FTP connection stays active until the FTP request is
    fulfilled or roaming occurs
  • If roaming is scheduled to cause the server to be
    idle during an active connection, the client module
    records the current FTP state (remaining bytes)
    to resume on a new randomly selected server

28
Simulation Topology
29
Simulation
  • To study the connection-dropping effect
    separately, they also modeled a roaming scheme in
    which no filtering takes place
  • They refer to the roaming honeypots scheme as
    filter-roaming (or FR),
  • the full replication scheme as non-roaming, and
  • the scheme with no filtering as roaming (or R)
  • They refer to the migration interval as the
    M-interval (or just M)
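The roaming scheme (slides 20 to 25) and the three simulated variants (FR, R and non-roaming, slide 29) can be made concrete with a small discrete-time model. The Python below is an added example written for this transcript; it is not the paper's ns-2 code. It assumes a pool of N servers with k active at a time, a new random active subset every M ticks, fixed-target and follower attackers as on slide 25, and legitimate clients that the AGN always sends to an active server. Every address, load and interval in it is constructed.

```python
"""Toy discrete-time model of roaming honeypots (added example, not the paper's code).
N back-end servers, k active at a time, the rest acting as honeypots; every M ticks a
fresh random subset becomes active.  Schemes: FR (filter-roaming: an address that
contacts a honeypot is filtered from then on), R (roaming without filtering) and
NR (non-roaming: all N servers always active).  All addresses and loads are constructed."""
import random


class RoamingPool:
    def __init__(self, n_servers, k_active, m_interval, scheme, seed=0):
        assert scheme in ("FR", "R", "NR") and 1 <= k_active <= n_servers
        self.n, self.k, self.m, self.scheme = n_servers, k_active, m_interval, scheme
        self.rng = random.Random(seed)
        self.blocked = set()            # attacker addresses learned by honeypots (FR only)
        self.history = []               # active set per tick; a follower sees a lagged copy
        self.attack_conns = {s: 0 for s in range(self.n)}  # open attack connections per server
        self.client_server = {}         # legit client -> server the AGN assigned it to
        self.stats = dict(honeypot_hits=0, attack_on_active=0, filtered=0,
                          dropped_connections=0, legit_reconnects=0, legit_served=0)
        self.active = set(range(self.n)) if scheme == "NR" else self._pick_active()

    def _pick_active(self):
        return set(self.rng.sample(range(self.n), self.k))

    def roam(self):
        """Migration: choose a new active subset; idle->active servers drop everything."""
        new_active = self._pick_active()
        for s in new_active - self.active:
            # connection-dropping effect: a honeypot held only attack connections,
            # and it drops all of them the moment it becomes active
            self.stats["dropped_connections"] += self.attack_conns[s]
            self.attack_conns[s] = 0
        for client, s in list(self.client_server.items()):
            if s not in new_active:
                # the overhead from the conclusion: legitimate clients whose server
                # went idle must re-establish their connection on another server
                self.stats["legit_reconnects"] += 1
                del self.client_server[client]
        self.active = new_active

    def serve_legit(self, addr):
        # the AGN always directs a subscribed client to a currently active server
        if addr not in self.client_server:
            self.client_server[addr] = self.rng.choice(sorted(self.active))
        self.stats["legit_served"] += 1

    def receive_attack(self, addr, server):
        if addr in self.blocked:
            self.stats["filtered"] += 1          # filtering effect
        elif server in self.active:
            self.stats["attack_on_active"] += 1  # attack load that reaches a real server
            self.attack_conns[server] += 1
        else:
            self.stats["honeypot_hits"] += 1     # request landed on a honeypot
            if self.scheme == "FR":
                self.blocked.add(addr)           # address is filtered from now on

    def step(self, t, legit_addrs, attackers):
        if self.scheme != "NR" and t > 0 and t % self.m == 0:
            self.roam()
        self.history.append(frozenset(self.active))
        for addr in legit_addrs:
            self.serve_legit(addr)
        for a in attackers:
            for server in a.targets(t, self.history):
                self.receive_attack(a.addr, server)


class FixedTargetAttacker:
    """Picks a few servers up front and attacks them continuously."""
    def __init__(self, addr, targets):
        self.addr, self._targets = addr, list(targets)

    def targets(self, t, history):
        return self._targets


class FollowerAttacker:
    """Keeps aiming at the active servers, but its view of the pool lags by `delay` ticks."""
    def __init__(self, addr, delay):
        self.addr, self.delay = addr, delay

    def targets(self, t, history):
        return sorted(history[max(0, t - self.delay)])


def simulate(scheme, n=8, k=2, m=5, ticks=100, follow_delay=3, seed=1):
    """Run one scheme under a mixed fixed-target + follower attack; return the counters."""
    pool = RoamingPool(n, k, m, scheme, seed)
    attackers = [FixedTargetAttacker("198.51.100.%d" % i, [i % n]) for i in range(4)]
    attackers += [FollowerAttacker("203.0.113.%d" % i, follow_delay) for i in range(4)]
    legit = ["192.0.2.%d" % i for i in range(5)]    # constructed subscribed clients
    for t in range(ticks):
        pool.step(t, legit, attackers)
    return dict(pool.stats, blocked=len(pool.blocked))


if __name__ == "__main__":
    for scheme in ("NR", "R", "FR"):
        print(scheme, simulate(scheme))
```

Running the three schemes with the same seed uses the same sequence of active subsets, so the counters are directly comparable: FR never lets more attack traffic through than R, NR takes the full attack load but never drops a connection, and `legit_reconnects` is the roaming overhead the conclusion slide describes. Varying `m` shows the trade-off on the Mitigation Values slide: a small M means frequent reconnects, a large M leaves follower attackers on the active servers for longer.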

30
Results
31
Results
32
Results: Mitigation Values
  • There exists a critical value of M
  • Below the critical value:
  • Roaming overhead is dominant
  • M increases -> frequency of connection
    re-establishment decreases, resulting in a
    decreased ART
  • Beyond the critical value:
  • M increases -> ART increases
  • Two reasons:
  • Connection-dropping effect occurs less frequently
  • More client requests are issued to the attacked
    server

33
Results
34
Results
35
Results: Attack Load
  • Filter Roaming
  • Keeps the ART stable with increasing attack loads
  • Non-roaming
  • ART is lower for small loads
  • ART increases for large loads
  • Roaming
  • ART increases with increasing attack load

36
Results
37
Results
38
Results: Follow Delay
  • FR
  • ART decreases as follow delay increases
  • R
  • ART decreases as follow delay increases
  • Non-roaming
  • ART is the same for follower and fixed-target attacks

39
Conclusion: Limitations
  • This scheme has an overhead that causes
    performance degradation
  • It occurs both in the absence of attacks and
    under low attack load
  • This is mainly because the load is distributed
    over k instead of all N servers
  • During the active-to-idle state switch, all the
    active connections have to be re-established

40
Conclusion: Future Work
  • The exact mitigation value depends on the type
    of service
  • The authors see a need for a mechanism that adaptively
    changes the number of concurrent active servers
    depending on attack loads and client loads

41
Conclusion
  • This scheme is described as a subset of servers
    that are active and providing service while the rest
    are acting as honeypots, mitigating attacks
  • All legitimate requests are directed by the
    Access Gateway Network
  • Although the scheme requires an overhead time for
    connections, it shows a high performance gain
    during high attack loads

42
Questions?
  • My opinion? Interesting idea, but I believe it is
    pointless. Internal DoS attacks are a failure of
    proper security at an organization. IDS and
    firewalls are the choke point of a DoS. Filtering
    would be done at this point. Honeypots could be
    used to find zombies?
  • Forcing clients to drop connection and reinstate
    services is unacceptable, too much overhead.
  • Honeypots are used for gathering information, not
    mitigating DoS.

43
References
  • [1] Wikipedia, Honeypot,
    http://en.wikipedia.org/wiki/Honeypot_(computing), 2007
  • [2] Mosse,
    http://oldwww.cs.pitt.edu/mosse/courses/cs2001/melhem_fall06.ppt, 2006
  • [3] Previous presentation by Nikhil Mahajan and
    Sriharsha Hammika
  • [4] Honeynet, http://www.honeynet.org/papers/honeynet/
  • [5] Provos, Niels, A Virtual Honeypot Framework,
    http://www.citi.umich.edu/u/provos/papers/honeyd.pdf