A VIRTUAL HONEYPOT FRAMEWORK - PowerPoint PPT Presentation

Description:

A VIRTUAL HONEYPOT FRAMEWORK. Author: Niels Provos. Publication: USENIX Security Symposium 2004. Presenter: Hiral Chhaya for CAP6103.


Transcript and Presenter's Notes

1
A VIRTUAL HONEYPOT FRAMEWORK
  • Author: Niels Provos
  • Publication: USENIX Security Symposium 2004
  • Presenter: Hiral Chhaya for CAP6103

2
Security Situation
  • We are unable to build secure computer systems, or
    even to measure their security.
  • New vulnerabilities keep being exploited.
  • Exploit automation and massive global scanning for
    vulnerable hosts are used to compromise computer
    systems.
  • Honeypots are one way to get early warning of new
    vulnerabilities and of the exploits used against them.

3
Introduction
  • What is a honeypot?
  • Definition: a honeypot is an information system
    resource whose value lies in unauthorized or
    illicit use of that resource.
  • It has no production value, so any traffic it
    receives is suspicious by definition.
  • Used for monitoring, detecting and analyzing
    attacks.
  • It is a general instrument, not a fix for one
    specific problem.
  • Because legitimate users have no reason to contact
    it, a honeypot has a low false positive rate.

4
Classification
  • By level of interaction
    • High: a real system (or a full virtual machine)
      that an attacker can fully compromise; yields the
      most information but carries the most risk.
    • Low: only the network services are simulated; an
      attacker cannot gain control of the host.
  • By implementation
    • Virtual: many honeypots hosted on one physical
      machine.
    • Physical: one real machine per honeypot.

5
What is Honeyd
  • Honeyd is a virtual honeypot daemon: a single host
    claims thousands of unused IP addresses and presents
    a simulated machine, with an operating-system
    personality and network services, on each of them.

6
What Can Honeyd Do?
  • Simulate TCP and UDP services
  • Support ICMP
  • Handle multiple IP addresses simultaneously
  • Simulate arbitrary network topologies
  • Support topologically dispersed address spaces
  • Support network tunneling for load sharing

7
HONEYD DESIGN
  • Receiving Network Data
  • Architecture
  • Personality Engine
  • Routing Topology
  • Logging

8
RECEIVING NETWORK DATA
Ways for Honeyd to receive the traffic destined for its
virtual honeypots:
  • A special route that leads the traffic for the
    honeypot address range to the Honeyd host.
  • Proxy ARP for the honeypot addresses: the Honeyd host
    answers ARP requests for them on the local network.
9
ARCHITECTURE
  • Configuration database
  • Central packet dispatcher
  • Protocol handlers (TCP, UDP, ICMP)
  • Personality engine
  • Optional routing component

10
PERSONALITY ENGINE
  • Goal: fool operating-system fingerprinting tools.
  • Uses the fingerprint databases of
    • Nmap, for TCP and UDP
    • Xprobe, for ICMP
  • Rewrites the headers of every outgoing packet before
    it is sent, so that the packet matches the
    fingerprint of the configured operating system.

11
ROUTING TOPOLOGY
  • Simulates virtual network topologies.
  • Some virtual honeypots are also configured as
    routers.
  • Latency and loss rate are configured for each edge
    of the topology.
  • Supports network tunneling and traffic redirection.

12
How To CONFIGURE
  • Each virtual honeypot is configured with a
    template.
  • Commands
    • create: creates a new template.
    • set: assigns a personality (an entry from the
      fingerprint database) to a template, or specifies
      the default behavior of a network protocol:
      • block: all packets dropped
      • reset: all ports closed by default
      • open: all ports open by default
    • add: specifies the services available on given
      ports (usually a script that emulates the
      service).
    • proxy: used for connection forwarding to another
      host.
    • bind: assigns a template to a specific IP
      address.
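The following is an added example, not part of the presentation or the Honeyd distribution. It writes a complete Honeyd configuration that exercises the commands listed above (create, set personality and default actions, add services, proxy, bind) together with the routing-topology commands from the previous slide, lists the bound addresses so the operator can confirm they are unused, and prints the honeyd(8) command line that loads it. Assumptions: 10.0.0.0/8 is unused space that reaches the Honeyd host (via a static route or Proxy ARP), the scripts under scripts/ exist, the personality strings are spelled exactly as in the nmap.prints file given with -p, and the command-line flags match the man page of your Honeyd version.

```shell
#!/bin/sh
# Added example (not from the paper or Honeyd itself): generate a Honeyd
# configuration with templates, personalities, default actions, services,
# proxying, a routing topology and bindings.
# Assumptions: 10.0.0.0/8 is unused space routed or proxy-ARPed to this host,
# scripts/web.sh and scripts/router-telnet.pl exist, and the personality
# strings appear verbatim in the nmap.prints file passed with -p.

write_honeyd_conf() {
  # $1: path of the configuration file to create
  cat > "$1" <<'EOF'
# --- template for a virtual Windows host ---
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 22 proxy 10.0.0.250:22
set windows uptime 1728000
set windows droprate in 0.01

# --- template that also acts as a router in the simulated topology ---
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

# --- topology: entry router, one attached net, one net a hop behind it ---
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/24 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# --- bind templates to addresses ---
bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.0.0.5 windows
bind 10.1.0.20 windows
EOF
}

bound_addresses() {
  # Lists every address a template is bound to, so the operator can check
  # that none of them is in production use before starting Honeyd.
  awk '$1 == "bind" { print $2 }' "$1"
}

honeyd_cmdline() {
  # $1 interface, $2 config file, $3 connection log, $4 address space to claim.
  # Flags as documented in honeyd(8): -d foreground, -i interface, -f config,
  # -l connection log, -p nmap fingerprints, -x xprobe fingerprints,
  # -a nmap associations. Verify them against your version's man page.
  printf 'honeyd -d -i %s -f %s -l %s -p nmap.prints -x xprobe2.conf -a nmap.assoc %s\n' \
    "$1" "$2" "$3" "$4"
}

conf="${TMPDIR:-/tmp}/honeyd.conf"
write_honeyd_conf "$conf"
bound_addresses "$conf"
honeyd_cmdline eth0 "$conf" /var/log/honeyd.log 10.0.0.0/8
```

Before starting the daemon, run the printed command with the addresses from bound_addresses checked against the real network: a template bound to an address that is also in use by a production host will answer on its behalf and break that host.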

13
Logging
  • Honeyd supports several ways of logging network
    activity.
  • Honeyd creates connection logs that report attempted
    and completed connections for all protocols.
  • Honeyd can be run in conjunction with a NIDS, which
    captures and analyzes the full traffic to the
    honeypots.
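The following is an added example, not part of the presentation. It shows what an operator actually does with Honeyd's connection log: since the honeypot addresses have no production value, any source that touches several of them is scanning, and the log is enough to find it without a NIDS. The sample lines are constructed in the style of Honeyd's connection log (timestamp, protocol, S/E/- flag for connection start, end or connectionless packet, source, destination, ports); the exact column layout is an assumption taken from Honeyd's log writer and should be checked against the version you run.

```shell
#!/bin/sh
# Added example (not from the paper or Honeyd itself): summarize Honeyd's
# connection log to find horizontal scans and the ports being probed.
# Assumed log layout (check against your Honeyd version's log output):
#   <timestamp> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<p0f os>]
#   E records end with ": <bytes received> <bytes sent>"; ICMP records carry
#   no ports, so the destination is the field right after the source.

HONEYD_SAMPLE_LOG="${TMPDIR:-/tmp}/honeyd-sample.log"

write_sample_log() {
  # Constructed sample: 10.9.9.9 opens port 80 on three honeypot addresses,
  # 10.9.9.10 sends one DNS packet, 10.9.9.11 pings one address.
  cat > "$1" <<'EOF'
2004-03-20-14:23:14.8472 tcp(6) S 10.9.9.9 40231 10.0.0.5 80 [Windows XP SP1]
2004-03-20-14:23:14.9011 tcp(6) S 10.9.9.9 40232 10.0.0.6 80 [Windows XP SP1]
2004-03-20-14:23:15.0123 tcp(6) S 10.9.9.9 40233 10.0.0.7 80 [Windows XP SP1]
2004-03-20-14:23:16.2211 tcp(6) E 10.9.9.9 40231 10.0.0.5 80: 212 0
2004-03-20-14:23:20.5000 udp(17) S 10.9.9.10 5353 10.0.0.5 53
2004-03-20-14:23:21.1000 icmp(1) - 10.9.9.11 10.0.0.9: 8(0): 56
EOF
}

scan_sources() {
  # $1 log file, $2 minimum number of distinct honeypot addresses touched.
  # Prints "<source> <count>" for every source at or above the threshold.
  awk -v min="$2" '
    $3 == "E" { next }                          # end records repeat a start
    {
      src = $4
      if ($2 ~ /^icmp/) dst = $5; else dst = $6 # icmp lines have no ports
      sub(/:$/, "", dst)
      key = src SUBSEP dst
      if (!(key in seen)) { seen[key] = 1; hosts[src]++ }
    }
    END { for (s in hosts) if (hosts[s] >= min) print s, hosts[s] }
  ' "$1" | sort
}

connections_per_port() {
  # Counts connection starts per protocol and destination port, which shows
  # what service the scanners are looking for.
  awk '$3 == "S" { port = $7; sub(/:$/, "", port); count[$2 " " port]++ }
       END { for (k in count) print k, count[k] }' "$1" | sort
}

write_sample_log "$HONEYD_SAMPLE_LOG"
scan_sources "$HONEYD_SAMPLE_LOG" 2      # 10.9.9.9 3
connections_per_port "$HONEYD_SAMPLE_LOG"
```

On a live deployment the threshold passed to scan_sources should be set relative to the number of addresses Honeyd claims; a single contact is already suspicious, but several distinct honeypot addresses from one source within a short window is the signature of the automated scanning the paper is concerned with.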

14
APPLICATIONS
  • Network decoys
  • Spam Prevention

15
CONCLUSION
  • Honeyd has several advantages over a NIDS:
  • Collects more useful information about the attacker
    (a full interaction, not a single alert).
  • Detects attacks on vulnerabilities not yet
    understood, since no signature is needed.
  • Less likely to produce false positives.
  • Fools fingerprinting tools.
  • Serves as an effective network decoy.
  • Can detect and help immunize against new worms.
  • Can be used for spam prevention.

16
WEAKNESSES
  • Interaction is limited to the network level.
  • Does not simulate a whole operating system.
  • Adversaries never gain full access to a system, so
    their post-compromise behavior cannot be observed.
  • Limited number of simulated services and
    protocols.
  • What if the worm is smart enough to detect the
    deception? Then the Honeyd host itself becomes the
    attackers' target.

17
HOW TO IMPROVE
  • Combine Honeyd with high-interaction virtual
    honeypots using User Mode Linux or VMware, to
    allow better forensic analysis of the attacker.
  • Fool more fingerprinting tools, e.g. p0f, which
    fingerprints passively by analyzing network traffic.
  • Simulate more services and protocols, e.g. with a
    more complete TCP state machine.

18
  • THANK YOU !!!!!