Honeypots - PowerPoint PPT Presentation

Title: Honeypots
Provided by: margare160
Learn more at: http://www.cs.sjsu.edu
Slides: 16

Transcript and Presenter's Notes

1
Honeypots
  • Margaret Asami

2
What are honeypots ?
  • an intrusion detection mechanism
  • entices intruders to attack and eventually take
    over the system, while their moves are being
    monitored without them knowing
  • 2 types
    • production
    • research

3
How do honeypots address security ?
  • prevention
    • can't prevent the bad guys !
  • detection
    • addresses the weak points of a traditional IDS: no
      legitimate traffic should ever reach the honeypot, so
      what does reach it is a real alert (few false positives),
      and activity is captured whether or not a signature
      exists for it (new attacks are not missed the way a
      signature-based IDS misses them)
    • caveat: it only sees attacks that actually touch the
      honeypot, so it complements, not replaces, monitoring
      of production hosts
  • reaction
    • provides the incident response team with un-polluted data
    • stoppable system: the honeypot can be taken off-line for
      analysis without affecting production

4
Values vs. Risks
  • values
    • simple to build
    • high signal/noise ratio
  • risks
    • playing with fire: a honeypot that is taken over can be
      used to attack our peers

5
How to build a honeypot ?
  • how do we attract intruders ?
    • choose enticing names (e.g., mail.sjsu.edu)
  • how do we know we're probed ?
    • put the honeypot on an isolated net behind a firewall
    • set the firewall to log all traffic
  • how do we protect our peers ?
    • set the firewall to allow all in-coming traffic, but
      limit out-going traffic
    • ICMP, FTP, DNS are common protocols intruders need, so
      allow those out and block the rest

6
How to build a honeypot (cont)
  • how do we track intruders' moves ?
    • layer 1: firewall logs
    • layer 2: syslogd hack
    • layer 3: sniffer
    • layer 4: tripwire
    • layer 5: kernel/shell hack
  • each layer lets us learn different things
  • multiple layers spread the risk of compromised data: if
    the intruder tampers with one source (e.g., wipes the
    syslog), the other layers still hold the evidence
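The firewall layer of the two slides above (allow everything in, log everything, let only ICMP, DNS and FTP out) produces logs that need triage, and the deck later counts probes by distinct source. The script below is an added example and not code from the original presentation: it assumes the honeypot is 10.0.0.5 (made up) behind a Linux firewall whose LOG target writes iptables-style SRC=/DST=/PROTO=/DPT= lines; the log lines are constructed, not captured. It separates inbound probes (every one is suspect, the honeypot is not advertised) from outbound traffic that falls outside the allowed set, which is the signal that the intruder has moved on to our peers.

```python
"""Triage of honeypot firewall logs.

Added example, not from the original presentation.  Assumptions: the
honeypot (10.0.0.5, made up) sits behind a Linux firewall whose LOG
target writes iptables-style "SRC= DST= PROTO= DPT=" lines, and the
firewall allows everything in and only ICMP, DNS and FTP out, as the
slides prescribe.  The log lines below are constructed, not captured.
"""
import re
from collections import defaultdict

HONEYPOT_IP = "10.0.0.5"            # assumption: the honeypot's address

# (protocol, destination port) pairs the firewall lets OUT of the honeypot.
# ICMP has no port, so it is keyed with None.
ALLOWED_OUTBOUND = {("ICMP", None), ("UDP", 53), ("TCP", 53), ("TCP", 21)}

# Constructed sample: NetBIOS probes from two hosts, two permitted
# outbound packets (DNS, ping), and one outbound SMB attempt at a peer.
SAMPLE_LOG = """\
Jun  3 01:12:09 fw kernel: HP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=78 TTL=115 ID=4012 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  3 01:12:11 fw kernel: HP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=48 TTL=115 ID=4013 DF PROTO=TCP SPT=1041 DPT=139 WINDOW=8192 SYN
Jun  3 01:14:30 fw kernel: HP: IN=eth0 OUT=eth1 SRC=198.51.100.22 DST=10.0.0.5 LEN=78 TTL=110 ID=9 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  3 01:14:31 fw kernel: HP: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=10.0.0.5 LEN=78 TTL=115 ID=4020 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun  3 01:20:02 fw kernel: HP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=60 TTL=128 ID=77 PROTO=UDP SPT=1025 DPT=53 LEN=40
Jun  3 01:20:05 fw kernel: HP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.10 LEN=84 TTL=128 ID=78 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Jun  3 01:25:40 fw kernel: HP: IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=198.51.100.9 LEN=48 TTL=128 ID=80 DF PROTO=TCP SPT=1042 DPT=139 WINDOW=8192 SYN
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Pull the KEY=value fields out of one LOG line; None if it is not one."""
    fields = dict(FIELD_RE.findall(line))
    if any(k not in fields for k in ("SRC", "DST", "PROTO")):
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields["PROTO"],
        "dpt": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def triage(log_text):
    """Split the log into probes (everything inbound is suspect, the
    honeypot is not advertised) and escapes (outbound traffic outside the
    allowed set: the intruder is reaching for our peers)."""
    probes = defaultdict(set)   # (proto, dport) -> distinct source hosts
    escapes = []
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        if rec["dst"] == HONEYPOT_IP:
            probes[(rec["proto"], rec["dpt"])].add(rec["src"])
        elif (rec["src"] == HONEYPOT_IP
              and (rec["proto"], rec["dpt"]) not in ALLOWED_OUTBOUND):
            escapes.append(rec)
    return probes, escapes


def scan_report(probes):
    """Distinct scanning hosts per (proto, port), busiest first: the
    'N unique NetBIOS scans' style of count used later in the deck."""
    return sorted(((svc, len(hosts)) for svc, hosts in probes.items()),
                  key=lambda item: (-item[1], str(item[0])))


if __name__ == "__main__":
    probes, escapes = triage(SAMPLE_LOG)
    for (proto, port), n in scan_report(probes):
        print(f"{proto}/{port}: {n} distinct scanning host(s)")
    for rec in escapes:
        print(f"ESCAPE: honeypot -> {rec['dst']} {rec['proto']}/{rec['dpt']}")
```

Two caveats for anyone turning this into a firewall policy: FTP's data channel does not fit a single port, so "allow FTP out" needs either a connection-tracking helper or an explicit extra rule, and an intruder can tunnel over any of the three permitted protocols (DNS in particular), so the outbound traffic that is allowed still deserves counting and alerting, not just the traffic that is blocked.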

7
How to build a honeypot ? (cont)
  • how do we kick them out ?
    • shut down, take the honeypot off-line, remove
      backdoors, fix vulnerabilities, then put it back
      on-line
  • how do we keep them from noticing ?
    • by avoiding frequent substantial changes to the
      honeypot

8
Popular honeypots
  • BackOfficer Friendly (BOF)
    • low level of interaction
    • emulates basic services
    • fakes replies
  • Honeyd
    • mid-high level of interaction
    • emulates >400 OSs & services
    • uses ARP spoofing to take over the IP address of an
      unused (victim) host

9
Popular honeypots (cont)
  • Honeynets
    • high level of interaction
    • network of real systems, zero emulation
    • used mostly in research

10
Win98 honeypot
  • 524 unique NetBIOS scans
    • UDP port 137 (NetBIOS Name Service)
    • TCP port 139 (NetBIOS Session Service)
  • we are not advertised, so why ?
  • setup
    • default Win98 installation
    • enable sharing of the C:\ drive
    • connect to the internet and wait

11
Win98 honeypot (cont)
intruder copies a distributed.net client config
file to our honeypot
12
Win98 honeypot (cont)
the actual config file transfer reveals the intruder's
identity
13
Win98 honeypot (cont)
transfer of the distributed.net client file
transfer of the worm itself
14
Win98 honeypot (cont)
  • next, a crafted c:\windows\win.ini file is
    uploaded, containing
    • [windows]
      load=c:\windows\system\msi216.exe
  • infection complete !!
  • next time the honeypot reboots
    • distributed.net client will be run
    • worm will scan and replicate itself
    • worm will add bymer.scanner to registry
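The layer-4 "tripwire" of slide 6 is what catches the step just described: a dropped executable plus a rewritten win.ini. The script below is an added example and not code from the original presentation. It rebuilds the scenario in a temporary directory (a stand-in for C:\WINDOWS with a constructed win.ini and a placeholder system file), takes a hash baseline, then performs the intruder's two uploads and reports what changed and what the new win.ini will launch at logon. The file names win.ini and msi216.exe come from the slide; the file contents are constructed and nothing here is the worm.

```python
"""Tripwire-style integrity check plus win.ini autostart check.

Added example, not from the original presentation.  It rebuilds the
persistence step from the slides in a temporary directory: a fake
C:\\WINDOWS tree is baselined, then msi216.exe is dropped and win.ini
replaced, and the two checks report what changed.  All file contents
are constructed; nothing here is the real worm.
"""
import hashlib
import os
import tempfile


def snapshot(root):
    """Relative path -> SHA-256 of every file under root.  Keep the
    result OFF the honeypot (slide 6: spread the risk): an intruder who
    can rewrite the files can rewrite a baseline stored beside them."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return digests


def diff_snapshots(baseline, current):
    """(added, removed, modified) relative paths, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def autostart_entries(win_ini_text):
    """(key, value) for non-empty load= / run= lines in the [windows]
    section.  Win9x starts those programs at every logon, which is how
    the worm survives the reboot described in the slide."""
    section, found = None, []
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "windows" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("load", "run") and value:
                found.append((key.lower(), value))
    return found


# Constructed win.ini contents: the clean default and the crafted upload.
CLEAN_WIN_INI = "[windows]\nload=\nrun=\n[Desktop]\nWallpaper=(None)\n"
INFECTED_WIN_INI = ("[windows]\nload=c:\\windows\\system\\msi216.exe\nrun=\n"
                    "[Desktop]\nWallpaper=(None)\n")


def _write(root, rel, data):
    """Write text or bytes to root/rel, creating directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    mode = "wb" if isinstance(data, bytes) else "w"
    with open(path, mode) as fh:
        fh.write(data)


def demo():
    """Constructed scenario: baseline, then the intruder's two uploads."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "win.ini", CLEAN_WIN_INI)
        _write(root, "system/kernel32.dll", b"\x00" * 16)   # placeholder
        baseline = snapshot(root)
        _write(root, "system/msi216.exe", b"MZ stand-in for the uploaded worm")
        _write(root, "win.ini", INFECTED_WIN_INI)
        added, removed, modified = diff_snapshots(baseline, snapshot(root))
        with open(os.path.join(root, "win.ini")) as fh:
            autostart = autostart_entries(fh.read())
    return {"added": added, "removed": removed,
            "modified": modified, "autostart": autostart}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash diff alone only says "win.ini changed"; the second check says why it matters, because a modified win.ini that gains a load= entry is a persistence mechanism, not a cosmetic edit. On a real Win9x honeypot the same idea extends to the registry Run keys the slide mentions (bymer.scanner), which are not files and need a separate export-and-diff step.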

15
Conclusion
  • a tool, not a solution
  • level of interaction vs risk