Distributed Honeynet System

1
Distributed Honeynet System

• Data Capture and Analysis
• C-DAC Mohali

2
Overview

• Honeynet/Honeypot Technology
• Honeypot/Honeynet Backgroud
• Type of Honeypots
• Deployment of Honeypots
• Data Collection
• Data Control
• Data Analysis

3
Honeypot/Honeynet concepts

• A honeypot is an information system resource
  whose value lies in unauthorized or illicit use
  of that resource
• Has no production value, anything going to or
  from a honeypot is likely a probe, attack or
  compromise
• A highly controlled network where every packet
  entering or leaving the honeypot system and
  related system activities are monitored, captured
  and analyzed.
• Primary value to most organizations is
  information

4
Advantages

• Fidelity Information of high value
• Reduced false positives
• Reduced false negatives
• Simple concept
• Not resource intensive

5
Attack Detection Techniques
Detection Techniques
Proactive Techniques
Defensive Techniques

• Honeynets

Anomaly-based
Signature-based
3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
6
How it works
Monitor
Detect
Response
3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
7
Honeynet Requirements Standards

• Data Control Contain the attack activity and
  ensure that the compromised honeypots do not
  further harm other systems.Out bound control
  without blackhats detecting control activities.
• Data Capture Capture all activity within the
  Honeynet and the information that enters and
  leaves the Honeynet, without blackhats knowing
  they are being watched.
• Data Collection captured data is to be Securely
  forwarded to a centralized data collection point
  for analysis and archiving.
• Attacker Luring Generating interest of attacker
  to attack the honeynet
• Static web server deployment, making it
  vulnerable
• Dynamic IRC, Chat servers,Hackers forums

3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
8
Classification

• By level of interaction
• High
• Low
• Middle?
• By Implementation
• Virtual
• Physical
• By purpose
• Production
• Research

3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
9
Types of Honeypots

• Low-interaction
• Emulates services and operating systems.
• Easy to deploy, minimal risk
• Captures limited information
• High Interaction
• Provide real operating systems and services, no
  emulation.
• Complex to deploy, greater risk.
• Capture extensive information.

10
Virtual Honeynet
11
What Honeynet Achieves

• Diverts attackers attention from the real
  network in a way that the main information
  resources are not compromised.
• Captures samples of new viruses and worms for
  future study
• Helps to build attackers profile in order to
  identify their preferred attack targets, methods.

3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
12
What value Honeynet adds

• Prevention of attacks
• through deception and deterrence
• Detection of attacks
• By acting as a alarm
• Response of attacks
• By collecting data and evidence of an attackers
  activity

3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
13
GEN III

• A highly controlled network where every packet
  entering or leaving is monitored, captured, and
  analyzed.
• Data Capture
• Data Control
• Data Analysis

3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
14
Honeynet Gen III
3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
15
Data Capture Mechanism
ETH0

APP LOGS
HIDS
IPTABLES
AISD
ARGUS
HFLOW DB
SNORT
HFLOWD
POF
CONVERT INTO UNIFIED FORMAT
SEBEKD
WALLEYE
ETH2
SYS LOGS
GUI WEB INTERFACE (192.168.2.2)
PCAP DATA
TCPDUMP
ETH1 (0.0.0.0)
SEBEK CLIENT
3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
HONEYPOT
(203.100.79.122)
16

Network Level Data Capture
System Level Data Capture
HONEYPOT
HONEYWALL
Raw Packet Capture
Analyzed Packet Capture
System Logs
Kernel Level Logs
Tcpdump
Argus
Syslogd
Sebek Client-Server
P0F
Snort
DATA CAPTURE TOOLS IN GEN 3 HONEYNET

17
Data Control
3/28/2021
CDAC-Mohali "NETWORK PACKET CAPTURING ANALYSIS"
18
DATA CONTROL

• PURPOSE
• Mitigate risk of COMPROMISED Honeypot being used
  to harm non-honeynet systems
• Count outbound connections (Reverse Firewall)
• IPS (Snort-Inline)
• Bandwidth Throttling (Reverse Firewall)

19
IPTABLES packet handling
20
Data Control

• Set the connection outbound limits for
  different protocols.SCALE"day"TCPRATE20"UDPR
  ATE"20"ICMPRATE"50"OTHERRATE"5
• iptables -A FORWARD -p tcp -i LAN_IFACE -m state
  --state NEW
• -m limit --limit TCPRATE/SCALE
  --limit-burst
• TCPRATE -s host -j tcpHandler
• iptables -A FORWARD -p tcp -i LAN_IFACE -m state
  --state NEW
• -m limit --limit 1/SCALE
  --limit-burst 1 -s host
• -j LOG --log-prefix "Drop TCP after
  TCPRATE attempts
• iptables -A FORWARD -p tcp -i LAN_IFACE -m state
  --state NEW
• -s host -j DROP

21
Distributed Honeynet System

• Distributed sensor Honeynet
• Configuration/reconfiguration
• Central Logging Alerting
• Honeypot management analysis (forensics take
  time!)

22

• Large Enterprise Network (STPI) /27
• Broadband Providers (BSNL,CONNECT,AIRTEL) /28,/28/
  29

23
Life Cycle of Distributed HoneyNet System

24
Remote Node Architecture

25
(No Transcript)
26
Malware Analysis
27

2
3
1
Malware Analysis Module
Malware Collection Module
Botnet Tracking

Remote Node of DHS
Bot Detection Engine
Anti virus
Bot hunter

Botnet Tracking engine
Low-Interaction Honeypot
High Interaction Honeynet
Sandbox (Bot Execution)
Malware collection Data Base
Bot Binary database
Botnet Tracking database
Central server

28
The Central Site of DHS
29
Main Functions
30
DATA ANALYSIS STEPS
HONEYWALL
REVERSE FIREWALL RULES (CONTROL OUTBOUND
TRAFFIC)
ETH0
IPTABLES
Collect Merge
ARGUS
HFLOW DB
SNORT
HFLOWD
POF
CONVERT INTO UNIFIED FORMAT
SEBEKD
WALLEYE
ETH2
PCAP DATA
ETH1 (0.0.0.0)
TCPDUMP
GUI WEB INTERFACE
SEBEK CLIENT
HONEYPOT

31
Walleye Web Interface

• Eye on the Honeywall is a web based interface
  for Honeywall Configuration, Administration and
  Data analysis

32
Honeywall Roo Logical Design
33
(No Transcript)
34
Walleye Analysis Interface
35
Botnet Detection
36
Introduction

• Botnet Problem
• Typical Botnet Life Cycle
• How Botnet Grows
• Challenges for Botnet detection
• Roadmap to Detection system
• Botnet Detection Approaches
• Our Implemented Approach
• Experiments and results

37
What Is a Bot/Botnet?

• Bot
• A malware instance that runs autonomously and
  automatically on a compromised computer (zombie)
  without owners consent
• Profit-driven, professionally written, widely
  propagated
• Botnet (Bot Army) network of bots controlled by
  criminals
• Definition A coordinated group of malware
  instances that are controlled by a botmaster via
  some CC channel
• Architecture centralized (e.g., IRC,HTTP),
  distributed (e.g., P2P)

38
Botnets are used for

• All DDoS attacks
• Spam
• Click fraud
• Information theft
• Phishing attacks
• Distributing other malware, e.g., spywarePCs are
  part of a botnet!

39
Typical Botnet Life Cycle

40
How the Botnet Grows
41
How the Botnet Grows
42
How the Botnet Grows
43
How the Botnet Grows
44
IRC Botnet Life Cycle
45
Challenges for Botnet Detection

• Bots are stealthy on the infected machines
• We focus on a network-based solution
• Bot infection is usually a multi-faceted and
  multiphase process
• Only looking at one specific aspect likely
  to fail
• Bots are dynamically evolving
• Botnets can have very flexible design of CC
• channels
• A solution very specific to a botnet
  instance is not
• desirable

46
Related Work

• Network Level
• G. Gu, J. Zhang, andW. Lee. BotSniffer Detecting
  botnet command and control channels in network
  traffic
• J. R. Binkley and S. Singh. An algorithm for
  anomaly-based botnet detection
• J. Goebel and T. Holz. Rishi Identify bot
  contaminated hosts by irc nickname evaluation
• C. Livadas, R. Walsh, D. Lapsley, and W. Strayer.
  Using machine learning technliques to identify
  botnet traffic

47
Related Work

• Host Level
• E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R.
  Kemmerer. Behavior-based spyware detection
• R. Sekar, M. Bendre, P. Bollineni, and D.
  Dhurjati. A fast automaton-based method for
  detecting anomalous program behaviors.
• Hybrid
• BotMiner Clustering analysis of network
  traffic for protocol- and structure independent
  botnet detection

48
Botnet Detection Approaches

• Setting up Honeynets (Honeynet Based Solutions)
• Network Traffic Monitoring
• Signature Based
• Anomaly Based
• DNS Based
• Mining Based

49
Honeynet Based Solution

• It enable us to isolate the bot from network and
  monitor its traffic in more controlled
  way, instead of waiting to be infected and
  then monitor the t traffic
• Bot execution in Honeynet test bed
• Monitor the traffic generated by bots
• Open Analysis
• Provides connection to Internet
• More flexible than closed analysis.

l
50
Our Implemented Approach

• Honeynet Based Solution
• Achievements
• Approach Implemented
• Honeynet Based Bot Analysis Architecture
• Payload Parser
• Web GUI and report generation

51
Flowchart
52
(No Transcript)
53
Features

• Systematically collect and analyze
• bot traffic over internet
• Provides controlled connection to
• Internet rate limit the outbound
• connections.
• It uses network-based anomaly
• detection to identify C C command
• sequences

54
Principal Mechanism for Botnet Detection

• Bot Execution
• - Bot Execution in Honeynet Based
  Environment
• - Collection of Execution traces to
  extract C C server
  information.
• - Complete payload sent to central server.
• Payload Parser
• - Extraction of IRC,HTTP command
  signatures
• Botnet Observation
• - extraction of attack,propagation scan
  or other attack
• commands
• - extraction of specific network
  patterns,secondary
• injections attempts
• Output
• - List of unique C C server
• - Command exchanged between bot client
  bot server

55
Experimental Result

• Botname B14 , MD5 a4dde6f9e4feb8a539974022cff5
  f92c
• Symantec W32.IRCBot, Microsoft
  BackdoorWin32/Poebot
• PASS 146751dhzx
• ftpelite.mine.nu
• NICK kcrbhf8wlzo
• USER XPUSA6059014236 0 0 o4dfmj2ctyc
• ftpelite.mine.nu
• PING AE645AF3
• PONG AE645AF3
• ftpelite.mine.nu 332 kcrbhf8wlzo 100 .vscan
  netapi 50 5 9999 216.x.x.x .sbk windows-krb.exe
  .sbk crscs.exe .sbk msdrive32.exe .sbk
  woot.exe .sbk dn.exe .sbk Zsnkstm.exe .sbk
  cndrive32.exe
• PRIVMSG 100 .4SC Random Port Scan started
  on 216.x.x.x445 with a delay of 5 seconds for
  9999 minutes using 50 threads.

56
Experimental Results IRC
57
Top IRC Bot Families Captured at Distributed
Honeynet System
Bot Family Number of Samples Percentage
Rbot 70 6.28
Poebot.gen 32 2.87
Rbot.gen 30 2.69
IRCbot.genK 22 1.99
Poebot.BT 12 1.08
IRCbot 8 0.71
Poebot.BI 6 0.54
IRCbot.genS 4 0.35
Poebot 4 0.35
Poebot.T 4 0.35
58
IRC Based Botnet Measurement

• In total we could identify 99 IRC-based bot
  binaries ,a rate of 8.25 of the overall binaries
  in 12 months

59
Botnet Command and Control Server Distribution
Botnet CC Server Info
60
Top Source IP and Ports Tejpur University Assam
Sno Source IP count
1 2 3 4 5 6 7 8 9 10 122.160.115.76 122.160.76.92 122.160.42.85 122.160.1.248 122.160.74.180 61.142.12.86 122.160.136.220 122.160.154.222 122.161.16.82 122.160.75.115 191 91 79 66 60 54 49 48 48 48
Sno Ports count
1 2 3 4 5 6 7 8 9 445 135 1434 139 80 25 3306 705 161 2571 139 111 42 35 12 7 6 1
61
Thank You