A Virtual Honeypot Framework

1
A Virtual Honeypot Framework

• Author Niels Provos
• Published in CITI Report 03-1
• Presenter Tao Li

2
Outline

• Introduction
• Honeyd
• What is Honeyd?
• Design and Implementation of Honeyd
• Evaluation of Honeyd
• Application
• Discussion

3
Outline

• Introduction
• Honeyd
• What is Honeyd?
• Design and Implementation of Honeyd
• Evaluation of Honeyd
• Application
• Discussion

4
Introduction

• Network Security Background
• Were unable to make secure computer systems or
  even measure their security.
• New vulnerabilities kept being exploited
• Exploit automation and massive global scanning
  for vulnerabilities to compromise computer
  systems
• We use Honeypot as one way to get early
  warnings of new vulnerabilities.

5
Introduction

• What is a honeypot?
• A closely monitored computing resource intended
  to be probed, attacked or compromised.
• Network decoy to deter from real targets
• Network sensor monitoring blackhole
• Provide IDS functionality

6
Introduction

• Why using honeypots instead of NIDS ?
• All data entering or leaving a honeypot is
  closely monitored and collected for forensic
  analysis
• It can detect vulnerabilities not yet understood
• Less likely to lead to false positives
• Can run any OS and any number of services
• The configured services determine the vectors
  available for an adversary to attack

7
Introduction

• Categories of honeypots
• Interaction
• High-interaction honeypots simulate all aspects
  of OS, can be compromised completely
• Low-interaction honeypots simulate only parts of
  OS, to gather high level information
• Implementation
• Phisical honeypots real machines with itself IP
• Virtual honeypots simulated by another machine

8
Outline

• Introduction
• Honeyd
• Information of Honeyd
• Design and Implementation of Honeyd
• Evaluation of Honeyd
• Application
• Discussion

9
What is Honeyd ?

• Honeyd is a low-interaction virtual honeypot, a
  lightweight framework for creating virtual
  honeypots to instrument thousands of IP addresses
  with virtual machines and corresponding network
  services.

10
(No Transcript)
11
What can Honeyd do?

• Simulate TCP and UDP services
• Support ICMP
• Handle multiple IP addresses simultaneously
• Simulate arbitrary network topologies
• Support topologically dispersed address spaces
• Support network tunneling for load sharing

12
Design and Implementation

• Receiving Network Data
• Architecture
• Personality Engine
• Routing Topology
• Configuration
• Logging

13
Receiving Network Data

• Three ways for Honeyd to receives traffic for its
  virtual honeypots
• Special route lead data to honeyd host
• Proxy ARP for honeypots
• Support Network Tunnelsgeneric routing
  encapsulation (GRE)

14
Architecture

• Incoming packets are dispatched to correct
  protocol handler. For TCP and UDP, the configured
  services receive new data and send repsonses if
  necessary. All outgoing packets are modified by
  the personality engine to mimic the behavior of
  the configured network stack. The routing
  component is optional and used only Honeyd
  simulated network topology.

15
Architecture

• Configuration database
• Store the personalities of the configured network
  stack.
• Central packet dispatcher
• Dispatch Incoming packets to the correct protocol
  handler.
• Protocol handlers
• Personality engine
• Option routing component

16
Architecture

• Support subsystem
• An application that runs in the name space of the
  virtual honeypotno need to create a new process
  for each connection
• Support redirection of connections
• Forward connection request for a service to a
  real server
• Reflect connections back to an adversary!!!

17
Personality Engine

• Why to use it?
• Different operating system have different network
  stack behaviors.
• Adversaries commonly run fingerprinting tools
  like Xprobe or Nmap to gather information about a
  target system.
• Personality Engine make honeypots appear like
  real target to a probe to fool the fingerprinting
  tools

18
Personality Engine

• How to fool the adversaries?
• Use Nmaps fingerprint database as reference for
  TCP and UDP protocol
• Use Xprobes fingerprint database for ICMP
• Introduces changes to the headers of every
  outgoing packet before sent to the network to
  match the characteristics of the configured
  operating system

19
Personality Engine

• Example
• Nmap s fingerprinting is mostly concerned with
  an OSs TCP implementation
• Nmap uses the size of the advertised receiver
  windows which varies between implementations as
  part of the fingerprint.

20
Personality Engine

• Example of Nmaps fingerprint specifying the
  network behavior

Fingerprint IRIX 6.5.15m on SGI
O2 TSeq(ClassTDgcdlt104SIlt1AEIPIDITS2HZ) T
1(DFNWEF2AACKSFlagsASOpsMNWNNTNNM) T2(R
espYDFNW0ACKSFlagsAROps) T3(RespYDFN
WEF2AACKOFlagsAOpsNNT) T4(DFNW0ACKOF
lagsROps) T5(DFNW0ACKSFlagsAROps) T6
(DFNW0ACKOFlagsROps) T7(DFNW0ACKSFl
agsAROps) PU(RespN)
21
Routing Topology

• Honeyd can simulate arbitrary virtual routing
  topologies
• Simulation of route tree
• Configure the entry router
• Configurable latency and packet loss
• Simulation of arbitrary routing
• Extension
• Integrate physical machines into topology
• Distributed Honeyd via GRE tunneling

22
(No Transcript)
23
How to Configure?

• Each virtual honeypot is configured with a
  template.
• Commands
• Create Creates a new template
• Set
• Assign personality (fingerprint database) to a
  template
• Specify default behavior of network protocols
• Block All packets dropped
• Reset All ports closed by default
• Open All ports open by default
• Add Specify available services
• Proxy Used for connection forwarding
• Bind Assign template to specific IP address

24
Logging

• Honeyd supports several ways of logging network
  activity.
• Honeyd creat connection logs to report attempted
  and completed connections for all protocols.
• Information also can be gathered from the
  services themselves and be reported to Honeyd via
  stderr.
• Honeyd can be runs in conjunction with a NIDS.

25
Evaluation

• Honeyd did fools Nmap
• Among totally 600 fingerprints, Nmap uniquely
  identified the operating system simulated by
  Honey in 555, generated a list of possible
  answers including the simulated personality in
  37.
• Only 8 fingerprints out of 600 failed!
• It works pretty effectively.

26
Outline

• Introduction
• Honeyd
• What is Honeyd?
• Design and Implementation of Honeyd
• Evaluation of Honeyd
• Application
• Discussion

27
Application

• Network Decoys
• Instrument the unallocated addresses of a
  production network, confuse and deter adversaries
  scanning the production network
• Conjunction with a NIDS, the resulting network
  traffic may help in getting early warning of
  attacks.

28
Application

• Detecting and Countering Worms
• Deploy a large number of virtual honeypots as
  gateways in front of a smaller number of
  high-interaction honeypots.
• Use Honeyds subsystem support to expose regular
  UNIX applications like OpenSSH to worms.

29
Application

• Spam Prevention
• Spammers abuse two Internet services proxy
  servers and open mail relays
• Use the Honeyd framework to instrument networks
  with open proxy servers and open mail relays.

30
Outline

• Introduction
• Honeyd
• What is Honeyd?
• Design and Implementation of Honeyd
• Evaluation of Honeyd
• Application
• Discussion

31
Strength

• Honeyd has many advantages over NIDS
• Collects more useful information
• Detects vulnerabilities not yet understood
• Less likely leads to high false positives
• It cheats the fingerprint tools effectively
• Effective network decoysconfuse and defer the
  attackers
• Detecting and immunizing new worms
• Spam prevention

32
Weakness

• Limit interaction only at network level
• Not simulate the whole OS
• Adversaries never gain full access to systems
• Limited number of simulated services and
  protocols
• What if the warm is smart to cheat us? Honeyd
  will become attackers.

33
How to improve?

• Combine Honeyd with high-interaction virtual
  honeypots using User Mode Linux or VMware to
  have a better forensic analysis of the attacker
• Cheat more fingerprint tools, eg. P0fpassive
  analyze the network traffic
• Simulate more services and protocols, eg. has a
  better TCP state machine.

34

• Thank you.
• Any questions?