Defeat and Defend Honeynet - PowerPoint PPT Presentation
Provided by: yufa
1
Defeat and Defend Honeynet
  • Group 2
  • Internet Security with Applications

2
Honeypot - Recap
  • Honeypot: a closely monitored network decoy whose
    value lies in being attacked, probed and compromised
  • Captures attack information
  • Analyzes the attacks
  • Can be categorized by level of interaction
  • High interaction: presents a complete vulnerable
    operating environment (all aspects of the OS),
    captures all information, most risky, research
    honeypots → Honeynet

3
Honeynet
  • A highly controlled network where every packet
    entering or leaving is monitored, captured and
    analyzed.
  • 2 key functions
  • Data capture
  • Data capture at various levels: application,
    network, OS
  • Data logging and analysis
  • Data analysis: investigate malware, forensic
    purposes
  • Components
  • Honeywall Gateway: captures network-based data
    (packet capture, IDS, firewall, OS fingerprints,
    and netflow)
  • Honeypot: captures host-based data (syslogs and
    Sebek)
  • High interaction honeypot

4
Honeynet Architecture
5
To serve the data capture goal - Sebek was born
  • Traditional data capture methods
  • Patch /bin/sh to log every keystroke of an
    intruder
  • Redirect the output of syslogd to another host on
    the network
  • BUT!
  • The attacker can install his own binaries to bypass
    these logs
  • New method on a Linux system
  • A kernel-based rootkit called Sebek

6
Intro. to Sebek
  • The de facto data capture tool of the Honeynet
    architecture
  • All versions of Sebek work by hijacking the
    read() system call
  • Components
  • Data capture tool
  • patches system calls (open/fork/read/write/socket)
  • sends out gathered data via the network stack (UDP
    protocol)
  • Central logging server
  • Client/Server architecture
  • Sebek server (sebekd): Honeywall Gateway
  • Sebek client: Honeypot

7
How Sebek fits into this picture
  (diagram labels: Sebekd, Sebek)
8
Does Sebek work? Not Really!
9
Sebek (Honeypot) traces/properties that can be
fingerprinted by attackers
  • Sebek by default chooses a random number below
    1,000,000,000 as the module name
  • All its symbol names start with a letter,
    followed by a number with up to three digits
  • The conversion table used to translate IP addresses
    into integers is left in memory
  • The hidden Sebek module still has a complete module
    header structure in memory
  • It is possible to locate the variable storage block
    via the module header
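The first two traces on this slide (an integer module name below 1,000,000,000 and symbols of one letter plus up to three digits) are visible in ordinary /proc listings, so a honeynet operator can check a freshly built honeypot for them before exposing it. The following self-check is an added example, not code from the presentation or from Sebek; the /proc/modules and /proc/kallsyms listings it reads are constructed, and the regular expressions are my rendering of the slide's description, not Sebek's own naming code. The memory-only traces (the IP conversion table and the module header) are not visible this way and are not covered.

```python
import re

# Sebek traces from the slide, rendered as regular expressions (assumption
# about how they appear in /proc listings, not Sebek's own code):
#   - module name is a bare integer below 1,000,000,000 (at most 9 digits)
#   - symbol names are one letter followed by up to three digits
MODULE_NAME_RE = re.compile(r"^\d{1,9}$")
SYMBOL_RE = re.compile(r"^[A-Za-z]\d{1,3}$")


def parse_proc_modules(text):
    """Module names from /proc/modules-style lines:
    'name size usecount deps state address'."""
    names = []
    for line in text.splitlines():
        parts = line.split()
        if parts:
            names.append(parts[0])
    return names


def parse_kallsyms(text):
    """(symbol, module or None) pairs from /proc/kallsyms-style lines:
    'address type name [module]'; core-kernel symbols carry no module."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms.append((parts[2], module))
    return syms


def audit_traces(modules_text, kallsyms_text):
    """Return [(kind, detail)] for every trace an operator should clean up.
    Only module symbols are checked, since the slide's pattern concerns the
    hidden module, not the core kernel."""
    findings = []
    for name in parse_proc_modules(modules_text):
        if MODULE_NAME_RE.match(name):
            findings.append(("module-name", name))
    for sym, module in parse_kallsyms(kallsyms_text):
        if module is not None and SYMBOL_RE.match(sym):
            findings.append(("symbol-name", f"{sym} [{module}]"))
    return findings


# Constructed sample listings: a normal driver module plus a module that
# shows both traces (the names and addresses are made up).
SAMPLE_MODULES = """\
e1000 123904 0 - Live 0xffffffffc0500000
482193 16384 0 - Live 0xffffffffc0a00000
"""

SAMPLE_KALLSYMS = """\
ffffffff81000000 T startup_64
ffffffffc0500100 t e1000_clean [e1000]
ffffffffc0a01000 t a12 [482193]
ffffffffc0a01100 t b7 [482193]
ffffffffc0a01200 d k1000 [482193]
"""

if __name__ == "__main__":
    for kind, detail in audit_traces(SAMPLE_MODULES, SAMPLE_KALLSYMS):
        print(f"trace found: {kind}: {detail}")
```

On a live honeypot the two arguments would be the contents of /proc/modules and /proc/kallsyms; an empty result means only that these two naming traces are gone, not that the module is otherwise undetectable.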

10
Attackers can detect Sebekd (Honeywall)
  • Sebekd often puts a limit on outgoing TCP
    connections per day to minimize the risk of a
    successful attack on third-party systems
  • This limit can be easily discovered
  • Sebekd also uses snort_inline, an inline packet
    modification engine, to rewrite potentially
    dangerous code
  • Send code that could be modified by snort_inline
    to the machine; if the code got changed →
    possible Sebekd

11
Seven methods to defeat Sebek
  • Can be discovered by even an unprivileged user (c)
  • Network statistics disclose Sebek (c)
  • Brute-force scanning method (b)
  • System-call address checking (a)
  • Removing Sebek is feasible (a)
  • Sniff at the right place (b)
  • Bring down the central logging server (c)
  • Why? Because Sebek is implemented in the
    following ways:
  • (a) Hijacking the read() system call
  • (b) Hidden kernel module
  • (c) Dumps activity to the network via UDP protocol
    to a central logging machine

12
Problem with hijacking read()
  (diagram of system-call table entries with handler
   addresses 0x000011E, 0x000011E, 0x000011F, 0x003F001,
   annotated "Why at this address?")
13
One Proposed Solution - Xen-based honeynet
  • Xen's approach: Xebek (Xen-based Sebek)
  • Captures data by patching the system calls, so
    Xebek does not run as a kernel module.
  • Xebek does not use the network stack to deliver
    data; it uses shared memory, leaving fewer traces
  • Central logging server not exposed to the
    network.
  • However, it is still detectable
  • If the attacker gains kernel access or uses syscall
    latency

14
We Propose Enhancements
  • Extensive hijacking/patching
  • Not only the open/fork/read/write/socket syscalls,
    but also any other syscall that can be used to
    bypass logging, such as mmap()
  • Patch exec()
  • Restrict the privilege to modify syscall functions
  • Alarm if read() has been restored
  • Possible real-time re-patching/re-hijacking
  • Do local analysis as much as possible
  • More clean-up of memory traces
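The "alarm if read() has been restored" and "real-time re-patching" enhancements on this slide, together with the system-call address checking from slide 11, amount to an integrity monitor over the system-call table. The following is an added example, not code from the presentation or from Sebek: it audits a constructed text dump of table entries against the handlers the honeypot operator expects to see after hooking. The dump format, the kernel text window and every address are assumptions made up for the example; a real monitor would read the table from inside the kernel rather than from a text file.

```python
import re

# Constructed expectation table for a honeypot after the logger has hooked it:
#   syscall number -> (name, original kernel handler, hook handler)
# All addresses are made up for this example; they are not real kernel
# or Sebek addresses.
EXPECTED = {
    3:  ("read",  0xC0150A20, 0xD0812000),
    4:  ("write", 0xC0150B80, 0xD0812100),
    5:  ("open",  0xC0151100, 0xD0812200),
    90: ("mmap",  0xC0162240, 0xD0812300),
}

# Assumed core-kernel text window, used to tell a kernel address from a
# module address (the "system-call address checking" idea of slide 11).
KERNEL_TEXT = (0xC0100000, 0xC0400000)

# Assumed dump format, one entry per line: "<nr> <name> 0x<address>"
LINE_RE = re.compile(r"^\s*(\d+)\s+(\w+)\s+0x([0-9A-Fa-f]+)\s*$")


def parse_table_dump(text):
    """Parse the constructed dump into {syscall number: handler address}.
    Malformed lines are skipped rather than trusted."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[int(m.group(1))] = int(m.group(3), 16)
    return table


def in_kernel_text(addr):
    lo, hi = KERNEL_TEXT
    return lo <= addr < hi


def audit(current):
    """Compare live entries with EXPECTED.
    Returns [(syscall name, finding)] with finding one of:
    'restored'               hook removed, original handler back, logging bypassed
    'missing'                entry absent from the dump
    'unknown-kernel-handler' points into kernel text but not at the original
    'unknown-module-handler' points outside kernel text but not at our hook"""
    findings = []
    for nr, (name, orig, hook) in EXPECTED.items():
        cur = current.get(nr)
        if cur == hook:
            continue                      # still hooked, nothing to report
        if cur is None:
            findings.append((name, "missing"))
        elif cur == orig:
            findings.append((name, "restored"))
        elif in_kernel_text(cur):
            findings.append((name, "unknown-kernel-handler"))
        else:
            findings.append((name, "unknown-module-handler"))
    return findings


def repatch_plan(findings):
    """Entries to re-hijack: {syscall number: hook address}.
    Only 'restored' entries are re-patched automatically; the other findings
    mean something unexpected already sits in the slot and need a human."""
    by_name = {name: (nr, hook) for nr, (name, _orig, hook) in EXPECTED.items()}
    return {by_name[name][0]: by_name[name][1]
            for name, finding in findings if finding == "restored"}


# Constructed dump: read() has been put back to its original handler, an
# unknown handler sits in the mmap() slot, write() and open() are still hooked.
SAMPLE_DUMP = """\
3 read 0xC0150A20
4 write 0xD0812100
5 open 0xD0812200
90 mmap 0xD0990000
"""

if __name__ == "__main__":
    findings = audit(parse_table_dump(SAMPLE_DUMP))
    for name, finding in findings:
        print(f"ALARM {name}(): {finding}")
    print("re-patch:", {nr: hex(a) for nr, a in repatch_plan(findings).items()})
```

The distinction between "restored" and the two "unknown" cases is what makes the re-patching safe to automate: writing the hook back over the original handler only undoes the bypass, whereas overwriting an unknown handler could stack the logger on top of a second rootkit and hide that fact from the analyst.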

15
References
  • A Whirlwind Introduction to Honeypots, Marcus J.
    Ranum, 2002
  • Honeypots, Honeynets, and the Honeywall, David
    Dittrich, Mar 2004
  • Towards an Invisible Honeypot Monitoring
    Tool, Nguyen Anh Quynh, Keio University, Japan
  • A Virtual Honeypot Framework, Niels Provos, Aug
    2004
  • NoSEBrEaK - Attacking Honeynets, Maximillian
    Dornseif, Thorsten Holz, Christian N. Klein, Jun
    2004