A Virtual Honeypot Framework
Niels Provos, Google, Inc.
The 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA
Presented by: Sean Mondesire
Feb 05, 2016
Honeyd’s Contributions
• Provides an alternative technique for detecting attacks
• Extremely low-cost option for honeypots
• A model framework for low-interaction honeypots.
Agenda
1. Introduction of Honeypots
2. Honeyd
3. Critique of Honeyd
4. Recent Work
5. Honeyd’s Contributions
What are Honeypots?
• Monitored computer system with the hopes of being probed, attacked, and compromised.
• Monitors all incoming and outgoing data.
  – Any contact is considered suspicious.
• Can support any OS with any amount of functionality.
Honeypots’ Goals
• Capture information about attacks
  – System vulnerabilities
  – System responses
• Capture information about attackers
  – Attack methods
  – Scan patterns
  – Identities
• Be attacked!
Etymology of Honeypots
• Winnie-the-Pooh
  – His desire for pots of honey led him to various predicaments
• Cold War terminology
  – Female communist agent vs. male Westerner
• Outhouses
  – “Honey”: euphemism for waste
  – Attackers are flies attracted to honey’s stench
Physical vs. Virtual Honeypots
• Physical Honeypot:
  – Real machine
  – Runs one OS to be attacked
  – Has its own IP address
• Virtual Honeypot:
  – Virtual machine on top of a real machine
  – Can run a different OS than the real machine
  – Real machine responds to network traffic sent to the virtual machine
Physical vs. Virtual Honeypots
[Figure: two diagrams, “Physical Honeypots” and “Virtual Honeypots”, each showing the honeypots connected to the Internet]
Virtual Honeypot Types
• High-Interaction:
  – Simulates all aspects of an OS
  – Can be compromised completely
• Low-Interaction:
  – Simulates some parts of an OS
    • Example: Network Stack
  – Simulates only services that cannot lead to complete system compromise
Honeyd
• A virtual honeypot framework
• Can simulate different OSes at once
  – Each honeypot is allocated its own IP address
• Low-Interaction
  – Only the network stack is simulated
  – Attackers only interact with honeypots at the network level
• Supports TCP and UDP services
  – Handles ICMP messages as well
Honeyd: The Architecture
• Configuration Database
• Central Packet Dispatch
• Protocol Handlers
• Personality Engine
• Routing Component (optional)
Personality Engine
• Virtual Honeypot’s Personality:
  – The network stack behavior of a given operating system
• Personality Engine alters outgoing packets to mimic that VH’s OS
  – Changes protocol headers
• Used to thwart fingerprinting tools
  – Example: Xprobe and Nmap
Routing Options
• Proxy ARP
• Configured Routing
  – Routing Tables
  – Routing Trees
• Generic Routing Encapsulation
  – Network Tunneling
  – Load balancing
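As an added example (not from the paper, the slides, or the honeyd distribution), the honeyd configuration below ties the Honeyd, Architecture, Personality Engine and Routing slides together: templates in the configuration database, per-port protocol handlers, personalities that the personality engine applies to outgoing headers, and an optional routing tree with a GRE tunnel entry. The personality strings must match entries in honeyd’s nmap.prints fingerprint file, the IP addresses and script paths are assumed placeholders, and the `tunnel` line uses the GRE syntax as I recall it from the honeyd manual, so treat it as an assumption to check against your version.

```honeyd
# Template 1: a Windows-like host. The personality engine rewrites
# outgoing TCP/UDP/ICMP headers to match this Nmap fingerprint entry.
create win
set win personality "Microsoft Windows XP Professional SP1"   # must exist in nmap.prints
set win default tcp action reset        # closed TCP ports answer with RST
set win default udp action reset        # closed UDP ports answer ICMP port unreachable
set win default icmp action open        # reply to ping
add win tcp port 80 "sh scripts/web.sh" # protocol handler: script emulates a web server (assumed path)
add win tcp port 139 open               # port completes the handshake, no service behind it
add win tcp port 25 block               # packets to this port are silently dropped
set win uptime 1728650                  # seeds the TCP timestamp so the uptime looks plausible

# Template 2: a Linux-like host with a different stack personality.
create lnx
set lnx personality "Linux 2.4.7 - 2.6.11"   # must exist in nmap.prints
set lnx default tcp action reset
add lnx tcp port 22 open
add lnx tcp port 80 "sh scripts/web.sh"

# Bind templates to addresses in the monitored range (assumed addresses).
bind 10.0.0.2 win
bind 10.0.0.3 lnx

# Configured routing (optional): a virtual router at 10.0.0.1 is the entry
# point for 10.0.0.0/8, serves 10.0.0.0/24 directly, and reaches 10.1.0.0/16
# through 10.1.0.1 with 55 ms latency and 10% loss, so traceroute and ping
# see a believable multi-hop topology instead of a flat subnet.
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"   # must exist in nmap.prints
set router default tcp action reset
bind 10.0.0.1 router
bind 10.1.0.1 router
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# GRE tunnel (assumed syntax and endpoints): traffic for 10.2.0.0/16 is
# encapsulated and forwarded to a honeyd instance at another site.
route 10.0.0.1 add net 10.2.0.0/16 tunnel 192.168.1.1 192.168.1.2
```

Proxy ARP is not expressed in this file: it is provided by the separate arpd daemon, which answers ARP requests for the unused addresses so the host running honeyd receives their traffic.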
Experiments
• Virtual Honeypots for every detectable fingerprint in Nmap were used
  – 600 distinct fingerprints
• Each VH had one port open to run a web server
• Nmap was tested against the address space allocated for all the VHs
  – 555 fingerprints were correctly identified
  – 37 fingerprints listed possible OSes
  – 8 failed to be identified
Applications
• Network Decoys
  – Lure attackers to virtual honeypots, not real machines
• Detecting and Countering Worms
  – Capture packets sent by worms
  – Use large amounts of VHs across a large address space
• Spam Prevention
  – Monitor open proxy servers and open mail relays
  – Forward suspicious data to spam filters
Conclusions
• Honeyd is a framework for supporting multiple virtual honeypots
• Mimics OS network stack behaviors to trick attackers
• Provides a tool for network security research
  – Network decoy
  – Spam
  – Worm detection
Honeyd’s Strengths
• Supports an array of different OS network stacks
  – Fool attackers
• Can support a large number of VHs for large address spaces
• Easily configurable to test various security issues
  – Routing configuration
  – OS options
Honeyd’s Weaknesses
• Low-Interaction
  – Only network stacks were implemented
  – Not all OS services available
  – Not all system vulnerabilities can be tested
• Personality Engine is not 100%
  – The 37 failed identifications
  – Could leave clues to attackers about which sections are honeypots
Future Work
• Implement Middle-Interaction
  – Increase the number of OS services per VH
• Experiment with honeyd and physical honeypots on the same network
• Increase stability of the personality engine
Related Current Work
• Middle-Interaction
  – mwcollect
  – nepenthes
• The Honeynet Project
  – Raise Awareness
  – Teach and Inform
  – Research
Honeyd’s Contributions
• Provides an alternative technique for detecting attacks
  – Detecting worms, attackers, and spam
• Extremely low-cost option for honeypots
  – Cost of physical honeypots vs. virtual
• A model framework for low-interaction honeypots
  – Simulates only an OS’s network stack
  – Can cover large amounts of IP addresses