Feb 05, 2016
A Virtual Honeypot Framework
Niels Provos, Google, Inc.
The 13th USENIX Security Symposium, August 9-13, 2004, San Diego, CA
Presented by: Sean Mondesire
Honeyd's Contributions
- Provides an alternative technique for detecting attacks
- Extremely low-cost option for honeypots
- A model framework for low-interaction honeypots
Agenda
1. Introduction of Honeypots
2. Honeyd
3. Critique of Honeyd
4. Recent Work
5. Honeyd's Contributions
What are Honeypots?
- A monitored computer system deployed in the hope that it will be probed, attacked, and compromised
- Monitors all incoming and outgoing data
- Any contact is considered suspicious
- Can support any OS with any amount of functionality
Honeypots' Goals
- Capture information about attacks
  - System vulnerabilities
  - System responses
- Capture information about attackers
  - Attack methods
  - Scan patterns
  - Identities
- Be attacked!
Etymology of Honeypots
- Winnie-the-Pooh: his desire for pots of honey led him into various predicaments
- Cold War terminology: female communist agent vs. male Westerner
- Outhouses: "honey" as a euphemism for waste; attackers are flies attracted to the honey's stench
Physical vs. Virtual Honeypots
- Physical honeypot:
  - Real machine
  - Runs one OS to be attacked
  - Has its own IP address
- Virtual honeypot:
  - Virtual machine on top of a real machine
  - Can run a different OS than the real machine
  - The real machine responds to network traffic sent to the virtual machine
Physical vs. Virtual Honeypots (diagram: the Internet connected to physical honeypots, and the Internet connected to virtual honeypots)
Virtual Honeypot Types
- High-interaction:
  - Simulates all aspects of an OS
  - Can be compromised completely
- Low-interaction:
  - Simulates some parts of an OS (example: the network stack)
  - Simulates only services that cannot lead to complete system compromise
Honeyd
- A virtual honeypot framework
- Can simulate different OSs at once
- Each honeypot is allocated its own IP address
- Low-interaction:
  - Only the network stack is simulated
  - Attackers interact with honeypots only at the network level
- Supports TCP and UDP services
- Handles ICMP messages as well
Honeyd: The Architecture
- Configuration database
- Central packet dispatcher
- Protocol handlers
- Personality engine
- Routing component (optional)
Personality Engine
- A virtual honeypot's personality: the network stack behavior of a given operating system
- The personality engine alters outgoing packets to mimic that VH's OS
  - Changes protocol headers
- Used to thwart fingerprinting tools (examples: Xprobe and Nmap)
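As an added illustration of the architecture and personality-engine slides above (not code from the paper or from Honeyd itself), the following Python sketch shows how the configuration database, central packet dispatcher, protocol handlers and personality engine fit together: it parses a constructed honeyd-style configuration (a simplified subset of Honeyd's syntax), and for an incoming packet looks up the bound template, chooses the service handler or default action, and attaches the personality's header values. The two personality names and their TTL/window/DF values are assumptions for illustration, not entries from Nmap's fingerprint database.

```python
import re
from dataclasses import dataclass, field

# Constructed honeyd-style configuration (a simplified subset, parsed by the toy parser below).
CONFIG = """
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "sh scripts/web.sh"
bind 10.0.0.10 windows
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action block
add linux tcp port 22 "sh scripts/ssh.sh"
bind 10.0.0.11 linux
"""
# Assumed per-personality IP/TCP header values the engine stamps on replies (illustrative only).
PERSONALITIES = {
    "Microsoft Windows XP Professional SP1": {"ttl": 128, "window": 65535, "df": True},
    "Linux 2.4.20": {"ttl": 64, "window": 5840, "df": True},
}

@dataclass
class Template:
    personality: str = ""
    default_action: dict = field(default_factory=dict)  # proto -> reset/block/open
    ports: dict = field(default_factory=dict)           # (proto, port) -> handler script

def parse_config(text):
    """Configuration database: template name -> Template, honeypot IP -> template name."""
    templates, bindings = {}, {}
    for line in text.strip().splitlines():
        tok = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', line)]
        if tok[0] == "create":
            templates[tok[1]] = Template()
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]].personality = tok[3]
        elif tok[0] == "set" and tok[2] == "default":
            templates[tok[1]].default_action[tok[3]] = tok[5]
        elif tok[0] == "add":
            templates[tok[1]].ports[(tok[2], int(tok[4]))] = tok[5]
        elif tok[0] == "bind":
            bindings[tok[1]] = tok[2]
    return templates, bindings

def dispatch(templates, bindings, dst_ip, proto, port):
    """Central dispatcher: bound template -> service handler or default action + personality headers."""
    template = templates.get(bindings.get(dst_ip))
    if template is None:
        return None  # not a honeypot address: nothing to answer
    action = template.ports.get((proto, port), template.default_action.get(proto, "block"))
    return {"action": action, **PERSONALITIES[template.personality]}
```

A connection to port 80 on 10.0.0.10 is handed to the web service script with Windows-style headers, while port 22 on the same address gets the template's default "reset" action; addresses with no binding are ignored.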
Routing Options
- Proxy ARP
- Configured routing
  - Routing tables
  - Routing trees
- Generic Routing Encapsulation
  - Network tunneling
  - Load balancing
Experiments
- Virtual honeypots for every detectable fingerprint in Nmap were used: 600 distinct fingerprints
- Each VH had one port open to run a web server
- Nmap was tested against the address space allocated for all the VHs
- 555 fingerprints were correctly identified
- 37 fingerprints listed possible OSs
- 8 failed to be identified
Applications
- Network decoys
  - Lure attackers to virtual honeypots, not real machines
- Detecting and countering worms
  - Capture packets sent by worms
  - Use large numbers of VHs across a large address space
- Spam prevention
  - Monitor open proxy servers and open mail relays
  - Forward suspicious data to spam filters
Conclusions
- Honeyd is a framework for supporting multiple virtual honeypots
- Mimics OS network stack behaviors to trick attackers
- Provides a tool for network security research
  - Network decoy
  - Spam and worm detection
Honeyd's Strengths
- Supports an array of different OS network stacks
  - Fools attackers
- Can support a large number of VHs for large address spaces
- Easily configurable to test various security issues
  - Routing configuration
  - OS options
Honeyd's Weaknesses
- Low-interaction
  - Only network stacks were implemented
  - Not all OS services are available
  - Not all system vulnerabilities can be tested
- Personality engine is not 100% accurate
  - The 37 ambiguous identifications could give attackers clues as to which address ranges are honeypots
Future Work
- Implement middle-interaction
- Increase the number of OS services per VH
- Experiment with Honeyd and physical honeypots on the same network
- Increase the stability of the personality engine
Related Current Work
- Middle-interaction
  - mwcollect
  - nepenthes
The Honeynet Project
- Raise awareness
- Teach and inform
- Research
Honeyd's Contributions
- Provides an alternative technique for detecting attacks
  - Detecting worms, attackers, and spam
- Extremely low-cost option for honeypots
  - Cost of physical honeypots vs. virtual
- A model framework for low-interaction honeypots
  - Simulates only an OS's network stack
  - Can cover large numbers of IP addresses