Page 1: A Virtual Honeypot Framework

Niels Provos, Google, Inc.

The 13th USENIX Security Symposium, August 9–13, 2004

San Diego, CA

Presented by: Sean Mondesire

Page 2: Honeyd’s Contributions

• Provides an alternative technique for detecting attacks

• Extremely low-cost option for honeypots

• A model framework for low-interaction honeypots.

Page 3: Agenda

1. Introduction of Honeypots

2. Honeyd

3. Critique of Honeyd

4. Recent Work

5. Honeyd’s Contributions

Page 4: What are Honeypots?

• A monitored computer system set up in the hope that it will be probed, attacked, and compromised.

• Monitors all incoming and outgoing data.
– A honeypot has no production users, so any contact is considered suspicious.

• Can support any OS with any amount of functionality.

Page 5: Honeypots’ Goals

• Capture information about attacks
– System vulnerabilities
– System responses

• Capture information about attackers
– Attack methods
– Scan patterns
– Identities

• Be attacked!

Page 6: Etymology of Honeypots

• Winnie-the-Pooh
– His desire for pots of honey led him into various predicaments

• Cold War terminology
– Female communist agent vs. male Westerner

• Outhouses
– “Honey”: euphemism for waste
– Attackers are flies attracted to the honey’s stench

Page 7: Physical vs. Virtual Honeypots

• Physical Honeypot:
– Real machine
– Runs one OS to be attacked
– Has its own IP address

• Virtual Honeypot:
– Virtual machine on top of a real machine
– Can run a different OS than the real machine
– Real machine responds to network traffic sent to the virtual machine

Page 8: Physical vs. Virtual Honeypots

[Figure: two diagrams, each connected to the Internet: “Physical Honeypots” and “Virtual Honeypots”]

Page 9: Virtual Honeypot Types

• High-Interaction:
– Provides every aspect of an OS (typically a full OS in a virtual machine)
– Can be compromised completely

• Low-Interaction:
– Simulates some parts of an OS
• Example: the network stack
– Simulates only services that cannot lead to complete system compromise

Page 10: Honeyd

• A virtual honeypot framework

• Can simulate different OS’s at once
– Each honeypot is allocated its own IP address

• Low-Interaction
– Only the network stack is simulated
– Attackers only interact with honeypots at the network level

• Supports TCP and UDP services
– Handles ICMP messages as well

Page 11: Honeyd: The Architecture

• Configuration Database

• Central Packet Dispatch

• Protocol Handlers

• Personality Engine

• Routing Component (optional)
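Added example (not Honeyd’s own code, and not from the original slides): a small Python model of how the configuration database and the central packet dispatch on slides 10 and 11 fit together. It parses a configuration written in Honeyd’s directive grammar (create, set … personality, set … default <proto> action, add … <proto> port, bind) and then resolves an incoming packet’s destination address, protocol and port to the template and action that would handle it. The template names, addresses and script paths are constructed for illustration.

```python
"""Model of Honeyd's configuration database feeding its central packet dispatch.

Added example, not Honeyd's own code. The directives follow Honeyd's
configuration grammar (create / set <tmpl> personality / set <tmpl> default
<proto> action / add <tmpl> <proto> port <n> <action> / bind <ip> <tmpl>);
the template names, addresses and script paths are constructed.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed configuration: two personalities plus the catch-all 'default'
# template that Honeyd applies to addresses with no explicit binding.
SAMPLE_CONF = """
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default icmp action open
add windows tcp port 80 "sh scripts/iis.sh"
add windows tcp port 139 open
add windows udp port 137 open
bind 10.0.0.51 windows

create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 "sh scripts/ssh.sh"
add linux tcp port 25 proxy 10.0.1.5:25
bind 10.0.0.52 linux
"""


@dataclass
class Template:
    name: str
    personality: Optional[str] = None
    # Per-protocol behaviour for ports with no explicit service.
    defaults: Dict[str, str] = field(
        default_factory=lambda: {"tcp": "block", "udp": "block", "icmp": "block"})
    # (proto, port) -> action: "open", a script command, "proxy host:port", ...
    services: Dict[Tuple[str, int], str] = field(default_factory=dict)


class ConfigDB:
    def __init__(self) -> None:
        self.templates: Dict[str, Template] = {}
        self.bindings: Dict[str, str] = {}  # ip -> template name

    def load(self, text: str) -> "ConfigDB":
        for raw in text.splitlines():
            line = raw.split("#", 1)[0].strip()
            if not line:
                continue
            tok = shlex.split(line)  # honours quoted script commands
            if tok[0] == "create":
                self.templates[tok[1]] = Template(tok[1])
            elif tok[0] == "set" and tok[2] == "personality":
                self.templates[tok[1]].personality = tok[3]
            elif tok[0] == "set" and tok[2] == "default" and tok[4] == "action":
                self.templates[tok[1]].defaults[tok[3]] = " ".join(tok[5:])
            elif tok[0] == "add" and tok[3] == "port":
                self.templates[tok[1]].services[(tok[2], int(tok[4]))] = " ".join(tok[5:])
            elif tok[0] == "bind":
                self.bindings[tok[1]] = tok[2]
            else:
                raise ValueError(f"unsupported directive: {line}")
        return self

    def dispatch(self, dst_ip: str, proto: str,
                 port: Optional[int] = None) -> Optional[Tuple[str, str]]:
        """Central packet dispatch: map (dst, proto, port) to (template, action).

        Returns None when no template is bound and no 'default' template exists,
        i.e. the packet is not for one of our virtual honeypots.
        """
        name = self.bindings.get(dst_ip)
        if name is None:
            if "default" not in self.templates:
                return None
            name = "default"
        tmpl = self.templates[name]
        if proto == "icmp":
            return name, tmpl.defaults["icmp"]
        # Explicit per-port service first, then the protocol's default action.
        return name, tmpl.services.get((proto, port), tmpl.defaults[proto])


if __name__ == "__main__":
    db = ConfigDB().load(SAMPLE_CONF)
    for pkt in [("10.0.0.51", "tcp", 80), ("10.0.0.51", "tcp", 6667),
                ("10.0.0.52", "tcp", 25), ("10.0.0.99", "udp", 53)]:
        print(pkt, "->", db.dispatch(*pkt))
```

Running the block prints one dispatch decision per sample packet. The point to take away is the lookup order: the template bound to the destination address (falling back to the catch-all default template), then an explicit per-port service, then the template’s per-protocol default action.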

Page 12: Personality Engine

• A virtual honeypot’s personality:
– The network stack behavior of a given operating system

• The personality engine alters outgoing packets to mimic that VH’s OS
– Changes protocol header fields (e.g. TCP window size and options)

• Used to fool fingerprinting tools into reporting the configured OS
– Example: Xprobe and Nmap
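Added example, not Honeyd’s code: a Python sketch of the personality engine’s job for the most visible case, the reply to a TCP SYN. It parses fingerprints in the first-generation Nmap layout that Honeyd loads (a Fingerprint header followed by tests such as T1 for a SYN to an open port and T5 for a SYN to a closed port, fields separated by “%”) and derives the reply’s DF bit, window size, acknowledgement number, flags and TCP option layout from the matching test. The two fingerprint entries are constructed for illustration rather than copied from Nmap’s database, and the MSS, window-scale and timestamp payloads are assumed values.

```python
"""Personality engine sketch: shape a TCP reply from an Nmap-style fingerprint.

Added example, not Honeyd's code. The fingerprint text uses the
first-generation Nmap fingerprint layout (Fingerprint <name>, then tests
such as T1(...) for a SYN to an open port and T5(...) for a SYN to a closed
port, fields separated by '%'). Both entries are constructed; MSS,
window-scale and timestamp payload values are assumptions.
"""
import re
from typing import Dict, Optional

SAMPLE_PRINTS = """
Fingerprint Linux 2.4.x (constructed)
T1(DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)

Fingerprint Windows 2000 (constructed)
T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=M)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
"""

# TCP flag letters used by the fingerprint format -> header bits.
TCP_FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08, "A": 0x10, "U": 0x20}

Fingerprint = Dict[str, Dict[str, str]]  # test name -> field -> value


def parse_fingerprints(text: str) -> Dict[str, Fingerprint]:
    prints: Dict[str, Fingerprint] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Class "):
            continue
        if line.startswith("Fingerprint "):
            current = line[len("Fingerprint "):]
            prints[current] = {}
            continue
        m = re.fullmatch(r"(\w+)\((.*)\)", line)
        if not m or current is None:
            raise ValueError(f"malformed fingerprint line: {line}")
        test, body = m.groups()
        prints[current][test] = dict(kv.split("=", 1) for kv in body.split("%") if kv)
    return prints


def tcp_options(ops: str) -> bytes:
    """Encode the option sequence in exactly the order the fingerprint lists it.

    M = MSS, N = NOP, W = window scale, T = timestamps, S = SACK permitted,
    L = end of option list. Option payload values are assumed constants.
    """
    out = bytearray()
    for op in ops:
        if op == "M":
            out += bytes([2, 4]) + (1460).to_bytes(2, "big")
        elif op == "N":
            out += b"\x01"
        elif op == "W":
            out += bytes([3, 3, 0])
        elif op == "T":
            out += bytes([8, 10]) + bytes(8)  # TSval and TSecr left at 0 here
        elif op == "S":
            out += bytes([4, 2])
        elif op == "L":
            out += b"\x00"
        else:
            raise ValueError(f"unknown option code {op!r}")
    out += b"\x00" * (-len(out) % 4)  # pad to a 32-bit boundary with EOL
    return bytes(out)


def reply_to_syn(fp: Fingerprint, port_open: bool, syn_seq: int) -> Optional[dict]:
    """Header fields for the reply to a SYN, per the personality's T1 or T5 test.

    Returns None when the fingerprint says the real stack stays silent (Resp=N).
    """
    test = fp["T1" if port_open else "T5"]
    if test.get("Resp") == "N":
        return None
    ack = {"S++": syn_seq + 1, "S": syn_seq, "O": 0}[test["ACK"]]
    return {
        "df": test["DF"] == "Y",                     # IP don't-fragment bit
        "window": int(test["W"].split("|")[0], 16),  # first of any alternatives
        "ack": ack,
        "flags": sum(TCP_FLAG_BITS[c] for c in test["Flags"]),
        "options": tcp_options(test.get("Ops", "")),
    }


if __name__ == "__main__":
    for name, fp in parse_fingerprints(SAMPLE_PRINTS).items():
        print(name, reply_to_syn(fp, True, 1000))
```

The option bytes follow the fingerprint’s letter order exactly, because that ordering is one of the things a fingerprinter compares. The real engine also covers the TSeq test (sequence number and IP ID behaviour) and uses Xprobe’s database for ICMP; those are left out here.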

Page 13: Routing Options

• Proxy ARP

• Configured Routing
– Routing Tables
– Routing Trees

• Generic Routing Encapsulation
– Network Tunneling
– Load Balancing

Page 14: Experiments

• A virtual honeypot was created for every detectable fingerprint in Nmap
– 600 distinct fingerprints

• Each VH had one port open to run a web server.

• Nmap was run against the address space allocated to all the VH’s
– 555 fingerprints were correctly identified
– 37 fingerprints yielded a list of possible OS’s
– 8 could not be identified

Page 15: Applications

• Network Decoys
– Lure attackers to virtual honeypots, not real machines

• Detecting and Countering Worms
– Capture packets sent by worms
– Use large numbers of VH’s across a large address space

• Spam Prevention
– Monitor open proxy servers and open mail relays
– Forward suspicious data to spam filters

Page 16: Conclusions

• Honeyd is a framework for supporting multiple virtual honeypots

• Mimics OS network stack behaviors to trick attackers

• Provides a tool for network security research
– Network decoy
– Spam prevention
– Worm detection

Page 17: Honeyd’s Strengths

• Supports an array of different OS network stacks
– Fools attackers’ OS fingerprinting

• Can support a large number of VH’s for large address spaces

• Easily configurable to test various security issues
– Routing configuration
– OS options

Page 18: Honeyd’s Weaknesses

• Low-Interaction
– Only network stacks were implemented
– Not all OS services are available
– Not all system vulnerabilities can be exercised

• Personality Engine is not 100% accurate
– In the Nmap experiment, 37 fingerprints were ambiguous and 8 were not identified
– Could give attackers clues about which addresses are honeypots.

Page 19: Future Work

• Implement Middle-Interaction
– Increase the number of OS services per VH

• Experiment with Honeyd and physical honeypots on the same network

• Improve the stability of the personality engine

Page 20: Related Current Work

• Middle-Interaction
– mwcollect
– nepenthes

• The Honeynet Project
– Raise awareness
– Teach and inform
– Research

Page 21: Honeyd’s Contributions

• Provides an alternative technique for detecting attacks
– Detecting worms, attackers, and spam

• Extremely low-cost option for honeypots
– Cost of physical honeypots vs. virtual

• A model framework for low-interaction honeypots
– Simulates only an OS’s network stack
– Can cover large amounts of IP addresses

