HONEYPOTS PRESENTATION

TEAM: Ankur Sharma, Ashish Agrawal, Elly Bornstein, Santak Bhadra, Srinivas Natarajan

Topics to be covered
- Network IDS - Brief Intro
- What is a Honeypot?
- Honeypot in a Network Environment
- A Three Layered Approach
- Types of Honeypot
- Honeypot and IDS - Traditional detection problems
- Honeypot as detection solution
- Honeypot implementation and an example attack
- Virtual Honeypot
- Advantages and Disadvantages
- Demo
- References

Network IDS - Brief Intro
- An IDS that detects malicious activity such as denial-of-service attacks, port scans or attempts to break into computers by monitoring network traffic.
- Inspects incoming network traffic and studies the packets.
- Reads valuable information about an ongoing intrusion from outgoing or local traffic as well.
- It can co-exist with other systems. For example, it can update a firewall's blacklist IP database with computers used by (suspected) hackers.

What is a Honeypot?
- A trap set to detect, deflect and counteract attempts at unauthorized use of information systems.
- A security resource whose value lies in being probed, attacked, or compromised.
- A valuable system that can be used as a surveillance and early-warning tool.

Honeypot in a Network Environment
- In general, it consists of a computer or a network site that appears to be part of the network but is actually isolated, unprotected and monitored.
- It can also take other forms, such as files or data records, or even unused IP address space.

Honeypot in a Network Environment (diagram slide; no text recovered)

A Three Layered Approach
A honeypot can be defined in a three layered approach:
- Prevention
- Detection
- Response

A Three Layered Approach
- Prevention: Honeypots can be used to slow down or stop automated attacks. They can use psychological weapons such as deception or deterrence to confuse or stop attacks.
- Detection: Honeypots are used to detect unauthorized activity and capture unknown attacks.
- Honeypots generate very few alerts, but when they do you can almost be sure that something malicious has happened.
- Response: Production honeypots can be used to respond to an attack. Information gathered from the attacked system can be used to respond to the break-in.

Types of Honeypot
Classified based on two categories:
Deployment
1. Production
2. Research
Levels of interaction
1. Low Interaction
2. High Interaction

Deployment Types
- Production Honeypots: Easy to use, capture only limited information, and primarily used by companies or corporations. They are placed alongside the rest of the production network and help to mitigate risk in an organization.
- Research Honeypots: Run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the blackhat community targeting different networks.

Levels of Involvement
- Low Interaction (Honeyd): Able to simulate big network structures on a single host. With one single instance of the daemon, many different hosts running different services can be simulated.
- High Interaction (Honeynet): A network of real systems. A stealth inline network bridge closely monitors and controls the network data flow to and from the honeypots in the network.

Honeypot and IDS - Traditional detection problems
- Data overload
- False positives
- False negatives
- Resources
- Encryption
- IPv6

Honeypot as detection solution
- Small data sets
- Reduced false positives
- Catching false negatives
- Minimal resources
- Encryption
- IPv6

Honeyd
- It is designed to be used on Unix-based operating systems, such as OpenBSD or Linux; however, it may soon be ported to Windows.
- Since this solution is open source, not only is it free, but we also have full access to the source code, which is under the BSD license.

Honeyd (continued)
- The primary purpose of Honeyd is detection, specifically to detect unauthorized activity within your organization.
- It does this by monitoring all the unused IPs in your network.
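Honeyd's detection principle worked through as an added example (this is not code from the presentation or from the Honeyd project): a Python script applies the rule to constructed connection records, raising an alert for every connection to an address in the monitored range that is not assigned to a real host, and then counts distinct attackers per destination port in the style of the deck's "most attacked ports" chart. The subnet, the allocated-host list and the record layout are all assumptions made for the example.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed inventory: the monitored /24 and the hosts actually assigned.
# Every other address in the range is the unused space Honeyd would claim.
MONITORED_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOCATED = {"192.168.1.1", "192.168.1.10", "192.168.1.20", "192.168.1.50"}

# Constructed connection records (not real Honeyd output), one per line:
# "<timestamp> <proto> <src_ip> <src_port> <dst_ip> <dst_port>"
SAMPLE_LOG = """\
2024-01-05-10:00:01 tcp 10.0.0.7 51234 192.168.1.10 80
2024-01-05-10:00:02 tcp 10.0.0.7 51235 192.168.1.201 445
2024-01-05-10:00:02 tcp 10.0.0.7 51236 192.168.1.202 445
2024-01-05-10:00:03 tcp 10.0.0.7 51237 192.168.1.203 135
2024-01-05-10:00:04 udp 172.16.5.9 40000 192.168.1.150 137
2024-01-05-10:00:05 tcp 172.16.5.9 40001 192.168.1.50 22
2024-01-05-10:00:06 tcp 172.16.5.9 40002 192.168.1.151 445
"""

def parse_record(line):
    """Split one record into its fields; malformed lines yield None."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, sport, dst, dport = parts
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport)}

def is_unused(dst):
    """Honeyd's core assumption: a monitored address nobody was assigned."""
    return dst in MONITORED_NET and str(dst) not in ALLOCATED

def analyze(log_text):
    """Alert on traffic to unused space; count attackers per port and hosts swept per source."""
    alerts, by_port, sweep = [], defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or not is_unused(rec["dst"]):
            continue  # traffic to a real host is not a honeypot event
        alerts.append((rec["ts"], rec["src"], str(rec["dst"]), rec["dport"]))
        by_port[rec["dport"]].add(rec["src"])
        sweep[rec["src"]].add(str(rec["dst"]))
    top_ports = Counter({port: len(srcs) for port, srcs in by_port.items()})
    return {"alerts": alerts, "top_ports": top_ports,
            "sweep": {src: len(hosts) for src, hosts in sweep.items()}}

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG)["top_ports"].most_common(5))
```

Of the seven constructed records only two reach real hosts, so the remaining five become alerts with no signature involved, which is the "small data sets, reduced false positives" argument from the earlier slide.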
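For the Configuring Honeyd step, an added example honeyd.conf (written for this page, not taken from the presentation or from the Honeyd project): two templates bound to unused addresses in a constructed 192.168.1.0/24 range, plus a catch-all default template for the rest of the range. The personality strings must match entries in the nmap fingerprint file Honeyd is given, and the script paths are assumed names.

```conf
# Added example configuration; addresses are constructed for illustration.

# A template that answers fingerprinting as a Windows host.
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action reset
set windows default icmp action open
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open

# A template that looks like a Linux server; the SSH script name is assumed.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 "sh scripts/ssh-banner.sh"
add linux tcp port 80 "sh scripts/web.sh"

# Bind the templates to specific unused addresses ...
bind 192.168.1.201 windows
bind 192.168.1.202 windows
bind 192.168.1.203 linux

# ... and let "default" claim every other address handed to honeyd and arpd.
create default
set default default tcp action reset
set default default udp action reset
set default default icmp action open
```

Assumed invocation, with arpd claiming the unused addresses first: arpd 192.168.1.0/24 and then honeyd -d -f honeyd.conf 192.168.1.0/24, where -d keeps honeyd in the foreground and -f names the configuration file.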
- Any attempted connection to an unused IP address is assumed to be unauthorized or malicious activity.

Example (diagram slide; no text recovered)

Configuring Honeyd
- To implement Honeyd we need to compile and use two tools: Arpd and Honeyd.
- Arpd is used for ARP spoofing: it monitors the unused IP space and directs attacks to the Honeyd honeypot.

Building a honeypot with UML
- UML (User-Mode Linux) allows multiple instances of Linux to run on the same system at the same time.
- The UML kernel receives system calls from its applications and forwards them to the host kernel.
- UML has many capabilities, among them:
  - It can log all keystrokes even if the attacker uses encryption.
  - It reduces the chances of revealing its identity as a honeypot.
  - It keeps UML kernel data secure from tampering by its processes.

Honeynet
- A network of honeypots, supplemented by firewalls and an intrusion detection system.
- Advantages:
  - More realistic environment
  - Improved possibility to collect data

How a Honeynet works
- A highly controlled network where every packet entering or leaving is monitored, captured and analyzed.

Virtual Honeypot
- Virtual machines allow different OSes to run at the same time on the same machine.
- Honeypots are guests on top of another OS.
- We can implement a guest OS on a host OS in two ways:
  - Raw disk: an actual disk partition
  - Virtual disk: a file on the host file system

Most Exploited Vulnerabilities (chart slide: top 5 most frequently exploited vulnerabilities with a rating of "severe")

The Five Most Attacked Ports (chart slide: X-axis: port number; Y-axis: number of attackers with the rating of "severe" per honeypot in the last week)

Advantages
- Productive environment: distraction from the real target.
- Can peek into the guest operating system at any time.
- Reinstallation of a contaminated guest is also very easy.

Disadvantages
- Sub-optimal utilization of computational resources.
- Reinstallation of a polluted system is very difficult.
- Difficulty in monitoring such a system in a safe way.
- Detecting the honeypot is easy.

References
- http://www.securityfocus.com
  - Honeypots: Simple, Cost-Effective Detection
  - Open Source Honeypots: Learning with Honeyd
  - Specter: A Commercial Honeypot Solution for Windows
- http://www.honeypots.net/
- http://en.wikipedia.org/wiki/Honeypot_(computing)
- http://www.tracking-hackers.com/

Thank You! We are happy to answer any questions.