Intrusion Detection using Honeypots
Patrick Brannan
Honeyd with virtual machines

What is a honeypot?
A closely monitored network decoy that serves several purposes:
- Distract adversaries from vulnerable production machines
- Provide early warning of new attacks and exploits
- Allow in-depth examination of adversaries during and after exploitation

Problems and solution
- Physical honeypot machines are expensive to buy and costly to maintain
- Attacks can corrupt a physical honeypot: destroy the box, destroy the software
- Solution: Honeyd or a similar product

Honeyd
- A program that simulates multiple operating systems on multiple IP addresses
- One box can run many honeypots
- Simulates the network stack (the TCP/IP "personality") of each operating system
- Provides arbitrary virtual routing topologies
- Because only the stack is simulated, Honeyd can observe connection attempts and the exchange with its emulated services, but not a real compromise of an operating system

Why is Honeyd better than a NIDS alone?
- A NIDS requires signatures of known attacks
- With Honeyd all traffic to the honeypot is logged and can be reviewed later, so a new exploit technique with no signature is still captured
- The honeypot has no production value, so every packet sent to it is suspect; this yields far fewer false positives than a NIDS on a production segment

Honeyd + virtual machine
- Honeyd alone can only simulate the TCP/IP stack
- Combined with a virtual machine (Honeyd's configuration can proxy a simulated port to a real host, such as the VM), the attacker can now run exploits against a whole operating system
- We can then detect and learn about new kinds of exploits and what they do after the connection, rather than only seeing the connection itself

Design
- Honeyd replies to network packets whose destination IP address belongs to one of the simulated honeypots
- The router receives the packet and forwards it to the Honeyd host (the slides use iptables for this)
- Honeypots can be placed behind multiple firewalls

Combination
- Honeyd alone cannot give us enough information to prevent future attacks
- Combined with a VM we can record the new attack method and what the attacker was after
- A newly observed attack method may be the precursor of more damaging attacks

Conclusion
- Since all traffic to the honeypot is monitored, no attack against the honeypot goes unnoticed; attacks that never touch a honeypot address are still invisible to it
- With the VM we can build new defenses for real systems
- Great flexibility and record keeping are possible
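The slides' central argument is that a honeypot needs no attack signatures: everything that reaches it is suspect, so the stored traffic log can be triaged after the fact. The following Python script, an added example that is not part of the slides or of the Honeyd project, shows what that triage looks like. It assumes the line layout of Honeyd's packet log (the file written with the -l option): a timestamp, the protocol with its number, an event marker (S for connection start, E for connection end, - for a single UDP/ICMP packet), source IP and port, destination IP and port, then either a passive OS guess in brackets on S lines or the byte counts after a colon on E and - lines. The log lines embedded in SAMPLE_LOG are constructed sample data, and the classification labels (sweep, payload, probe) are this example's own naming.

```python
"""Triage a Honeyd-style packet log without attack signatures.

Assumed record layout (Honeyd packet log, -l):
  <ts> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport> [<os guess>]   (S lines)
  <ts> <proto>(<num>) <S|E|-> <src> <sport> <dst> <dport>: <sent> <recv> (E/- lines)
The sample log below is constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\((?P<pnum>\d+)\)\s+(?P<ev>[SE-])\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)"
    r"(?::\s*(?P<bytes>[\d ]+))?(?:\s*\[(?P<os>[^\]]*)\])?\s*$"
)

# Constructed sample: an SSH sweep across three honeypot IPs, one HTTP session
# that exchanged data, one NetBIOS datagram, one empty SMB probe, one junk line.
SAMPLE_LOG = """\
2023-05-01-10:00:01.0001 tcp(6) S 203.0.113.7 40211 192.0.2.10 22 [Linux 2.6]
2023-05-01-10:00:01.0040 tcp(6) E 203.0.113.7 40211 192.0.2.10 22: 0 0
2023-05-01-10:00:02.0001 tcp(6) S 203.0.113.7 40212 192.0.2.11 22 [Linux 2.6]
2023-05-01-10:00:02.0050 tcp(6) E 203.0.113.7 40212 192.0.2.11 22: 0 0
2023-05-01-10:00:03.0001 tcp(6) S 203.0.113.7 40213 192.0.2.12 22 [Linux 2.6]
2023-05-01-10:00:03.0050 tcp(6) E 203.0.113.7 40213 192.0.2.12 22: 0 0
2023-05-01-10:05:10.2000 tcp(6) S 198.51.100.5 51000 192.0.2.10 80 [Windows XP SP1]
2023-05-01-10:05:12.9000 tcp(6) E 198.51.100.5 51000 192.0.2.10 80: 512 1280
2023-05-01-10:07:00.0000 udp(17) - 203.0.113.50 137 192.0.2.12 137: 78
2023-05-01-10:08:00.0000 tcp(6) S 198.51.100.9 33000 192.0.2.11 445 [Windows 2000]
2023-05-01-10:08:00.1000 tcp(6) E 198.51.100.9 33000 192.0.2.11 445: 0 0
this line is not a honeyd record
"""


@dataclass(frozen=True)
class Event:
    ts: str
    proto: str
    kind: str       # 'S' connection start, 'E' connection end, '-' single packet
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int     # bytes reported on E and '-' lines, 0 on S lines
    os_guess: str   # passive fingerprint on S lines, '' otherwise


def parse_line(line):
    """Return an Event for one log record, or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    nbytes = sum(int(x) for x in (m.group("bytes") or "").split())
    return Event(m.group("ts"), m.group("proto"), m.group("ev"), m.group("src"),
                 int(m.group("sport")), m.group("dst"), int(m.group("dport")),
                 nbytes, m.group("os") or "")


def parse_log(text):
    """Parse every well-formed record; malformed lines are skipped, not fatal."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev is not None]


def summarize_by_source(events):
    """Every contact with a honeypot is suspect, so group all activity by source."""
    summary = defaultdict(lambda: {"targets": set(), "ports": set(),
                                   "connections": 0, "bytes": 0, "os": set()})
    for ev in events:
        s = summary[ev.src]
        s["targets"].add(ev.dst)
        s["ports"].add((ev.proto, ev.dport))
        s["bytes"] += ev.nbytes
        if ev.kind in ("S", "-"):      # count each new connection or datagram once
            s["connections"] += 1
        if ev.os_guess:
            s["os"].add(ev.os_guess)
    return dict(summary)


def classify_sources(summary, scan_threshold=3):
    """Label sources without signatures: 'sweep' touched many honeypot addresses or
    ports, 'payload' actually exchanged data (a candidate to replay against the VM),
    'probe' connected but sent nothing."""
    verdicts = {}
    for src, s in summary.items():
        if len(s["targets"]) >= scan_threshold or len(s["ports"]) >= scan_threshold:
            verdicts[src] = "sweep"
        elif s["bytes"] > 0:
            verdicts[src] = "payload"
        else:
            verdicts[src] = "probe"
    return verdicts


if __name__ == "__main__":
    summary = summarize_by_source(parse_log(SAMPLE_LOG))
    for src, verdict in classify_sources(summary).items():
        s = summary[src]
        print(f"{src:15} {verdict:8} targets={len(s['targets'])} "
              f"ports={sorted(s['ports'])} bytes={s['bytes']} os={sorted(s['os'])}")
```

The point of the classification is the one the slides make: nothing here matches a known exploit pattern, yet the sweep, the session that exchanged data, and the empty probe separate cleanly because the honeypot should never have received any of them. The "payload" sources are the ones worth steering to a real VM to see what the exploit does once it gets a full operating system.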