Pacific North West Honeynet Project
Dave Dittrich, The Information School, University of Washington
DIMACS Large Scale Attack Workshop, Sept. 23, 2003

Research areas
• Prototyping a distributed honeynet using GenII "Honeywall" technologies
• SU grad students producing a database of clean/compromised system images
• Developing a client/server in FIRE for loading these images onto systems over the network
• Developing host integrity checking functions in FIRE to simplify/semi-automate analysis
• Aim to isolate malware artifacts for reverse engineering
• Aim to study cross-sector activity and trends

Honeynet Research Alliance
• Pacific North West Honeynet Project
• Open to UW, SU, ISU, UI students/faculty/staff
• Provides
  • Lots of hands/eyes to install, monitor, test…
  • Network diversity
  • Honeypot diversity
  • Increased chances of "interesting" activity

Honeynet Research Alliance
• Locations: UW, SU, ISU, UI networks
• Future: Extend to REN ISAC?

Honeynets
• Using new GenII "Honeywall CD-ROM"
• x86-compatible PC with three NICs
• >= 20GB hard drive
• >= 512MB RAM
• One or more honeypots per honeynet
• Initially independent, later will centralize logs

Honeywall Data Control
Is it perfect?
…No

Honeypots
• Preparation
  • Entire drive written with zeros (no residue)
  • Partitions as small as possible (minimize footprint in database and network transfer time)
  • 2-3 partitions on each drive
    • Operating system "live" partition
    • Image copy of OS (not mounted)
    • Swap partition (if OS requires one)
  • MD5 hash both OS partitions before going "live" (to verify integrity)
  • MD5 hash all blocks (to find changes faster)
  • [Automate using database & client/server]

Database
• Index on useful attributes
  • OS type (e.g., Windows, Linux)
  • OS version (e.g., Win2k, RH7.2)
  • Services enabled
  • Partitions used
  • Partition sizes
  • MD5/SHA1 hashes of partitions
  • MD5/SHA1 hashes of blocks on OS partition
  • Status (e.g., Clean, Compromised)
  • Etc…

Front end
• Runs on custom FIRE CD
• User interface to database
• Client/server to manage bits on disk
  • Upload bits on disk to database
  • Hash partitions/blocks, gather attributes, etc.
  • Choose image, prep drive, load
  • Choose image, compare with bits on disk (detect changes since install)
• Potential for hardware assist (or NG-TCB?)

Use in Forensic Course Lab
• Student boots lab system using custom FIRE CD
• Chooses which compromised system to analyze
• Bits loaded to disk, verified
• Student performs analysis, answers specific questions (which are compared with analysis in database)
• Repeat…

Resources
• "The Use of Honeynets to Detect Exploited Systems Across Large Enterprise Networks", http://www.tracking-hackers.com/papers/gatechhoneynet.pdf
• http://project.honeynet.org/
• http://staff.washington.edu/dittrich/pnw-honeynet/reading/
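The Honeypots preparation steps (hash both OS partitions before going "live", hash all blocks to find changes faster) and the front end's "compare with bits on disk" step together describe a block-level integrity baseline. The following is an added example, not code from the deck or from the FIRE/PNW Honeynet tooling. It works on an in-memory byte string standing in for a partition (constructed sample data; on a real honeypot you would read the raw block device from the FIRE CD), the 4 KiB block size is an assumption the slides do not make, and it defaults to SHA-256 where the slides used MD5/SHA1: MD5 collisions are practical today, so a modern baseline should not rely on it, but the algorithm name is a parameter so an existing MD5 baseline can still be checked.

```python
"""Block-level integrity baseline for a honeypot OS partition image.

Added example (not from the slides or the FIRE/PNW honeynet tooling).
Models the "hash partition before going live" and "hash all blocks"
preparation steps, then the front end's "compare with bits on disk"
step that reports what changed since install.
"""
import hashlib
from typing import Dict, List, Tuple

BLOCK_SIZE = 4096  # assumption: 4 KiB blocks; the slides do not fix a size


def hash_bytes(data: bytes, algo: str = "sha256") -> str:
    """Hex digest of data. The deck used MD5/SHA1; SHA-256 is the
    sensible default now, but "md5" works for checking old baselines."""
    return hashlib.new(algo, data).hexdigest()


def make_baseline(partition: bytes, block_size: int = BLOCK_SIZE,
                  algo: str = "sha256") -> Dict:
    """What the image database would index for a clean partition:
    the whole-partition hash plus one hash per block."""
    blocks = [partition[i:i + block_size]
              for i in range(0, len(partition), block_size)]
    return {
        "algo": algo,
        "block_size": block_size,
        "size": len(partition),
        "partition_hash": hash_bytes(partition, algo),
        "block_hashes": [hash_bytes(b, algo) for b in blocks],
    }


def verify_partition(partition: bytes, baseline: Dict) -> bool:
    """Cheap accept/reject before going live: one whole-partition hash.
    Length is checked first so a truncated or grown image fails fast."""
    return (len(partition) == baseline["size"]
            and hash_bytes(partition, baseline["algo"]) == baseline["partition_hash"])


def changed_blocks(partition: bytes, baseline: Dict) -> List[int]:
    """Indices of blocks whose hash differs from the baseline.
    Run this only after verify_partition() has failed."""
    bs, algo = baseline["block_size"], baseline["algo"]
    changed = []
    for idx, expected in enumerate(baseline["block_hashes"]):
        chunk = partition[idx * bs:(idx + 1) * bs]
        if hash_bytes(chunk, algo) != expected:
            changed.append(idx)
    # Blocks beyond the baseline's end are new data and count as changed too.
    total = (len(partition) + bs - 1) // bs
    changed.extend(range(len(baseline["block_hashes"]), total))
    return changed


def changed_ranges(indices: List[int], block_size: int) -> List[Tuple[int, int]]:
    """Coalesce consecutive block indices into (start, end) byte offsets,
    which is what you hand to an analyst or carve out with dd."""
    ranges: List[Tuple[int, int]] = []
    for idx in indices:
        start, end = idx * block_size, (idx + 1) * block_size
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)
        else:
            ranges.append((start, end))
    return ranges


def demo() -> List[Tuple[int, int]]:
    """Constructed scenario: a 16-block partition wiped to zeros with a
    stand-in kernel image at block 2, then a simulated compromise."""
    clean = bytearray(b"\x00" * (16 * BLOCK_SIZE))
    clean[2 * BLOCK_SIZE:2 * BLOCK_SIZE + 64] = b"fake-vmlinuz".ljust(64, b"\x00")
    baseline = make_baseline(bytes(clean))
    assert verify_partition(bytes(clean), baseline)

    # Simulated compromise: 8 bytes patched inside block 2 and a dropped
    # file landing in blocks 9-10.
    dirty = bytearray(clean)
    dirty[2 * BLOCK_SIZE + 8:2 * BLOCK_SIZE + 16] = b"ROOTKIT!"
    dirty[9 * BLOCK_SIZE:11 * BLOCK_SIZE] = b"\xff" * (2 * BLOCK_SIZE)
    assert not verify_partition(bytes(dirty), baseline)
    return changed_ranges(changed_blocks(bytes(dirty), baseline), BLOCK_SIZE)


if __name__ == "__main__":
    print(demo())  # [(8192, 12288), (36864, 45056)]
```

The two-stage check is the point of the deck's "hash all blocks (to find changes faster)" bullet: the whole-partition hash is enough to accept a clean image or to reject a touched one, and the per-block list is only walked on rejection, so the student or analyst gets a short list of byte ranges to look at instead of a whole partition. Because the baseline is taken before the honeypot goes live and stored off-host, an intruder who later rewrites blocks cannot also rewrite the hashes they are compared against.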