A Virtual Honeypot Framework
Niels Provos, Google, Inc.
The 13th USENIX Security Symposium, August 9–13, 2004, San Diego, CA
Presented by: Sean Mondesire

Honeyd's Contributions
• Provides an alternative technique for detecting attacks
• Extremely low-cost option for honeypots
• A model framework for low-interaction honeypots

Agenda
1. Introduction of Honeypots
2. Honeyd
3. Critique of Honeyd
4. Recent Work
5. Honeyd's Contributions

What are Honeypots?
• A monitored computer system set up in the hope that it will be probed, attacked, and compromised
• Monitors all incoming and outgoing data
  – The system has no production role, so any contact is considered suspicious
• Can run any OS with any amount of functionality

Honeypots' Goals
• Capture information about attacks
  – System vulnerabilities
  – System responses
• Capture information about attackers
  – Attack methods
  – Scan patterns
  – Identities
• Be attacked!

Etymology of Honeypots
• Winnie-the-Pooh
  – His desire for pots of honey led him into various predicaments
• Cold War terminology
  – Female communist agent vs. male Westerner
• Outhouses
  – "Honey": euphemism for waste
  – Attackers are flies attracted to the honey's stench

Physical vs. Virtual Honeypots
• Physical honeypot:
  – Real machine
  – Runs one OS to be attacked
  – Has its own IP address
• Virtual honeypot:
  – Virtual machine simulated on top of a real machine
  – Can appear to run a different OS than the real machine
  – The real machine responds to network traffic sent to the virtual machine's address

Physical vs. Virtual Honeypots (diagram)
(Figure: physical honeypots, each a separate machine connected to the Internet, beside virtual honeypots, several of them hosted by one machine connected to the Internet.)

Virtual Honeypot Types
• High-interaction:
  – Simulates all aspects of an OS
  – Can be compromised completely
• Low-interaction:
  – Simulates only some parts of an OS
  – Example: the network stack
  – Simulates only services that cannot lead to a complete system compromise

Honeyd
• A virtual honeypot framework
• Can simulate hosts running different OSs at the same time
  – Each honeypot is allocated its own IP address
• Low-interaction
  – Only the network stack is simulated
  – Attackers interact with the honeypots only at the network level
• Supports TCP and UDP services
  – Handles ICMP messages as well

Honeyd: The Architecture
• Configuration database
• Central packet dispatcher
• Protocol handlers
• Personality engine
• Routing component (optional)

Personality Engine
• A virtual honeypot's personality:
  – The network stack behaviour of a given operating system
• The personality engine alters outgoing packets to mimic that VH's OS
  – Changes protocol header fields
• Used to thwart fingerprinting tools
  – Examples: Xprobe and Nmap

Routing Options
• Proxy ARP
• Configured routing
  – Routing tables
  – Routing trees
• Generic Routing Encapsulation (GRE)
  – Network tunneling
  – Load balancing

Experiments
• A virtual honeypot was created for every detectable fingerprint in Nmap
  – 600 distinct fingerprints
• Each VH had one port open, running a web server
• Nmap was run against the address space allocated to all the VHs
  – 555 personalities were identified correctly (a unique match)
  – For 37, Nmap listed several possible OSs
  – 8 could not be identified

Applications
• Network decoys
  – Lure attackers to virtual honeypots rather than real machines
• Detecting and countering worms
  – Capture the packets sent by worms
  – Use large numbers of VHs across a large address space
• Spam prevention
  – Simulate open proxy servers and open mail relays and monitor what is sent through them
  – Forward the captured data to spam filters

Conclusions
• Honeyd is a framework supporting multiple virtual honeypots
• Mimics OS network stack behaviours to trick attackers
• Provides a tool for network security research
  – Network decoys
  – Spam
  – Worm detection

Honeyd's Strengths
• Supports an array of different OS network stacks
  – Fools attackers
• Can support a large number of VHs covering large address spaces
• Easily configurable to test various security issues
  – Routing configuration
  – OS options

Honeyd's Weaknesses
• Low-interaction
  – Only network stacks were implemented
  – Not all OS services are available
  – Not all system vulnerabilities can be tested
• The personality engine is not 100% accurate
  – 45 of the 600 fingerprints were not uniquely identified (37 ambiguous, 8 unidentified)
  – Could give attackers clues about which parts of the network are honeypots

Future Work
• Implement middle-interaction
  – Increase the number of OS services per VH
• Experiment with Honeyd and physical honeypots on the same network
• Increase the stability of the personality engine

Related Current Work
• Middle-interaction
  – mwcollect
  – nepenthes
• The Honeynet Project
  – Raise awareness
  – Teach and inform
  – Research

Honeyd's Contributions
• Provides an alternative technique for detecting attacks
  – Detecting worms, attackers, and spam
• Extremely low-cost option for honeypots
  – Cost of physical honeypots vs. virtual
• A model framework for low-interaction honeypots
  – Simulates only an OS's network stack
  – Can cover large numbers of IP addresses