Transcript Slide 1
HONEYPOTS PRESENTATION
TEAM:
Ankur Sharma
Ashish Agrawal
Elly Bornstein
Santak Bhadra
Srinivas Natarajan
Topics to be covered
Network IDS - Brief Intro
What is a Honeypot ?
Honeypot - in a Network environment
A Three Layered Approach
Types of Honeypot
Honeypot and IDS - Traditional detection problem
Honeypot as detection solution
Honeypot implementation and an example attack
Virtual Honeypot
Advantages and Disadvantages
Demo
References
Network IDS – Brief Intro
An IDS which detects malicious activity such as denial of service
attacks, port scans or even attempts to crack into computers by
monitoring network traffic.
Inspect incoming network traffic and studies the packets.
Reads valuable information about an ongoing intrusion from
outgoing or local traffic as well.
It can co-exist with other systems as well. For example, update
some firewalls' blacklist IP database about computers used by
(suspected) hackers.
What is a Honeypot ?
A trap set to detect, deflect and counteract
attempts at unauthorized use of information
systems.
A security resource whose value lies in being
probed, attacked, or compromised.
A Valuable system that can be used as
surveillance and early-warning tool.
Honeypot in a Network
Environment
In general, it consists of a computer or a
network site that appears to be part of network
but which is actually isolated, unprotected and
monitored.
It can also take other forms, such as files or
data records, or even unused IP address space.
Honeypot in a Network
Environment
A Three Layered Approach
Honeypot can be defined in a three layered
approach:
Prevention
Detection
Response
A Three Layered Approach
Prevention: Honeypots can be used to slow down or stop
automated attacks. It can utilize psychological weapons such
as deception or deterrence to confuse or stop attacks.
Detection: It is used to detect unauthorized activity and capture
unknown attacks. Generate very few alerts, but when they do
you can almost be sure that something malicious has
happened.
Response: Production honeypots can be used to respond to an
attack. Information gathered from the attacked system can be
used to respond to the break-in.
Types of Honeypot
Classified based on two categories:
Deployment
1. Production
2. Research
Levels of interaction
1. Low Interaction
2. High Interaction
Deployment Types
Production Honeypots:
Easy to use, capture only limited information, and
primarily used by companies or corporations. They
are placed along with other production network and
help to mitigate risk in an organization.
Research Honeypots:
Run by a volunteer, non-profit research organization
or an educational institution to gather information
about the motives and tactics of Blackhat community
targeting different networks.
Levels of Involvement
Low Interaction (Honeyd)
Able to simulate big network structures on a single
host. With one single instance of the daemon, many
different hosts running different services can be
simulated.
High Interaction (HoneyNet)
Network of real systems. A stealth inline network
bridge that closely monitors and controls the network
data flow to and from the honeypots in the network.
Honeypot and IDS - Traditional
detection problems
Data overload
False positives
False negatives
Resources
Encryption
IPv6
Honeypot as detection solution
Small data sets
Reduced false positives
Catching false negatives
Minimal resources
Encryption
IPv6
Honeyd
It's designed to be used on Unix-based
operating systems, such as OpenBSD or
Linux; however, it may soon be ported to
Windows.
Since this solution is OpenSource, not only is
it free, but we also have full access to the
source code, which is under the BSD license.
Continue…..
Honeyd
The primary purpose of Honeyd is detection,
specifically to detect unauthorized activity
within your organization.
It does this by monitoring all the unused IPs in
your network.
Any attempted connection to an unused IP
address is assumed to be unauthorized or
malicious activity
Example….
Configuring Honeyd
To implement Honeyd we need to compile and
use two tools: Arpd and Honeyd.
Arpd is used for ARP spoofing
Monitors the unused IP space and directs
attacks to the Honeyd honeypot.
Building honeypot with UML
UML allows to run multiple instances of Linux
on the same system at the same time
The UML kernel receives the system call from
its application and sends/requests them to the
host kernel
UML has many capabilities, among them
It can log all the keystrokes even if the attacker uses
encryption
It reduces the chances of revealing its identity as
honeypot
Makes UML kernel data secure from tampering by its
processes.
Honey Net
Network of Honeypots
Supplemented by firewalls and intrusion
detection system.
Advantages:
More realistic environment
Improved possibility to collect data
How Honey net works
A highly controlled
network where
every packet
entering or leaving
is monitored,
captured and
analyzed
Virtual Honeypot
Virtual machines allow different OS to run at
the same time at the same machine
Honeypots are guest on the top of another OS.
We can implement guest OS on host OS in two
ways
Raw disc- actual disc partition
Virtual disc- file on host file system
Most Exploited Vulnerabilities
Top 5 most frequently exploited vulnerabilities
with a rating of "severe."
The Five Most Attacked Ports
X-Axis: Port Number
Y-Axis: Number of attackers with the rating of
“severe” per honeypot in the last week
Advantages
Productive environment: distraction from the
real target
Can peek into guest operating system at
anytime.
Reinstallation of contaminated guest is also
easy.
And it is very easy way.
Disadvantages
Sub-optimal utilization of computational
resources.
Reinstallation of polluted system is very
difficult.
Difficulty in monitoring of such system in a
safe way.
Detecting the honeypot is easy
References
http://www.securityfocus.com
Honeypots: Simple, Cost-Effective Detection
Open Source Honeypots: Learning with Honeyd
Specter: A Commercial Honeypot Solution for Windows
http://www.honeypots.net/
http://en.wikipedia.org/wiki/Honeypot_(computing)
http://www.tracking-hackers.com/
Thank You!
We are happy to answer any questions……