UTD CS 4398 - Honeypots, Honeynets, Bots and Botnets


Honeypots, Honeynets, Bots and Botnets
Source: The HoneyNet Project http://www.honeynet.org/

Outline: Why Honeypots; What are Honeypots; Types of Honeypot; Examples of Honeypots; Honeynets; How It Works; Honeynet Architecture; Data Control; No Data Control; Data Capture; Sebek; Sebek Architecture; Honeywall CDROM; Roo Honeywall CDROM; Installation; Further Information; Network Telescope; Honeytoken; Honeymonkey; Tarpit; Botnets; Bot; Botnet; History; Timeline; Cases in the News; How the Botnet Grows; Recruiting New Machines; What Is It Used For; How Are They Used; Example: SDBot; Example: RBot; Example: Agobot; DDoS Attack; Why DDoS Attack?; Botnet Detection; Host-based Detection; Network Intrusion Detection Systems; Anomaly Detection; IRC Nicknames; Honeypot and Honeynet. (Only the slides through Honeymonkey appear in this preview.)

Why Honeypots
• A great deal of the security profession and the IT world depend on honeypots. Honeypots:
◦ Build anti-virus signatures.
◦ Build SPAM signatures and filters.
◦ Let ISPs identify compromised systems.
◦ Assist law enforcement in tracking criminals.
◦ Hunt and shut down botnets.
◦ Support malware collection and analysis.

What are Honeypots
• Honeypots are real or emulated vulnerable systems ready to be attacked.
• The primary value of honeypots is to collect information.
• This information is used to better identify, understand and protect against threats.
• Honeypots add little direct value to protecting your network.

Types of Honeypot (by role)
• Server: put the honeypot on the Internet and let the bad guys come to you.
• Client: the honeypot initiates and interacts with servers.
• Other: proxies.

Types of Honeypot (by interaction level)
• Low-interaction
◦ Emulates services, applications, and OSes.
◦ Low risk and easy to deploy/maintain, but captures limited information.
• High-interaction
◦ Real services, applications, and OSes.
◦ Captures extensive information, but high risk and time-intensive to maintain.

Types of Honeypot (by purpose)
• Production
◦ Easy to use/deploy.
◦ Captures limited information.
◦ Mainly used by companies/corporations.
◦ Placed inside the production network with other servers.
◦ Usually low interaction.
• Research
◦ Complex to maintain/deploy.
◦ Captures extensive information.
◦ Primarily used by research, military, or government organizations.

Examples of Honeypots
• From low interaction to high interaction: BackOfficer Friendly, KFSensor, Honeyd, Honeynets.

Honeynets
• A high-interaction honeypot designed to capture in-depth information.
• The information has different value to different organizations.
• It's an architecture you populate with live systems, not a product or software.
• Any traffic entering or leaving is suspect.

How It Works
• A highly controlled network where every packet entering or leaving is monitored, captured, and analyzed.
◦ Data Control
◦ Data Capture
◦ Data Analysis

Honeynet Architecture
• (Diagram slide.)

Data Control
• Mitigate the risk of the honeynet being used to harm non-honeynet systems.
• Count outbound connections.
• IPS (Snort-Inline).
• Bandwidth throttling.

No Data Control
• (Diagram: Internet connected directly to the honeypots, with no restrictions in either direction.)

Data Control
• (Diagram: Internet, then the Honeywall, then the honeypots. Inbound: no restrictions. Outbound: connections limited, packets scrubbed.)

Data Capture
• Capture all activity at a variety of levels:
◦ Network activity.
◦ Application activity.
◦ System activity.

Sebek
• A hidden kernel module that captures all host activity.
• Dumps the captured activity to the network.
• The attacker on the honeypot cannot sniff this traffic: packets matching the configured magic number and destination port are hidden from the host.

Sebek Architecture
• (Diagram slide.)

Honeywall CDROM
• An attempt to combine all requirements of a Honeywall onto a single, bootable CDROM.
• May 2003 - Released Eeyore.
• May 2005 - Released Roo.

Roo Honeywall CDROM
• Based on Fedora Core 3.
• Vastly improved hardware and international support.
• Automated, headless installation.
• New Walleye interface for web-based administration and data analysis.
• Automated system updating.

Installation
• Just insert the CDROM and boot; it installs to the local hard drive.
• After it reboots for the first time, it runs a hardening script based on NIST and CIS security standards.
• Following installation, you get a command prompt and the system is ready to configure.

Further Information
• http://www.honeynet.org/
• http://www.honeynet.org/book

Network Telescope
• Also known as a darknet, internet motion sensor or black hole.
• Allows one to observe different large-scale events taking place on the Internet.
• The basic idea is to observe traffic targeting the dark (unused) address space of the network.
• Since all traffic to these addresses is suspicious, one can gain information about possible network attacks:
◦ random-scanning worms and DDoS backscatter,
◦ as well as other misconfigurations, simply by observing it.

Honeytoken
• Honeytokens are honeypots that are not computer systems. Their value lies not in their use, but in their abuse.
• As such, they are a generalization of such ideas as the honeypot and the canary values often used in stack protection schemes.
• Honeytokens can exist in almost any form,
◦ from a dead, fake account to a
◦ database entry that would only be selected by malicious queries,
◦ making the concept ideally suited to ensuring data integrity: any use of them is inherently suspicious, if not necessarily malicious.

Honeytoken
• In general, they don't necessarily prevent any tampering with the data,
◦ but instead give the administrator a further measure of confidence in the data integrity.
• An example of a honeytoken is a fake email address used to track whether a mailing list has been stolen.

Honeymonkey
• HoneyMonkey,
◦ short for Strider HoneyMonkey Exploit Detection System, is a Microsoft Research honeypot.
• The implementation uses a network of computers
◦ to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer.
◦ A snapshot of the memory, executables and registry of the honeypot computer is recorded before crawling a site.
◦ After visiting the site, the state of memory, executables, and registry is compared to the previous snapshot.
◦ The changes are analyzed to determine whether the visited site installed malware onto the honeypot.
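The Data Control slides list counting outbound connections and throttling bandwidth as the Honeywall's ways of keeping a compromised honeypot from harming outside systems while leaving inbound traffic untouched. The following is an added example, not Honeynet Project code: it applies those two rules to a list of flow records. The honeypot address prefix, the per-hour thresholds and the flow records are all constructed for the example and are not the Honeywall's real defaults.

```python
"""Outbound data control for a honeynet gateway, as an added example.

Two of the controls on the Data Control slide are modelled: counting
outbound connections per honeypot and throttling outbound bandwidth.
Inbound traffic is never restricted, because the point of the honeynet is
to let the attacker in. The flow records and thresholds are constructed
for this example and are not the Honeywall's actual defaults.
"""
from collections import defaultdict
from dataclasses import dataclass, field

HONEYNET_PREFIX = "10.0.0."            # constructed honeypot address range
MAX_OUTBOUND_CONNS_PER_HOUR = 15       # assumed policy value
MAX_OUTBOUND_BYTES_PER_HOUR = 50_000   # assumed policy value


@dataclass
class Flow:
    ts: int        # seconds since the start of the capture
    src: str
    dst: str
    dport: int
    nbytes: int


def is_honeypot(ip: str) -> bool:
    return ip.startswith(HONEYNET_PREFIX)


@dataclass
class DataControl:
    """Per-honeypot, per-hour counters plus an audit log of enforcement actions."""
    conns: dict = field(default_factory=lambda: defaultdict(int))
    nbytes: dict = field(default_factory=lambda: defaultdict(int))
    log: list = field(default_factory=list)

    def decide(self, f: Flow) -> str:
        """Return 'allow', 'throttle' or 'drop' for a single flow."""
        if not is_honeypot(f.src) or is_honeypot(f.dst):
            return "allow"  # inbound or honeypot-to-honeypot traffic: unrestricted
        key = (f.src, f.ts // 3600)
        self.conns[key] += 1
        if self.conns[key] > MAX_OUTBOUND_CONNS_PER_HOUR:
            self.log.append(f"t={f.ts} DROP {f.src} -> {f.dst}:{f.dport} (connection limit)")
            return "drop"
        self.nbytes[key] += f.nbytes
        if self.nbytes[key] > MAX_OUTBOUND_BYTES_PER_HOUR:
            self.log.append(f"t={f.ts} THROTTLE {f.src} -> {f.dst}:{f.dport} (bandwidth limit)")
            return "throttle"
        return "allow"


def run_policy(flows):
    """Apply the policy to a list of flows; return the verdicts and the audit log."""
    dc = DataControl()
    return [dc.decide(f) for f in flows], dc.log


def sample_flows():
    """Constructed traffic: one inbound attacker, then a compromised honeypot scanning out."""
    flows = [Flow(10, "203.0.113.7", "10.0.0.5", 22, 800)]
    flows += [Flow(60 + i, "10.0.0.5", f"198.51.100.{i}", 445, 120) for i in range(20)]
    flows += [Flow(100, "10.0.0.6", "198.51.100.99", 6667, 70_000)]
    return flows


if __name__ == "__main__":
    verdicts, log = run_policy(sample_flows())
    print(verdicts.count("allow"), "allowed,", verdicts.count("drop"), "dropped,",
          verdicts.count("throttle"), "throttled")
    print("\n".join(log))
```

The first fifteen outbound connections from the compromised honeypot pass, the rest are dropped, and the one large transfer from the second honeypot is throttled rather than dropped; the audit log is what the honeynet operator reviews to decide whether the honeypot should be taken offline.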
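The Network Telescope slides say that traffic to unused address space reveals random-scanning worms, DDoS backscatter and misconfigurations. The following is an added example, not from the slides or the Honeynet Project, that sorts constructed capture lines into those three categories. The dark address block, the capture line format and the classification heuristics (many dark targets plus SYN-only on one port for a scan, many dark targets plus reply flags for backscatter) are assumptions made for the example.

```python
"""Classifying traffic seen by a network telescope, as an added example.

The telescope watches an unused (dark) address block, so every packet it
receives is unsolicited. The heuristics are assumptions for the example:
a source that sends TCP SYNs to many dark addresses on a single port looks
like a random-scanning worm; a source that sends SYN-ACK or RST segments
to many dark addresses is most likely a DDoS victim answering packets with
spoofed source addresses (backscatter); anything else is filed as a
probable misconfiguration. Capture lines are constructed.
"""
import ipaddress
from collections import defaultdict

DARKNET = ipaddress.ip_network("192.0.2.0/24")  # constructed unused range watched by the telescope
MIN_TARGETS = 8                    # assumed: distinct dark addresses before we call it a scan or backscatter
REPLY_FLAGS = {"SA", "R", "RA"}    # SYN-ACK, RST, RST-ACK: a host answering, not initiating


def parse_line(line: str):
    """Constructed capture format: '<src> <dst> <proto> <dport> <tcp-flags>'."""
    src, dst, proto, dport, flags = line.split()
    return {"src": src, "dst": ipaddress.ip_address(dst), "proto": proto,
            "dport": int(dport), "flags": flags}


def summarize(lines):
    """Aggregate per source: distinct dark targets, destination ports, flag values, packet count."""
    per_src = defaultdict(lambda: {"targets": set(), "ports": set(), "flags": set(), "packets": 0})
    for line in lines:
        pkt = parse_line(line)
        if pkt["dst"] not in DARKNET:
            continue  # not dark space: the telescope would never see it
        s = per_src[pkt["src"]]
        s["targets"].add(pkt["dst"])
        s["ports"].add(pkt["dport"])
        s["flags"].add(pkt["flags"])
        s["packets"] += 1
    return per_src


def classify(lines):
    """Return {source: label} for every source observed in dark space."""
    labels = {}
    for src, s in summarize(lines).items():
        many_targets = len(s["targets"]) >= MIN_TARGETS
        if many_targets and s["flags"] <= REPLY_FLAGS:
            labels[src] = "ddos-backscatter"
        elif many_targets and s["flags"] == {"S"} and len(s["ports"]) == 1:
            labels[src] = "scanning-worm"
        else:
            labels[src] = "misconfiguration-or-other"
    return labels


def sample_capture():
    """Constructed telescope capture covering all three cases plus one non-dark packet."""
    lines = [f"203.0.113.10 192.0.2.{i} tcp 445 S" for i in range(1, 13)]             # horizontal SYN scan
    lines += [f"198.51.100.5 192.0.2.{i} tcp {40000 + i} SA" for i in range(20, 31)]  # SYN-ACKs to spoofed sources
    lines += ["203.0.113.99 192.0.2.7 udp 53 -"] * 3                                  # same dark host, repeatedly
    lines += ["203.0.113.10 198.51.100.200 tcp 445 S"]                                # outside the dark range, ignored
    return lines


if __name__ == "__main__":
    for src, label in classify(sample_capture()).items():
        print(f"{src:15} {label}")
```

Backscatter is recognised by the direction of the handshake rather than by volume: the victim is replying, so the telescope sees SYN-ACKs or RSTs it never solicited, whereas a worm is initiating and sends bare SYNs to one service port.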
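The two Honeytoken slides describe tokens whose only value is in their abuse: a dead account, a database row no legitimate query selects, and a fake address seeded into a mailing list. The following is an added example, not from the slides, that plants those three kinds of token and scans constructed log lines for any appearance of them. The account name, addresses and log lines are constructed; the monitor class and its alert format are this example's own.

```python
"""Honeytoken planting and monitoring, as an added example.

Three of the token forms named on the Honeytoken slides are modelled: a
dead account that nobody should ever log in as, a customer record that
only a bulk or malicious query would return, and a fake address seeded
into a mailing list. The tokens do nothing to stop tampering; their value
is that any appearance of them in the logs is suspicious by construction.
All names, addresses and log lines are constructed for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Honeytoken:
    kind: str        # "account", "record" or "mail-canary"
    value: str       # the literal string planted in the system
    meaning: str     # what an appearance tells the defender


class HoneytokenMonitor:
    def __init__(self):
        self.tokens = []

    def plant(self, kind, value, meaning):
        self.tokens.append(Honeytoken(kind, value, meaning))

    def scan(self, lines):
        """Return one alert per (line, token) hit. Matching is case-insensitive
        on purpose: a stolen list may have been normalised before reuse."""
        alerts = []
        for lineno, line in enumerate(lines, start=1):
            lowered = line.lower()
            for tok in self.tokens:
                if tok.value.lower() in lowered:
                    alerts.append({"line": lineno, "kind": tok.kind, "token": tok.value,
                                   "meaning": tok.meaning, "text": line})
        return alerts


def build_monitor():
    m = HoneytokenMonitor()
    m.plant("account", "svc_legacy_backup",
            "dead account; any authentication attempt means the credential store was read or guessed")
    m.plant("record", "j.ravndal-7731@example.com",
            "customer row no application path ever selects; appearance means a bulk dump")
    m.plant("mail-canary", "list-canary-91f3@example.net",
            "address seeded only into the newsletter list; mail to it means the list leaked")
    return m


SAMPLE_LOGS = [  # constructed log lines
    "auth: Accepted password for alice from 10.1.2.3 port 51022",
    "auth: Failed password for svc_legacy_backup from 203.0.113.4 port 40112",
    "export: wrote 12000 rows to /tmp/customers.csv",
    "smtp: relay to=<bob@example.org> status=sent",
    "smtp: inbound to=<List-Canary-91F3@example.net> from=<promo@203.0.113.9> status=accepted",
    "export: sample row j.ravndal-7731@example.com,Ravndal,Jo",
]


def run():
    return build_monitor().scan(SAMPLE_LOGS)


if __name__ == "__main__":
    for a in run():
        print(f"line {a['line']}: {a['kind']} token seen -> {a['meaning']}")
```

Each alert carries the token's meaning, because the slide's point is that a hit is suspicious rather than proof of malice: the failed login for the dead account may be an attacker who read the user table or an automated password guess, and the operator decides which.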
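The Honeymonkey slide describes snapshotting memory, executables and the registry before visiting a site and comparing afterwards. The following is an added example, not Microsoft's code and not from the slides: it models the executables and registry parts of that comparison with dictionaries (memory is left out), diffs the two snapshots, and flags the visit when an executable appeared or changed or an autostart key was touched. File paths, registry keys, contents and the "benign churn" rule are constructed for the example.

```python
"""Before/after state comparison in the HoneyMonkey style, as an added example.

HoneyMonkey snapshots memory, executables and the registry before a site
visit and compares afterwards. This example (not Microsoft's code) models
the executables and registry parts: files as path -> content hash and the
registry as key -> value. Memory is left out. Paths, keys and contents are
constructed.
"""
import hashlib

# Well-known per-user autostart location; a new value here after a page visit is a red flag.
AUTOSTART_PREFIXES = (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",)
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".sys", ".scr")


def snapshot(files, registry):
    """files: {path: bytes}, registry: {key: value}. File contents are hashed so the
    snapshot stays small and a silent in-place overwrite still shows up."""
    return {"files": {p: hashlib.sha256(c).hexdigest() for p, c in files.items()},
            "registry": dict(registry)}


def diff_snapshots(before, after):
    """List (section, change, key) for every difference between two snapshots."""
    changes = []
    for section in ("files", "registry"):
        b, a = before[section], after[section]
        changes += [(section, "added", k) for k in a.keys() - b.keys()]
        changes += [(section, "removed", k) for k in b.keys() - a.keys()]
        changes += [(section, "modified", k) for k in a.keys() & b.keys() if a[k] != b[k]]
    return sorted(changes)


def verdict(changes):
    """Flag the visit when an executable appeared or changed, or an autostart key changed.
    Benign churn (cookies, caches) stays in the diff but does not trip the verdict."""
    suspicious = [c for c in changes
                  if (c[0] == "files" and c[2].lower().endswith(EXECUTABLE_SUFFIXES))
                  or (c[0] == "registry" and c[2].startswith(AUTOSTART_PREFIXES))]
    return ("malware-installed" if suspicious else "clean"), suspicious


def sample_visit():
    """Constructed before/after state for one visit that drops a binary and persists it."""
    before_files = {r"C:\Windows\System32\notepad.exe": b"notepad-bytes",
                    r"C:\Users\hm\AppData\cookies.txt": b"session=abc"}
    before_reg = {r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive": r"C:\OneDrive.exe"}
    after_files = dict(before_files)
    after_files[r"C:\Users\hm\AppData\cookies.txt"] = b"session=abc; ad=1"        # benign change
    after_files[r"C:\Users\hm\AppData\Local\Temp\update_helper.exe"] = b"dropped-payload"
    after_reg = dict(before_reg)
    after_reg[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"] = (
        r"C:\Users\hm\AppData\Local\Temp\update_helper.exe")
    return snapshot(before_files, before_reg), snapshot(after_files, after_reg)


if __name__ == "__main__":
    before, after = sample_visit()
    label, hits = verdict(diff_snapshots(before, after))
    print(label)
    for hit in hits:
        print("  ", *hit)
```

Keeping the full diff separate from the verdict matters in practice: the cookie change is reported so an analyst can see everything the page did, but only the new executable and the new Run value decide that the site installed something.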

