SJSU CS 265 - honeypots

Honeypots
Margaret Asami

Outline
- What are honeypots?
- How do honeypots address security?
- Values & Risks
- How to build a honeypot?
- Popular honeypots
- Win98 honeypot
- Conclusion

What are honeypots?
- an intrusion detection mechanism
- entices intruders to attack and eventually take over the system, while their moves are being monitored without them knowing
- 2 types: production, research

How do honeypots address security?
- prevention: can't prevent bad guys!
- detection: leverages traditional IDS - no false positives nor false negatives
- reaction: provides the incident response team unpolluted data & a stoppable system

Values & Risks
+ simple to build
+ high signal/noise ratio
- playing with fire

How to build a honeypot?
- how do we attract intruders? choose enticing names (e.g., mail.sjsu.edu)
- how do we know we're probed? put the honeypot on an isolated net behind a firewall; set the firewall to log all traffic
- how do we protect our peers? set the firewall to allow all incoming traffic, but limit outgoing traffic; ICMP, FTP, DNS are common protocols intruders need

How to build a honeypot? (cont...)
- how do we track the intruder's moves?
  layer 1: firewall logs
  layer 2: syslogd hack
  layer 3: sniffer
  layer 4: tripwire
  layer 5: kernel/shell hack
- each layer lets us learn different things
- multiple layers spread the risk of compromised data

How to build a honeypot? (cont...)
- how do we kick them out? shut down, take the honeypot off-line, remove backdoors, fix vulnerabilities, then put it back on-line
- how do we make them not know? by avoiding frequent & substantial changes to the honeypot

Popular honeypots
- BackOfficer Friendly (BOF): low level of interaction; emulates basic services; fakes replies
- Honeyd: mid-high level of interaction; emulates >400 OSs & services; uses ARP spoofing to assume the victim IP addr

Popular honeypots (cont...)
- Honeynets: high level of interaction; network of real systems, zero emulation; used mostly in research

Win98 honeypot
- 524 unique NetBIOS scans: UDP port 137 (NetBIOS Naming Service), UDP port 139 (NetBIOS Session Service)
- we are not advertised, so why?
- default Win98 installation; enable sharing of the C:\ drive; connect to the internet & wait

Win98 honeypot (cont...)
- intruder copies the distributed.net client config file to our honeypot
- the actual config file transfer reveals the intruder's identity
- transfer the distributed.net client file
- transfer the worm itself
- next, a crafted c:\windows\win.ini file is uploaded:
  [windows] load=c:\windows\system\msi216.exe
- infection completes!!
- next time the honeypot reboots: the distributed.net client will be run; the worm will scan and replicate itself; the worm will add "bymer.scanner" to the registry

Conclusion
- a tool, not a solution
- level of interaction vs