Honeypots
Margaret Asami

What are honeypots?
- an intrusion detection mechanism
- entices intruders to attack and eventually take over the system, while their moves are being monitored without them knowing
- 2 types:
  - production
  - research

How do honeypots address security?
- prevention
  - can't prevent bad guys!
- detection
  - leverages traditional IDS: no false positives nor false negatives
- reaction
  - provides incident response team unpolluted data & a stoppable system

Values & Risks
+ simple to build
+ high signal/noise ratio
- playing with fire

How to build a honeypot?
- how do we attract intruders?
  - choose enticing names (e.g., mail.sjsu.edu)
- how do we know we're probed?
  - put honeypot on isolated net behind a firewall
  - set firewall to log all traffic
- how do we protect our peers?
  - set firewall to allow all incoming traffic, but limit outgoing traffic
  - ICMP, FTP, DNS are common protocols intruders need

How to build a honeypot? (cont…)
- how do we track intruder's moves?
  - layer 1: firewall logs
  - layer 2: syslogd hack
  - layer 3: sniffer
  - layer 4: tripwire
  - layer 5: kernel/shell hack
  - each layer lets us learn different things
  - multiple layers spread the risk of compromised data

How to build a honeypot? (cont…)
- how do we kick them out?
  - shut down, take honeypot off-line, remove backdoors, fix vulnerabilities, then put it back on-line
- how do we make them not know?
  - by avoiding frequent & substantial changes to honeypot

Popular honeypots
- BackOfficer Friendly (BOF)
  - low level of interaction
  - emulates basic services
  - fakes replies
- Honeyd
  - mid-high level of interaction
  - emulates >400 OSs & services
  - uses ARP spoofing to assume victim IP addr

Popular honeypots (cont…)
- Honeynets
  - high level of interaction
  - network of real systems, zero emulation
  - used mostly in research

Win98 honeypot
- 524 unique NetBIOS scans
  - UDP port 137 (NetBIOS Naming Service)
  - UDP port 139 (NetBIOS Session Service)
- we are not advertised, so why?
- default Win98 installation
  - enable sharing of C:\ drive
  - connect to internet & wait

Win98 honeypot (cont…)
- intruder copies distributed.net client config file to our honeypot

Win98 honeypot (cont…)
- actual config file transfer reveals intruder's identity

Win98 honeypot (cont…)
- transfer the distributed.net client file
- transfer the worm itself

Win98 honeypot (cont…)
- next, a crafted c:\windows\win.ini file is uploaded:
    [windows]
    load=c:\windows\system\msi216.exe
- infection completes!!
- next time honeypot reboots:
  - distributed.net client will be run
  - worm will scan and replicate itself
  - worm will add "bymer.scanner" to registry

Conclusion
- a tool, not a solution
- level of interaction vs
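The slides' first tracking layer is the firewall log, with incoming traffic allowed and outgoing traffic limited to what intruders commonly need (ICMP, FTP, DNS). The following added example (not from the slides) analyzes constructed firewall log lines in an assumed "ts dir proto src:sport -> dst:dport" format: it counts unique sources probing the honeypot's NetBIOS ports, as in the Win98 case, and flags any outbound connection from the honeypot outside the allowed set, since a honeypot has no legitimate traffic of its own. The honeypot address and the log format are assumptions.

```python
import re
from collections import Counter

HONEYPOT_IP = "192.0.2.10"      # assumed honeypot address (documentation range)
NETBIOS_PORTS = {137, 139}      # NetBIOS naming / session service, as in the Win98 slides
# Outbound services the slides say intruders commonly need: DNS and FTP (ICMP is matched
# on protocol alone). Anything else leaving the honeypot is a policy violation.
ALLOWED_OUTBOUND = {("udp", 53), ("tcp", 21)}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<dir>in|out) (?P<proto>\w+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

# Constructed sample firewall log (assumed format); includes a junk line the parser must skip.
SAMPLE_LOG = """\
12:00:01 in udp 198.51.100.7:1025 -> 192.0.2.10:137
12:00:02 in udp 198.51.100.7:1026 -> 192.0.2.10:139
12:00:05 in udp 203.0.113.9:3000 -> 192.0.2.10:137
12:00:09 in tcp 203.0.113.9:3001 -> 192.0.2.10:139
12:01:00 out udp 192.0.2.10:1030 -> 198.51.100.53:53
12:01:30 out tcp 192.0.2.10:1031 -> 198.51.100.20:21
12:02:00 out tcp 192.0.2.10:1032 -> 203.0.113.9:8080
this line is garbage and must not crash the parser
"""

def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    return ev

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def netbios_scanners(events):
    """Counter of unique sources probing the honeypot's NetBIOS ports (the slides' scan count)."""
    return Counter(ev["src"] for ev in events
                   if ev["dir"] == "in" and ev["dst"] == HONEYPOT_IP
                   and ev["dport"] in NETBIOS_PORTS)

def outbound_violations(events):
    """Outbound events from the honeypot that the limited egress policy does not allow."""
    def allowed(ev):
        return ev["proto"] == "icmp" or (ev["proto"], ev["dport"]) in ALLOWED_OUTBOUND
    return [ev for ev in events
            if ev["dir"] == "out" and ev["src"] == HONEYPOT_IP and not allowed(ev)]

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("unique NetBIOS scanners:", len(netbios_scanners(evs)))
    for v in outbound_violations(evs):
        print("egress violation:", v["ts"], v["proto"], v["dst"], v["dport"])
```

Any hit in `outbound_violations` is the high-signal event the slides describe: the honeypot is talking out when it never should, so it is time to take it off-line and examine the other layers.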