A Virtual Honeypot Framework Author: Niels Provos Published in: CITI Report 03-1 Presenter: Tao Li

Outline Introduction Honeyd What is Honeyd? Design and Implementation of Honeyd Evaluation of Honeyd Application Discussion

Outline Introduction Honeyd What is Honeyd? Design and Implementation of Honeyd Evaluation of Honeyd Application Discussion

Introduction Network Security Background We’re unable to make secure computer systems or even measure their security. New vulnerabilities kept being exploited Exploit automation and massive global scanning for vulnerabilities to compromise computer systems We use “Honeypot” as one way to get early warnings of new vulnerabilities.

Introduction What is a honeypot? A closely monitored computing resource intended to be probed, attacked or compromised. Network decoy to deter from real targets Network sensor monitoring blackhole Provide IDS functionality

Introduction Why using honeypots instead of NIDS ? All data entering or leaving a honeypot is closely monitored and collected for forensic analysis It can detect vulnerabilities not yet understood Less likely to lead to false positives Can run any OS and any number of services The configured services determine the vectors available for an adversary to attack

Introduction Categories of honeypots Interaction High-interaction honeypots simulate all aspects of OS, can be compromised completely Low-interaction honeypots simulate only parts of OS, to gather high level information Implementation Phisical honeypots: real machines with itself IP Virtual honeypots: simulated by another machine

Outline Introduction Honeyd Information of Honeyd Design and Implementation of Honeyd Evaluation of Honeyd Application Discussion

What is Honeyd ? Honeyd is a low-interaction virtual honeypot, a lightweight framework for creating virtual honeypots to instrument thousands of IP addresses with virtual machines and corresponding network services.

What can Honeyd do? Simulate TCP and UDP services Support ICMP Handle multiple IP addresses simultaneously Simulate arbitrary network topologies Support topologically dispersed address spaces Support network tunneling for load sharing

Design and Implementation Receiving Network Data Architecture Personality Engine Routing Topology Configuration Logging

Receiving Network Data Three ways for Honeyd to receives traffic for its virtual honeypots Special route lead data to honeyd host Proxy ARP for honeypots Support Network Tunnels—generic routing encapsulation (GRE)

Architecture Incoming packets are dispatched to correct protocol handler. For TCP and UDP, the configured services receive new data and send repsonses if necessary. All outgoing packets are modified by the personality engine to mimic the behavior of the configured network stack. The routing component is optional and used only Honeyd simulated network topology.

Architecture Configuration database Store the personalities of the configured network stack. Central packet dispatcher Dispatch Incoming packets to the correct protocol handler. Protocol handlers Personality engine Option routing component

Architecture Support subsystem An application that runs in the name space of the virtual honeypot—no need to create a new process for each connection Support redirection of connections Forward connection request for a service to a real server Reflect connections back to an adversary!!!

Personality Engine Why to use it? Different operating system have different network stack behaviors. Adversaries commonly run fingerprinting tools like Xprobe or Nmap to gather information about a target system. Personality Engine make honeypots appear like real target to a probe to fool the fingerprinting tools

Personality Engine How to fool the adversaries? Use Nmap’s fingerprint database as reference for TCP and UDP protocol Use Xprobe’s fingerprint database for ICMP Introduces changes to the headers of every outgoing packet before sent to the network to match the characteristics of the configured operating system

Personality Engine Example Nmap’ s fingerprinting is mostly concerned with an OS’s TCP implementation Nmap uses the size of the advertised receiver windows which varies between implementations as part of the fingerprint.

Personality Engine Example of Nmap’s fingerprint specifying the network behavior Fingerprint IRIX m on SGI O2 TSeq(Class=TD%gcd=<104%SI=<1AE%IPID=I%TS=2HZ) T1(DF=N%W=EF2A%ACK=S++%Flags=AS%Ops=MNWNNTNNM) T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT) T4(DF=N%W=0%ACK=O%Flags=R%Ops=) T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) PU(Resp=N)

Routing Topology Honeyd can simulate arbitrary virtual routing topologies Simulation of route tree Configure the entry router Configurable latency and packet loss Simulation of arbitrary routing Extension Integrate physical machines into topology Distributed Honeyd via GRE tunneling

How to Configure? Each virtual honeypot is configured with a template. Commands: Create: Creates a new template Set: Assign personality (fingerprint database) to a template Specify default behavior of network protocols Block: All packets dropped Reset: All ports closed by default Open: All ports open by default Add: Specify available services Proxy: Used for connection forwarding Bind: Assign template to specific IP address

Logging Honeyd supports several ways of logging network activity. Honeyd creat connection logs to report attempted and completed connections for all protocols. Information also can be gathered from the services themselves and be reported to Honeyd via stderr. Honeyd can be runs in conjunction with a NIDS.

Evaluation Honeyd did fools Nmap Among totally 600 fingerprints, Nmap uniquely identified the operating system simulated by Honey in 555, generated a list of possible answers including the simulated personality in 37. Only 8 fingerprints out of 600 failed! It works pretty effectively.

Outline Introduction Honeyd What is Honeyd? Design and Implementation of Honeyd Evaluation of Honeyd Application Discussion

Application Network Decoys Instrument the unallocated addresses of a production network, confuse and deter adversaries scanning the production network Conjunction with a NIDS, the resulting network traffic may help in getting early warning of attacks.

Application Detecting and Countering Worms Deploy a large number of virtual honeypots as gateways in front of a smaller number of high- interaction honeypots. Use Honeyd’s subsystem support to expose regular UNIX applications like OpenSSH to worms.

Application Spam Prevention Spammers abuse two Internet services proxy servers and open mail relays Use the Honeyd framework to instrument networks with open proxy servers and open mail relays.

Outline Introduction Honeyd What is Honeyd? Design and Implementation of Honeyd Evaluation of Honeyd Application Discussion

Strength Honeyd has many advantages over NIDS Collects more useful information Detects vulnerabilities not yet understood Less likely leads to high false positives It cheats the fingerprint tools effectively Effective network decoys—confuse and defer the attackers Detecting and immunizing new worms Spam prevention

Weakness Limit interaction only at network level Not simulate the whole OS Adversaries never gain full access to systems Limited number of simulated services and protocols What if the warm is smart to cheat us? Honeyd will become attackers.

How to improve? Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware to have a better forensic analysis of the attacker; Cheat more fingerprint tools, eg. P0f—passive analyze the network traffic; Simulate more services and protocols, eg. has a better TCP state machine.

Thank you. Any questions?