Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion.

Published bySamuel Ray Modified over 8 years ago

Similar presentations

Presentation on theme: "Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion."— Presentation transcript:

1 Slide Background Graphics by Paul Sagona

2 Overview Introduction Related Work Proposed Approach Experiment Results Conclusion

3 Introduction: Honeypot Etymology: Winnie-the-Pooh, who was lured into various predicaments by his desire for pots of honey[1] A trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems[2]

4 Introduction: Honeypots Serve as decoys used to distract adversaries from more valuable machines and resources on a network Valuable as a surveillance and early-warning tool Coupled with IDS, can be effective in detecting systems with Internet worms and random port scanners Personal experience with Offensive Security using Honeypots (IIS, SSH)

5 Denial-of-Service (DoS) Attack DoS attacks aim at disrupting the legitimate utilization of network and server resources Threat to both high traffic public services, such as Google, and private services, i.e. subscription –based business services

6 Denial-of-Service (DoS) Attack Difficult to prevent due to inevitable software vulnerabilities Adversaries directly attack victim machine or use zombies (any number of compromised machines used to attack a victim’s resources)

7 Network level DoS Attack Purpose of network DoS is to congest network resources like router buffers and link capacity Good Defensives: – D-WARD[19]: detects and stops abnormal one- way flows – Ingress Filtering [9] Stops most spoofed attacks

8 Service-level DoS Attack A large number of attack machines acquire service from a victim server Consumes server memory and processing, as well as networking resources along the out path from server Not possible using a spoofed source address as a three-way handshake is required for the TCP service Honeypots can provide a way to mitigate these attacks by tricking adversaries

9 Related Works Honeynet [4] High-interaction honeypot designed to capture extensive information on threats Network that contains one or more honeypots Network of real computers for attackers to interact with All captured activity is assumed to be unauthorized or malicious

10 Related Works Honeynet Architecture[4] Honeywall is the key to the honeynet Archietecture It’s a gateway device that separates honeypots from the rest of the world 2-layer bridging device

11 Related Works Honeynet [4]: Basic Jobs Data Control: Containment of risk, Safeguard that non-honeynet systems are safe Data Capture: detect and capture attackers activities Data Analysis: to analyze and thus prevent further attacks

12 Related Works Honeynet [4]: Risks Harm when a honeynet system is used to attack a non-honeynet system If attackers detect that a system is used as honeypot, this system’s value is dropped dramatically Risk of disabling honeynet functionality System compromised to house illegal data (anonymous FTP)

13 Related Works Virtual Honeypots [5] Deploying a physical honeypot can be intensive and expensive Different operating systems require specialized hardware and every honeypot requires its own physical system Honeyd is a framework for virtual honeypots that simulates virtual computer systems at the network level

14 Related Works Virtual Honeypots [5] Require fewer computer systems, thus reducing costs Possible to populate a network with hosts running numerous OS’s Honeyd simulates virtual networks that consist of arbitrary routing topologies For example, if a networking mapping tool like traceroute were used, it would only discover the topologies simulated by Honeyd

15 Related Works Virtual Honeypots [5] Honeyd is used for system security in detecting and disabling worms, distracting adversaries, and/or preventing the spread of spam email Honeyd is a low-interaction virtual honeypot that only simulates the network layer Coupled with tools like Vmware, high-interaction can be simulated

16 Related Works Virtual Honeypots [5] Honeyd mimics the network stack behavior of operating systems to deceive fingerprinting tools like Nmap and Xprobe Honeyd’s personality engine can modify packets to match the fingerprints of other operating systems and creates arbitrary virtual routing topologies

17 Related Works Server Roaming (Work from their previous paper) Proactive server roaming to mitigate the effects of Denial-of-Service (DoS) attacks The active server changes its location within a pool of servers to defend against unpredictable and undetectable attacks Only legitimate clients can follow the active server as it roams

18 Related Works Proactive Server Roaming Limitations – Handles only one server active at a time – Requires offline service subscription, which is not a flexible service model – Servers must keep track of all subscribed client addresses to send them roaming update messages (reduces flexibility) – Requires changes in client software – Easy to compromise client and discover service secrets or eavesdrop to find server address

19 Problem with Honeypots Problem with standard honeypots is that they are deployed at fixed locations. Sophisticated attacks can avoid the decoys and thus focus back on legitimate servers

20 Proposed Approach Roaming Honeypots can mitigate service-level DoS attacks against back-end private services Achieved by a pool of back-end servers unpredictably changing from service providers to acting as honeypots The service is subscription-based; that is, clients need subscribe through front-ends to gain access to the service

21 Roaming Honeypots Benefits against service-level: – Filtering effect: Detect attacker addresses so that their future attempts are filtered out. Good for attacks outside the firewall. – Connection-dropping: When server switches from idle to active, it drops all current (attack) connections, opening and window for legitimate users before attack build up. Good for attacks inside the firewall.

22 Service Model AGN (Access Gateways Network) – Keeps track of current active servers – Clients contact AG’s to subscribe and request services – After the request is authenticated and authorized, AG redirect the request to one of the active servers – Also support dynamic-Load balancing

23 Service Model AGN

24 Service Model AGN Handles Spoofed Attacks – Legitimate requests are tunneled through the AGN – For this attack to be successful an attacker needs to spoof an AG’s address – An AG can easily detect that it is under such an attack (all its requests are being dropped) and can respond by changing its IP address. – The AG updates its address registration with the new IP address

25 Attack Model Two attack models types – Fixed-target attacks – Follower attacks Fixed-Target Attack – The attacker selects few servers and attacks them continuously Follower Attacks – The attacker tries to continuously direct the attack into active servers

26 Simulation They used a ns-2(Network Simulator) A ns is a discrete event simulator for doing network research Supports simulation of TCP, routing and multicast protocols over both wired or wireless networks

27 Simulation Model Used FTP server and client modules to be used as test bed application for simulation Code works on top of socket layer, where roaming and TCP agent management takes place FTP connection stays active until FTP request is filled or roaming occurs If roaming is scheduled to cause server to be idle during an active connection, client module will record current FTP state (remaining bytes) to resume state on new randomly selected server

28 Simulation Topology

29 Simulation To study the connection-dropping effect separately, they also modeled a roaming scheme in which no filtering takes place Roaming honeypots scheme as filter-roaming (or FR), The full replication scheme as non-roaming The scheme with no filtering as roaming (or R). They refer to the migration interval as M-interval (or just M)

30 Results

31

32 Results: Mitigation Values There exists a critical value of M Below Critical Value – Roaming overhead is dominant – M increases -> frequency of connection re- establishment decreases resulting in a decreased ART. Beyond Critical Value – M increases -> ART increases. – Two reasons: Connection-dropping effect occurs less frequently More client requests are issued to attacked server

33 Results

34

35 Results: Attack Load Filter Roaming: – Keeps the ART stable with increasing attack loads Non-roaming: – ART is less for small loads – Art increases for large loads Roaming: – ART increases with increasing attack load

36 Results

37

38 Results: Follow Delay FR: – ART decreases as follow delay increases R: – ART decreases as follow delay increases Non-roaming: – ART is same for follower and fixed-target attacks

39 Conclusion: Limitations This scheme has an overhead that causes performance degradation It occurs both in the absence of attacks and under low attack. This is mainly because the load is distributed over k instead of all N servers During Active to idle state switch, all the active connections have to be re-established

40 Conclusion: Future Work The exact mitigation value depends on the types of services Authors see need for mechanism that adaptively changes the number of concurrent active servers depending on attack loads and client loads

41 Conclusion This scheme is described as a subset of servers that are active and providing service while rest are acting as honeypots, mitigating attacks All legitimate requests are directed by the Access Gateway Network Although the scheme requires an overhead time for connections, it shows a high performance gain during high attack loads

42 Questions? My opinion? Interesting idea, but I believe it is pointless. Internal DoS attacks is a failure of proper security at an organization. IDS and Firewalls are the choke point of a DoS. Filtering would be done at this point. Honeypots could be used to find zombies? Forcing clients to drop connection and reinstate services is unacceptable, too much overhead. Honeypots are used for gathering information, not mitigating DoS.

43 References [1] Wikipedia: Honeypot, http://en.wikipedia.org/wiki/Honeypot_%28computing%29 2007 http://en.wikipedia.org/wiki/Honeypot_%28computing%29 [2] Mosse, http://oldwww.cs.pitt.edu/~mosse/courses/cs2001/melhe m_fall06.ppt, 2006 http://oldwww.cs.pitt.edu/~mosse/courses/cs2001/melhe m_fall06.ppt [3] Previous presentation by Nikhil Mahajan and Sriharsha Hammika [4] Honeynet, http://www.honeynet.org/papers/honeynet/http://www.honeynet.org/papers/honeynet/ [5] Provos, Niels, A Virtual Honeypot Framework http://www.citi.umich.edu/u/provos/papers/honeyd.pdfhttp://www.citi.umich.edu/u/provos/papers/honeyd.pdf

Download ppt "Slide Background Graphics by Paul Sagona. Overview Introduction Related Work Proposed Approach Experiment Results Conclusion."

Similar presentations

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.

HONEYPOTS Mathew Benwell, Sunee Holland, Grant Pannell.
Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.

Code-Red : a case study on the spread and victims of an Internet worm David Moore, Colleen Shannon, Jeffery Brown Jonghyun Kim.
Greg Williams CS691 Summer 2011. Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.

Greg Williams CS691 Summer Honeycomb  Introduction  Preceding Work  Important Points  Analysis  Future Work.
1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.

1 Chapter 7 Intrusion Detection. 2 Objectives In this chapter, you will: Understand intrusion detection benefits and problems Learn about network intrusion.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Honeypots Presented by Javier Garcia April 21, 2010.

Honeypots Presented by Javier Garcia April 21, 2010.
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
Ragib Hasan Johns Hopkins University en.600.412 Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.

Ragib Hasan Johns Hopkins University en Spring 2011 Lecture 11 04/25/2011 Security and Privacy in Cloud Computing.
Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.

Computer Security Fundamentals by Chuck Easttom Chapter 4 Denial of Service Attacks.
Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.

Honeypots and Honeynets Source: The HoneyNet Project Book: Know Your Enemy (2 nd ed) Presented by: Mohammad.
Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,

Simulation and Analysis of DDos Attacks Poongothai, M Department of Information Technology,Institute of Road and Transport Technology, Erode Tamilnadu,
Dec, 20081 Honeyd Virtual Honeypot Frame Work Niels Provos Presented by: Fadi MohsenSupervised by: Dr. Chow CS591 Research Project Presented by: Fadi Mohsen.

Dec, Honeyd Virtual Honeypot Frame Work Niels Provos Presented by: Fadi MohsenSupervised by: Dr. Chow CS591 Research Project Presented by: Fadi Mohsen.
Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.

Firewall Security Chapter 8. Perimeter Security Devices Network devices that form the core of perimeter security include –Routers –Proxy servers –Firewalls.
Security Awareness: Applying Practical Security in Your World

Security Awareness: Applying Practical Security in Your World
DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric (07016080)

DFence: Transparent Network-based Denial of Service Mitigation CSC7221 Advanced Topics in Internet Technology Presented by To Siu Sang Eric ( )
Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.

Lesson 11-Virtual Private Networks. Overview Define Virtual Private Networks (VPNs). Deploy User VPNs. Deploy Site VPNs. Understand standard VPN techniques.
Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.

Beyond the perimeter: the need for early detection of Denial of Service Attacks John Haggerty,Qi Shi,Madjid Merabti Presented by Abhijit Pandey.
Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.

Intrusion Detection using Honeypots Patrick Brannan Honeyd with virtual machines.
WXES2106 Network Technology Semester 1 2004/2005 Chapter 8 Intermediate TCP CCNA2: Module 10.

WXES2106 Network Technology Semester /2005 Chapter 8 Intermediate TCP CCNA2: Module 10.
Authors: Thomas Ristenpart, et at.

Authors: Thomas Ristenpart, et at.

Similar presentations

Ads by Google