Attachment

Published on July 2016 | Categories: Documents | Downloads: 84 | Comments: 0 | Views: 588
of 23
Download PDF   Embed   Report

Comments

Content

Seminar Report On

HONEYPOTS
(A tool to fight against the hackers)
By Bijay Kumar ( Y2M007) S4MCA Department of computer science and engineering National Institute of Technology Calicut-673601 February 2004

1

Seminar Report On

HONEYPOTS
(A tool to fight against the hackers)
By Bijay Kumar (Y2M007) S4MCA Department of computer science and engineering National Institute of Technology Calicut-673601 February 2004

1

2

Certificate
This is to certify that this seminar report titled Honeypot is a bonafide record of the Seminar presented by Bijay Kumar (Y2M007) fourth semester MCA student, National Institute of Technology Calicut

Coordinator Place Date

Professor and head

2

3

Acknowledgement

I would like to put on records my sincere thanks to: Dr.V.K.Govindan, H.O.D., Computer science and engineering department. Mrs. Priya Chandran and Miss. Nisha, who helped me in preparing this seminar and given a useful guidance. I would also like to thank all of my friends and well wishers who helped me alot in the successful presentation of my seminar.

3

4

CONTENTS

1. Abstract -------------------------------------------2. Definition of honeypots -------------------------------------------3. Types of honeypots -------------------------------------------a. High interaction honeypots -------------------------------------------b.Low interaction honeypots -------------------------------------------4. Values of honeypots -------------------------------------------a.Spector -------------------------------------------b.Hoemade honeypots -------------------------------------------c.Mantrap -------------------------------------------5. How honeypots work -------------------------------------------a.Prevention -------------------------------------------b.Detection --------------------------------------------c.Reaction ---------------------------------------------d.Research --------------------------------------------6.Advantages of honeypots --------------------------------------------7. Disadvantages of honeypots--------------------------------------------8. Diffrences --------------------------------------------9. Conclusion -----------------------------------------------10. References ----------------------------------------

05 06 07 07 08 11 12 13 13 14 14 15 16 17 17 18 19 21 22

4

5

HONEYPOTS
Abstract
Honeypot is an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into but limit the intruder from having access to an entire network. If a honeypot is successful, the intruder will have no idea that he is being tricked and monitored. Most honeypots are installed inside firewalls so that they can better be controlled, though it is possible to install them outside of firewalls. A firewall in a honeypot works in the opposite way that a normal firewall works: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out. By luring a hacker into a system, a honeypot serves several purposes:


• •

The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

Over the last years, network-based intrusions have increased exponentially, due to the popularity of scripted or automated attack tools. This increase in intrusions has rekindled interest in honeypot systems, which can be used to trap and decode the attack methods used by the black hat community.

5

6

Definition of Honeypots Honeypots are an exciting new technology with enormous potential for the security community. The first step to understanding honeypots is defining what a honeypot is unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes... It is also this flexibility that can make them challenging to define and understand. Honey pots can be defined as A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. This is a general defintion covering all the different forms of honeypots. We will be discussing in this report different examples of honeypots and their value to security. All will fall under the definition we use above; their value lies in the bad guys interacting with them. Conceptually almost all honeypots work they same. They are a resource that has no authorized activity; they do not have any production value. Theoreticlly, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise.

6

7

Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot is a security resource whose value lies in being probed, attacked, or compromised.

There are two general types of honeypots: production and research. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

One example of a honeypot is a system used to simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.

Types of honeypots
Honeypots comes in many shapes and sizes. To help us better understand honeypots and all the different types, we break them down into two general categories, 1. Low-interaction honeypots 2. High-interaction honeypots

7

8

Low-interaction honeypots These categories help us understand what type of honeypot we are dealing with, its strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an attacker. Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services we want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others. The main disadvantages with low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, it’s easier for an attacker to detect a low-interaction honeypot, no matter how good the emulation is, skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter,Honeyd, and KF sensor Honeyd: Low-interaction honeypot Honeyd is a low-interaction honeypot. Developed by Niels Provos, Honeyd is Open Source and designed to run primarily on UNIX systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands

8

9

they issue, and perhaps even learn what they are looking for or their identity. It all depends on the level of emulation by the honeypot. Most emulated services work the same way. They expect a specific type of behavior, and then are programmed to react in a predetermined way. If attack A does this, then react this way. If attack B does this, then respond this way. The limitation is if the attacker does something that the emulation does not expect, then it does not know how to respond. Most low-interaction honeypots, including Honeyd, simply generate an error message. High-interaction honeypots High-interaction honeypots are different; they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, you can capture extensive amounts of information... The second advantage is highinteraction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect. An excellent example of this is how a Honeynet). However, this also increases the risk of the honeypot as attackers can use this real operating system to attack non-honeypot systems. As result, additional technologies have to be implement that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include honeynets. Honeynets: High-interaction honeypot Honeynets are a prime example of high-interaction honeypot. Honeynets are not a product, they are not a software solution that you install on a computer. Instead, Honeyents are an architecture, an entire network of computers designed to attacked. The idea is to have an architecture that creates a highly

9

10

controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to emails and files uploads, are captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers. An example of such a deployment can be seen in Figure 1. How honeynets are connected to main server

10

11

Figure 1

Value of Honeypots
Now that we have understanding of two general categories of honepyots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories, honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways; prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three. Now that we discuss different types of honeypots and and their value, lets discuss some examples. The more a honeypot can do and the more an attacker can do to a honeypot, the more information can be derived from it. However, by the same token, the more an attacker can do to the honeypot, the more potential damage an attacker can do. For example, a low interaction honeypot would be one that is easy to install and simply emulates a few services. Attackers can merely scan, and potentially connect to several ports. Here the information is limited (mainly who connected to what ports when) however there is little that the attacker can exploit. On the other extreme would be high interaction honeypots. These would be actual systems. We can learn far much more, as there is an actual operating system for the attacker to compromise and interact with, however there is also a far greater level of risk, as the attacker has an actual operating system to work with. Neither solution is a better honeypot. It all depends on what you are attempting to achieve. Remember,
11

12

honeypots are not a solution. Instead, they are a tool. Their value depends on what your goal is, from early warning and detection to research. Based on 'level of interaction', lets compare some possible honeypot solutions. For this report we will discuss three more honeypots. There are a variety of other possible honeypots, however this selection covers a range of options. We will cover Specter, Honeyd, homemade honeypots, Mantrap, and Honeynets. This paper is not meant to be a comprehensive review of these products. I only highlight some of their features. Instead, I hope to cover the different types of honeypots, how they work, and demonstrate the value they add and the risks involved. If you wish to learn more about the capabilities of these solutions, I highly recommend you try them out on your own in a controlled, lab environment.

Specter Specter is a commercial product 'low interaction' production honeypot. It can emulate a far greater range of services and functionality. In addition, not only can it emulate services, but emulate a variety of operating systems. It is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a webserver or telent server of the operating system of ours choice. When an attacker connects, it is then prompted with an http header or login banner. The attacker can then attempt to gather web pages or login to the system. This activity is captured and recorded by Specter, however there is little else the attacker can do. There is no real application for the attacker to interact with, instead just some limited, emulated functionality. Specters value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also support a variety of alerting and logging mechanisms. One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker. Some of this information
12

13

gathering is relatively passive, such as DNS lookups. However, some of this research is active, such as port scanning the attacker. While this intelligence functionality may be of value, many times you do not want the attacker to know he is being watched. Be careful when implementing any active, automated responses to the attacker.

Homemade Honeypots Another common honeypot is homemade. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as Worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with, however the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (http) capturing all traffic to and from the port. This is commonly done to capture Worm attacks. One such implementation would be using netcat, as follows: Homemade honeypots can be modified to do (and emulate) much more, requiring a higher level of invovlement, and incurring a higher level of risk. For example, FreeBSD has a jail functionality, allowing an administrator to create a controlled environment within the operating system. The attacker can then interact with this controlled environment. The value here is the more the attacker can do, the more can be potentially learned. However, care must be taken, as the more functionality the attacker can interact with, the more can go wrong, with the honeypot potentially compromised. Mantrap Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application level attacks, IRC chat session, and a
13

14

variety of other threats. However, just as far more can be learned, so can more go wrong. Once compromised, the attacker can use that fully functional operating system to attack others. Care must be taken to mitigate this risk. As such, I would categorize this as a mid-high level of interaction. Also, these honeypots can be used as either a production honeypot (used both in detection and reaction) or a research honeypot to learn more about threats. There are limitations to this solution. The biggest one is you are limited to what the vendor supplies you. Currently, Mantrap only exists on Solaris operating system. How honeypots works? According to the Lance Spitzener definition of the security it lies in the three regions.

1> Prevention 2 >Detection 3 >Reaction

Prevention
Honeypots add little value to prevention, honeypots will not help keep the bad guys out. What will keep the bad guys out are best practices, such as disabling unneeded or insecure services, using strong authentication mechanisms. It is the best practices and procedures such as these that will keep the bad guys out. A honeypot, a system to be compromised, will not help keep the bad guys out. In fact, if incorrectly implemented, a honeypot may make it easier for an attacker to get in. Some individuals have discussed the value of deception as a method to deter attackers. The concept is to have attackers spend time and resource attacking honeypots, as opposed to attacking production systems. The attacker is deceived into attacking the honeypot, protecting production resources from attack. While this may prevent attacks on production systems, most organizations are much better off spending their limited time and resources on securing their systems, as opposed to deception. Deception may

14

15

contribute to prevention, but organization will most likely get greater prevention putting the same time and effort into security best practices. Also, deception fails against two of the most common attacks today; automated toolkits and worms. Today, more and more attacks are automated. These automated tools will probe, attack, and exploit anything they can find vulnerable. Yes, these tools will attack a honeypot, but they will also just as quickly attack every other system in our organization. If we have a coffee pot with an IP stack, it will be attacked. Deception will not prevent these attacks, as there is no consciously acting individual to deceive. Organizations are better off focusing their resources on security best practices.

Detection
While honeypots add little value to prevention, for many organizations, it is extremely difficult to detect attacks. Often organizations are so overwhelmed with production activity, such as gigabytes of system logging, that it can be extremely difficult to detect when a system is attacked, or even when successfully compromised. Intrusion Detection Systems (IDS) are one solution designed for detecting attacks. However, IDS administrators can be overwhelmed with false positives. False positives are alerts that were generated when the sensor recognized the configured signature of an "attack", but in reality was just valid traffic. The problem here is that system administrators may receive so many alerts on a daily basis that they cannot respond to all of them. Also, they often become conditioned to ignore these false positive alerts as they come in day after day, similar to the story of "the boy who cried wolf". The very IDS sensors that they were depending on to alert them to attacks can become ineffective unless these false positives are reduced. This does not mean that honeypots will never have false positives, only that they will be dramatically fewer than with most IDS implementations. Another risk is false negatives, when IDS systems fail to detect a valid attack. Many IDS systems, whether they are signature based, protocol verification, etc, can potentially miss new or unknown attacks. It is likely that a new attack will go undetected by currently IDS methodologies. Also, new IDS evasion methods are constantly being developed and distributed.

15

16

Honeypots address false negatives as they are not easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can most likely detect when a compromise occurs via a new or unknown attack by virtue of system activity, not signatures. Administrators also do not have to worry about updating a signature database or patching anamoly detection engines. Honeypots happily capture any attacks thrown their way. As discussed earlier though, this only works if the honeypot itself is attacked. Honeypots can simplify the detection process. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. By definition, anytime a connection is made to your honeypot, this is most likely an unauthorized probe, scan, or attack. Anytime the honeypot initiates a connection, this most likely means the system was successfully compromised. This helps reduce both false positives and false negatives greatly simplifying the detection process. By no means should honeypots replace your IDS systems or be your sole method of detection. However, they can be a powerful tool to complement your detection capabilities.

Reaction
Though not commonly considered, honeypots also add value to reaction. Often when a system within an organization is compromised, so much production activity has occurred after the fact that the data has become polluted. Incident response team cannot determine what happened when users and system activity have polluted the collected data. For example, I have often come onto sites to assist in incident response, only to discover that hundreds of users had continued to use the compromised system. Evidence is far more difficult to gather in such an environment. The second challenge many organizations face after an incident is that compromised systems frequently cannot be taken off-line. The production services they offer cannot be eliminated. As such, incident response teams cannot conduct a proper or full forensic analysis. Honeypots can add value by reducing or eliminating both problems. They offer a system with reduced data pollution, and an expendable system that can be taken off-line. For example, let’s say an organization had three web servers, all of which were compromised by an attacker. However, management has only allowed us to go in and clean up specific holes. As such, we can never learn in detail what failed, what damage was done, is

16

17

there attacker still had internal access, and if we were truly successful in cleanup. However, if one of those three systems was a honeypot, we would now have a system we could take off-line and conduct a full forensic analysis. Based on that analysis, we could learn not only how the bad guy got in, but what he did once he was in there. These lessons could then be applied to the remaining web servers, allowing us to better identify and recover from the attack.

Research
As discussed at the beginning, there are two categories for honeypots; production and research. We have already discussed how production honeypots can add value to an organization. We will now discuss how research honeypots add value. One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, how do they attack, what are their tools, and possibly when will they attack? It is questions like these the security community often cannot answer. For centuries military organizations have focused on information gathering to understand and protect against an enemy. To defend against a threat, you have to first know about it. However, in the information security world we have little such information. Honeypots can add value in research by giving us a platform to study the threat. What better way to learn about the bad guys then to watch them in action, to record step-by-step as they attack and compromise a system. Of even more value is watching what they do after they compromise a system, such as communicating with other black hats or uploading a new tool kit. It is this potential of research that is one of the most unique characteristics of honeypots. Also, research honeypots are excellent tools for capturing automated attacks, such as auto rooters or Worms. Since these attacks target entire network blocks, research honeypots can quickly capture these attacks for analysis.

Advantages of honeypots

17

18

There are so many advantages of using honeypots as security agents it will make the security arrangement strong by the use of various IDS and fire walls. Some of them are very powerful and strong.








• •

Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity, any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collection only small data sets, but information of high value, as it is only the bad guys. This means it’s much easier (and cheaper) to analyze the data a honeypot collects and derives value from it. New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before. Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network. Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it. Information: Honeypots can collect in-depth information that few, if any other technologies can match. Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

Disadvantages of honeypots Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.
18

19




Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also. Risk: All security technologies have risk. Firewalls have risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different, they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk varies for different honeypots. Depending on the type of honeypot, it can have no more risk then an IDS sensor, while some honeypots have a great deal of risk.

Differences

between High and Low interaction honeypots

There is even an easy deployment of Honeyd on Linux computers. Low-interaction honeypots have the advantage of being easier to deploy and little risk, as they contain the activity of the attacker. Once you have had an opportunity to work with low-interaction solutions, you can take the skills and understanding you have developed and work with highinteraction solutions. To help you better understand honeypots, below is a chart summarizing what we just covered.

Low-interaction

High-interaction
19

20

Solution emulates operating systems and services. • Easy to install and deploy. Usually requires simply installing and configuring 2software on a computer. • Minimal risk, as the emulated services control what attackers can and cannot do. • Captures limited amounts of information, mainly transactional data and some limited interaction.

No emulation, real operating systems and services are provided.






Can capture far more information, including new tools, communications, or attacker keystrokes. Can be complex to install or deploy (commercial versions tend to be much simpler). Increased risk, as attackers are provided real operating systems to interact with

Finally, no paper on honeypots would be complete without a discussion about legal issues. There are many misconnects about the legal issues of honeypots. Instead of briefly covering the legal issues in this paper, I will be releasing a new paper at the end of May, 2003 dedicated to the legal issues of honeypot technologies. What are the legal issues of honeypots? As a new technology, people often ask what the legal issues of honeypots are. While honeypots are not specifically addressed in federal statutes or regulation, the following issues can be seen as a starting point. For specific information, refer to the paper Honeypots: Are They Illegal?

20

21


Liability: We can potentially be held liable if your honeypot is used to attack or harm other systems or organizations. This risk is the greatest with high-interaction honeypots.



Privacy: Honeypots can capture extensive amounts of information about attackers, which can potentially violate their privacy, such as IRC chats or emails. This could violate the privacy of the attacker, or more likely people he is communicating with. Once again, this risk is primarily with highinteraction honeypots.



Entrapment: For some odd reason, many people are concerned with the issue of entrapment. Entrapment is a legal defense used to avoid a conviction, you cannot be charged with entrapment. Most legal experts believe that entrapment is not an issue for honeypots

Conclusion

The purpose of this seminar report is to define what honeypots are and their value to the security community. We identified two different types of honeypots, low-interaction and high-interaction honeypots. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions is both for production or research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them. If you are interested in learning more about honeypots, you may want to consider the book, the first and only book dedicated to honeypot technologies.

21

22

References http://www.tracking-hackers.com/papers/honeypots.html http://www.securityfocus.com/infocus/1757 http://www.securitywizardry.com/honeypots.html http://en.wikipedia.org/wiki/Honeypot http://www.honeynet.org/papers/honeynet/

22

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close