honeydv6
play

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam - PowerPoint PPT Presentation

May 19, 2023 •561 likes •890 views

HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavk, July 29, 2013 Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 -

  1. HoneydV6 A low-interaction IPv6 honeypot Sven Schindler Potsdam University Institute for Computer Science Operating Systems and Distributed Systems Reykjavík, July 29, 2013

  2. Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 - Development and Performance Measurements 3 Conclusion and Future work 4 Sven Schindler (Potsdam University) HoneydV6 Frame 2 of 26

  3. Introduction Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 - Development and Performance Measurements 3 Conclusion and Future work 4 Sven Schindler (Potsdam University) HoneydV6 Frame 3 of 26

  4. Introduction Why do we need IPv6 dark- and honeynets? huge IPv6 address space makes brute-force network scanning impossible new scanning approaches in the wild? attacks aiming at IPv6 design weaknesses how to analyse IPv6 related attacks ? Sven Schindler (Potsdam University) HoneydV6 Frame 4 of 26

  5. Introduction THC and si6 - IPv6 Attack Toolkits IPv6 attack tools like THC toolkit [3] and si6 [8] available fragment6 (THC) - duplicate fragments fake_router6 (THC) - become the default router rsmurf6 (THC) - remote smurf attack tool dos-new-ip6 (THC) - block new hosts from joining a network scan6 (si6) - intelligent scan approaches Sven Schindler (Potsdam University) HoneydV6 Frame 5 of 26

  6. An IPv6 darknet experiment Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 - Development and Performance Measurements 3 Conclusion and Future work 4 Sven Schindler (Potsdam University) HoneydV6 Frame 6 of 26

  7. An IPv6 darknet experiment Prior darknet experiments Why another IPv6 Darknet Experiment? /48 experiment from 2006 reported 12 ICMPv6 packets within 16 months [2] IPv4 class A darknet in 2004 captured 30,000 packets/second [5] 9 days /12 IPv6 darknet experiment received 21,000 non-malicious packets in 2010 [4] started our /48 darknet experiment in March 2012 (Hurricane Electric tunnel) Sven Schindler (Potsdam University) HoneydV6 Frame 7 of 26

  8. An IPv6 darknet experiment Darknet results Darknet results after 9 months 1172 packets received TCP traffic only most packets around IPv6 World Launch Day (6.6.2012) 2012 IPv6 /48 Darknet Activity 200 Darknet activity 180 160 Number of received Packets 140 120 100 80 60 40 20 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Date (months) Sven Schindler (Potsdam University) HoneydV6 Frame 8 of 26

  9. An IPv6 darknet experiment Darknet results Backscatter traffic 1157 packets seem to be backscatter caused by misconfiguration or spoofed source addresses Number of packets Source port 486 auth (113) 327 ssh (22) 186 ircd (6667) 158 http (80) Sven Schindler (Potsdam University) HoneydV6 Frame 9 of 26

  10. An IPv6 darknet experiment Darknet results Backscatter Sven Schindler (Potsdam University) HoneydV6 Frame 10 of 26

  11. An IPv6 darknet experiment Darknet results Some interesting facts about the backscatter traffic port 113 belongs to Ident protocol (RFC1413) 486 packets from 8 different sources to 457 different destinations most packets contained the same acknowledgement number port 22 327 packets from 8 different sources targeting 295 destinations again: most packets contained the same acknowledgement number port 6667 186 packets from the same source again: all packets contained the same acknowledgement number port 80 158 packets from the same source to different destinations all packets but one with the same acknowledgement number and target port → traffic indicates spoofed source addresses Sven Schindler (Potsdam University) HoneydV6 Frame 11 of 26

  12. An IPv6 darknet experiment Darknet results Darknet summary DoS-attacks observed? no connection attempts threat level in IPv6 network still low compared to IPv4 attackers interest in IPv6 networks is raising Sven Schindler (Potsdam University) HoneydV6 Frame 12 of 26

  13. HoneydV6 - Development and Performance Measurements Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 - Development and Performance Measurements 3 Conclusion and Future work 4 Sven Schindler (Potsdam University) HoneydV6 Frame 13 of 26

  14. HoneydV6 - Development and Performance Measurements Introduction What is a virtual honeypot and why do we need it? Honeypot definition A virtual honeypot is a security device with the only purpose of attracting attackers, so that their attacks can be analysed. This can be something like a computer or even a mobile phone. The system itself has no real production value [7]. provides level of interaction classification based on level of interaction high-interaction honeypot drawback: hardware requirements low-interaction honeypots to simulate multiple hosts on single machine Dionea is able to simulate a single IPv6 connected machine [1] Sven Schindler (Potsdam University) HoneydV6 Frame 14 of 26

  15. HoneydV6 - Development and Performance Measurements Honeyd Honeyd open source low-interaction honeypot by Niels Provos custom network stack simulate entire networks supports OS fingerprinting provides framework for service scripts latest release v 1.5c does not support IPv6 Tiny Honeypot, SCADA HoneyNet Project based on Honeyd Sven Schindler (Potsdam University) HoneydV6 Frame 15 of 26

  16. HoneydV6 - Development and Performance Measurements Honeyd Honeyd architecture[6] Sven Schindler (Potsdam University) HoneydV6 Frame 16 of 26

  17. HoneydV6 - Development and Performance Measurements Honeyd Requirements allow to define virtual IPv6 hosts create hierarchical IPv6 networks allow nmap, ping6 and traceroute6 to find virtual hosts log IPv6 communication between attacker and honeypot keep IPv4 support Sven Schindler (Potsdam University) HoneydV6 Frame 17 of 26

  18. HoneydV6 - Development and Performance Measurements Adapting the configuration of virtual hosts Adapting the configuration of virtual hosts Example IPv4 configuration create windows set windows default tcp action reset add windows tcp port 21 "scripts/ftp.sh" set windows ethernet "aa:00:04:78:98:76" bind 192.168.1.5 windows bind 192.168.1.6 windows configuration parser modified to accept IPv6 addresses IPv6 and IPv4 templates managed in splay tree Sven Schindler (Potsdam University) HoneydV6 Frame 18 of 26

  19. HoneydV6 - Development and Performance Measurements ICMPv6 and NDP implementation Implementing the Neighbor Discovery Protocol and ICMPv6 IPv6 utilizes NDP instead of ARP send and process neighbor solicitations send router solicitations process router advertisements ICMPv6 echo request/reply ICMPv6 Time Exceeded and Destination Unreachable Sven Schindler (Potsdam University) HoneydV6 Frame 19 of 26

  20. HoneydV6 - Development and Performance Measurements Modifying packet processing Modifying packet processing new IPv6 dispatcher updated routing engine to simulate networks extension header processing fragmentation logging of length and offset TCP and UDP functionality updated Sven Schindler (Potsdam University) HoneydV6 Frame 20 of 26

  21. HoneydV6 - Development and Performance Measurements Random IPv6 request processing How to find an IPv6 honeypot? linear IPv6 address scan is impossible attacker needs to find hosts dynamically create new virtual hosts on demand all connection attempts logged observe new scan approaches Sven Schindler (Potsdam University) HoneydV6 Frame 21 of 26

  22. HoneydV6 - Development and Performance Measurements Random IPv6 request processing Configuration of random IPv6 request processing Configuration create randomdefault set randomdefault default tcp action reset add randomdefault tcp port 21 "scripts/ftp.sh" add randomdefault tcp port 80 "scripts/web.sh" set randomdefault ethernet "aa:00:04:78:98:78" randomipv6 0.5 randomdefault 256 randomexclude 2001:db8::1 randomexclude 2001:db8::2 randomexclude 2001:db8::3 Sven Schindler (Potsdam University) HoneydV6 Frame 22 of 26

  23. HoneydV6 - Development and Performance Measurements Scalability Performance tests - HTTP get request measurements generated log file containing 20.000 HTTP GET request from different source addresses 600 requests per second honeyd configured to simulate single host (IPv4 and IPv6 connected) web.sh script on port 80 1.5c (IPv4) V6 (IPv4) V6 (IPv6) 212.57 214.00 205.75 Table: Comparison of the number of HTTP GET requests per second that Honeyd 1.5c and HoneydV6 is able to handle without any packet loss. Sven Schindler (Potsdam University) HoneydV6 Frame 23 of 26

  24. Conclusion and Future work Outline 1 Introduction 2 An IPv6 darknet experiment HoneydV6 - Development and Performance Measurements 3 Conclusion and Future work 4 Sven Schindler (Potsdam University) HoneydV6 Frame 24 of 26

  25. Conclusion and Future work Conclusion and Future work HoneydV6 is the first low-interaction honeypot which can simulate entire IPv6 networks on a single host may be used to add IPv6 support for low-interaction honeypots based on honeyd new protocols implemented (NDP , ICMPv6) random IPv6 request processing helps to understand new scan approaches OS fingerprinting and tunnel support not yet implemented working on shellcode detection engine currently running at a major German hosting company HoneydV6 source code available on www.idsv6.de Questions? Sven Schindler (Potsdam University) HoneydV6 Frame 25 of 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande

Honeypots architecture Security Properties Statistical results Conclusion A Proposal for Securing a Large-Scale High-Interaction Honeypot J. Briffaut J.-F. Lalande C. Toinard LIFO Universit dOrlans ENSI de Bourges SHPCS08,

401 views • 19 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems

Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems

Dependable Distributed Systems Anti-Honeypot Technology Thorsten Holz Laboratory for Dependable Distributed Systems holz@i4.informatik.rwth-aachen.de Thorsten Holz Laboratory for Dependable Distributed Systems 21st Chaos Communication

576 views • 57 slides
Course Introduction Constraint Programming Marco Chiarandini Department of Mathematics &

Course Introduction Constraint Programming Marco Chiarandini Department of Mathematics &

DM841 Discrete Optimization Lecture 1 Course Introduction Constraint Programming Marco Chiarandini Department of Mathematics & Computer Science University of Southern Denmark Outline 1. Motivation 2. Course Organization 2 Outline 1.

499 views • 25 slides
IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors ,

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/303210806 IST-Africa Talk Slides Conference Paper May 2016 CITATIONS READS 0 122 3 authors , including: Victor R Kebande Nickson

389 views • 23 slides
Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security

Network reconnaissance and IDS CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of

701 views • 44 slides
Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien

Picviz finding a needle in a haystack Sbastien Tricaud INL Usenix, San Diego 2008 Sbastien Tricaud (INL) Picviz finding a needle in a haystack Usenix, San Diego 2008 1 / 47 Speaker: Sebastien Tricaud I Live and work in Paris (FR)

601 views • 48 slides
Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to

Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to

Benjamin Braun, Klemens Mang Securing networks with Honeypots Motivation Scenario : Web server Internet SSH How to detect attackers accessing your service? How to analyze attack patterns? How to detect yet unknown attack

246 views • 13 slides
A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran

A Security Enforcement Kernel for OpenFlow Networks HotSDN 2012 Phillip Porras, Vinod Yegneswaran , Martin Fong, Mabry Tyson (SRI International) Seungwon Shin, Guofei Gu (Texas A&M University) Classic Network Perimeter Defense Security

207 views • 20 slides
Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Monitoring, Attack Detection and Mitigation Monitoring, Attack Detection and Mitigation MonAM 2006 MonAM 2006 Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti Authors: merson Virti, Liane

474 views • 16 slides
Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera

Catch me if you can! Angelo Dell'Aera Bologna 29/10/2016 A Little About Me Angelo Dell'Aera <angelo.dellaera@honeynet.org> Security Researcher @ Area 1 Security Full Member @ Honeynet Project Information Security Independent

680 views • 48 slides
Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David

Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David

Attack Patterns Recognition Framework Noor-ul-hassan Shirazi, Alberto Schaeffer-Filho and David Hutchison Lancaster University MSN2012:The Multi Service Networks Workshop Coseners House, Abingdon, Oxfordshire, UK 12-13 July 2012 1

348 views • 17 slides
Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security

WLCG Group Understanding and preventing common attacks Romain Wartel 7th March 2010, ISGC Security Workshop, Taiwan. 1 Overview Underground market The main motive behind most security attacks: money. 3 Exposure and motivation Grids

434 views • 25 slides
investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware

investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware

Complex malware & forensic investigation Hackito Ergo Sum 2015 Paul Rascagneres & Sebastien Larinier Complex malware & forensics investigation | about us Me: Paul Rascagnres Twitter account: @r00tbsd Senior threat researcher

442 views • 43 slides
Data Breaches: Measurement Efforts and Issues Chris Walsh chris@cwalsh.org ChoicePoint as

Data Breaches: Measurement Efforts and Issues Chris Walsh chris@cwalsh.org ChoicePoint as

Data Breaches: Measurement Efforts and Issues Chris Walsh chris@cwalsh.org ChoicePoint as Impetus Breach Law Passage Dates 8 6 Num States Breach focused attention, 4 spurred legislative action 2 But, what can we actually 0 measure,

647 views • 16 slides
Matthew Wright, PhD Director of the Center for Cybersecurity Professor of Computing Security

Matthew Wright, PhD Director of the Center for Cybersecurity Professor of Computing Security

http://www.rit.edu/cybersecurity Matthew Wright, PhD Director of the Center for Cybersecurity Professor of Computing Security Rochester Institute of Technology Center Mission Research Interdisciplinary Real-world Human-centered

838 views • 57 slides
Intrusion Detection Cyber Security Spring 2010 Reading material Chapter 25 from Computer

Intrusion Detection Cyber Security Spring 2010 Reading material Chapter 25 from Computer

Intrusion Detection Cyber Security Spring 2010 Reading material Chapter 25 from Computer Security, Matt Bishop Snort http://snort.org Distributed IDS DShield http://dshield.org Dark address space

590 views • 21 slides
Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing

Scrutinizing a Country using Passive DNS and Picviz or how to analyze big dataset without loosing your mind Sebastien Tricaud, Alexandre Dulaunoy March 10, 2012 Disclaimer Passive DNS is a technique to collect only valid answers from

772 views • 38 slides
Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t

Hot or Not: Fingerprinting hosts through clock skew ^ c = 95, min s ^ ( t ) = 0.11, max s ^ ( t ) = 0.22 ppm s 0 39.0

699 views • 38 slides
Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey

Active 802.11 Fingerprinting: gibberish and secret handshakes to know your AP Sergey Bratus, Cory Cornelius, Daniel Peebles Dartmouth College Shmoocon 2008 This talk in 5 minutes (1) How it started? TC7, Johnny Cache:

426 views • 23 slides
Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan

Lecture #5: IoT Honeypots Cristian Hesselman, Elmer Lastdrager, Ramin Yazdani, and Etienne Khan University of Twente | May 20, 2020 Lab assignment MUD descriptions: youll need to generate them yourselves, tools are available IoT

926 views • 38 slides
P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis

P ANDAcap A Framework for Streamlining Collection of Full-System Traces Manolis Stamatogiannakis , Herbert Bos, and Paul Groth April 27, 2020 EuroSec 2020 PANDAcap 1 In this Talk Motivation for this work Overview of

1.17k views • 35 slides
Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina

Neofelis High-Interaction Honeypot Framework for Mac OS X Joo Miguel Franco Francisco Nina Rente { jmfranco, frente } at dei.uc.pt Software and System Engineering Research Group FCT University of Coimbra Agenda Agenda

378 views • 16 slides
Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis

Secure and Private Smart Grid: The SPEAR Architecture Panagiotis Radoglou-Grammatikis University of Western Macedonia pradoglou@uowm.gr Nets Netsoft 2020 2020 Under SPEAR Project A u t h o r s UOWM TECNALIA TE SID SIDROCO CERTH

550 views • 20 slides

More recommend