honeypots against worms 101 honeypots against worms 101
play

Honeypots against Worms 101 Honeypots against Worms 101 Black Hat - PowerPoint PPT Presentation

Oct 21, 2023 •205 likes •733 views

Honeypots against Worms 101 Honeypots against Worms 101 Black Hat Asia 2003 oudot at oudot at rstack rstack.org .org http://www.rstack http://www. rstack.org/ .org/oudot oudot team rstack.org Overview Overview 1. About Worms

  1. Honeypots against Worms 101 Honeypots against Worms 101 Black Hat Asia 2003 oudot at oudot at rstack rstack.org .org http://www.rstack http://www. rstack.org/ .org/oudot oudot team rstack.org

  2. Overview Overview 1. About Worms – History, Functionality (infection, payload, propagation) 2. About Honeypots – What, how and why ? 3. Honeypots against worms – Theory (catch, slow, stop, contain, destroy) – Case study : Honeyd versus MSBlast 4. Conclusions 2

  3. 1. 1. 1. About Worms 1. About Worms Internet Worms : mischievous code that spreads itself over networks by usually attacking vulnerable hosts. After a remote infection, they can bounce or propagate to other vulnerable targets.

  4. History History 1. 1. • 1988 : Robert T. Morris – Young network called Internet was partially down … • 2003 : MSBlast – Millions of hosts infected (?) – Rumors of nuclear plants down (?!) … • 2018 : Skynet :-) – Human extinction 4

  5. Worm’s life Worm’s life 1. 1. • Old description of internet worms [AMOROSO, 1994] : virus: while true do find_host(h); PROPAGATION remote_copy(h, virus); INFECTION 1/2 perform_damage; PAYLOAD remote_execute(h, virus); INFECTION 2/2 od; 5

  6. Worm’s behavior Worm’s behavior 1. 1. We have three main characteristics [EEYE/BH] : • « Infection » – The way it comes in a system (intrusion) – Ex: vulnerability on an email reader, a web server... • « Propagation » – The way it tries to propagate to other victims – Ex: via emails, multithreads, random IP addresses... • « Payload » – The final attack launched (after a successful infection) – Ex: MSBlast launched a DOS on Windows Update 6

  7. Worms : birth and death Worms : birth and death 1. 1. “Peace” “Peace” “Peace” “Peace” Worm Worm High risks High risks propagation propagation Conclusions Conclusions Proof of concepts Proof of concepts Remaining Remaining worms worms Remote Worm Patches vulnerability created and applied found launched 7

  8. 2. 2. 2. About Honeypots 2. About Honeypots

  9. About Honeypots About Honeypots 2. 2. • « A honeypot is a security ressource whose value lies in being probed, attacked or compromised. », Lance Spitzner • Main goal : delude aggressors ! – they lose time by attacking non production computers. – you can study their tools and methods (0-day ?) • Security sensors ? • dedicated host : no role linked to systems in production. • incoming requests to the honeypot are suspect ! (false positive) – Modes ? • high interaction: real (sacrificed) hosts waiting for aggressors • low interaction: services and/or hosts simulated. – Fake answers 9

  10. More about Honeypots More about Honeypots 2. 2. • Legal issues – Entrapment, tracking, recording, privacy… – Bounces ! • What if an attacker uses your honeypot to jump elsewhere ? • Technical issues – Hardening the network (no bounce, etc) and systems – Stealth problems (!) : fingerprinting... – You need time to monitor the box and analyze intrusions • Psycho ? – Do you really want to play with aggressors ? What about the strike-back if they become angry ? 1 0

  11. 3. 3. 3. Honeypots against Worms 3. Honeypots against Worms 3a. Theory 3a. Theory 3b. Case Study 3b. Case Study

  12. 3a. 3a. 3a. Theory 3a. Theory Using honeypots technologies to fight worms... 1 2

  13. Infection and Honeypots Infection and Honeypots 3a. 3a. • What can be done during the infection phase ? • Architectures – Let the evil worms come in : redirection • Ex: if incoming = [ TCP dest port 135 ] then forward to honeypots – Honey Farms • Redirect incoming unwanted packets to a remote honeypots’ farms (over a VPN [Ex: GRE Tunnels with Honeyd] ) • Bait and switch technology – Control the incoming data : if attack then forward to honeypot • Ex: if it’s a buffer overflow coming to TCP port 135, then let’s send this stream to a honeypot zone. – B&S, Hogwash... 1 3

  14. Payload and Honeypots Payload and Honeypots 3a. 3a. • Catch the payload : – Sacrificial Lamb, Padded Cell • Pros : install & wait for infection • Cons: dangerous / difficult – System may crash, worms may try to bounce or use complex protocols – Virtual Honeypots • Pros : few risks (huh?) • Cons: difficult because it’s a specific trap, and it ’s almost impossible to predicate the behavior to adapt a honeypot for a new fresh worm – 1) Know the worm (aka your enemy) – 2) Catch the worm with a specific catcher 1 4

  15. Payload and Honeypots Payload and Honeypots 3a. 3a. • Study the payload : – Sacrificial Lamb, Padded Cell • Cons: risks (crash…) • Pros: you will be able to see more things => real environment – Virtual Honeypots • Cons: difficult to simulate a real world ( Matrix ) so that important points could be missed • Pros: so safe... • Honeypots are valuable to study such payloads because they are non production systems 1 5

  16. Propagation and Honeypots Propagation and Honeypots 3a. 3a. 1) Replying to incoming requests of worms 2) Slowing down worms 3) Counter-measure 4) Counter-attack 5) Toward automatic protections ? 1 6

  17. Propagation and Honeypots Propagation and Honeypots 3a. 3a. 1) Replying to incoming requests of worms – this is the first step of interaction (needed for a honeypot) – if will force the dialog with foreign entities (worms ?), – at least, they’ll loose time 1 7

  18. Propagation and Honeypots Propagation and Honeypots 3a. 3a. 2) Slowing down the worm – Usually, worms use user-mode API (sockets…) => no raw control on network dialogs => slow that ! • RFC TCP : Window size 0 [STEVENS] Ex1: LABREA vs Codered Ex2: iptables -A INPUT -p tcp -m tcp --dport 135 -j TARPIT – Pros : CPU, Memory, File Descriptors… => consume ! • Worms should verify the limits => bigger code / more visible – Cons : Threads, forks • Worms may simultaneously attack multiple systems without waiting for an answer from 1 blocking host 1 8

  19. Propagation and Honeypots Propagation and Honeypots 3a. 3a. 3) Counter-measure – ~ World of IDS • Ex: A sensor detects an attack, and alerts a device for actions – Sending orders of counter-measure (through SNMP, etc) • Network isolation • Host(s) isolation (switches : port shutdown…) • Services/ports closed • Hijacking, trafic insertion : TCP>RST or UDP>ICMP Unreach • Firewall rules insertion • IPS features (marketing inside) : automatic patches… – Cons : false positive => unwanted DOS (!) – Limitations : honeypots cannot see what is not for them (whereas NIDS try to look at everything) 1 9

  20. Propagation and Honeypots Propagation and Honeypots 3a. 3a. 4) Counter-attack – Legal issues ? • Only target your own computers (under legal control) – Theory : • A attacks B with a worm W • So, A is infected by W • So, A is vulnerable to attacks used by W • So, it’s possible to come on A with the infection process of W • So, it’s possible to clean A on the fly ! – Reality : • B is a honeypot, ready to clean its friends – Cons : • That’s theory : it may not work so easily ! • Is it an ugly activity ? dangerous activity ? 20

  21. Future (?) Future (?) 3a. 3a. 5) Toward automatic protections ? • Nicolas Weaver’s propositions – Use honeypots as worms detectors – Honey farms with automatic analysis and detection • Detect violent spreading (bursts of sessions, activities…) – Example with MSBlast, SQLWorm, etc : » One (evil ?) packet received thousands of times... • Take automatic decisions – Risks with false positive or specific DOS (?) • Is it a far future ? – Though it seems very difficult to build a perfect architecture, we can expect improvements. 21

  22. 3b. 3b. 3b. Case study : Honeyd Honeyd / MSBlast / MSBlast 3b. Case study : 22

  23. 3b. 3b. About Honeyd Honeyd About 23

  24. About Honeyd Honeyd About 3b. 3b. • Open source [BSD] project (Unix daemon) by Niels Provos – Simulates thousands of virtual hosts at the same time. – Configuration of arbitrary services via simple configuration file. – Simulates operating systems at TCP/IP stack level • Fools nmap and xprobe , • Adjustable fragment reassembly policy & FIN-scan policy. – Simulation of arbitrary routing topologies • Configurable latency and packet loss. – Subsystem virtualization • Run real applications under virtual IP addresses : web servers, ftp servers – ... 24

  25. Inside Honeyd Honeyd Inside 3b. 3b. Personalities Engine ICMP Virtual LIBPCAP TCP IP Stack Services UDP stdin stdout err External programs logs 25

  26. Honeyd : : config config Honeyd 3b. 3b. • Honeyd ? Go create ! Just imagine your own fake networks and systems eg: “I would like a fake box with Linux on 192.168.1.23 with a fake web server, and ……….” create template set template personality "Linux Kernel 2.4.0 - 2.4.18 (X86)" add template tcp port 25 "perl scripts/fake-sendmail.pl" add template tcp port 3128 "sh scripts/squid.sh $ipsrc $dport" add template tcp port 1080 proxy 192.168.1.34:1080 set template default tcp action reset bind 192.168.1.23 template 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots

Overview Intrusion Detection w ith Motivation Honeypots What is a honeypot? Types of honeypots What can you do with them? Claire OShea Problems with honeypots COMP 290 Spring 2005 Overview Motivation Examples of

645 views • 15 slides
FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the

FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the

FILARIAL WORMS Found mainly in tropical regions in Asia Threadlike worms live in the blood and lymph vessels of birds and mammals. They are transmitted by mosquitoes. Cause severe infections Worms block passage of lymph

390 views • 8 slides
Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack

Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack

Outline Introduction to worms Potential damage that *could* be caused (theoretical) Early DoS and Worms Examples of recent worms and DoS attacks Slammer Worm Shaft DoS attack Ben Wilde Mstream DoS attack 7 February, 2005

718 views • 14 slides
Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and

Nomadic Honeypots A Novel Concept for Smartphone Honeypots Steffen Liebergeld , Matthias Lange and Collin Mulliner Security in Telecommunications Technische Universit at Berlin, Germany { steffen,mlange } @sec.t-labs.tu-berlin.de Northeastern

713 views • 11 slides
INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE

INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS INTELLIGENT HONEYNET ACTIONABLE INFORMATION FROM HONEYPOTS JOSH PYORRE Security Researcher Threat Analyst at NASA Threat Analyst at Mandiant @joshpyorre HONEYPOTS CURRENTLY IN USE

1.25k views • 96 slides
Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha

Honeypots Mathias Gibbens Harsha vardhan Rajendran April 22, 2012 Mathias Gibbens, Harsha vardhan Rajendran () Honeypots April 22, 2012 1 / 28 Outline Introduction 1 History 2 Types of honeypots 3 Deception techniques using Honeypots

632 views • 61 slides
Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. !

Honeypots: Catching the Insider Threat Your Speaker ! President, Honeypot Technologies Inc. ! Founder, Honeynet Project & Moderator, honeypot mailing list ! Author, Honeypots: Tracking Hackers & Co- author, Know Your Enemy ! Work

676 views • 52 slides
On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer

On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer

COMP 4108 Presentation - Sept 20, 2005 On Instant Messaging Worms, Analysis and Countermeasures Mohammad Mannan School of Computer Science Carleton University, Canada Goals of this talk Discuss a few IM worms Analyze well-known

402 views • 26 slides
fka Can of Worms Harrison Community Center June 13, 2016 Purpose To introduce the

fka Can of Worms Harrison Community Center June 13, 2016 Purpose To introduce the

fka Can of Worms Harrison Community Center June 13, 2016 Purpose To introduce the potential Twin Ports Interchange (TPI) project. Jct I-35/I- 535/Hwy 53 fka Can of Worms I-535 at Garfield Avenue Gather community input

225 views • 18 slides
Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O.

CPS-SPC 16 @ Vienna AU Towards High-Interaction Virtual ICS Honeypots-in-a-Box D ANIELE A NTONIOLI A NAND A GRAWAL N. O. T IPPENHAUER daniele_antonioli@sutd.edu.sg Towards High-Interaction Virtual ICS Honeypots-in-a-Box 1 Overview In this

922 views • 25 slides
Malware: Worms CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John

Malware: Worms CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John

Malware: Worms CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ April 14, 2010 The Problem of Worms

582 views • 22 slides
Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti

Monitoring, Attack Detection and Mitigation Monitoring, Attack Detection and Mitigation MonAM 2006 MonAM 2006 Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: merson Virti Authors: merson Virti, Liane

474 views • 16 slides
Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter

Metasploit- able Honeypots Wouter Katz Research Project 2: Metasploit-able Honeypots Research questions Introduction Approach Wouter Katz Results wouter.katz@os3.nl Conclusions References University of Amsterdam July 4th 2013 Wouter

623 views • 30 slides
SELF-PROPAGATING MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2

SELF-PROPAGATING MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2

WORMS AND SELF-PROPAGATING MALWARE Ben Livshits, Microsoft Research Overview of Todays Lecture 2 Malware: taxonomy JavaScript worms History, evolution, and Spectator : JavaScript progression of worms: worm detection and an

643 views • 51 slides
Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab)

Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab)

Responding to Mobile Worms with Location-Based Quarantine Boundaries Baik Hoh (baikhoh@winlab) Marco Gruteser (gruteser@winlab) Research Review 2006 1 Threats of Mobile Worms Current Trends in Pervasive Devices Multi-radio support :

791 views • 20 slides
Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at

Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at

Bitter Harvest: S ystematically Fingerprinting Low- and Medium- interaction Honeypots at Internet S cale Alexander Vet t erl and Richard Clayt on University of Cambridge 12th USENIX Workshop on Offensive Technologies August 13-14, 2018

481 views • 21 slides
Disclosures Homelessness and Health Care of People Experiencing Homelessness Barry Zevin is an

Disclosures Homelessness and Health Care of People Experiencing Homelessness Barry Zevin is an

Treating Addiction in the Homeless Population | Barry Zevin, MD Disclosures Homelessness and Health Care of People Experiencing Homelessness Barry Zevin is an employee of the San Francisco Department of Public Health Barry Zevin MD There are no

384 views • 17 slides
Gender Segregation in Education and Its Implications for Labour Market Outcomes: Evidence from

Gender Segregation in Education and Its Implications for Labour Market Outcomes: Evidence from

Gender Segregation in Education and Its Implications for Labour Market Outcomes: Evidence from India Soham Sahoo (Indian Institute of Management Bangalore) Stephan Klasen (University of Goettingen) UNU-WIDER Conference, Bangkok, September 2019

585 views • 17 slides
POLI 100M: Poli-cal Psychology Lecture 10: Implicit A;tudes and Race Taylor N. Carlson

POLI 100M: Poli-cal Psychology Lecture 10: Implicit A;tudes and Race Taylor N. Carlson

POLI 100M: Poli-cal Psychology Lecture 10: Implicit A;tudes and Race Taylor N. Carlson Ceenstr@ucsd.edu Announcements Final project is due Saturday, Sept. 9, 11:30am Submit to Turn it In on TritonEd Review the rubric and detailed

607 views • 33 slides
WE NEED DIVERSE BOOKS A Social Cognition Approach What does diversity mean? Why do we need

WE NEED DIVERSE BOOKS A Social Cognition Approach What does diversity mean? Why do we need

WE NEED DIVERSE BOOKS A Social Cognition Approach What does diversity mean? Why do we need diverse books? Vermont Demographics (census.gov) Discuss What are the barriers to exposing children to diverse books? Who worries about what

376 views • 25 slides
Presented by: http://ifma.org/my-account/login Facility Management IFMA Insider: Informative The

Presented by: http://ifma.org/my-account/login Facility Management IFMA Insider: Informative The

March Member Benefit of the Month: Risk Reduction Synergistic Strategies Presented by: http://ifma.org/my-account/login Facility Management IFMA Insider: Informative The Wire: Biweekly e- FM Knowledge Center: 24/7 FM Job Search: IFMA Journal :

618 views • 35 slides
Leading in Crisis: The Best of Times, The Worst of Times Dr. Kevin Nourse Leap Advocates

Leading in Crisis: The Best of Times, The Worst of Times Dr. Kevin Nourse Leap Advocates

Leading in Crisis: The Best of Times, The Worst of Times Dr. Kevin Nourse Leap Advocates American Association of Port Authorities Executive Management Conference May 2010 Best of Times, Worst of Times? Significant challenges exist today for

744 views • 57 slides
Modeling Vocal Interaction for Text-Independent Participant Characterization in Multi-Party

Modeling Vocal Interaction for Text-Independent Participant Characterization in Multi-Party

Introduction Framework Experiments Conclusions Modeling Vocal Interaction for Text-Independent Participant Characterization in Multi-Party Conversation Kornel Laskowski 1 , 2 , Mari Ostendorf 3 & Tanja Schultz 1 , 2 1 Cognitive Systems

1.16k views • 99 slides
Introd u ction to EFA FAC TOR AN ALYSIS IN R Jennifer Br u sso w Ps y chometrician Ps y cho +

Introd u ction to EFA FAC TOR AN ALYSIS IN R Jennifer Br u sso w Ps y chometrician Ps y cho +

Introd u ction to EFA FAC TOR AN ALYSIS IN R Jennifer Br u sso w Ps y chometrician Ps y cho + metrics ps y cho = " of the mind " metrics = " related to meas u rement " FACTOR ANALYSIS IN R Learning objecti v es R u n a u

414 views • 30 slides

More recommend