Leurré.com: a worldwide distributed platform to study Internet threats - PowerPoint PPT Presentation


  1. Leurré.com: a worldwide distributed platform to study Internet threats. Deployed and managed by the Eurecom Institute (teaching and research institute located on the French Riviera). Contact point: dacier@eurecom.fr

  2. Overview (02/24/2005 – APRICOT Security Track – Dacier M., slide 2/31)
     • Leurré.com: why and how
     • Web interface: a few examples
     • Some 'non trivial' results
     • Conclusions

  3. Motivations
     • We do not precisely know the threats we are facing, and we do not know if/how they evolve …
     • … because of the lack of a model to characterize them …
     • … because of the lack of unbiased, quantitative data available to build such a model …
     • … because of the lack of an environment to collect such data!

  4. Leurré.com
     • This project aims at deploying the very same honeypots in a large number of diverse locations.
     • Early results demonstrate the complementarity of this approach to so-called Internet telescopes and Darknets.
     • You can see this as a simple, widely distributed, fine grained network monitoring system.

  5. Experimental Set Up
     [diagram: Internet -> Reverse Firewall -> Virtual Switch -> Mach0: Windows 98 workstation; Mach1: Windows NT (ftp + web server); Mach2: Redhat 7.3 (ftp server); Observer (tcpdump)]

  6. 30 platforms, 20 countries, 5 continents

  7. In Europe …

  8. Win-Win Partnership
     • The interested partner provides …
       • One old PC (Pentium II, 128M RAM, 233 MHz …),
       • 4 routable IP addresses.
     • EURECOM offers …
       • Installation CD-ROM,
       • Remote log collection and integrity check,
       • Access to the whole SQL database by means of a secure web access.

  9. Overview
     • Leurré.com: why and how
     • Web interface: a few examples
     • Some 'non trivial' results
     • Conclusions

  10. 6 months of data, by country
     • Count all IP sources that have contacted all our platforms during the last six months.
     • Identify the country of the attacking IP.
     • Plot one curve per country.

  11. [chart only, no text on slide]

  12. [chart only, annotated with question marks]

  13. YU: Serbia and Montenegro
     • YU has contacted only one platform.
     • Identify the sequence of ports probed by each attacking IP.
     • Plot one curve per sequence of ports.

  14. [chart] High similarity between two different attack tools!? But … ?

  15. W32.Welchia.D.Worm ???
     • Exploits multiple vulnerabilities, including:
       – The DCOM RPC vulnerability using TCP port 135.
       – The Workstation service buffer overrun vulnerability using TCP port 445.
       – The Locator service vulnerability using TCP port 445.
     • Targets Windows XP and Windows 2000 (Windows NT also vulnerable to the first 2 attacks).

  16. One more viewpoint
     • Use passive OS fingerprinting tools (p0f, disco, ettercap) against each attacking IP.
     • Plot one curve for each OS type.

  17. [chart only, no text on slide]

  18. [chart only, no text on slide]

  19. Discussion
     • Welchia does not seem to be the only cause of these attacks because of:
       – The bizarre peak of attacks coming from NT boxes,
       – The fact that only one platform is targeted by this country.
     • Are there attackers 'surfing' on the traces of other attacks in order to hide themselves?
     • More research is required.

  20. Overview
     • Leurré.com: why and how
     • Web interface: a few examples
     • Some 'non trivial' results
     • Conclusions

  21. ISC (Dshield) Limitations ?
     [chart: y-axis 0 to 400, x-axis 2004-09-19 to 2004-09-28; two series, Source: Leurré.com and Source: Internet Storm Center]

  22. During the last 6 months
     • 345718 IPs have probed only 1 host per platform (67%)
     • 36287 have probed only 2 hosts per platform (7%)
     • 136331 IPs have probed all hosts of a given platform (26%)
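The two analyses the deck describes on slides 13 and 22 (grouping attacking IPs by the sequence of ports they probed, and counting how many of a platform's three honeypots each source touched) can be reproduced from per-packet observations. The following is an added example, not code from the slides or from the Eurecom project: the record layout (timestamp, platform, source IP, honeypot machine, destination port) is an assumption, the log lines are constructed, the three-machines-per-platform figure comes from slide 5, and the port sequence is taken as the distinct ports in first-seen order, which the deck does not spell out.

```python
"""Added example, not part of the Leurré.com slides or the Eurecom project.
Computes slide 13's per-source port sequences and slide 22's
'hosts probed per platform' breakdown from constructed honeypot records."""
from collections import Counter, defaultdict

# Constructed sample records: "timestamp platform src_ip dst_machine dst_port".
# This layout is an assumption, not the project's database schema.
SAMPLE_LOG = """\
2004-09-19T10:00:01 envi1 198.51.100.7 mach0 135
2004-09-19T10:00:02 envi1 198.51.100.7 mach0 445
2004-09-19T10:00:03 envi1 198.51.100.7 mach1 135
2004-09-19T10:00:04 envi1 198.51.100.7 mach1 445
2004-09-19T10:00:05 envi1 198.51.100.7 mach2 135
2004-09-19T10:00:06 envi1 198.51.100.7 mach2 445
2004-09-19T11:12:00 envi1 203.0.113.9 mach1 135
2004-09-19T11:12:01 envi1 203.0.113.9 mach1 445
2004-09-20T03:40:10 envi2 192.0.2.44 mach0 1433
2004-09-20T03:40:11 envi2 192.0.2.44 mach1 1433
2004-09-21T08:15:00 envi2 203.0.113.9 mach2 135
2004-09-21T08:15:01 envi2 203.0.113.9 mach2 445
2004-09-21T08:15:02 envi2 203.0.113.9 mach2 135
"""

MACHINES_PER_PLATFORM = 3   # slide 5: Mach0, Mach1, Mach2 behind each reverse firewall


def parse(log):
    """Parse the constructed records and sort them chronologically (ISO
    timestamps sort lexically), so port sequences come out in probe order."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, platform, src, machine, port = line.split()
        records.append((ts, platform, src, machine, int(port)))
    records.sort()
    return records


def port_sequences(records):
    """Map each (platform, source IP) to the tuple of distinct destination
    ports it probed there, in first-seen order (slide 13's port sequence)."""
    seqs = defaultdict(list)
    for _, platform, src, _, port in records:
        key = (platform, src)
        if port not in seqs[key]:
            seqs[key].append(port)
    return {k: tuple(v) for k, v in seqs.items()}


def group_by_sequence(seqs):
    """Count how many (platform, source) pairs share each port sequence;
    one curve per key is what slide 13 plots."""
    return Counter(seqs.values())


def hosts_probed_breakdown(records, machines_per_platform=MACHINES_PER_PLATFORM):
    """Slide 22 style breakdown: per (platform, source), how many distinct
    honeypot machines were touched, bucketed as 1, 2 or 'all'."""
    hosts = defaultdict(set)
    for _, platform, src, machine, _ in records:
        hosts[(platform, src)].add(machine)
    buckets = Counter()
    for touched in hosts.values():
        n = len(touched)
        buckets["all" if n >= machines_per_platform else n] += 1
    return dict(buckets)


def percentages(buckets):
    """Share of each bucket, rounded to one decimal (slide 22's pie chart)."""
    total = sum(buckets.values())
    return {k: round(100.0 * v / total, 1) for k, v in buckets.items()}


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    seqs = port_sequences(recs)
    for key, seq in sorted(seqs.items()):
        print(key, "->", seq)
    print(group_by_sequence(seqs))
    breakdown = hosts_probed_breakdown(recs)
    print(breakdown, percentages(breakdown))
```

Applying `percentages` to the three counts on slide 22 (345718, 36287 and 136331) gives 66.7%, 7.0% and 26.3%, which is where the 67% / 7% / 26% labels on the pie chart come from. Sources sharing the 135-then-445 sequence are the kind of group that slide 14 compares against the Welchia description on slide 15.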

  23. P(sending a packet to an open port) for an attacker who sends packets to all machines of a given environment
     [bar chart: y-axis 0 to 100; one bar per machine (Mach1, Mach2, Mach3); x-axis Envi1, Envi2, Envi4, Envi5, Envi6, Envi8, Envi9, Envi13, Envi14, Envi20, Envi21, Envi22, Envi23, Envi25, Envi26, Envi27, Envi28, Envi30, Envi31, ALL]

  24. P(sending a packet to an open port) for an attacker who sends packets to only one machine of a given environment
     [bar chart: y-axis 0 to 100; one bar per machine (mach1, mach2, mach3); x-axis Envi1, Envi2, Envi4, Envi5, Envi6, Envi8, Envi9, Envi13, Envi14, Envi20, Envi21, Envi22, Envi23, Envi25, Envi26, Envi27, Envi28, Envi30, Envi31, ALL]

  25. Targeted attacks: Port 1433 example
     [time series: y-axis 0 to 14, x-axis 18/10/2003 to 15/02/2004; annotated peaks on 20/10/03, 06/11/03, 12/01/04 and 24/01/04]
