
SLIDE 1

Leurré.com: a worldwide distributed platform to study Internet threats

Deployed and managed by the Eurecom Institute (teaching and research institute located on the French Riviera)

Contact point: dacier@eurecom.fr

SLIDE 2

02/24/2005 – APRICOT Security Track – Dacier M. 2/31

Overview

  • Leurré.com: why and how
  • Web interface: a few examples
  • Some 'non trivial' results
  • Conclusions

SLIDE 3

Motivations

  • We do not precisely know the threats we are facing and we do not know if/how they evolve …
  • … because of the lack of a model to characterize them …
  • … because of the lack of unbiased, quantitative data available to build such a model …
  • … because of the lack of an environment to collect such data!

SLIDE 4

Leurré.com

  • This project aims at deploying the very same honeypots in a large number of diverse locations.
  • Early results demonstrate the complementarity of this approach to so-called Internet telescopes and Darknets.
  • You can see this as a simple, widely distributed, fine-grained network monitoring system.

SLIDE 5

Experimental Set Up

[Diagram: Internet, Reverse Firewall, Observer (tcpdump), Virtual Switch, and three honeypot virtual machines]

  • Mach0: Windows 98 workstation
  • Mach1: Windows NT (ftp + web server)
  • Mach2: RedHat 7.3 (ftp server)

SLIDE 6

30 platforms, 20 countries, 5 continents

SLIDE 7

In Europe …

SLIDE 8

Win-Win Partnership

  • The interested partner provides …
    • one old PC (Pentium II, 128 MB RAM, 233 MHz …),
    • 4 routable IP addresses.
  • EURECOM offers …
    • an installation CD-ROM,
    • remote log collection and integrity check,
    • access to the whole SQL database by means of a secure web access.

SLIDE 9

Overview

  • Leurré.com: why and how
  • Web interface: a few examples
  • Some 'non trivial' results
  • Conclusions

SLIDE 10

6 months of data, by country

  • Count all IP sources that have contacted all our platforms during the last six months.
  • Identify the country of the attacking IP.
  • Plot one curve per country.

SLIDE 11

SLIDE 12

? ? ? ?

SLIDE 13

YU: Serbia and Montenegro

  • YU has contacted only one platform.
  • Identify the sequence of ports probed by each attacking IP.
  • Plot one curve per sequence of ports.
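The two analyses described on slides 10 and 13 (distinct sources per country per day, which platforms a country touched, and the port sequence of each attacking IP) carried out on a small constructed data set. This is an added example, not code from the Leurré.com project or its web interface. The packet records and the prefix-to-country table (a stand-in for a GeoIP lookup) are assumptions made for the example, as is the simplification that a port sequence collapses repeated ports.

```python
from collections import Counter, defaultdict

# Constructed sample of honeypot observations, one per packet:
# (timestamp, source IP, platform, honeypot host, destination TCP port).
# Made up for this example; not Leurré.com data.
RECORDS = [
    ("2004-09-19 01:00:00", "10.1.0.1", "env4", "mach1", 135),
    ("2004-09-19 01:00:01", "10.1.0.1", "env4", "mach1", 445),
    ("2004-09-19 01:00:02", "10.1.0.1", "env4", "mach1", 445),
    ("2004-09-19 02:00:00", "10.1.0.2", "env4", "mach1", 135),
    ("2004-09-19 02:00:01", "10.1.0.2", "env4", "mach1", 445),
    ("2004-09-20 03:00:00", "10.1.0.3", "env4", "mach0", 135),
    ("2004-09-20 03:00:01", "10.1.0.3", "env4", "mach0", 139),
    ("2004-09-19 04:00:00", "10.2.0.1", "env1", "mach2", 1433),
    ("2004-09-20 05:00:00", "10.2.0.2", "env9", "mach2", 1433),
    ("2004-09-20 06:00:00", "10.3.0.1", "env1", "mach0", 80),
]

# Hypothetical prefix-to-country table standing in for a GeoIP database.
PREFIX_TO_COUNTRY = {"10.1.": "YU", "10.2.": "FR", "10.3.": "US"}


def country_of(ip):
    """Resolve an IP to a country code via the toy prefix table ('??' if unknown)."""
    for prefix, cc in PREFIX_TO_COUNTRY.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def sources_per_country_per_day(records):
    """Slide 10: distinct attacking IPs per (country, day); one curve per country."""
    seen = defaultdict(set)
    for ts, src, _platform, _host, _port in records:
        seen[(country_of(src), ts[:10])].add(src)
    return {key: len(ips) for key, ips in seen.items()}


def platforms_per_country(records):
    """Slide 13: the platforms contacted by sources of each country."""
    hit = defaultdict(set)
    for _ts, src, platform, _host, _port in records:
        hit[country_of(src)].add(platform)
    return {cc: sorted(platforms) for cc, platforms in hit.items()}


def port_sequences(records):
    """Per source IP, the distinct ports probed in first-seen order.

    Simplification assumed here: repeats are collapsed, so 135,445,445 -> (135, 445).
    """
    seqs = defaultdict(list)
    for _ts, src, _platform, _host, port in sorted(records):
        if port not in seqs[src]:
            seqs[src].append(port)
    return {src: tuple(seq) for src, seq in seqs.items()}


def port_sequence_histogram(records, country):
    """Slide 13: number of sources from `country` per port sequence; one curve per sequence."""
    seqs = port_sequences(records)
    return Counter(seq for src, seq in seqs.items() if country_of(src) == country)


if __name__ == "__main__":
    for (cc, day), n in sorted(sources_per_country_per_day(RECORDS).items()):
        print(f"{day} {cc}: {n} sources")
    print(platforms_per_country(RECORDS))
    print(port_sequence_histogram(RECORDS, "YU"))
```

On this sample the YU sources only ever reach env4, which is the observation that makes the slide-13 port-sequence breakdown worth plotting: two of the three YU sources share the 135-then-445 sequence, the third probes 135 then 139.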

SLIDE 14

High similarity between two different attack tools!?

But … ?

SLIDE 15

W32.Welchia.D.Worm ???

  • Exploits multiple vulnerabilities, including:
    – The DCOM RPC vulnerability using TCP port 135.
    – The Workstation service buffer overrun vulnerability using TCP port 445.
    – The Locator service vulnerability using TCP port 445.
  • Targets Windows XP and Windows 2000 (Windows NT also vulnerable to the first 2 attacks).

SLIDE 16

One more viewpoint

  • Use passive OS fingerprinting tools (p0f, disco, ettercap) against each attacking IP.
  • Plot one curve for each OS type.

SLIDE 17

SLIDE 18

SLIDE 19

Discussion

  • Welchia does not seem to be the only cause of these attacks because of:
    – The bizarre peak of attacks coming from NT boxes
    – The fact that only one platform is targeted by this country
  • Are there attackers 'surfing' on the traces of other attacks in order to hide themselves?
  • More research is required.

SLIDE 20

Overview

  • Leurré.com: why and how
  • Web interface: a few examples
  • Some 'non trivial' results
  • Conclusions

SLIDE 21

ISC (DShield) Limitations

[Figure: two time series covering 2004-09-19 to 2004-09-28, one labelled "Source: Internet Storm Center" and one labelled "Source: Leurré.com", with a "?" annotation]

SLIDE 22

During the last 6 months

  • 345718 IPs have probed only 1 host per platform
  • 36287 IPs have probed only 2 hosts per platform
  • 136331 IPs have probed all hosts of a given platform

1 host: 67%; 2 hosts: 7%; all hosts: 26%

SLIDE 23

P(sending a packet to an open port) for an attacker who sends packets to all machines of a given environment

[Figure: bar chart, 0-100 %, one group per environment (Envi1, Envi2, Envi4, Envi5, Envi6, Envi8, Envi9, Envi13, Envi14, Envi20, Envi21, Envi22, Envi23, Envi25, Envi26, Envi27, Envi28, Envi30, Envi31, ALL), one bar per machine (Mach1, Mach2, Mach3)]

SLIDE 24

P(sending a packet to an open port) for an attacker who sends packets to only one machine of a given environment

[Figure: bar chart, 0-100 %, one group per environment (Envi1, Envi2, Envi4, Envi5, Envi6, Envi8, Envi9, Envi13, Envi14, Envi20, Envi21, Envi22, Envi23, Envi25, Envi26, Envi27, Envi28, Envi30, Envi31, ALL), one bar per machine (mach1, mach2, mach3)]
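The classification of slide 22 (how many hosts of a platform a source touched) and the open-port probability of slides 23 and 24, computed on a constructed packet sample. This is an added example, not Leurré.com code. It assumes the three-machine platform of slide 5; the open-port set of each machine is an assumption made for the example (the slides name services, not ports), and the records are constructed.

```python
from collections import Counter, defaultdict

# Slide-5 layout: mach0 Windows 98 workstation, mach1 Windows NT (ftp + web),
# mach2 Red Hat 7.3 (ftp). The open-port sets are ASSUMED for this example;
# the slides list services, not port numbers.
HOSTS = ("mach0", "mach1", "mach2")
OPEN_PORTS = {"mach0": {139}, "mach1": {21, 80, 139}, "mach2": {21}}

# Constructed packets: (source IP, platform, honeypot host, destination port).
RECORDS = [
    ("10.5.0.1", "env1", "mach0", 139),
    ("10.5.0.1", "env1", "mach1", 139),
    ("10.5.0.1", "env1", "mach2", 139),
    ("10.5.0.2", "env1", "mach1", 80),
    ("10.5.0.3", "env1", "mach1", 1433),
    ("10.5.0.4", "env1", "mach0", 445),
    ("10.5.0.4", "env1", "mach1", 445),
    ("10.5.0.5", "env2", "mach0", 21),
    ("10.5.0.5", "env2", "mach1", 21),
    ("10.5.0.5", "env2", "mach2", 21),
]


def coverage_class(records):
    """Slide 22: label each (source, platform) pair '1 host', '2 hosts' or 'all hosts'
    by the number of distinct honeypot hosts the source sent packets to."""
    touched = defaultdict(set)
    for src, platform, host, _port in records:
        touched[(src, platform)].add(host)
    classes = {}
    for key, hosts in touched.items():
        if len(hosts) == len(HOSTS):
            classes[key] = "all hosts"
        elif len(hosts) == 1:
            classes[key] = "1 host"
        else:
            classes[key] = "2 hosts"
    return classes


def coverage_shares(records):
    """Percentage of (source, platform) pairs in each coverage class (the 67/7/26 split)."""
    counts = Counter(coverage_class(records).values())
    total = sum(counts.values())
    return {cls: 100.0 * n / total for cls, n in counts.items()}


def open_port_probability(records, wanted_class):
    """Slides 23-24: fraction of packets aimed at an open port, restricted to sources
    of one coverage class; keyed per platform plus an 'ALL' aggregate."""
    classes = coverage_class(records)
    hits, total = Counter(), Counter()
    for src, platform, host, port in records:
        if classes[(src, platform)] != wanted_class:
            continue
        for bucket in (platform, "ALL"):
            total[bucket] += 1
            if port in OPEN_PORTS[host]:
                hits[bucket] += 1
    return {bucket: hits[bucket] / total[bucket] for bucket in total}


if __name__ == "__main__":
    print(coverage_shares(RECORDS))
    print("all hosts:", open_port_probability(RECORDS, "all hosts"))
    print("1 host:  ", open_port_probability(RECORDS, "1 host"))
```

A source that sweeps every machine with the same port (10.5.0.1, 10.5.0.5) only hits open ports where the service happens to run, so its probability is bounded by how many machines expose that port; a source that picks one machine and one port (10.5.0.2, 10.5.0.3) either knew the service or did not, which is the contrast the two slides draw.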

SLIDE 25

Targeted attacks: Port 1433 example

[Figure: activity on port 1433 over time, 18/10/2003 to 15/02/2004, with four marked points: 1 (20/10/03), 2 (06/11/03), 3 (12/01/04), 4 (24/01/04)]

SLIDE 26

Results: identification of the scanner

  • 5 different types of scans have probed that port between point 1 and point 2.
  • Only 2 of these 5 have been observed between point 3 and point 4.
  • The scanning tool is quite likely one of these two.

SLIDE 27

Results: identification of the scanner (ctd.)

SLIDE 28

Overview

  • Leurré.com: why and how
  • Web interface: a few examples
  • Some 'non trivial' results
  • Conclusions

SLIDE 29

Conclusions

  • Experience shows that this data set is a gold mine for researchers.
  • It can provide the foundations to build a new generation of early warning information systems.
  • We, at Eurecom, can only take advantage of a fraction of it.

SLIDE 30

We need you …

  • … to deploy more platforms in Asia Pacific.
  • … to see other teams carrying out their own research with our data sets.
  • … to build a truly international cooperative environment to fight Internet threats.

Contact: dacier@eurecom.fr

SLIDE 31

References

  • F. Pouget, M. Dacier, "Honeypots-based Forensics", Proc. of the AusCERT2004 Conference (refereed stream), May 23-27 2004, Brisbane, Australia.
  • M. Dacier, F. Pouget, H. Debar, "Attack Processes found on the Internet", Proc. NATO Symposium on Adaptive Defense in Unclassified Networks, April 2004.
  • M. Dacier, F. Pouget, H. Debar, "Honeypots: Practical Means to Validate Malicious Fault Assumptions on the Internet", Proc. 10th IEEE International Symposium on Pacific Rim Dependable Computing (PRDC10), March 2004, pages 383-388.

Exhaustive and up-to-date list of publications available at http://www.eurecom.fr/~pouget/papers.htm