1 Honeypot, Botnet, Security Measurement, Email Spam Cliff C. Zou CDA6938 02/01/07


1

Honeypot, Botnet, Security Measurement, Email Spam

Cliff C. Zou, CDA6938, 02/01/07

2

What Is a Honeypot?

“A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”

3

Example of a Simple Honeypot

- Install a vulnerable OS and software on a machine
- Install monitoring or IDS software
- Connect it to the Internet (with a globally routable IP)
- Wait and monitor it being scanned, attacked and compromised
- Finish the analysis, then clean (rebuild) the machine

4

Benefit of Deploying Honeypots

- Risk mitigation: a deployed honeypot may lure an attacker away from the real production systems (an "easy target")
- IDS-like functionality: since no legitimate traffic should flow to or from the honeypot, any traffic that does appear is suspicious by definition and can trigger further actions
- Attack analysis:
  - Binary analysis of captured attack code
  - Spying on the attacker's ongoing actions
  - Finding out why and how you are attacked, and with what strategies

5

Honeypot Classification

- High-interaction honeypots: a full, working OS is provided to be attacked
  - VMware virtual environment: several VMware virtual hosts on one physical machine
- Low-interaction honeypots: only emulate specific network services, with no real interaction and no real OS
  - Example: Honeyd
- Honeynet/honeyfarm: a network of honeypots

6

Low-Interaction Honeypots

- Pros:
  - Easy to install (a simple program)
  - Low risk (no real vulnerable software is exposed to be attacked; only the emulator itself)
  - One machine can support hundreds of honeypots
- Cons:
  - No real interaction is captured (the exchange stops where the emulation ends)
  - Limited logging/monitoring functionality
  - Easily detected by attackers

7

High-Interaction Honeypots

- Pros:
  - Real OS: captures all attack traffic and actions
  - Can discover unknown attacks/vulnerabilities
- Cons:
  - Time-consuming to build, maintain and analyze
  - Risk of being used as a stepping stone to attack others: must have a firewall blocking (or tightly limiting) outgoing traffic
  - High computing-resource requirement

8

Honeynet

A network of honeypots
- High-interaction honeynet: a distributed network composed of many honeypots
- Low-interaction honeynet: emulate a virtual network on one physical machine (example: honeyd)
- Mixed honeynet: "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week

Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

9

What Is a Botnet?

- A network of compromised computers controlled by their attacker
  - Users of the zombie machines do not know
  - Mostly home computers on broadband connections
- The main source of many attacks now:
  - Distributed Denial-of-Service (DDoS)
  - Extortion
  - Email spam, phishing
  - Ad fraud
  - Stealing user information: documents, keylogger output, …

10

How to Build a Botnet?

- Infect machines via:
  - Internet worms, viruses
  - Email viruses
  - Backdoors left by previous malware
  - Trojan programs hidden in free downloads (software, games, …)
- Bots phone home to receive commands

11

Botnet Architecture

- Bot controller: usually an IRC (Internet Relay Chat) server
- Dozens of controllers for robustness

[Figure: the attacker issues commands to several bot controllers; each bot connects to a controller and receives the commands from there]

12

Botnet Monitoring

- Hijack one of the bot controllers
  - The DNS provider redirects the controller's domain name to the monitor
  - Still cannot cut off the botnet (there are dozens of controllers)
  - Can obtain most or all bot IP addresses
- Let honeypots join the botnet
  - Can monitor all communications the bot sees
  - Gives no complete picture of the botnet

13

Security Measurement

- Monitor network traffic to understand and track Internet attack activities
- Monitor incoming traffic to unused IP space:
  - TCP connection requests
  - UDP packets

[Figure: traffic from the Internet into the local network; the part addressed to the unused IP space is the monitored traffic]
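The unused-IP-space measurement sketched above, as an added example written for this page (not code from the original slides): it aggregates constructed flow records addressed to a hypothetical unused prefix, counts probes per source and destination port, and separates SYN/ACK backscatter, which is a remote victim answering spoofed packets rather than a scan of us. The prefix, addresses and flow format are constructed.

```python
import ipaddress
from collections import Counter, defaultdict

# Hypothetical unused ("dark") prefix inside the local network; nothing legitimate lives
# here, so every packet addressed to it is unsolicited. Constructed for this example.
DARK_SPACE = [ipaddress.ip_network("192.0.2.0/25")]

# Constructed flow records: "unix_time src dst proto dport tcp_flags" ("-" for UDP).
# 192.0.2.200 lies outside the dark /25 and stands for a production host.
SAMPLE_FLOWS = """\
1170288000 198.51.100.7  192.0.2.3   tcp 445  S
1170288001 198.51.100.7  192.0.2.9   tcp 445  S
1170288001 198.51.100.7  192.0.2.77  tcp 445  S
1170288002 203.0.113.42  192.0.2.5   tcp 1433 S
1170288002 203.0.113.42  192.0.2.200 tcp 1433 S
1170288003 198.51.100.99 192.0.2.20  udp 1434 -
1170288004 198.51.100.7  192.0.2.33  tcp 445  S
1170288005 203.0.113.1   192.0.2.66  tcp 80   SA
"""


def parse_flow(line):
    """Split one constructed flow record into typed fields."""
    ts, src, dst, proto, dport, flags = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(), "dport": int(dport), "flags": flags}


def in_dark_space(addr):
    return any(addr in net for net in DARK_SPACE)


def is_probe(flow):
    """A bare SYN or a UDP datagram to dark space is a probe. A SYN/ACK (or RST) arriving
    there is backscatter: a victim somewhere answering a packet whose source address was
    spoofed with one of our unused addresses."""
    if flow["proto"] == "tcp":
        return flow["flags"] == "S"
    return flow["proto"] == "udp"


def summarize(flow_text=SAMPLE_FLOWS):
    """Return (per-source scan summary, backscatter count) for traffic into dark space."""
    per_source = defaultdict(lambda: {"ports": Counter(), "targets": set()})
    backscatter = 0
    for line in flow_text.strip().splitlines():
        flow = parse_flow(line)
        if not in_dark_space(flow["dst"]):
            continue                      # production traffic: not measured here
        if not is_probe(flow):
            backscatter += 1
            continue
        rec = per_source[str(flow["src"])]
        rec["ports"][(flow["proto"], flow["dport"])] += 1
        rec["targets"].add(str(flow["dst"]))
    scanners = {src: {"ports": dict(rec["ports"]), "distinct_targets": len(rec["targets"])}
                for src, rec in per_source.items()}
    return scanners, backscatter


def top_ports(scanners):
    """Aggregate probed (proto, port) pairs across all sources, busiest first."""
    total = Counter()
    for rec in scanners.values():
        total.update(rec["ports"])
    return total.most_common()


if __name__ == "__main__":
    scanners, backscatter = summarize()
    for src, rec in sorted(scanners.items(), key=lambda kv: -kv[1]["distinct_targets"]):
        print(f"{src:15} hit {rec['distinct_targets']} dark addresses on {rec['ports']}")
    print("backscatter packets:", backscatter)
    print("most probed ports:", top_ports(scanners))
```

The number of distinct dark addresses a source touches is what separates a scanner from a one-off misconfiguration; the per-port totals across all sources are the worm-outbreak signal that such sensors were built to catch.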

14

Refining Monitoring

- A TCP SYN alone is not enough (it gives only the IP and port); we need to distinguish different attacks
- Low-interaction honeypots (honeyd): obtain the first attack payload by replying SYN/ACK
  - Used by the "Internet Motion Sensor" at U. Michigan; paper presented next…
- High-interaction honeypots
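The first-payload trick described above (complete the handshake, send a banner, record what the attacker sends first), as an added low-interaction handler written for this page rather than code from the slides or from honeyd or the Internet Motion Sensor. The banner, classification rules and port are constructed; `simulate()` drives the handler over a socketpair so it can be exercised offline.

```python
import socket
import threading

# Constructed SMTP-looking banner; a real deployment uses the banner of the service it emulates.
BANNER = b"220 mail.example.net ESMTP ready\r\n"


def classify_payload(data: bytes) -> str:
    """Rough protocol guess from the first bytes an attacker sends after our SYN/ACK.
    A bare SYN tells us only IP and port; this first payload tells attacks apart."""
    if not data:
        return "empty"
    if data.startswith(b"SSH-"):
        return "ssh"
    first_word = data.split(b" ", 1)[0].upper()
    if first_word in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS", b"CONNECT"):
        return "http"
    if len(data) >= 8 and data[4:8] == b"\xffSMB":
        return "smb"                      # NetBIOS session header followed by SMB magic
    if first_word.rstrip(b"\r\n") in (b"HELO", b"EHLO"):
        return "smtp"
    return "unknown"


def capture_first_payload(conn: socket.socket, banner: bytes = BANNER, timeout: float = 5.0) -> dict:
    """Low-interaction handler: the TCP handshake already completed in accept(); send a
    banner, read the first payload once, record it and close. Nothing is executed or parsed
    beyond classification, so there is no vulnerable service here to compromise."""
    record = {"banner_sent": False, "timed_out": False, "payload_hex": "", "protocol": "empty"}
    payload = b""
    conn.settimeout(timeout)
    try:
        conn.sendall(banner)
        record["banner_sent"] = True
        payload = conn.recv(4096)
    except socket.timeout:
        record["timed_out"] = True        # scanner never sent anything: still a probe
    except OSError:
        pass                              # peer reset: still worth logging the attempt
    finally:
        conn.close()
    record["protocol"] = classify_payload(payload)
    record["payload_hex"] = payload[:256].hex()
    return record


def simulate(payload: bytes) -> dict:
    """Exercise the handler offline over a socketpair, playing the attacker on the other end."""
    honeypot_side, attacker_side = socket.socketpair()
    result = {}
    worker = threading.Thread(
        target=lambda: result.update(capture_first_payload(honeypot_side, timeout=2.0)))
    worker.start()
    banner_seen = attacker_side.recv(1024)    # attacker reads our banner ...
    attacker_side.sendall(payload)            # ... and fires the first payload
    worker.join()
    attacker_side.close()
    result["banner_seen_by_attacker"] = banner_seen
    return result


def serve(host: str = "0.0.0.0", port: int = 2525, log=print) -> None:
    """Listen on one port and log one record per connection. Bind this to an address
    in the unused IP space and firewall its outbound traffic."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(64)
        while True:
            conn, (peer_ip, peer_port) = srv.accept()
            rec = capture_first_payload(conn)
            rec.update({"src": peer_ip, "sport": peer_port, "dport": port})
            log(rec)


if __name__ == "__main__":
    print(simulate(b"GET /scripts/root.exe?/c+dir HTTP/1.0\r\n\r\n"))
```

Because the handler closes after one read, a multi-stage exploit is cut short at its first message; that is exactly the "no real interaction" limit of low-interaction honeypots noted earlier, and also why the handler has nothing an attacker can take over.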

15

Remote fingerprinting

- Actively probe remote hosts to identify their OS, physical devices, etc.
  - Different OSes respond differently to service requests
  - Different hardware responds differently
- Purposes:
  - Understand the computers on the Internet
  - Remove the DHCP issue in monitored data (the same host showing up under changing IP addresses)
  - Paper presented later

16

Data Sharing: Traffic Anonymization

- Sharing monitored network traffic is important:
  - Collaborative attack detection
  - Academic research
- Privacy and security exposure in data sharing:
  - Packet header: exposes IP addresses and service ports
  - Packet content: more serious
- Data anonymization:
  - Change the packet header: preserve the IP prefix structure, and …
  - Change the packet content
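Prefix-preserving address anonymization, the header technique named above, as an added example written for this page (not from the slides; it is a simplified HMAC-based variant of the Crypto-PAn construction, not Crypto-PAn itself). Output bit i depends on the original bits before i, so two addresses share exactly as long a prefix after anonymization as before, which keeps /24 and AS-level structure usable by analysts without exposing real hosts. Payload content is replaced by its length and a keyed digest. The key, addresses and records are constructed.

```python
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key-change-me"   # constructed; in practice a random 256-bit secret


def _prf_bit(key: bytes, prefix_bits: str) -> int:
    """One pseudorandom bit that is a function of the original address prefix seen so far."""
    digest = hmac.new(key, prefix_bits.encode("ascii"), hashlib.sha256).digest()
    return digest[0] & 1


def anonymize_ipv4(addr: str, key: bytes = KEY) -> str:
    """Prefix-preserving anonymization (Crypto-PAn-style, HMAC as the PRF):
    output bit i = input bit i XOR PRF(key, input bits 0..i-1)."""
    bits = format(int(ipaddress.IPv4Address(addr)), "032b")
    out = [str(int(bits[i]) ^ _prf_bit(key, bits[:i])) for i in range(32)]
    return str(ipaddress.IPv4Address(int("".join(out), 2)))


def common_prefix_len(a: str, b: str) -> int:
    """Length of the longest common leading bit string of two IPv4 addresses."""
    x = int(ipaddress.IPv4Address(a)) ^ int(ipaddress.IPv4Address(b))
    return 32 - x.bit_length()


def anonymize_record(rec: dict, key: bytes = KEY) -> dict:
    """Anonymize one captured packet record: rewrite both addresses, keep protocol and ports
    (needed to study which services are attacked), and replace the payload by its length and
    a keyed digest so identical payloads can still be correlated without disclosing content."""
    out = dict(rec)
    out["src"] = anonymize_ipv4(rec["src"], key)
    out["dst"] = anonymize_ipv4(rec["dst"], key)
    payload = out.pop("payload", b"")
    out["payload_len"] = len(payload)
    out["payload_digest"] = hmac.new(key, payload, hashlib.sha256).hexdigest()[:16]
    return out


# Constructed sample: two hosts in the same /24 sending the same SMB probe to a third network.
SAMPLE = [
    {"src": "10.1.2.3", "dst": "172.16.5.5", "proto": "tcp", "dport": 445,
     "payload": b"\x00\x00\x00\x85\xffSMB"},
    {"src": "10.1.2.99", "dst": "172.16.5.5", "proto": "tcp", "dport": 445,
     "payload": b"\x00\x00\x00\x85\xffSMB"},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(anonymize_record(r))
    a, b = (anonymize_ipv4(r["src"]) for r in SAMPLE)
    print("shared prefix bits before:", common_prefix_len(SAMPLE[0]["src"], SAMPLE[1]["src"]),
          "after:", common_prefix_len(a, b))
```

The preserved structure is also the weakness: if an adversary learns a few real-to-anonymized pairs (say, by sending traffic to the monitored network and finding it in the shared trace), those pairs reveal prefix bits shared by many other anonymized addresses. Use a fresh key per released dataset and treat prefix-preserving output as pseudonymous, not anonymous.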

17

Why So Much Email Spam?

- No authentication/authorization in email
  - Receiving unsolicited email is by design
  - Sending fake email is easy (shown on the next slide)
- Profit:
  - It takes a dime to send out millions of spam emails
  - A few effective spam messages give back a good profit
  - No penalty for spam (weak law, out-of-country spammers)

18

Sample fake email sending

Telnet longwood.cs.ucf.edu 25
S: 220 longwood.cs.ucf.edu ESMTP Sendmail 8.13.8/8.13.8; …
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: [email protected]
S: 250 [email protected]... Sender ok
C: RCPT TO: [email protected]
S: 250 [email protected] ... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: subject: who am I?
C: Do you like ketchup?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection

19

Current Major Spam Defense

- Signature-based filtering: SpamAssassin, etc., based on keywords and rules on headers…
- Blacklist-based filtering: DNS blacklists, dynamically updated (Spamhaus)
- Sender authentication:
  - Caller ID (Microsoft): http://en.wikipedia.org/wiki/Caller_ID
  - Sender Policy Framework (SPF): http://www.openspf.org/
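The Telnet session on the previous slide shows the gap SPF closes: the server accepts whatever domain the client puts in MAIL FROM, while the connecting host (crepes.fr in that session) has no say in it. Here is an added SPF check written for this page (not code from the slides or from openspf.org) that evaluates the v=spf1 record of the MAIL FROM domain against the connecting IP. DNS is replaced by a constructed in-memory table; a real MTA queries live DNS and also implements the ptr/exists mechanisms, macros and the exp= modifier that this version leaves out.

```python
import ipaddress

# Constructed DNS data standing in for live lookups. example.com and example.org publish
# SPF, alias.example redirects to example.com, nospf.example publishes no SPF record.
DNS = {
    "example.com": {"TXT": ["v=spf1 ip4:192.0.2.0/24 mx -all"], "MX": ["mail.example.com"]},
    "mail.example.com": {"A": ["198.51.100.25"]},
    "example.org": {"TXT": ["v=spf1 a include:_spf.provider.example ~all"], "A": ["203.0.113.10"]},
    "_spf.provider.example": {"TXT": ["v=spf1 ip4:203.0.113.64/26 -all"]},
    "alias.example": {"TXT": ["v=spf1 redirect=example.com"]},
    "nospf.example": {"TXT": ["some unrelated TXT record"]},
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_DEPTH = 10   # RFC 4408 caps DNS-querying terms at 10; recursion is capped the same way


def lookup(name, rtype):
    return DNS.get(name.lower(), {}).get(rtype, [])


def spf_record(domain):
    """The single TXT record beginning with the v=spf1 version tag, if any."""
    for txt in lookup(domain, "TXT"):
        if txt.lower() == "v=spf1" or txt.lower().startswith("v=spf1 "):
            return txt
    return None


def _host_matches(ip, names):
    return any(ip == ipaddress.ip_address(a) for name in names for a in lookup(name, "A"))


def check_host(client_ip, domain, depth=0):
    """Return the SPF result (RFC 4408 result names) for client_ip sending mail as domain."""
    if depth > MAX_DEPTH:
        return "permerror"
    record = spf_record(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    redirect = None
    for term in record.split()[1:]:
        if "=" in term:                               # modifier, e.g. redirect= or exp=
            mod, _, value = term.partition("=")
            if mod.lower() == "redirect":
                redirect = value
            continue
        qualifier = "+"                               # mechanisms default to "+" (pass)
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            matched = ip in ipaddress.ip_network(arg, strict=False)   # False across versions
        elif mech == "a":
            matched = _host_matches(ip, [arg or domain])
        elif mech == "mx":
            matched = _host_matches(ip, lookup(arg or domain, "MX"))
        elif mech == "include":
            matched = check_host(client_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                        # ptr/exists/unknown: not implemented here
        if matched:
            return QUALIFIERS[qualifier]
    if redirect:
        return check_host(client_ip, redirect, depth + 1)
    return "neutral"


def check_mail_from(mail_from, client_ip):
    """Apply SPF to the domain of an SMTP MAIL FROM address such as '<user@example.com>'."""
    domain = mail_from.strip("<>").rsplit("@", 1)[-1]
    return check_host(client_ip, domain)


if __name__ == "__main__":
    # A forged MAIL FROM in example.com's name, sent from a host example.com never listed.
    print(check_mail_from("<spammer@example.com>", "203.0.113.99"))   # fail
    print(check_mail_from("<user@example.com>", "192.0.2.17"))        # pass
```

SPF only ties the MAIL FROM (envelope) domain to the sending host; it says nothing about the From: header the user sees, and a domain that ends its record with ~all or ?all asks receivers not to reject outright, which is why SPF is a scoring input to filters like SpamAssassin rather than a standalone verdict.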