Honeypot: An instrument for attracting and detecting attackers

Post on 22-Dec-2015


Adapted from R. Baumann

Honeypot - R. Baumann – April 2002

Agenda

– Theory
– Implementation
– Administration Toolkit
– Attacks
– Conclusion

Theory

Honeypot
– Term originally from the military
– Fake target or ambush
– In this presentation, the term "honeypot" is used in the network security environment

Theory

Definition

A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attacker, his methods and tools.

Theory

Benefit
– Productive environment: distraction from the real targets
– Research environment: information gathering

But:
– No direct protection gained
– In contrast to IDS: no false alerts

Theory

Types of implementation

Level of Involvement
– Low Involvement: Port Listeners
– Mid Involvement: Fake Daemons
– High Involvement: Real Services

Risk increases with level of involvement
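
A low-involvement honeypot in the sense of the list above can be a bare port listener that records who connected and what they sent first, without ever answering. The following is an added example, not code from the presentation or from the Honeybread project; the function names, the event fields and port 2323 are assumptions chosen for illustration.

```python
import json
import socket
from datetime import datetime, timezone


def open_listener(host="127.0.0.1", port=0):
    """Bind a TCP listener; port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv


def capture(srv, max_events, read_timeout=2.0, max_bytes=512):
    """Yield one event per inbound connection, then stop after max_events.

    The listener never writes to the peer: it only records the source
    and the first bytes received, which keeps the involvement level low.
    """
    dst_port = srv.getsockname()[1]
    seen = 0
    while seen < max_events:
        conn, (src_ip, src_port) = srv.accept()
        with conn:
            conn.settimeout(read_timeout)
            try:
                data = conn.recv(max_bytes)
            except (socket.timeout, ConnectionError):
                data = b""  # peer connected but sent nothing usable
        seen += 1
        yield {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": dst_port,
            # latin-1 maps every byte to one character, so nothing is lost
            "first_bytes": data.decode("latin-1"),
        }


if __name__ == "__main__":
    listener = open_listener(port=2323)  # constructed port choice
    for event in capture(listener, max_events=5):
        print(json.dumps(event))  # one JSON log line per connection
```

Any connection to such a listener is suspect by construction, which is why the Benefit slide contrasts honeypots with IDS false alerts.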

Theory

Honeynet
– Network of honeypots
– Supplemented by firewalls and intrusion detection systems

Advantages:
– "More realistic" environment
– Improved possibilities to collect data

Implementation

Project Honeybread
– Honeynet implementation
– Administration Toolkit
– Ethernet Tunneling Software

Implementation

Schematic illustration

[Figure: schematic with the elements Honeypots, Detection and Internet]

Implementation

Topology

Implementation

Honeypots
– Multiple honeypots
– Virtual machines
– Different, independent systems

Implementation

Detection unit
– Information logging
– Connection control
– Administration

Administration Interface

Features
– Web-based
– Event visualization
– Connections from and to the honeynet
– Intrusion detection system alerts
– Session logs
– Statistics and reports

Administration Interface

Screenshot

Attacks

Facts
– Huge amount of IDS alerts (>40'000)
– Mostly automated attacks
– Code Red Virus
– Successfully attacked in less than 24 hours
– Well-known security vulnerabilities used

Attacks

IDS alerts

Attacks

Distribution over time

Attacks

Origin

Attacks

Summary
– The number of attacks was surprising
– Origin of attacks mostly from local systems
  – Attacks on own subnet
  – Most tools use own subnet as default setting

Conclusion: Protection required and possible

Summary

Technology
– Honeypot as a safety solution not very attractive
  – Very time-consuming
  – No out-of-the-box solutions
  – Risk quite high when used inappropriately
  – Deep knowledge needed
  – Legal situation uncertain
– Honeypot as a service very attractive

Summary

Implementation
– Data analysis very complex and time-consuming
– Very good learning results
– Very interesting research area
– Exciting and surprising moments