honeypot presentation - using honeyd


Upload: icanhasfay

Post on 08-Jun-2015


DESCRIPTION

HoneyPots for Network Security - Using Honeyd

TRANSCRIPT

1. HoneyPots for Network Security Using Honeyd

2. Botnets

  • One of the biggest threats in network security is botnets.
  • Botnets are collections of infected computers, or bots, that have been taken over by hackers (sometimes known as bot herders) and are used to perform malicious tasks or functions.

3. Botnets

  • This example illustrates how a botnet is created and used to send e-mail spam.
  • A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application: the bot.
  • The bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server).
  • A spammer purchases the services of the botnet from the operator.
  • The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out the spam.

4. Types of Botnet Attacks

  • Spyware
    • software which sends information about a user's activities to its creators: typically passwords, credit card numbers and other information that can be sold on the black market
  • Adware
    • advertise some commercial entity actively and without the user's permission or awareness
  • Denial of Service
    • multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use, causing the system to become busy

5. Types of Botnet Attacks

  • Fast Flux
    • DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies
  • Click Fraud
    • user's computer visiting websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain
  • E-mail spam
    • e-mail messages disguised as messages from people, but which are actually advertising, annoying, or malicious in nature

6. Honeypots

  • A server that is configured to detect an intruder by mirroring a real production system.
  • It appears as an ordinary server doing work, but all the data and transactions are phony.
  • Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system.
  • Set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

7. Types of Honeypots

  • Generally speaking there are two different types of honeypots: production honeypots and research honeypots.
  • Production honeypots are used primarily by companies or corporations to improve their overall state of security.
  • Research honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.

8. Honeyd

  • Honeyd is a daemon-type honeypot, licensed under the GPL, that can simulate a large network while using only a single host. To outsiders, Honeyd looks like a computer network occupying a network's unused address space.

9. Primary Applications of Honeyd

  • Distraction
    • Using the software's ability to mimic many different network hosts at once, Honeyd can act as a distraction to potential hackers.
    • If a network has only 3 real servers, but one server is running Honeyd, the network will appear to a hacker to be running hundreds of servers.
    • The hacker will then have to do more research in order to determine which servers are real, or the hacker may get caught in a honeypot. Either way, the hacker will be slowed down or possibly caught.
  • Honeypot
    • On a network, all normal traffic should be to and from valid servers only.
    • Thus, a network administrator running Honeyd can monitor his/her logs to see if there is any traffic going to the virtual hosts set up by Honeyd.
    • Any traffic going to these virtual servers can be considered highly suspicious.
    • The network administrator can then take preventative action, perhaps by blocking the suspicious IP address or by further monitoring the network for suspicious traffic.

10. Honeyd Configuration

  • /etc/honeypot/
  • Contains honeyd.conf, nmap.assoc, nmap.prints, pf.os, and xprobe2.conf


11. Honeyd Configuration

  • /etc/honeypot/
  • Contains honeyd.conf, nmap.assoc, nmap.prints, pf.os, and xprobe2.conf
  • honeyd.conf is the main configuration file for setting the personalities of the virtual hosts.

12. Honeyd Configuration

  • honeyd.conf
  • Creates the default actions for the machines
  • Creates a personality template called honeypot-template
    • Sets the MAC address, OS personality, uptime, available protocols and open ports
  • Binds the template to 2 unused IP addresses on the network

13. Honeyd Configuration

  • $ iptables -A INPUT -d 192.168.1.201 -j ACCEPT
  • $ iptables -A INPUT -d 192.168.1.202 -j ACCEPT
  • $ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  • Modifies the rules of your firewall to accept packets for the IP addresses defined in honeyd's configuration file
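The three configuration slides above describe honeyd.conf (slide 12), the firewall rules that let the host accept packets for the bound addresses (slide 13), and the monitoring idea from slide 9: any traffic to a virtual host is suspicious. The following Python script is an added example and is not part of the slides or of the Honeyd project. It reads a honeyd.conf written in Honeyd's own `create`/`set`/`add`/`bind` syntax (the file contents here are constructed for the illustration), derives the iptables ACCEPT rules for every bound address, and then flags every connection in a constructed log whose destination is one of the virtual hosts, noting whether the port was one Honeyd actually emulates. The log format `<src> -> <dst>:<port>/<proto>` is an assumption made for this example, not Honeyd's log format.

```python
"""Detect traffic aimed at Honeyd's virtual hosts.

Added example (not part of the slides or the Honeyd project): read the
``bind`` and ``add ... port`` lines of a honeyd.conf to learn which
addresses are virtual and which services each template emulates, derive
the iptables ACCEPT rules shown on the configuration slide, and flag every
logged connection whose destination is a virtual host. The configuration
text and the connection log are constructed for this illustration.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Constructed honeyd.conf written in Honeyd's syntax: one personality
# template bound to two unused addresses, as the slides describe.
HONEYD_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create honeypot-template
set honeypot-template personality "Linux 2.4.20"
set honeypot-template default tcp action reset
set honeypot-template uptime 1728650
set honeypot-template ethernet "00:00:24:ab:8c:12"
add honeypot-template tcp port 22 open
add honeypot-template tcp port 80 "sh /usr/share/honeyd/scripts/web.sh"

bind 192.168.1.201 honeypot-template
bind 192.168.1.202 honeypot-template
"""

# Constructed connection log in an assumed "<src> -> <dst>:<port>/<proto>" form.
# 192.168.1.10 is a real server; .201 and .202 are the virtual hosts above.
CONN_LOG = """\
192.168.1.50 -> 192.168.1.10:443/tcp
192.168.1.50 -> 192.168.1.201:80/tcp
10.9.8.7 -> 192.168.1.10:22/tcp
10.9.8.7 -> 192.168.1.202:22/tcp
10.9.8.7 -> 192.168.1.202:3389/tcp
"""

_BIND = re.compile(r"^\s*bind\s+(\S+)\s+(\S+)\s*$")
_PORT = re.compile(r"^\s*add\s+(\S+)\s+(tcp|udp)\s+port\s+(\d+)\s+")
_CONN = re.compile(r"^(\S+)\s*->\s*(\S+):(\d+)/(tcp|udp)$")

Bindings = Dict[str, str]                    # virtual IP -> template name
Services = Dict[str, Set[Tuple[str, int]]]   # template name -> {(proto, port)}


def parse_honeyd_conf(text: str) -> Tuple[Bindings, Services]:
    """Extract the virtual-host bindings and emulated ports from honeyd.conf."""
    bindings: Bindings = {}
    services: Services = {}
    for line in text.splitlines():
        if m := _BIND.match(line):
            ip, template = m.groups()
            # ip_address() rejects malformed addresses instead of silently binding them
            bindings[str(ipaddress.ip_address(ip))] = template
        elif m := _PORT.match(line):
            template, proto, port = m.groups()
            services.setdefault(template, set()).add((proto, int(port)))
    return bindings, services


def iptables_rules(bindings: Bindings) -> List[str]:
    """The INPUT rules from the slide: accept packets for every bound virtual IP."""
    rules = [f"iptables -A INPUT -d {ip} -j ACCEPT"
             for ip in sorted(bindings, key=ipaddress.ip_address)]
    rules.append("iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
    return rules


def suspicious_connections(log: str, bindings: Bindings, services: Services) -> List[dict]:
    """Every connection to a virtual host is suspicious (no legitimate client uses them).

    emulated_service tells the analyst whether Honeyd answered with a fake service
    or simply reset the connection, which changes how much interaction was logged.
    """
    hits: List[dict] = []
    for line in log.splitlines():
        m = _CONN.match(line.strip())
        if not m:
            continue
        src, dst, port, proto = m.groups()
        template = bindings.get(dst)
        if template is None:
            continue  # destination is a real server: nothing to report
        hits.append({
            "src": src, "dst": dst, "proto": proto, "port": int(port),
            "template": template,
            "emulated_service": (proto, int(port)) in services.get(template, set()),
        })
    return hits


if __name__ == "__main__":
    b, s = parse_honeyd_conf(HONEYD_CONF)
    print("\n".join(iptables_rules(b)))
    for hit in suspicious_connections(CONN_LOG, b, s):
        print(f"ALERT {hit['src']} -> {hit['dst']}:{hit['port']}/{hit['proto']} "
              f"(template {hit['template']}, emulated={hit['emulated_service']})")
```

The source 10.9.8.7 touches a virtual host on port 22, which the template emulates, and then on 3389, which it does not; both are alerts, but the second one tells the analyst that Honeyd only reset the connection, so there is no service-level log to look at.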

14. Honeyd Configuration

  • /etc/default/honeyd
  • Sets the default run behavior of honeyd

15. Honeyd Configuration

  • Another daemon that runs alongside honeyd is farpd, which forwards the traffic for the virtual hosts to the main honeyd server.
  • farpd replies to any ARP request for an IP address matching the specified destination net with the hardware MAC address of the specified interface, but only after determining that no other host already claims it.
  • Any IP address claimed by farpd is eventually forgotten after a period of inactivity or after a hard timeout, and is relinquished if the real owner shows up.
  • This enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation.
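The four rules on this slide (answer only inside the destination net, stay silent if a real host claims the address, forget claims after inactivity or a hard timeout, relinquish when the real owner appears) form a small state machine. The Python model below is an added example and is not farpd's own code; the timeout values and the way real hosts are learned (from ARP replies observed on the wire, rather than farpd's own probe) are assumptions made for this illustration.

```python
"""Model of farpd's ARP-claiming behaviour.

Added example, not farpd's own code: a small state machine that follows the
rules on the slide. It answers ARP requests for unclaimed addresses in the
destination net with the monitoring interface's MAC, stays silent when a real
host already claims the address, forgets claims after inactivity or a hard
timeout, and relinquishes a claim when the real owner shows up. The timeout
values and the way real hosts are learned (from observed ARP replies) are
assumptions made for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

INACTIVITY_TIMEOUT = 60.0   # assumed: seconds without traffic before a claim is forgotten
HARD_TIMEOUT = 600.0        # assumed: maximum lifetime of a claim regardless of activity


@dataclass
class Claim:
    claimed_at: float
    last_seen: float


@dataclass
class FarpdModel:
    net: ipaddress.IPv4Network                                 # destination net farpd covers
    mac: str                                                   # MAC of the interface it answers with
    real_hosts: Dict[str, str] = field(default_factory=dict)   # ip -> mac seen on the wire
    claims: Dict[str, Claim] = field(default_factory=dict)     # ip -> active claim

    def _expire(self, now: float) -> None:
        """Drop claims that went idle or outlived the hard timeout."""
        for ip, c in list(self.claims.items()):
            if now - c.last_seen > INACTIVITY_TIMEOUT or now - c.claimed_at > HARD_TIMEOUT:
                del self.claims[ip]

    def on_arp_request(self, target_ip: str, now: float) -> Optional[str]:
        """Return the MAC to answer with, or None to stay silent."""
        self._expire(now)
        if ipaddress.ip_address(target_ip) not in self.net:
            return None            # outside the configured destination net
        if target_ip in self.real_hosts:
            return None            # another host already claims this address
        claim = self.claims.get(target_ip)
        if claim is None:
            self.claims[target_ip] = Claim(claimed_at=now, last_seen=now)
        else:
            claim.last_seen = now  # activity keeps the claim alive
        return self.mac

    def on_arp_reply(self, ip: str, mac: str, now: float) -> None:
        """A real owner announced itself: remember it and relinquish our claim."""
        if mac == self.mac:
            return                 # our own reply, ignore
        self.real_hosts[ip] = mac
        self.claims.pop(ip, None)

    def claimed(self) -> Set[str]:
        return set(self.claims)


def make_model(cidr: str, mac: str) -> FarpdModel:
    return FarpdModel(ipaddress.ip_network(cidr), mac)


def demo() -> List[Optional[str]]:
    """Walk through the slide's scenarios; returns the sequence of answers."""
    farpd = make_model("192.168.1.0/24", "00:00:24:ab:8c:12")
    farpd.on_arp_reply("192.168.1.10", "52:54:00:12:34:56", now=0.0)     # a real server
    answers = [
        farpd.on_arp_request("192.168.1.10", now=1.0),      # real host: silent
        farpd.on_arp_request("192.168.1.201", now=2.0),     # unused: claimed
        farpd.on_arp_request("10.0.0.5", now=3.0),          # other net: silent
        farpd.on_arp_request("192.168.1.201", now=100.0),   # idle > 60 s: forgotten, then re-claimed
    ]
    farpd.on_arp_reply("192.168.1.201", "52:54:00:aa:bb:cc", now=101.0)  # real owner appears
    answers.append(farpd.on_arp_request("192.168.1.201", now=102.0))     # relinquished: silent
    return answers


if __name__ == "__main__":
    for step, answer in enumerate(demo(), 1):
        print(step, "answer" if answer else "silent", answer or "")
```

The last two steps are the case that matters operationally: once a legitimate machine takes 192.168.1.201, the model stops answering for it, so a newly provisioned server is not shadowed by the honeypot host.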

16. Testing Honeyd

  • Use a network scanner (the slide shows an nmap scan) to test whether the virtual hosts respond with the right information.