Presentation of A Virtual Honeypot Framework (people.cs.aau.dk/.../2111-honeypot_framework.pdf)
Presentation of A Virtual Honeypot Framework
Jesper Kristensen
21st November 2005
Paper written by
Niels Provos
for the 13th USENIX Security Symposium
(San Diego, CA, USA, August 9-13, 2004)
Sections: Honeyd a Virtual Honeypot Framework | Evaluation of Honeyd | Performance | Simulated Worm Propagation | Conclusion
Introduction to Honeypot(s)
What is a honeypot?
Physical
Virtual
Usage of honeypots?
Attacks
Worms
Spam mails
Jesper Kristensen Presentation of A Virtual Honeypot Framework
Outline
1 Honeyd a Virtual Honeypot Framework
2 Evaluation of Honeyd
3 Performance
4 Simulated Worm Propagation
5 Conclusion
What is Honeyd | The Architecture of Honeyd | Personality Engine
What is Honeyd
Lightweight virtual honeypot framework.
Routes virtual networks.
Emulates the network stack, not an entire OS.
Architecture
Routing
Dispatcher
Protocol
Services
ICMP Routing
Service Routing
Personality
Fingerprints
Nmap and XProbe.
Initial Sequence Number (ISN)
Receive window size
TCP and UDP using Nmap's fingerprint database.
ICMP using XProbe's database.
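The slide above says the personality engine reads Nmap's fingerprint database and shapes the ISN and receive window of its replies accordingly. The following is an added example, written for this transcript and not code from the slides or from Honeyd itself: it parses one fingerprint written in the first-generation Nmap format (Fingerprint / Class / TSeq / T1..T7 / PU lines), derives the SYN/ACK parameters a personality engine would need (window, DF bit, flags, option order), and generates initial sequence numbers that follow the fingerprint's TSeq class. The fingerprint text is a constructed sample, not an entry copied from the real database, and the helper names are this example's own.

```python
import random
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the first-generation Nmap fingerprint format.
# Values are illustrative only; this is not a real nmap-os-fingerprints entry.
SAMPLE_FINGERPRINT = """\
Fingerprint Example OS 1.0 (constructed sample)
Class Example | Example | 1.X | general purpose
TSeq(Class=RI%gcd=<6%SI=<1B2E4A&>1EA%IPID=I%TS=100HZ)
T1(DF=Y%W=16A0|7FFF%ACK=S++%Flags=AS%Ops=MNNTNW)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=16A0%ACK=S++%Flags=AS%Ops=MNNTNW)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")  # e.g. T1(DF=Y%W=16A0%...)

# TCP option letters used in the Ops field of a first-generation fingerprint.
OPTION_LETTERS = {"M": "MSS", "N": "NOP", "T": "TIMESTAMP",
                  "W": "WSCALE", "S": "SACK_OK", "L": "EOL"}


@dataclass
class Fingerprint:
    name: str
    classes: List[str] = field(default_factory=list)
    tests: Dict[str, Dict[str, str]] = field(default_factory=dict)  # test name -> attributes


def parse_fingerprint(text: str) -> Fingerprint:
    """Parse one fingerprint block into its name, Class lines and per-test attributes."""
    fp = Fingerprint(name="")
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("Fingerprint "):
            fp.name = line[len("Fingerprint "):].strip()
        elif line.startswith("Class "):
            fp.classes.append(line[len("Class "):].strip())
        else:
            m = TEST_LINE.match(line)
            if not m:
                raise ValueError(f"unrecognised fingerprint line: {line!r}")
            name, body = m.groups()
            attrs: Dict[str, str] = {}
            for item in body.split("%"):      # attributes are separated by '%'
                if item:
                    key, _, value = item.partition("=")
                    attrs[key] = value
            fp.tests[name] = attrs
    if not fp.name:
        raise ValueError("fingerprint has no Fingerprint line")
    return fp


def synack_parameters(fp: Fingerprint) -> dict:
    """What a personality engine needs to answer a SYN to an open port (Nmap test T1)."""
    t1 = fp.tests.get("T1", {})
    if t1.get("Resp") == "N":
        return {"respond": False}
    # W may list several acceptable windows separated by '|'; pick the first one.
    window_hex = t1.get("W", "0").split("|")[0]
    return {
        "respond": True,
        "window": int(window_hex, 16),            # receive window advertised in the SYN/ACK
        "dont_fragment": t1.get("DF") == "Y",      # IP DF bit
        "flags": t1.get("Flags", ""),             # e.g. "AS" = ACK+SYN
        "options": [OPTION_LETTERS.get(c, c) for c in t1.get("Ops", "")],
    }


class IsnGenerator:
    """Produce initial sequence numbers that match the fingerprint's TSeq class."""

    def __init__(self, fp: Fingerprint, seed: int = 0):
        tseq = fp.tests.get("TSeq", {})
        self.cls = tseq.get("Class", "TR")
        # gcd is hexadecimal and may carry a '<' or '>' qualifier in the database.
        self.gcd = max(1, int(tseq.get("gcd", "1").lstrip("<>"), 16))
        self.rng = random.Random(seed)
        self.last = self.rng.getrandbits(32)

    def next(self) -> int:
        if self.cls == "C":          # constant ISN
            step = 0
        elif self.cls == "64K":      # increments of 64000
            step = 64000
        elif self.cls == "i800":     # increments of 800
            step = 800
        elif self.cls == "RI":       # random positive increments, multiples of gcd
            step = self.gcd * self.rng.randint(1, 0xFFFF)
        else:                        # TR (truly random), TD and unknown classes
            self.last = self.rng.getrandbits(32)
            return self.last
        self.last = (self.last + step) & 0xFFFFFFFF
        return self.last
```

Running `synack_parameters(parse_fingerprint(SAMPLE_FINGERPRINT))` yields a window of 0x16A0 with the option order MSS, NOP, NOP, TIMESTAMP, NOP, WSCALE, which is exactly the kind of per-personality detail a scanner compares against its database; a honeypot whose stack answers with a different window or option order is what gives the deception away.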
Fingerprint
Ability to deceive
600 distinct fingerprints.
One open port with a web server.
Fingerprints close to those in the Nmap database.
Traceroute finds the network path.
Detect performance between honeypot virtual domains.
Nmap identification of the 600 fingerprints:
Uniquely | List | Failed
555      | 37   | 8
Bandwidth in a Virtual Honeyd Host | Performance in Relation to the Number of Honeypots | Handling of TCP Requests
Network Throughput
1 GHz Pentium III with one 100 Mbit/s network interface.
ICMP echo response rate: 30 Mbit/s.
Configured Honeypots
TCP SYN segments sent to a closed port on random destinations (80,000 times).
Processing time to generate a TCP RST segment.
From 45,000 down to 31,000 packets per second.
Requests per second
End-to-end performance with the echo service.
Measure TCP requests per second.
Over 2,000 transactions per second.
Using honeyd to Capture Worms
Worm Propagation in a Honeyd Network
360,000 vulnerable machines.
150 infected machines at the start, probing at 50 probes per second.
Scenarios:
No honeypots.
4,000 honeypots.
65,000 honeypots.
262,000 honeypots.
Worm Propagation - 1 Hour
Worm Propagation - 20 Minutes
Honeyd | Questions
Honeyd, a Virtual Honeypot Framework
Easy-to-use framework.
Scalable: 262,000 virtual honeypots.
Applicable to real-life systems.
The Paper
Number of configured honeypots and the number of handled requests: what is the normal number for a computer?
More information about their test machines (amount of RAM).
Well written and almost self-contained.