
Presentation of A Virtual Honeypot Framework

Jesper Kristensen

21st November 2005

written by

Niels Provos

for 13th USENIX Security Symposium

(San Diego, CA, USA August 9-13, 2004)

Honeyd a Virtual Honeypot Framework
Evaluation of Honeyd
Performance
Simulated Worm Propagation
Conclusion

Introduction to Honeypot(s)

What is a honeypot?

Physical
Virtual

Usage of honeypots?

Attacks
Worms
Spam mails

Jesper Kristensen Presentation of A Virtual Honeypot Framework


Outline

1 Honeyd a Virtual Honeypot Framework

2 Evaluation of Honeyd

3 Performance

4 Simulated Worm Propagation

5 Conclusion


What is Honeyd
The Architecture of Honeyd
Personality Engine

What is Honeyd

Lightweight virtual honeypot framework.

Routes virtual networks: simulated topologies with virtual routers, link latency and packet loss.

Emulates the network stack of an operating system, not the entire OS.


Architecture


Routing
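Added example (Python written for this page; it is not code from the slides or from Honeyd itself): a small generator for the Honeyd template and routing directives behind the "What is Honeyd" and "Routing" slides, plus a walk over the virtual topology that shows which hops, and how much added latency, a traceroute into the virtual network would see. Addresses, template names, the script path and the latency and loss values are made up; the personality strings are assumed to match an entry in nmap's fingerprint file (honeyd's nmap.prints).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Template:
    """A honeyd template: a personality taken from nmap's fingerprint file plus the
    services bound to TCP ports.  The personality string must match a 'Fingerprint'
    line in nmap.prints; the names used below are assumed to exist there."""
    name: str
    personality: str
    tcp_ports: dict = field(default_factory=dict)  # port -> "open" or a script command


@dataclass
class Router:
    """A virtual router in honeyd's routing tree."""
    addr: str
    links: list = field(default_factory=list)  # subnets reached directly from this router
    nets: list = field(default_factory=list)   # (subnet, next_hop, latency_ms, loss_percent)


def honeyd_config(entry_net, routers, templates, bindings):
    """Render templates, routing tree and bindings as honeyd configuration
    directives.  routers[0] is the entry router that receives all traffic for
    entry_net; bindings maps an IP address to the template emulated there."""
    lines = []
    for t in templates:
        lines.append(f"create {t.name}")
        lines.append(f'set {t.name} personality "{t.personality}"')
        lines.append(f"set {t.name} default tcp action reset")  # closed TCP ports answer with RST
        lines.append(f"set {t.name} default udp action reset")  # closed UDP ports answer unreachable
        for port, action in sorted(t.tcp_ports.items()):
            rendered = action if action == "open" else f'"{action}"'
            lines.append(f"add {t.name} tcp port {port} {rendered}")
    entry = routers[0]
    lines.append(f"route entry {entry.addr} network {entry_net}")
    for r in routers:
        for net in r.links:
            lines.append(f"route {r.addr} link {net}")
        for net, next_hop, latency, loss in r.nets:
            lines.append(f"route {r.addr} add net {net} {next_hop} latency {latency}ms loss {loss}")
    for ip, template in sorted(bindings.items()):
        lines.append(f"bind {ip} {template}")
    return "\n".join(lines) + "\n"


def virtual_path(routers, dst):
    """Follow the routing tree from the entry router to dst the way honeyd forwards
    a packet: each router on the way is a traceroute hop, and every 'add net' link
    adds its configured latency.  Returns (hops, one_way_latency_ms), or (None, 0)
    when no router links or forwards the destination (or the route loops)."""
    by_addr = {r.addr: r for r in routers}
    ip = ipaddress.ip_address(dst)
    hops, latency, router = [], 0, routers[0]
    while True:
        hops.append(router.addr)
        if any(ip in ipaddress.ip_network(net) for net in router.links):
            return hops + [dst], latency
        forward = [(nh, lat) for net, nh, lat, _ in router.nets if ip in ipaddress.ip_network(net)]
        if not forward or forward[0][0] not in by_addr or forward[0][0] in hops:
            return None, 0
        next_hop, lat = forward[0]
        latency += lat
        router = by_addr[next_hop]


def demo_topology():
    """Constructed topology: an entry router, a second router 55 ms away with 0.1 %
    loss, and one Windows host behind it.  All values are made up."""
    routers = [
        Router("10.0.0.1", links=["10.0.0.0/24"], nets=[("10.0.1.0/24", "10.0.1.1", 55, 0.1)]),
        Router("10.0.1.1", links=["10.0.1.0/24"]),
    ]
    templates = [
        Template("router", "Cisco 1601R router running IOS 12.1(5)"),
        Template("windows", "Microsoft Windows XP Professional SP1",
                 {80: "sh scripts/web.sh", 139: "open"}),
    ]
    bindings = {"10.0.0.1": "router", "10.0.1.1": "router", "10.0.1.10": "windows"}
    return routers, templates, bindings


if __name__ == "__main__":
    routers, templates, bindings = demo_topology()
    print(honeyd_config("10.0.0.0/16", routers, templates, bindings))
    print(virtual_path(routers, "10.0.1.10"))  # (['10.0.0.1', '10.0.1.1', '10.0.1.10'], 55)
```

Scaling the topology to thousands of honeypots is a matter of emitting more bind lines; nothing else in the configuration grows per honeypot, which is what the later performance slides measure.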


Dispatcher


Protocol


Services


ICMP Routing


Service Routing


Personality


Fingerprints

Based on the Nmap and XProbe fingerprint databases.

Adjusted per personality: Initial Sequence Number (ISN) generation, receive window size.

TCP and UDP behaviour uses Nmap's fingerprint database.

ICMP behaviour uses XProbe's database.
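Added example (Python written for this page; not code from the slides or from Honeyd): the basic mechanism of the personality engine. It parses one fingerprint entry in the first-generation nmap-os-fingerprints layout, derives the reply a honeypot with that personality should give to nmap's T1 probe (SYN to an open port) and T5 probe (SYN to a closed port), that is DF bit, window size, ack number, flags and option order, and generates initial sequence numbers following the TSeq class. The fingerprint entry itself is constructed for illustration, and taking the first of alternative values such as FAF0|402E is an assumption made here, not necessarily Honeyd's choice.

```python
import random
import re

# Constructed fingerprint in the first-generation nmap-os-fingerprints layout, the
# format honeyd's nmap.prints file uses.  Values are illustrative, not a real OS.
SAMPLE_FINGERPRINT = """\
Fingerprint Example OS 1.0
TSeq(Class=RI%gcd=<6%SI=<1F4B%IPID=I%TS=100HZ)
T1(DF=Y%W=FAF0|402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=Y%DF=Y%W=FAF0%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")


def parse_fingerprint(text):
    """Return (os_name, {test_name: {field: value}}) for one fingerprint entry."""
    name, tests = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]
            continue
        m = TEST_LINE.match(line)
        if not m:
            continue
        fields = {}
        for kv in m.group(2).split("%"):
            if kv:
                key, _, value = kv.partition("=")
                fields[key] = value
        tests[m.group(1)] = fields
    return name, tests


OPTION_CODES = {"M": "mss", "N": "nop", "W": "wscale", "T": "timestamp", "E": "eol"}


def probe_reply(tests, probe, probe_seq, mss=1460):
    """Reply a honeypot with this personality should send to one of nmap's TCP
    probes (T1 = SYN to an open port, T5 = SYN to a closed port, ...): DF bit,
    window, ack number, flags and option order.  Where the fingerprint lists
    alternatives such as FAF0|402E the first one is taken (an assumption made
    here; honeyd's own choice may differ).  None means 'send no reply'."""
    t = tests[probe]
    if t.get("Resp", "Y") == "N":
        return None
    window = int(t["W"].split("|")[0], 16)
    ack = {"S++": probe_seq + 1, "S": probe_seq, "O": 0}[t["ACK"]]
    defaults = {"mss": mss, "nop": None, "wscale": 0, "timestamp": 0, "eol": None}
    options = [(OPTION_CODES[c], defaults[OPTION_CODES[c]]) for c in t["Ops"]]
    return {
        "df": t["DF"] == "Y",
        "window": window,
        "ack": ack,
        "flags": set(t["Flags"]),  # A = ACK, S = SYN, R = RST
        "options": options,
    }


class IsnGenerator:
    """Initial sequence numbers following the fingerprint's TSeq class: TR = truly
    random, RI = random positive increments that are multiples of gcd, C = constant,
    64K / i800 = fixed increments.  Seeded so the behaviour is reproducible."""

    def __init__(self, tseq, seed=1, max_step=0x1F4B):
        self.cls = tseq["Class"]
        self.gcd = int(tseq.get("gcd", "1").lstrip("<>"), 16) or 1
        self.rng = random.Random(seed)
        self.last = self.rng.getrandbits(32)
        self.max_mult = max(1, max_step // self.gcd)

    def next(self):
        if self.cls == "TR":
            self.last = self.rng.getrandbits(32)
        elif self.cls == "RI":
            self.last = (self.last + self.gcd * self.rng.randint(1, self.max_mult)) & 0xFFFFFFFF
        elif self.cls == "64K":
            self.last = (self.last + 64000) & 0xFFFFFFFF
        elif self.cls == "i800":
            self.last = (self.last + 800) & 0xFFFFFFFF
        # class C: constant ISN, self.last is left unchanged
        return self.last
```

The T5 case is the closed-port RST that the performance slides later measure: the personality decides whether the RST carries DF, what window it advertises and that it has no options, so even a "closed" port looks like the claimed operating system.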


Fingerprint


Ability to deceive

600 distinct fingerprints, each configured as a honeypot with one open port running a web server.

The fingerprints Honeyd produced were close to those in the nmap database.

Traceroute follows the configured virtual network path.

The latency configured between the virtual network segments shows up in the measured round-trip times.

Nmap identification of the 600 fingerprints:

Uniquely identified: 555
Listed among several candidates: 37
Failed: 8


Bandwidth in a Virtual Honeyd Host
Performance in Relation to the Number of Honeypots
Handling of TCP Request


Network Throughput

1 GHz Pentium III with one 100 Mbit/s network interface.

ICMP echo reply rate: about 30 Mbit/s.


Configured Honeypots

TCP SYN segments sent to a closed port on random destinations (80,000 times).

Measured: the processing time needed to generate the TCP RST reply, as the number of configured honeypots grows.

Throughput drops from 45,000 to 31,000 packets per second.


Requests per second

End-to-end performance measured with an echo service.

Metric: TCP requests per second.

Over 2,000 transactions per second.


Using honeyd to Capture Worms


Worm Propagation in a Honeyd Network

360,000 vulnerable machines.

150 initially infected machines, each sending 50 probes per second.

Scenarios compared:

No honeypots.

4,000 honeypots.

65,000 honeypots.

262,000 honeypots.
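Added example (Python written for this page; it is not the paper's simulator and does not reproduce its figures): a mean-field model of the scenario on the slide above, with the slide's parameters. Assumptions that the slide does not state and that are mine: probes go to uniformly random IPv4 addresses, a probe that reaches a still-vulnerable host infects it, and a probe that reaches a honeypot lets the honeypot immunize the probing host, as a honeypot that has captured the worm could do. The four honeypot counts from the slide are compared by calling simulate() with each.

```python
# Added mean-field worm model; parameters from the slide, model assumptions mine.
ADDRESS_SPACE = 2 ** 32       # IPv4 addresses a random scanner can pick from (assumption)
VULNERABLE = 360_000          # slide: vulnerable machines
INITIAL_INFECTED = 150        # slide: initially infected machines
PROBES_PER_SECOND = 50        # slide: probes per infected machine per second


def simulate(honeypots, seconds=3600, dt=1.0, *, vulnerable=VULNERABLE,
             infected0=INITIAL_INFECTED, rate=PROBES_PER_SECOND, space=ADDRESS_SPACE):
    """Advance the expected counts in steps of dt seconds.

    Each step, infected hosts send rate*infected*dt probes.  The fraction
    susceptible/space of them lands on a still-vulnerable host and infects it; the
    fraction honeypots/space lands on a honeypot, which immunizes the sender
    (assumed honeypot response).  Returns (infected, immune, history) where
    history is a list of (t, infected)."""
    susceptible = float(vulnerable - infected0)
    infected = float(infected0)
    immune = 0.0
    history = [(0.0, infected)]
    steps = int(round(seconds / dt))
    for step in range(1, steps + 1):
        probes = rate * infected * dt
        new_infections = min(probes * susceptible / space, susceptible)
        new_immune = min(probes * honeypots / space, infected)
        susceptible -= new_infections
        infected += new_infections - new_immune
        immune += new_immune
        history.append((step * dt, infected))
    return infected, immune, history


def infected_after(honeypots, seconds=3600):
    """Expected number of infected machines after `seconds`."""
    return simulate(honeypots, seconds)[0]


def peak_infected(honeypots, seconds=3600):
    """Largest infected count reached during the run."""
    return max(i for _, i in simulate(honeypots, seconds)[2])


def time_to_fraction(honeypots, fraction, seconds=3600):
    """First time (s) at which infected >= fraction * VULNERABLE, or None if the
    worm never gets that far within the run."""
    target = fraction * VULNERABLE
    for t, i in simulate(honeypots, seconds)[2]:
        if i >= target:
            return t
    return None


if __name__ == "__main__":
    for h in (0, 4_000, 65_000, 262_000):
        inf, imm, _ = simulate(h)
        print(f"{h:>7} honeypots: infected after 1 h = {inf:9.0f}, immunized = {imm:9.0f}")
```

With no honeypots the model saturates well inside the hour (the "1 Hour" figure's time scale); with 262,000 honeypots the immunization rate is close to the infection rate, so the worm only creeps along. How fast containment sets in depends on the assumed immunization response, which is why that assumption is spelled out above.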


Worm Propagation - 1 Hour


Worm Propagation - 20 Minutes


Honeyd
Questions


Honeyd, a Virtual Honeypot Framework

Easy-to-use framework.

Scales to 262,000 virtual honeypots.

Applicable to real-life systems.


The Paper

How do the number of configured honeypots and the number of handled requests compare with what a normal computer handles?

More information about the test machines (amount of RAM) would be useful.

Well written and almost self-contained.


Questions
