Wormholes and a Honeyfarm: Automatically Detecting Novel Worms (and other random stuff)

Page 1: Title slide

Nicholas Weaver
Vern Paxson
Stuart Staniford

UC Berkeley
ICIR
ICIR Silicon Defense

Page 2: Problem: Automatically Detecting New Worms

• Detect a new worm on the Internet before many machines are infected
  – Use this information to guide defenses
  – 30-60 seconds to detect (and stop) Slammer
• Honeypots are accurate detectors
  – Monitor egress to detect worms
  – k vulnerable honeypots will detect a worm when ~1/k of the vulnerable machines are infected
  – But impractical
    • Cost: time, not machines
    • Trust: must trust all honeypots!
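An added Monte Carlo illustration of the "~1/k" claim above (example code, not from the slides): a random-scanning worm spreads through a constructed population in which k of the vulnerable hosts are honeypots, and detection is the moment the worm first reaches one of them, since that honeypot's egress monitor then sees the worm scanning out. Address-space size, host counts and scan rate are constructed parameters.

```python
import random

def simulate_scanning_worm(addr_space, n_vulnerable, k_honeypots, scans_per_tick, rng=None):
    """One trial of a random-scanning worm against a honeypot population.

    Each infected host probes `scans_per_tick` uniformly random addresses per
    tick (an abstract time step). Returns (tick, fraction): the tick in which
    the first probe reached a honeypot, i.e. when that honeypot's egress
    monitor would see the worm try to spread, and the share of the real
    vulnerable hosts already infected by then.
    """
    rng = rng or random.Random(0)
    addrs = rng.sample(range(addr_space), n_vulnerable + k_honeypots)
    vulnerable = set(addrs[:n_vulnerable])
    honeypots = set(addrs[n_vulnerable:])
    infected = {addrs[0]}          # constructed: patient zero is one real vulnerable host
    tick = 0
    while True:
        tick += 1
        # hosts infected during this tick only start scanning on the next one
        for _ in range(len(infected) * scans_per_tick):
            target = rng.randrange(addr_space)
            if target in honeypots:
                return tick, len(infected) / n_vulnerable
            if target in vulnerable:
                infected.add(target)
        if k_honeypots == 0 and len(infected) == n_vulnerable:
            return tick, 1.0       # no honeypots at all: the worm saturates unseen

def mean_fraction_at_detection(k_honeypots, trials=200, seed=7):
    """Average infected fraction when the first of k honeypots fires.
    Constructed population: 2^14 addresses, 500 real vulnerable hosts, 2 scans/tick."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        total += simulate_scanning_worm(1 << 14, 500, k_honeypots, 2, rng)[1]
    return total / trials

if __name__ == "__main__":
    for k in (1, 4, 9, 49):
        print(f"k={k:2d} honeypots: detected at ~{mean_fraction_at_detection(k):.3f} "
              f"of vulnerable hosts infected (1/(k+1) = {1 / (k + 1):.3f})")
```

Because every probe is an independent uniform draw, the order in which vulnerable hosts and honeypots are first touched is a uniformly random permutation, so the expected fraction infected at detection is about 1/(k+1) regardless of the scan rate; the rate only changes how many seconds that fraction corresponds to.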

Page 3: Idea: Split the Network Endpoints from the Honeypots

• Wormholes are traffic tunnels
  – Routes connections to a remote system
  – Untrusted endpoints
• Honeyfarm consists of Virtual Machine honeypots
  – Create virtual honeypots on demand
    • See honeynet.org
  – Route internally generated traffic to other images
• Classify based on what can be infected

Page 4: How Wormholes Work

• Low cost “appliance”:
  – Plugs into network, obtains address through DHCP
  – Contacts the Honeyfarm
  – Reconfigures local network stack
    • Fool nmap-style detection
  – Forwards all traffic to/from the Honeyfarm
• Clear Box:
  – Deployers have source code
• Restrictions built into the wormhole code so it doesn't trust the honeyfarm, can't contact the local network!
• Instead of / in addition to wormholes, one can...
  – Route small telescopes to the honeyfarm
  – Route ALL unused addresses in an institution...

Page 5: How a Honeyfarm Works

• Creates Virtual Machine images to implement Honeypots
  – Using VMware or similar
  – Images exist "in potential" until traffic received
• Niels Provos suggested: Use honeyd as a first pass filter
  – Completes the illusion that a honeypot exists at every wormhole location
• Any traffic received from wormhole
  – Activate and configure a VM image
  – Forward traffic to VM image
• Honeypot image generated traffic is monitored and redirected

[Diagram: a Wormhole with IP aa.bb.cc.dd tunnels into the Honeyfarm, which holds VM images at IP xx.xx.xx.xx (two of them), IP aa.bb.cc.dd and IP aa.bb.cc.ee]

Page 6: What Could We Automatically Learn From a Honeyfarm?

• A new worm is in the Internet
  – Triggered based on ability to infect VMs
• What the worm is capable of
  – Types of vulnerable configurations
    • Including patch level
    • Creates a “Vulnerability Signature”
  – Some overt, immediate malicious behavior
    • Immediate file erasers etc.
  – Possible attack signatures
• Works best for tracking:
  – Human attackers
  – Scanning worms
    • Slow enough to react effectively
    • Randomness hits wormholes

Page 7: What Trust is Needed?

• Wormhole deployers:
  – Need to trust wormhole devices, not the honeyfarm operator
• Honeyfarm operator:
  – Attackers know of some wormholes, but most are generally unknown
    • Wormhole locations are “open secrets”
  – Does not trust wormhole deployers
    • Detection is based on infected honeypots, not traffic from a wormhole
    • Dishonest wormholes are filtered out
• Responding systems receiving an alert:
  – Either the honeyfarm and operator are honest and uncompromised
  – OR rely on multiple, independent honeyfarms all raising an alarm
    • "If CERT and DOD-CERT say..."
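An added toy model of the honeyfarm's control loop (example code, not the authors' design or implementation) tying together the on-demand images of page 5, the vulnerability signature of page 6, and the trust rule of page 7 that an alert comes from an infected honeypot, never from what a wormhole forwards. Configuration labels, payload tags and addresses are constructed, and the template table stands in for actually exercising a VM.

```python
from collections import defaultdict

# Constructed image catalogue: config label -> payload tags that compromise it.
# This table stands in for the real check, "did the VM actually get infected?".
TEMPLATES = {
    "os-A-unpatched": {"exploit-X", "exploit-Y"},
    "os-A-patched": {"exploit-Y"},
    "os-B": set(),
}

class Honeyfarm:
    def __init__(self, templates, wormhole_config="os-A-unpatched"):
        self.templates = templates
        self.wormhole_config = wormhole_config  # image backing a wormhole address
        self.images = {}                        # ip -> image; "in potential" until traffic arrives
        self.infected_by = defaultdict(set)     # payload -> configurations it infected
        self.alerts = []                        # (source image, payload) raised by the egress monitor

    def _activate(self, ip, config):
        # honeyd answers the first probes; a VM is only instantiated once traffic arrives
        if ip not in self.images:
            self.images[ip] = {"config": config, "infected": False}
        return self.images[ip]

    def from_wormhole(self, wormhole_ip, payload):
        # Traffic forwarded by a wormhole goes to the image standing in for that
        # address. On its own it never raises an alert: a dishonest wormhole may
        # send anything, but only an actual infection counts as evidence.
        self._deliver(wormhole_ip, self.wormhole_config, payload)

    def _deliver(self, ip, config, payload):
        img = self._activate(ip, config)
        if not img["infected"] and payload in self.templates[img["config"]]:
            img["infected"] = True
            self.infected_by[payload].add(img["config"])
            self._egress(ip, payload)  # the image now emits the worm's own traffic

    def _egress(self, src_ip, payload):
        # Traffic generated inside the farm never leaves. It is the detection
        # signal, and it is re-routed to one image of every configuration, which
        # is how the farm learns what the worm can infect.
        self.alerts.append((src_ip, payload))
        for config in self.templates:
            self._deliver(f"farm-internal:{config}", config, payload)

    def vulnerability_signature(self, payload):
        """Configurations (including patch level) this payload was able to infect."""
        return sorted(self.infected_by[payload])
```

A wormhole replaying traffic that infects nothing leaves `alerts` empty, while a payload that does take an image produces both the alert and the list of configurations it can infect.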

Page 8: Status and Acknowledgements

• Status: Paper design
  – Idea, attacks, costs, development time
• Lots of attacks on the honeyfarm system and possible defenses
• Plan to build honeyfarm first, attached to a small telescope
• Wormholes can be built for <$350, no moving parts, 50 Watts power, quantity 1
• Acknowledgements:
  – Honeypot technology: Honeynet project, honeyd, DTK
  – Feedback from many people: Stefan Savage, David Moore, David Wagner, Niels Provos, etc. etc. etc.

Page 9: Random Slide: 1 Gb (ASAP), 10 Gb (+2-3 years)

• Need wiring-closet defenses:
  – As close to the endpoint as possible, need to be reprogrammable
  – <$1000 for GigE today (build for $500)
    • Optical ideal, +$100 for 1000-Base-T
  – <$2000 for 10GigE in 2-3 years (build for $1000)
  – New FPGAs with SERDESes, embedded processors, massive parallelism and pipelining

[Board diagram: an FPGA with two DIMMs, three SX transceivers and two 1000-Base-T PHYs]

Page 10: Random Slide: Colonel John R. Boyd’s OODA “Loop”

Note how orientation shapes observation, shapes decision, shapes action, and in turn is shaped by the feedback and other phenomena coming into our sensing or observing window.

Also note how the entire “loop” (not just orientation) is an ongoing many-sided implicit cross-referencing process of projection, empathy, correlation, and rejection.

From “The Essence of Winning and Losing,” John R. Boyd, January 1996.

[Diagram of Boyd's OODA loop: Observe (unfolding circumstances, outside information, unfolding interaction with environment) feeds forward into Orient (cultural traditions, genetic heritage, new information, previous experience, analyses & synthesis), which feeds forward into Decide (hypothesis) and Act (test); implicit guidance & control runs from Orient back to Observe and Act, and feedback from Decide and Act returns to Observe]

From Defense and the National Interest, http://www.d-n-i.net, copyright 2001 the estate of John Boyd. Used with permission.

Page 11: Random Slide: What is the OODA loop?

• The OODA (Observe, Orient, Decide, Act) cycle was designed as a semi-formal model of adversarial decision making
  – Really a complex nest of feedback loops
  – Originally designed to represent strategic and tactical decision-making
    • Implicit shortcuts are critical in human-based systems
  – Every participant or group has its own OODA loop
• Attack the opponent’s decision making process
  – Avoid/confuse/manipulate the opponent’s observation/detection
    • Stealthy worms
  – Take advantage of errors in orientation/analysis
    • Not yet but will begin to happen!
  – Move faster than the opponent’s reaction time
    • Why autonomous worms outrace “human-in-the-loop” systems
    • Reactive worm defenses need fully-automated OODA loops
• The fastest, accurate OODA loop usually wins

Page 12: Random Slide: Automated OODA Loops

• Since both the worms and worm-defense routines are automatic while a fast worm is spreading, the OODA loops are much simpler
  – No implicit paths, everything is now explicit
    • Orientation and decision making are combined
  – Communication is also made explicit
  – The OODA loops are shaped by the designer’s goals, objectives, and skills
• Observation is often critical for both sides

[Diagram of the automated loop: Observe (passive, local, active) feeds Orient/Decide (automatic decision making), which controls Act (actions); control and information flow forward, feedback and communication return through interaction with the environment]