Seguretat en xarxes informàtiques Autor: Lluís Pérez Vidal Curs Xarxes Linux.ICE-UPC Honeypots Honeypots “A un panal de rica miel...”

Seguretat en xarxes informàtiques Autor: Lluís Pérez Vidal Curs Xarxes Linux.ICE-UPC El honeypot Aquest capítol és una part de Aquest capítol és una part de events/workshop_tnc06/noah_worksho p_markatos_v1.ppt Podeu referir-vos-hi per tenir més informació..

What is a honeypot? An “undercover” computer – which has no ordinary users – which provides no regular service Or a few selected services if needed – Just waits to be attacked… Its value lies on being compromised – Or in being exploited, scanned, etc. Honeypots are an “easy” target – But heavily monitored ones If attacked, they log as much information as possible

When was a honeypot first used? First widely publicized use: The cuckoo’s egg – By Cliff Stoll Cliff Stoll noticed a 75-cent accounting error in the computer he managed – This led Cliff to discover an intruder named “Hunter” – Instead of shutting “Hunter” out, Cliff started to study him – He connected the modem lines to a printer – He created dummy “top-secret” directories to “lure” “Hunter” into coming back – He was paged every time “Hunter” was in – He traced “Hunter” to a network of hackers Paid in cash and drugs and Reporting directly to KGB

How do we receive attacks? Three types of sensors: – Traditional honeypots who wait to be attacked – Collaborating organizations who install low-interaction honeypots and forward “interesting” attacks to NoAH core – A “screensaver” who forwards all unwanted traffic to NoAH Unwanted traffic received at – unused IP addresses – unused TCP/UDP ports

The NoAH architecture

Traditional Honeypots Low Interaction Honeypot listening to a single IP address of the dark space – Filters out unwanted traffic Which is not part of an attack High Interaction honeypots for providing responses

How about limited address space? Number of “traditional” honeypots is usually limited, They cover a small percentage of the IP address space Problem: they may see attack too late Solution: Monitor dark space What is Dark IP Address Space? – Unused IP addresses – IP addresses not associated with any computer – Some organizations (i.e. Universities) have lots of Dark IP address space Assign portions of dark space to this limited number of honeypots Funnel: map the dark space to a single or a few IP addresses

Funneling

Monitoring Dark Space of Cooperating Organizations So, where are we going to find the Dark Space? Collaborating Organizations Organizations may participate in NoAH but lack the ability to maintain a honeypot Packets targeting organization’s black space are tunneled to the honeypots of NoAH core

The NoAH architecture

a honeypot daemon – Run in at home (or at small office) – Run in the background, send all the traffic from the dark space to NoAH core for processing – Dark Space: Unused IP addresses Internal IP addresses Unused ports (or a selected subset of them) – Attackers think they communicate with a home computer but actually talk with honeypots at NoAH core

Empower the people – To help us fight cyberattacks With minimal installation overhead Minimal runtime overhead Appropriate for small organizations – Who want to contribute – But do not have the technical knowledge To install/maintain a full-fledged honeypot

illustrated