NoAH Spiros Antonatos Distributed Computing Systems Lab (DCS) Institute of Computer Science.


NoAH
Spiros Antonatos, Distributed Computing Systems Lab (DCS), Institute of Computer Science (ICS), Foundation for Research and Technology Hellas (FORTH)
The “eyes and ears” of the NoAH project

NoAH Terena Networking Conference May 2008 Spiros Antonatos
Outline
Motivation
Architecture
Challenges and how to face them
Conclusions

A few words about NoAH
Network of Affined Honeypots
EU-funded 3 year project ( )
Develop an infrastructure to detect and provide early warning of cyberattacks
Gather and analyse information about the nature of these attacks
More info at

Motivation
Monitoring of unused IP address space yields interesting results
Honeypots are a useful tool to improve network security... but they are hard to install, configure and maintain
The more address space they cover, the more effective honeypots are
Monitored space should not be static, otherwise it is vulnerable to blacklisting

What are honeypots?
Computer systems that do not provide production services
Listening on unused IP address space
Intentionally made vulnerable
Closely monitored to analyse attacks directed at them
Usually run inside a containment environment
–Virtual machines

Facts
There is unused IP address space
–Large universities and research centers
  UCSD: allocated a /8, only a few thousand addresses used
  FORTH, UoC: allocated a /16 each, utilization under 40%
–Organizations and private companies
–Public domain bodies
–Upscale home users
–NAT-based home networks

Our approach
Social aspect
–Empower people to set up honeypots
–With minimal installation overhead
–Minimal runtime overhead
Appropriate for organizations
–Who want to contribute
–But do not have the technical knowledge to install/maintain a full-fledged honeypot

Enables willing users and organizations to effortlessly participate in a distributed honeypot infrastructure
–No configuration needed, install and run
–Both Windows and Linux platforms
Runs in the background, sends all traffic from the dark space to the NoAH core for processing
Attackers think they are communicating with a home computer but are actually talking to honeypots

Install…

…and run
1. Running in the background
2. Creating a new virtual interface
3. Getting an IP address from the DHCP server

Features
Can obtain an address from DHCP or statically
BPF filters can be used
–Useful to get traffic from the whole unused subnet
NAT detection and automatic port forwarding
–Mostly for DSL users and small enterprises that are behind NAT
Graphic overview of traffic statistics captured by the client
Automatic updates

Screenshots

But I only have one IP address…
Dial-up/cable users do not have extra IP addresses
Monitoring of unused port space for such cases
–Users are unlikely to run servers
–Select a set of ports and monitor those which are not bound
–Stop monitoring a port when it gets bound
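The port-space selection described on this slide, as an added illustration (not the NoAH client's own code): candidate ports are probed by attempting a local bind, only the unbound ones are watched, and a refresh drops any port a real application has claimed since. The probe-by-bind technique and the 127.0.0.1 loopback scenario are assumptions of this example.

```python
import errno
import socket

def is_bound(port, host="127.0.0.1"):
    """True if a local process already holds TCP `port` (or we may not take it).
    Probe by binding without SO_REUSEADDR: an existing LISTEN socket makes it fail."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as e:
            if e.errno in (errno.EADDRINUSE, errno.EACCES):
                return True
            raise
    return False

class PortMonitor:
    """Keeps the subset of candidate ports that are currently unbound and therefore
    safe to watch; refresh() drops any port a real service has claimed since."""
    def __init__(self, candidates):
        self.candidates = set(candidates)
        self.monitored = set()

    def refresh(self):
        self.monitored = {p for p in self.candidates if not is_bound(p)}
        return self.monitored

def demo():
    """Constructed scenario: a local 'application' listens on one candidate port;
    the monitor must skip it, and may reclaim it once the application exits."""
    app = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    app.bind(("127.0.0.1", 0))
    app.listen()
    busy = app.getsockname()[1]
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        probe.bind(("127.0.0.1", 0))
        free = probe.getsockname()[1]          # ephemeral port, released on close
    mon = PortMonitor({busy, free})
    before = set(mon.refresh())
    app.close()                                # application stops: port is free again
    after = set(mon.refresh())
    return busy, free, before, after
```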

Handoff
Backend architecture: clients connect to a honeypot core
Communication is done over port 80
Honeyd as front-end to filter out scans
–Filters out scans and unfinished connections
Honeyd hands off the connection to Argos
Argos is an instrumented virtual machine able to catch zero-day exploits without the danger of getting infected
(Diagram labels: Attacker, Attack, Honeyd, Forward, Honeypot core)

Challenges
We cannot trust clients
–Anyone will be able to set one up
Addresses of clients must remain hidden
Addresses of servers must also remain hidden
–Honeypots may become victims of direct attacks
–Attackers can blacklist them to blind the honeypot core
Computer-based mass installation of mockup clients should be prevented

Hiding honeypots and clients
Use of an anonymous communication system
Onion routing is an attractive solution
–Prevents eavesdropping attacks
–Based on a set of centralized nodes (onion routers)
–Even when a router is compromised, privacy is preserved
Tor, an implementation of second generation onion routing
–Provides both client- and server-side anonymity

Preventing automatic installation
Goal: prevent mass installation of maliciously controlled clients
CAPTCHAs as a proposed solution
–Instruct a human to solve a visual puzzle
–Puzzle cannot be identified by a computer
–Puzzle can also be an audio clip

Enhancing CAPTCHAs
Attackers may post the image to their own site and use its visitors to solve it
Adding animation to avoid CAPTCHA laundering
User clicks on the correct (animated) answer to continue with the registration
–Animation prevents users from providing static responses, like “I clicked the upper left corner”
We use Java applet technology

Enhancing CAPTCHAs

Summary
is an easy way to set up a virtual honeypot on every home PC
Just install and run, no maintenance cost
Two main challenges: protect the identity of users and honeypots, and prevent massive installations
Available at

NoAH backup slides

First and last OR in path compromised

Creating a Location Hidden Server
Server creates onion routes to “introduction points”
Server gives the intro points’ descriptors and addresses to the service lookup directory
Client obtains the service descriptor and intro point address from the directory

Using a Location Hidden Server
Client creates an onion route to a “rendezvous point”
Client sends the address of the rendezvous point and any authorization, if needed, to the server through the intro point
If the server chooses to talk to the client, it connects to the rendezvous point
The rendezvous point mates the circuits from client and server

How onion routing works (1/1)
(Diagram: Alice, onion routers R1 to R4 among other routers R, Bob)
Sender chooses a random sequence of routers
–Some routers are honest, some controlled by attacker
–Sender controls the length of the path

Shielding Tor against attacks
Onion routing is subject to timing attacks
–If the attacker has compromised the first and last routers of the path, then she can perform correlation
Solution: client sets itself as first router
–Tor clients can also act as routers
Honeypot can also set up a trusted first router
Both ends of the path are then not controlled by the attacker

How onion routing works
(Diagram: Alice sends the layered message below along R1, R2, R3, R4 to Bob)
{R2, k1}pk(R1), { {R3, k2}pk(R2), { {R4, k3}pk(R3), { {B, k4}pk(R4), {M}k4 }k3 }k2 }k1
Sender chooses a random sequence of routers
Some routers are honest, some controlled by attacker
Sender controls the length of the path
Routing info for each link is encrypted with the router’s public key
Each router learns only the identity of the next router
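The layered construction on the two onion-routing slides, worked as an added example (not code from the NoAH project or from Tor): the sender wraps {next hop, k_i} and the inner layer for each router from the innermost outward, and each router can strip exactly one layer and learn only its successor. Assumptions of this example: the per-hop key k_i is derived from a toy Diffie-Hellman exchange with the router's public value standing in for pk(R_i), and a SHA-256 counter keystream stands in for the symmetric cipher; neither is a secure choice.

```python
import hashlib, json, os

# Toy Diffie-Hellman group, chosen for readability: NOT a secure parameter set.
P = 2**127 - 1
G = 3

def keygen():  # (private, public) for one router; public plays the role of pk(R_i)
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 2
    return x, pow(G, x, P)

def layer_key(shared):
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def xor_stream(key, data):
    """Toy stream cipher (SHA-256 counter keystream); no integrity, illustration only."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def build_onion(route, dest, message):
    """route = [(name, pub)] for R1..Rn. Wrap innermost layer first: for hop i the
    layer holds {R_i+1, k_i} recoverable only with R_i's key, and {inner} under k_i."""
    next_hops = [name for name, _ in route[1:]] + [dest]
    layer = message
    for (_, pub), nxt in reversed(list(zip(route, next_hops))):
        x, eph = keygen()                      # ephemeral DH share for this hop
        k = layer_key(pow(pub, x, P))          # k_i, shared only by sender and R_i
        plain = json.dumps({"next": nxt, "inner": layer}).encode()
        layer = {"eph": eph, "blob": xor_stream(k, plain).hex()}
    return layer

def peel(priv, layer):
    """What router R_i can do: derive k_i, strip one layer, learn only the next hop."""
    k = layer_key(pow(layer["eph"], priv, P))
    inner = json.loads(xor_stream(k, bytes.fromhex(layer["blob"])))
    return inner["next"], inner["inner"]

def relay(routers, first_hop, onion):
    learned, hop, payload = {}, first_hop, onion
    while hop in routers:
        nxt, payload = peel(routers[hop], payload)
        learned[hop] = nxt                     # the only fact R_i learns: its successor
        hop = nxt
    return hop, payload, learned

def demo(message="hello from Alice"):
    keys = {name: keygen() for name in ("R1", "R2", "R3", "R4")}
    route = [(n, pub) for n, (_, pub) in keys.items()]
    onion = build_onion(route, "Bob", message)
    return relay({n: priv for n, (priv, _) in keys.items()}, "R1", onion)
```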

Hidden services
In the previous examples, Alice needed to know the address of Bob
–That is, the client needs to know the address of the honeypots
–We need to hide our honeypots
Tor offers hidden services
–Clients only need to know an identifier for the hidden service
–This identifier is a DNS name of the form “xyz.onion”
–“.onion” is routable only through Tor

Hidden services in action
A hidden service that actually forwards to Google.com

Detectability issues
The delay introduced by Tor is an indication of the presence of the client

Scanning home subnets
Scan for port 80 at 10 diverse subnets
7% of the hosts respond on the port consistently