Evangelos Markatos, FORTH NoAH: A Network of Affined Honeypots : Current State and Collaboration Opportunities.

Presentation transcript:

NoAH: A Network of Affined Honeypots: Current State and Collaboration Opportunities
Evangelos Markatos
Institute of Computer Science (ICS)
Foundation for Research and Technology – Hellas (FORTH)
Crete, Greece
The NoAH project

Roadmap
The problem:
–The trust that we used to place in our network is slowly eroding away
We are being attacked
–Viruses, worms, Trojans and keyboard loggers continue to plague our computers
What do people say about this?
–Europe: ENISA
–USA: PITAC
What can be done? The NoAH approach
–Understand the mechanisms and causes of cyberattacks
–Automate the detection of, fingerprinting of, and reaction to cyberattacks
Summary and conclusions

The erosion of trust on the Internet
We used to trust the computers we interacted with on the Internet
–Not any more…
–Address bar spoofing: do you know that the web server is the real one?
We used to trust our network
–Not any more… Our own network is the largest source of all attacks
We used to trust our own computer
–Not any more… (keyboard loggers can easily get all our personal information)

The erosion of trust on the Internet
We used to trust our own eyes with respect to the content we were viewing on the Internet
–Not any more…
–Phishing: sophisticated social engineering
  Attackers send users e-mail on behalf of a legitimate sender (e.g. a bank)
  Inviting them to sign up for a service
  When users click, they are asked to give their password
  Users think they give their password to the bank
  But it ends up in the attacker’s database

A sophisticated phishing attack: setting the stage
Attackers send e-mail inviting Bank of America customers to change their address on-line

A phishing attack: hiding the tracks
The Bank of America web site opens in the background
A pop-up window (from www.bofalert.com) requests the user name and password
[Screenshot: the legitimate web site with the pop-up window in front of it]

The boiling cauldron of security
Security on the Internet is getting increasingly important
–Worms, viruses and Trojans continue to disrupt our everyday activities
–Spyware and backdoors continue to steal our credit card numbers and our passwords, and snoop into our private lives
–Keyboard loggers can empty our bank accounts if they choose to do so

It used to be a problem of PCs
Not any more…
PocketPC virus:
–Duts
Mobile phone virus:
–Cabir
–Infects the Symbian operating system

Mobile phone viruses: the Mosquitos virus
Mosquitos virus:
–Attaches itself to an illegal copy of the “Mosquitos” game
–Once installed, it starts sending potentially expensive SMS messages to premium numbers
–“Free to download” but “expensive to play”

The CommWarrior worm
Two ways to replicate:
–Searches for nearby phones via Bluetooth
–Finds the owner’s telephone number list and sends MMS messages with copies of itself
  Using random names
  –Difficult to filter out

How much does it cost?
Financial cost: worms cost billions of euros in lost productivity
–CodeRED worm: $2.6 billion
–Slammer: $1.2 billion
–LoveLetter virus: $8.8 billion
Could cyberattacks lead to loss of life?
–What if medical equipment gets infected by a worm? Wrong diagnosis? Wrong treatment?
–What if a car gets infected by a worm? Could this lead to a fatal car crash?
How about critical infrastructures? What if a nuclear power plant gets infected?
–Would this lead to failure of safety systems?
–Is this possible?

How much does it cost?
Worms have penetrated nuclear power plants.
“The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours” (Security Focus News)
Luckily no harm was done
–The reactor was not operating at that time
–There was a fall-back analog monitoring system
Will we be so lucky next time?

What do people say about this? ENISA
ENISA: European Network and Information Security Agency
PSG: Permanent Stakeholders Group
Vision Document

ENISA Vision
“The longer-term impact of … worm compromised hosts is likely to be greater in total than at present”
“… Organized Crime and terrorists … introduce a level of sophistication and funding of (cyber)attacks that is far beyond what we have commonly seen in the previous 20 years of cyber security” (ENISA PSG)
i.e. things are bad and are going to get worse!

What does the community say about this? What should we do?
Feb.: President’s Information Technology Advisory Committee (PITAC, in the U.S.)
Cyber-Security Sub-committee
–David Patterson, UC Berkeley
–Tom Leighton, MIT
–and several others

Cyber-security report
Provide expert advice
–In IT security

Research priorities identified
They identified 10 research priorities. We should do research in:
–Global-scale monitoring (for cyber-attacks)
–Real-time data collection, storage and analysis (for cyberattacks)
–Automated (cyberattack) discovery from monitoring data
–Forensic-friendly architectures
To summarize: monitor for cyber-attacks and detect them early

NoAH
In NoAH we do just that:
–We design and prototype an infrastructure to
  monitor for cyber threats
  detect them as early as possible
  fingerprint them
We do that based on honeypot technology

What is a honeypot?
An “undercover” computer
–which has no ordinary users
–which provides no regular service
  Or a few selected services if needed
–Just waits to be attacked…
Its value lies in being compromised
–Or in being exploited, scanned, etc.
Honeypots are an “easy” target
–But heavily monitored ones
If attacked, they log as much information as possible

When was a honeypot first used?
First widely publicized use: The Cuckoo’s Egg
–By Cliff Stoll
Cliff Stoll noticed a 75-cent accounting error in the computer he managed
–This led Cliff to discover an intruder named “Hunter”
–Instead of shutting “Hunter” out, Cliff started to study him
–He connected the modem lines to a printer
–He created dummy “top-secret” directories to “lure” “Hunter” into coming back
–He was paged every time “Hunter” was in
–He traced “Hunter” to a network of hackers
  Paid in cash and drugs and reporting directly to the KGB

How do we receive attacks?
Three types of sensors:
–Traditional honeypots that wait to be attacked
–Collaborating organizations that install low-interaction honeypots and forward “interesting” attacks to the NoAH core
–A “screensaver” that forwards all unwanted traffic to NoAH
Unwanted traffic is received at
–unused IP addresses
–unused TCP/UDP ports

The NoAH architecture
[Diagram]

Traditional honeypots
Low-interaction honeypot listening on a single IP address of the dark space
–Filters out unwanted traffic
  which is not part of an attack
High-interaction honeypots for providing responses

How about limited address space?
The number of “traditional” honeypots is usually limited; they cover a small percentage of the IP address space
Problem: they may see an attack too late
Solution: monitor dark space
What is dark IP address space?
–Unused IP addresses
–IP addresses not associated with any computer
–Some organizations (e.g. universities) have lots of dark IP address space
Assign portions of dark space to this limited number of honeypots
Funnel: map the dark space to a single or a few IP addresses

Funneling
[Diagram]

Monitoring dark space of cooperating organizations
So, where are we going to find the dark space? Collaborating organizations
Organizations may participate in NoAH but lack the ability to maintain a honeypot
Packets targeting the organization’s black space are tunneled to the honeypots of the NoAH core

The NoAH architecture
[Diagram]

A honeypot daemon
–Runs at home (or in a small office)
–Runs in the background and sends all the traffic from the dark space to the NoAH core for processing
–Dark space:
  Unused IP addresses
  Internal IP addresses
  Unused ports (or a selected subset of them)
–Attackers think they are communicating with a home computer but actually talk to honeypots at the NoAH core

Empower the people
–To help us fight cyberattacks
  With minimal installation overhead
  Minimal runtime overhead
Appropriate for small organizations
–Who want to contribute
–But do not have the technical knowledge to install/maintain a full-fledged honeypot

The honeypot daemon illustrated
[Diagram]

Screenshots
–Select network interface
–Create a virtual interface
–Get a static IP
–Get an IP through DHCP

In closing…
Today, May 17th, is
–World Telecommunication Day 2006 (WTD)
  Commemorates the founding of the ITU
–WTD 2006 is dedicated to “Promoting Global Cybersecurity”

WTD 2006: Promoting Global Cybersecurity

In closing…
Let us take this opportunity
–Of the World Telecommunication Day
–Dedicated to promoting global cybersecurity
–And promote cybersecurity
  By promoting awareness
  By empowering people to contribute and make a difference
  By empowering small organizations
Let me take this opportunity
–To promote cybersecurity by giving the podium to the distinguished security researchers who honor us with their presence
–My deepest thanks to all of you who came to talk, and who came to attend
–My deepest thanks to FP6 DG-Research, who invested the resources and co-funded this project


Back-up slides

The boiling cauldron of security
Viruses
–Programs that attach themselves to legitimate applications. Once the legitimate applications start running, the virus starts running as well.
–They also attach themselves to e-mail messages
–“Slow-spreading”: need user intervention (i.e. a “click”) to run
Worms
–Self-replicating programs
–They do not need our help to replicate
–How do they do it?
  They find a vulnerable server
  Trigger a bug in its code, hijack its execution thread, and
  They compromise the server
–They can infect tens of thousands of computers in minutes
  Humans have no time to react; they just clean up after the attack is over

The boiling cauldron of security
Backdoors
–Worms install “backdoors” in the compromised computers
–e.g. create a new account with login “smith” and password “me”
–The attacker can now enter the compromised computer as “smith”
Keyboard loggers
–They log every key typed on the keyboard
  Credit card numbers, bank accounts, passwords, personal confidential information
They can
–Empty bank accounts
–Read and forward e-mail messages
–Change the victim’s personal data
–Reveal financial and personal secrets
–Destroy a person both socially and financially

There exists unused IP address space
–Large universities and research centers
–Organizations and private companies
–Public domain bodies
–Upscale home users
–NAT-based home networks *.*
There exists unused IP port space
–Not all computers use all 64K ports
–Several of them do not even use port 80

NoAH partners
Research organizations
–ICS-FORTH, Greece
–Vrije University, The Netherlands
–ETHZ, Switzerland
ISPs, CERTs, associations
–DFN-CERT, Germany
–FORTHnet, Greece
–TERENA, The Netherlands
Industrial partners
–ALCATEL, France
–Virtual Trip, Greece

Challenges
We cannot trust clients
–Anyone will be able to set one up
Clients must not know the address of the honeypots
–Honeypots may become victims of flooding
Addresses of clients must also remain hidden
–An attacker can use their black space for flooding
–Or blacklist them to make the NoAH core blind
Computer-based mass installation of mock-up clients should be prevented

Hiding honeypots and clients
Use of an anonymous communication system
Onion routing is an attractive solution
–Prevents eavesdropping attacks
–Based on a set of centralized nodes (onion routers)
–Even when a router is compromised, privacy is preserved
Tor, an implementation of second-generation onion routing
–Installs only a SOCKS proxy on the client side

How onion routing works (1/2)
[Figure: Alice, onion routers R1 to R4 among other routers R, and Bob]
The sender chooses a random sequence of routers
–Some routers are honest, some are controlled by the attacker
–The sender controls the length of the path

How onion routing works (2/2)
[Figure: Alice → R1 → R2 → R3 → R4 → Bob]
The layered message Alice hands to R1, written with {X}_pk(R) for X encrypted under router R’s public key and {X}_k for X encrypted under symmetric key k:
{R2,k1}_pk(R1), { {R3,k2}_pk(R2), { {R4,k3}_pk(R3), { {B,k4}_pk(R4), {M}_k4 }_k3 }_k2 }_k1
Routing info for each link is encrypted with the router’s public key
Each router learns only the identity of the next router
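To make the layering on this slide concrete, the following is an added walk-through (not code from the presentation or the NoAH project) in which Alice wraps a message in one layer per router and each router peels exactly its own layer. A toy SHA-256 counter-mode XOR stream stands in for both the public-key encryption of the per-hop header and the symmetric encryption under k_i; the router names, the long-term keys that play the role of pk(R_i), and the message are constructed sample values.

```python
"""Toy onion construction: {R2,k1}_pk(R1), { ... {B,k4}_pk(R4), {M}_k4 ... }_k1."""
import hashlib
import json
import os


def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode, XORed with the data).
    # Symmetric, so the same call encrypts and decrypts. It stands in for
    # real encryption and is NOT a secure cipher; used only for illustration.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def wrap_layer(router_key: bytes, next_hop: str, session_key: bytes, body: bytes) -> bytes:
    # One onion layer: header {next_hop, k_i} "under the router's public key"
    # (toy: its long-term key), followed by the body encrypted under k_i.
    # Packet format: 2-byte header length || encrypted header || encrypted body.
    header = keystream_xor(router_key, json.dumps([next_hop, session_key.hex()]).encode())
    return len(header).to_bytes(2, "big") + header + keystream_xor(session_key, body)


def build_onion(path: list, dest: str, message: str, longterm: dict) -> tuple:
    # Alice wraps innermost-first: the last router's layer names Bob and
    # carries {M}_k4; every outer layer names the next router only.
    hops = path + [dest]
    body = message.encode()
    for i in range(len(path) - 1, -1, -1):
        session_key = os.urandom(16)  # fresh k_i per hop, chosen by Alice
        body = wrap_layer(longterm[path[i]], hops[i + 1], session_key, body)
    return path[0], body


def peel_layer(router_key: bytes, packet: bytes) -> tuple:
    # A router decrypts only its header (getting next hop and k_i), then
    # strips its body layer with k_i. What remains is opaque to it.
    header_len = int.from_bytes(packet[:2], "big")
    next_hop, k_hex = json.loads(keystream_xor(router_key, packet[2:2 + header_len]))
    inner = keystream_xor(bytes.fromhex(k_hex), packet[2 + header_len:])
    return next_hop, inner


def route(first_hop: str, onion: bytes, dest: str, longterm: dict) -> tuple:
    # Forward hop by hop, recording what each router learned (only its next hop).
    observed = {}
    hop, packet = first_hop, onion
    while hop != dest:
        next_hop, packet = peel_layer(longterm[hop], packet)
        observed[hop] = next_hop
        hop = next_hop
    return observed, packet.decode()


def demo() -> tuple:
    # Constructed sample: four routers, each with a long-term key standing in
    # for its public/private key pair, known to Alice as a public key would be.
    longterm = {f"R{i}": hashlib.sha256(f"constructed-key-R{i}".encode()).digest()
                for i in range(1, 5)}
    first_hop, onion = build_onion(["R1", "R2", "R3", "R4"], "Bob", "M: hello Bob", longterm)
    return route(first_hop, onion, "Bob", longterm)


if __name__ == "__main__":
    print(demo())
```

Each router's record in the returned dictionary holds only the identity of the next router, which is the property the slide states.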

Hidden services
In the previous examples, Alice needed to know the address of Bob
–That is, the client needs to know the address of the honeypots
Tor offers hidden services
–Clients only need to know an identifier for the hidden service
–This identifier is a DNS name of the form “xyz.onion”
–“.onion” is routable only through Tor

Creating a location-hidden server
The server creates onion routes to “introduction points”
The server gives the intro points’ descriptors and addresses to the service lookup directory
The client obtains the service descriptor and intro point address from the directory

Using a location-hidden server
The client creates an onion route to a “rendezvous point”
The client sends the address of the rendezvous point, and any authorization if needed, to the server through the intro point
If the server chooses to talk to the client, it connects to the rendezvous point
The rendezvous point mates the circuits from client and server

Hidden services in action
We created a hidden service that actually forwards to Google.com

Shielding Tor against attacks
Onion routing is subject to timing attacks
–If the attacker has compromised the first and last routers of the path, then she can perform correlation
Solution: the client sets itself up as the first router
–Tor clients can also act as routers
The honeypot can also set up a trusted first router
Both ends of the path are then not controlled by the attacker

Preventing automatic installation
Goal: prevent an attacker from deploying clients across its subnet
CAPTCHAs as a proposed solution
–Instruct the human to solve a visual puzzle
–The puzzle cannot be solved by a computer
–The puzzle can also be an audio clip

Enhancing CAPTCHAs
An attacker may post the image to his own site and use its visitors to solve it
Adding animation to avoid “CAPTCHA laundering”
The user clicks on the correct (animated) answer and her IP address is bound to the registration
–Animation prevents users from providing static responses, like “I clicked the upper left corner”
Flash is a possible technology we can use
–Obfuscation as an extra security step
[Figure: animated CAPTCHA, “Click the apple!”]

Funneling (3/3)
farpd to collect IP addresses
–Does not work well with some old routers (limit on ARP entries per interface); solved in all modern routers
Router configuration to forward black space to honeypots
–No need for ARP
Funneling has no overhead
–Honeyd organizes addresses in a splay tree
–We tested emulating /24, /16 and /8 subnets without any noticeable difference in performance

Tunneling
OpenVPN 2.0 as tunnel software
–Encrypted channel, supports packet compression
–Easy configuration
We measured tunneling overhead in our local testbed
–Around 20% for two machines on a 100 Mbit/s LAN
In progress: documentation for setting up the tunnel and configuration options