presented by Spiros Antonatos Distributed Computing Systems Lab Institute of Computer Science FORTH
A little about the project What are honeypots? The NoAH approach Architecture overview Argos Conclusions/discussion Spiros Antonatos Terena Networking Conference 2007
Three years project April 2005 until March 2008 Funded from the Research Infrastructures Programme of the European Union 4 Work Packages FORTH is coordinator Spiros Antonatos Terena Networking Conference 2007
Malware: worms, viruses, keyloggers, spyware… Malware spreads fast Faster than we can react Thousands of hosts can be infected in a few minutes We need information about the cyberattacks so as to build effective defenses Networking Conference 2007 Spiros Antonatos
Gather and analyse information about the nature of Internet cyberattacks Develop an infrastructure to detect and provide early warning of such attacks Security monitoring based on honeypot technology Spiros Antonatos Terena Networking Conference 2007
Computer systems that do not run production services Listen to unused IP addresses Intentionally made vulnerable Closely monitored to analyse attacks directed at them We can identify two types of honeypots: low-interaction and high-interaction Spiros Antonatos Terena Networking Conference 2007
Low-interaction honeypots emulate services using scripts + Lightweight processes, able to cover large network space - Emulation cannot provide a high level of interaction with attackers High-interaction honeypots do not perform emulation, they run real services - Heavyweight processes, able to cover small network space + Provide the highest level of interaction with attackers NoAH uses the advantages of both types Spiros Antonatos Terena Networking Conference 2007
Spiros Antonatos Terena Networking Conference 2007
Most popular and widely-used low- interaction honeypot Emulates thousands of IP addresses Performs network stack emulation Highly configurable and lightweight An efficient mechanism to filter out unestablished and uninteresting connections Port scans, SSH brute-force attacks, etc Interesting connections are forwarded to high-interaction honeypots Spiros Antonatos Terena Networking Conference 2007
Emulates entire PC systems OS agnostic, run on commodity hardware Based on the Qemu emulator Key idea: data coming from the network should never be executed Tracks network data throughout execution Memory tainting technique Detect illegal uses of network data Jump targets, function pointers, instructions, system call arguments Argos is able to detect all exploit attempts, including 0-days! Spiros Antonatos Terena Networking Conference 2007
Argos emulator Guest OS Applications NIC Forensics Detect attack and log state Host OS Log Correlate data Signature post-processing Terena Networking Conference 2007
Spiros Antonatos Terena Networking Conference 2007
Honeypots listen to unused IP space of the organization they are hosted to This space is limiting to provide results fast and accurately NoAH tries to empower people to participate Bring NoAH to home users with Spiros Antonatos Terena Networking Conference 2007
Lightweight tool that runs in the background Monitors an unused IP address Usually taken by DHCP All traffic to that unused address is forwarded to our central honeypots No configuration, install and run! Both Windows and Linux platforms Spiros Antonatos Terena Networking Conference 2007
Running at the background Creating a new virtual interface Getting an IP address from DHCP server Spiros Antonatos Terena Networking Conference 2007
Handoff clients connect to NoAH honeypots Honeyd acts as front-end to filter out scans Honeyd hands off connection to Argos Attacker thinks she communicates with user but in reality Argos is providing the answers Honeyd Forward NoAH core Attacker Attack
Identity of clients and honeypots must remain hidden Attackers can flood black space with junk traffic once identity is revealed TOR is a network that can provide the desired anonymization Automatic installation of clients must be prevented Else attacker would massively deploy mockup clients Registration with CAPTCHA techniques is used Spiros Antonatos Terena Networking Conference 2007
Spiros Antonatos Terena Networking Conference 2007
We view an organization as a regular user that possesses large unused space A specialized version of is implemented No TOR involved, organization is a trusted entity (unlike home users) Only configuration needed is to declare the unused address space will forward all traffic to that space (funneling) Networking Conference 2007 Spiros Antonatos
Deliverables can be found at noah.org/publications/ noah.org/publications/ 5 conference papers Usenix Security 05, SIGOPS 2006, DIMVA ’06, RAID’06 Various articles and presentations ERCIM news, local press Spiros Antonatos Terena Networking Conference 2007
NoAH is a distributed architecture based on low- and high-interaction honeypots Argos is able to detect all exploits, including zero-days NoAH empowers non-experts to the battlefield of cyberattacks enables unfamiliar users to effortlessly participate to NoAH Networking Conference 2007 Spiros Antonatos
Spiros Antonatos Terena Networking Conference 2007