A Virtual Honeypot Framework Niels Provos Google, Inc. The 13th USENIX Security Symposium, August 9–13, 2004 San Diego, CA Presented by: Sean Mondesire
2 Honeyd’s Contributions Provides an alternative technique for detecting attacks Extremely low-cost option for honeypots A model framework for low-interaction honeypots.
3 Agenda 1. Introduction of Honeypots 2. Honeyd 3. Critique of Honeyd 4. Recent Work 5. Honeyd’s Contributions
4 What are Honeypots? A monitored computer system deployed in the hope that it will be probed, attacked, and compromised. Monitors all incoming and outgoing data. –Any contact is considered suspicious. Can run any OS with any amount of functionality.
5 Honeypots’ Goals Capture information about attacks –System vulnerabilities –System responses Capture information about attackers –Attack methods –Scan patterns –Identities Be attacked!
6 Etymology of Honeypots Winnie-the-Pooh –His desire for pots of honey led him into various predicaments Cold War terminology –Female communist agent vs. male Westerner Outhouses –“Honey”: euphemism for waste –Attackers are flies attracted to the honey’s stench
7 Physical vs. Virtual Honeypots Physical Honeypot: –Real machine –Runs one OS to be attacked –Has its own IP address Virtual Honeypot: –Virtual machine on top of a real machine –Can run a different OS than the real machine –Real machine responds to network traffic sent to the virtual machine
8 Physical vs. Virtual Honeypots [Figure: two diagrams, each connected to the Internet; left: physical honeypots, one real machine each; right: virtual honeypots hosted on one real machine]
9 Virtual Honeypot Types High-Interaction: –Simulates all aspects of an OS –Can be compromised completely Low-Interaction –Simulates some parts of an OS Example: Network Stack –Simulates only services that cannot lead to complete system compromise
10 Honeyd A virtual honeypot framework Can simulate different OS’s at once –Each honeypot is allocated its own IP address Low-Interaction –Only the network stack is simulated –Attackers interact with honeypots only at the network level Supports TCP and UDP services –Handles ICMP messages as well.
11 Honeyd: The Architecture Configuration Database Central Packet Dispatch Protocol handlers Personality Engine Routing Component (optional)
12 Personality Engine Personality of a virtual honeypot: –The network stack behavior of a given operating system The Personality Engine alters outgoing packets to mimic that VH’s OS –Changes protocol header fields (IP and TCP) so replies carry the fingerprint of the configured OS rather than of the real host Used to thwart fingerprinting tools: –Examples: Nmap and Xprobe
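To make the configuration database, central packet dispatch and personality engine concrete, here is an added example in Python; it is not code from Honeyd or from the paper. It parses a subset of Honeyd’s configuration language (create / set / add / bind, in the syntax the paper uses), dispatches an incoming TCP SYN to the virtual honeypot bound to the destination address, applies the port’s configured action, and lets a personality table rewrite the reply headers. The header values in PERSONALITIES and HOST_STACK, the personality names, the assumed default action and the config file itself are illustrative assumptions constructed for this example, not the contents of Nmap’s fingerprint database.

```python
"""Miniature model of Honeyd's dispatch + personality engine (added example,
not Honeyd's own code). Header quirks below are assumed values."""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Constructed honeyd.conf. In real Honeyd each personality string must match an
# entry in the Nmap fingerprint file; the names here are assumed for the example.
SAMPLE_CONFIG = """
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open

create netbsd
set netbsd personality "NetBSD 1.6.1"
set netbsd default tcp action block
add netbsd tcp port 22 proxy $ipsrc:22

bind 192.168.1.10 windows
bind 192.168.1.11 netbsd
"""

# Assumed per-OS stack quirks: initial TTL, SYN-ACK window, don't-fragment bit
# and TCP option order, i.e. the fields fingerprinting tools compare.
PERSONALITIES = {
    "Microsoft Windows XP Professional SP1":
        {"ttl": 128, "window": 64240, "df": True, "opts": "MSS,NOP,NOP,SACK"},
    "NetBSD 1.6.1":
        {"ttl": 64, "window": 32768, "df": True, "opts": "MSS,NOP,WS,NOP,NOP,TS"},
}
# The real machine's stack (assumed): what leaks if no personality is applied.
HOST_STACK = {"ttl": 64, "window": 5840, "df": True, "opts": "MSS,SACK,TS,NOP,WS"}


@dataclass
class Template:
    name: str
    personality: Optional[str] = None
    default_tcp: str = "reset"                 # assumed default when unset
    ports: dict = field(default_factory=dict)  # tcp port -> action string


def parse_config(text):
    """Configuration database: templates plus IP -> template bindings."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)            # keeps "sh scripts/web.sh" whole
        if tok[0] == "create":
            templates[tok[1]] = Template(tok[1])
        elif tok[0] == "set":
            t = templates[tok[1]]
            if tok[2] == "personality":
                t.personality = tok[3]
            elif tok[2:5] == ["default", "tcp", "action"]:
                t.default_tcp = tok[5]
            # other 'set' options (udp defaults, uptime, ...) not modelled
        elif tok[0] == "add":
            if tok[2:4] == ["tcp", "port"]:  # udp services not modelled
                templates[tok[1]].ports[int(tok[4])] = " ".join(tok[5:])
        elif tok[0] == "bind":
            bindings[tok[1]] = templates[tok[2]]
        else:
            raise ValueError("unsupported config line: " + line)
    return templates, bindings


def personality_headers(tmpl, flags="SA"):
    """Personality engine: shape the reply's header fields so the packet
    carries the template OS's fingerprint instead of the real host's."""
    q = PERSONALITIES.get(tmpl.personality, HOST_STACK)
    if flags == "SA":
        return {"flags": flags, "ttl": q["ttl"], "df": q["df"],
                "window": q["window"], "opts": q["opts"]}
    # a RST advertises no window and carries no options
    return {"flags": flags, "ttl": q["ttl"], "df": q["df"], "window": 0, "opts": ""}


def handle_syn(bindings, src_ip, dst_ip, dport):
    """Central packet dispatch for a TCP SYN: find the VH for dst_ip,
    apply the port's configured action, and build the reply."""
    tmpl = bindings.get(dst_ip)
    if tmpl is None:
        return {"action": "drop"}          # no honeypot at this address
    action = tmpl.ports.get(dport, tmpl.default_tcp)
    if action == "block":
        return {"action": "drop"}          # silently discarded, looks filtered
    if action == "reset":
        return {"action": "rst", "headers": personality_headers(tmpl, "RA")}
    reply = {"action": "syn-ack", "headers": personality_headers(tmpl)}
    if action.startswith("proxy "):        # hand the connection to a real host
        reply["proxy_to"] = action[len("proxy "):].replace("$ipsrc", src_ip)
    elif action != "open":                 # a service script emulates the daemon
        reply["service"] = action
    return reply


def fingerprint(headers):
    """What an Nmap-style probe concludes from one SYN-ACK: the known stacks
    whose quirks match every observed header field."""
    keys = ("ttl", "window", "df", "opts")
    return [n for n, q in PERSONALITIES.items()
            if all(headers.get(k) == q[k] for k in keys)]


if __name__ == "__main__":
    _, b = parse_config(SAMPLE_CONFIG)
    r = handle_syn(b, "10.9.8.7", "192.168.1.10", 80)
    print(r["action"], r.get("service"), fingerprint(r["headers"]))
```

Two things the slide text alone does not show: a port whose action is block produces no packet at all, so the address looks filtered rather than closed, and a template without a personality answers with HOST_STACK’s quirks, which is exactly the leak the engine exists to prevent (fingerprint() returns no match for it, and every such VH would look identical to an attacker).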
13 Routing Options Proxy ARP Configured Routing –Routing Tables –Routing Trees Generic Routing Encapsulation –Network Tunneling –Load balancing
14 Experiments Virtual Honeypots for every detectable fingerprint in Nmap were used. –600 distinct fingerprints Each VH had one port open to run a web server. Nmap was run against the address space allocated to all the VH’s –555 fingerprints were correctly identified –37 fingerprints returned a list of possible OS’s rather than one –8 could not be identified
15 Applications Network Decoys –Lure attackers to virtual honeypots, not real machines Detecting and Countering Worms –Capture packets sent by worms –Use large amounts of VH’s across large address space Spam Prevention –Monitor open proxy servers and open mail relays –Forward suspicious data to spam filters
16 Conclusions Honeyd is a framework for supporting multiple virtual honeypots Mimics OS network stack behaviors to trick attackers Provides a tool for network security research –Network decoy –Spam –Worm detection
17 Honeyd’s Strengths Supports an array of different OS network stacks –Fool attackers Can support a large number of VH’s for large address spaces Easily configurable to test various security issues –Routing configuration –OS options
18 Honeyd’s Weaknesses Low-Interaction –Only the network stack is implemented –Not all OS services are available –Not all system vulnerabilities can be tested Personality Engine is not 100% –The 37 ambiguous and 8 failed identifications in the Nmap experiment –Could give attackers clues as to which parts of the network are honeypots.
19 Future Work Implement Middle-Interaction –Increase the number of OS services per VH Experiment with Honeyd VH’s and physical honeypots on the same network Increase the stability of the personality engine
20 Related Current Work Middle-Interaction –mwcollect –nepenthes The Honeynet Project –Raise Awareness –Teach and Inform –Research
21 Honeyd’s Contributions Provides an alternative technique for detecting attacks –Detecting worms, attackers, and spam Extremely low-cost option for honeypots –Cost of physical honeypots vs. virtual A model framework for low-interaction honeypots. –Simulates only an OS’s network stack –Can cover large amounts of IP addresses