
1 Honeypots
Margaret Asami

2 What are honeypots?
- an intrusion detection mechanism: entices intruders to attack and eventually take over the system, while their moves are being monitored without them knowing
- 2 types: production, research

3 How do honeypots address security?
- prevention: can't prevent bad guys!
- detection: leverages traditional IDS; no false positives nor false negatives
- reaction: provides incident response team un-polluted data and a stoppable system

4 Values & Risks
+ simple to build
+ high signal/noise ratio
- playing with fire

5 How to build a honeypot?
- how do we attract intruders? choose enticing names (e.g., mail.sjsu.edu)
- how do we know we're probed? put the honeypot on an isolated net behind a firewall; set the firewall to log all traffic
- how do we protect our peers? set the firewall to allow all in-coming traffic, but limit out-going traffic; ICMP, FTP, DNS are common protocols intruders need

6 How to build a honeypot? (cont...)
- how do we track the intruder's moves?
  layer 1: firewall logs
  layer 2: syslogd hack
  layer 3: sniffer
  layer 4: tripwire
  layer 5: kernel/shell hack
- each layer lets us learn different things
- multiple layers spread the risk of compromised data

7 How to build a honeypot? (cont...)
- how do we kick them out? shut down, take the honeypot off-line, remove backdoors, fix vulnerabilities, then put it back on-line
- how do we make them not know? by avoiding frequent and substantial changes to the honeypot

8 Popular honeypots
- Backofficer Friendly (BOF): low level of interaction; emulates basic services; fakes replies
- Honeyd: mid-high level of interaction; emulates >400 OSs and services; uses ARP spoofing to assume the victim IP address

9 Popular honeypots (cont...)
- Honeynets: high level of interaction; network of real systems, zero emulation; used mostly in research

10 Win98 honeypot
- 524 unique NetBIOS scans: UDP port 137 (NetBIOS Naming Service), UDP port 139 (NetBIOS Session Service)
- we are not advertised, so why?
- default Win98 installation; enable sharing of the C:\ drive; connect to the internet and wait
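Slides 5 and 10 describe the two things the firewall logs are read for: which outside hosts are probing the honeypot (here, the NetBIOS ports) and whether the honeypot itself is trying to talk out on anything other than the few protocols allowed. The following is an added example, not code from the presentation; the log line format, the honeypot address 192.0.2.10 and the sample log lines are all constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log format (constructed for this example, not a real firewall's):
#   "<date> <time> <ACCEPT|DROP> <tcp|udp|icmp> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ACCEPT|DROP) (?P<proto>tcp|udp|icmp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

HONEYPOT_IP = "192.0.2.10"                 # assumed honeypot address
NETBIOS_PORTS = {137, 139}                 # ports named on slide 10
ALLOWED_OUTBOUND = {"icmp", "ftp", "dns"}  # outbound services permitted by slide 5's policy

# Constructed sample firewall log: three outside hosts probe NetBIOS, the
# honeypot makes one allowed DNS lookup, then tries two outbound port-139
# connections of its own (the kind of traffic the egress limit is there to stop).
SAMPLE_LOG = """\
2000-11-01 10:00:01 ACCEPT udp 198.51.100.5:1034 -> 192.0.2.10:137
2000-11-01 10:00:03 ACCEPT udp 198.51.100.5:1035 -> 192.0.2.10:139
2000-11-01 10:02:11 ACCEPT udp 203.0.113.7:2000 -> 192.0.2.10:137
2000-11-01 10:05:40 ACCEPT tcp 203.0.113.9:4444 -> 192.0.2.10:139
2000-11-01 10:06:02 ACCEPT udp 192.0.2.10:1025 -> 192.0.2.1:53
2000-11-01 10:07:15 DROP tcp 192.0.2.10:1026 -> 198.51.100.200:139
2000-11-01 10:07:16 DROP tcp 192.0.2.10:1027 -> 198.51.100.201:139
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def service_of(rec):
    """Map a record to a coarse service name used by the outbound policy."""
    if rec["proto"] == "icmp":
        return "icmp"
    if rec["proto"] == "udp" and rec["dport"] == 53:
        return "dns"
    if rec["proto"] == "tcp" and rec["dport"] in (20, 21):
        return "ftp"
    return f"{rec['proto']}/{rec['dport']}"


def netbios_scanners(log_text, honeypot_ip=HONEYPOT_IP):
    """Unique source addresses that hit each NetBIOS port on the honeypot."""
    per_port = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dst"] == honeypot_ip and rec["dport"] in NETBIOS_PORTS:
            per_port[rec["dport"]].add(rec["src"])
    return {port: sorted(srcs) for port, srcs in per_port.items()}


def outbound_violations(log_text, honeypot_ip=HONEYPOT_IP):
    """Outbound connections from the honeypot that fall outside the allowed services.

    Any hit here is a strong signal the honeypot has been taken over and is
    being used against others, which is exactly what the egress limit protects.
    """
    bad = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["src"] == honeypot_ip:
            svc = service_of(rec)
            if svc not in ALLOWED_OUTBOUND:
                bad.append((rec["ts"], rec["dst"], svc, rec["action"]))
    return bad


if __name__ == "__main__":
    for port, srcs in netbios_scanners(SAMPLE_LOG).items():
        print(f"UDP/TCP port {port}: {len(srcs)} unique scanning hosts")
    for ts, dst, svc, action in outbound_violations(SAMPLE_LOG):
        print(f"{ts} honeypot -> {dst} ({svc}) {action}: outside allowed outbound set")
```

The scanner count answers slide 10's "we are not advertised, so why?" from the log alone, and the outbound check is the reaction trigger from slide 7: once the honeypot starts originating traffic it was never allowed to, it is time to take it off-line.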

11 Win98 honeypot (cont...)
- intruder copies the distributed.net client config file to our honeypot

12 Win98 honeypot (cont...)
- the actual config file transfer reveals the intruder's identity

13 Win98 honeypot (cont...)
- transfer the distributed.net client file
- transfer the worm itself

14 Win98 honeypot (cont...)
- next, a crafted c:\windows\win.ini file is uploaded:
  [windows]
  load=c:\windows\system\msi216.exe
- infection completes!! next time the honeypot reboots:
  the distributed.net client will be run
  the worm will scan and replicate itself
  the worm will add "bymer.scanner" to the registry
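Slide 14 shows the persistence step: a rewritten win.ini whose [windows] load= line starts the dropped program at next boot. The tripwire layer from slide 6 is what catches this kind of change. Below is an added example, not code from the presentation, of a small integrity check: it parses win.ini, reports any non-empty load= or run= entries under [windows], and diffs the current file against a known-good baseline. The sample files are constructed; it assumes (as is the case for a default installation) that the baseline's load= and run= lines are empty.

```python
import re

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
AUTOSTART_KEYS = ("load", "run")   # [windows] keys that start programs at logon

# Constructed baseline: the [windows] section of a clean win.ini (load=/run= empty).
BASELINE_WIN_INI = r"""
[windows]
load=
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""

# Constructed sample of the crafted file from slide 14 (same path as on the slide).
INFECTED_WIN_INI = r"""
[windows]
load=c:\windows\system\msi216.exe
run=
NullPort=None

[Desktop]
Wallpaper=(None)
"""


def parse_ini(text):
    """Parse an INI file into {section: {key: value}}; keys are lower-cased.

    A hand-rolled parser is used instead of configparser so that keys without
    values and odd spacing (both common in win.ini) are tolerated.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def autostart_entries(text):
    """Programs that win.ini will launch at boot: non-empty load=/run= under [windows]."""
    windows = parse_ini(text).get("windows", {})
    return [(key, windows[key]) for key in AUTOSTART_KEYS if windows.get(key)]


def diff_against_baseline(baseline_text, current_text):
    """Tripwire-style comparison: (section, key, old, new) for every changed or added key."""
    base, cur = parse_ini(baseline_text), parse_ini(current_text)
    changes = []
    for section, keys in cur.items():
        for key, value in keys.items():
            old = base.get(section, {}).get(key)
            if old != value:
                changes.append((section, key, old, value))
    return changes


if __name__ == "__main__":
    for key, prog in autostart_entries(INFECTED_WIN_INI):
        print(f"[windows] {key}= will launch: {prog}")
    for section, key, old, new in diff_against_baseline(BASELINE_WIN_INI, INFECTED_WIN_INI):
        print(f"changed [{section}] {key}: {old!r} -> {new!r}")
```

Run against the clean baseline the check is silent; run against the crafted file it reports the load= entry both as an autostart program and as a change from the baseline, which is the signal the slide's "infection completes" step would have produced for the tripwire layer.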

15 Conclusion
- a tool, not a solution
- level of interaction vs. risk

