
1 Honey@home: The “eyes and ears” of the NoAH project
NoAH http://www.fp6-noah.org
Honey@home http://www.honeyathome.org/
Spiros Antonatos
Distributed Computing Systems Lab (DCS), Institute of Computer Science (ICS), Foundation for Research and Technology Hellas (FORTH)
antonat@ics.forth.gr

2 Outline
Terena Networking Conference 2008, 20 May 2008, Spiros Antonatos
Motivation
Honey@home
Architecture
Challenges and how to face them
Conclusions

3 A few words about NoAH
Network of Affined Honeypots
EU-funded 3-year project (2005-2008)
Develop an infrastructure to detect and provide early warning of cyberattacks
Gather and analyse information about the nature of these attacks
More info at http://www.fp6-noah.org

4 Motivation
Monitoring of unused IP address space yields interesting results
Honeypots are a useful tool to improve network security... but they are hard to install, configure and maintain
The more address space they cover, the more effective honeypots are
Monitored space should not be static, otherwise it is vulnerable to blacklisting

5 What are honeypots?
Computer systems that do not provide production services
Listening on unused IP address space
Intentionally made vulnerable
Closely monitored to analyse attacks directed at them
Usually run inside a containment environment
–Virtual machines

6 Facts
There is unused IP address space
–Large universities and research centers
UCSD: allocated a /8, only a few thousand addresses used
FORTH and UoC: allocated a /16 each, utilization under 40%
–Organizations and private companies
–Public domain bodies
–Upscale home users
–NAT-based home networks (192.168.*.*)

7 Our approach
Social aspect
–Empower people to set up honeypots
–With minimal installation overhead
–Minimal runtime overhead
Appropriate for organizations
–Who want to contribute
–But do not have the technical knowledge to install/maintain a full-fledged honeypot

8 Honey@home
Enables willing users and organizations to effortlessly participate in a distributed honeypot infrastructure
–No configuration needed: install and run
–Both Windows and Linux platforms
Runs in the background, sends all traffic from the dark space to the NoAH core for processing
Attackers think they are communicating with a home computer but are actually talking to honeypots

9 Install…

10 …and run
1. Running in the background
2. Creating a new virtual interface
3. Getting an IP address from the DHCP server

11 Features
Can obtain an address from DHCP or statically
BPF filters can be used
–Useful to get traffic from the whole unused subnet
NAT detection and automatic port forwarding
–Mostly for DSL users and small enterprises that are behind NAT
Graphic overview of traffic statistics captured by the client
Automatic updates
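An added example, not Honey@home's own code, of generating the kind of BPF filter the feature list refers to: capture everything sent to an unused subnet except traffic for the hosts known to be live (and the client's own address). The subnet, the live-host list and the helper name are assumptions for illustration; the expression it produces is ordinary libpcap filter syntax that tcpdump or any pcap-based capture loop accepts.

```python
import ipaddress
from typing import Iterable, Optional


def unused_space_filter(subnet: str, live_hosts: Iterable[str],
                        own_ip: Optional[str] = None) -> str:
    """Build a libpcap/BPF filter that matches traffic destined to the unused
    part of `subnet`: the whole subnet minus the hosts that are actually in use.

    Only the destination is filtered: the client wants inbound packets aimed at
    dark addresses, not the replies of live machines leaving the network.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    exclude = set()
    for host in list(live_hosts) + ([own_ip] if own_ip else []):
        addr = ipaddress.ip_address(host)
        if addr not in net:
            raise ValueError(f"{addr} is not inside {net}")
        exclude.add(addr)
    # The network and broadcast addresses are never "unused hosts".
    if net.prefixlen < 31:
        exclude.update({net.network_address, net.broadcast_address})
    expr = f"dst net {net.with_prefixlen}"
    if exclude:
        hosts = " or ".join(f"dst host {a}" for a in sorted(exclude))
        expr += f" and not ({hosts})"
    return expr


if __name__ == "__main__":
    # Constructed example: a /24 with two live hosts plus the client itself.
    print(unused_space_filter("10.0.5.0/24", ["10.0.5.10", "10.0.5.11"], own_ip="10.0.5.20"))
```

The live-host list has to be refreshed (from the DHCP lease table, ARP, or an inventory) and the filter recompiled when it changes, otherwise a newly deployed machine's traffic ends up in the honeypot feed.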

12 Screenshots

13 Screenshots

14 Screenshots

15 But I only have one IP address…
Dial-up/cable users do not have extra IP addresses
Monitoring of unused port space for such cases
Users are unlikely to run servers
Select a set of ports and monitor those which are not bound
Stop monitoring a port when it gets bound
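The port-space approach above, as an added example written for this page rather than taken from the Honey@home client: probe a candidate port set, listen on whatever is unbound, hand accepted connections to the caller for forwarding, and give a port back as soon as a local application claims it. Loopback addresses, runtime-chosen ports and the `PortSpaceMonitor` name are assumptions; how the real client notices that a port has been claimed is not described on the page, so here the caller passes that information in.

```python
import select
import socket
from typing import Dict, Iterable, List, Set, Tuple


def probe_free_ports(candidates: Iterable[int], host: str = "127.0.0.1") -> Set[int]:
    """Return the candidates no local process has bound, by trying to bind each
    one ourselves and releasing it at once."""
    free: Set[int] = set()
    for port in candidates:
        probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            probe.bind((host, port))
        except OSError:
            continue                      # in use (or privileged): not ours to monitor
        finally:
            probe.close()
        free.add(port)
    return free


class PortSpaceMonitor:
    """Listens on the unbound candidate ports so that connection attempts to
    them can be handed to the honeypot core, and stops listening on a port the
    moment a local application wants it."""

    def __init__(self, candidates: Iterable[int], host: str = "127.0.0.1"):
        self.host = host
        self.candidates: Set[int] = set(candidates)
        self.listeners: Dict[int, socket.socket] = {}

    def start(self) -> Set[int]:
        """Open listeners on every candidate port that is currently free."""
        for port in probe_free_ports(self.candidates - set(self.listeners), self.host):
            srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            srv.bind((self.host, port))
            srv.listen(16)
            srv.setblocking(False)
            self.listeners[port] = srv
        return set(self.listeners)

    def accept_pending(self, timeout: float = 0.0) -> List[Tuple[int, Tuple[str, int], socket.socket]]:
        """Accept connections that arrived on monitored ports. The caller
        forwards each returned socket to the honeypot core."""
        if not self.listeners:
            return []
        ready, _, _ = select.select(list(self.listeners.values()), [], [], timeout)
        events = []
        for srv in ready:
            conn, peer = srv.accept()
            events.append((srv.getsockname()[1], peer, conn))
        return events

    def reconcile(self, ports_claimed_locally: Iterable[int]) -> Set[int]:
        """Stop monitoring ports a local application now wants (dropped from the
        candidate set for good), then pick up candidates that became free."""
        claimed = set(ports_claimed_locally)
        for port in claimed & set(self.listeners):
            self.listeners.pop(port).close()
        self.candidates -= claimed
        return self.start()

    def stop(self) -> None:
        for srv in self.listeners.values():
            srv.close()
        self.listeners.clear()


def demo() -> dict:
    """Constructed scenario on loopback with ports picked at runtime: one
    candidate is already bound by a 'user application', the other is free."""
    app = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    app.bind(("127.0.0.1", 0))
    app.listen(1)
    busy = app.getsockname()[1]
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    free = tmp.getsockname()[1]
    tmp.close()

    mon = PortSpaceMonitor([busy, free])
    monitored = mon.start()
    attacker = socket.create_connection(("127.0.0.1", free))   # plays the scanner
    events = mon.accept_pending(timeout=2.0)
    hit_port = events[0][0] if events else None
    attacker.close()
    for _, _, conn in events:
        conn.close()

    # The user now starts a service on `free`: monitoring must stop there.
    remaining = mon.reconcile([free])
    user = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    user.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # tolerate TIME_WAIT leftovers
    try:
        user.bind(("127.0.0.1", free))
        released = True
    except OSError:
        released = False
    user.close()
    mon.stop()
    app.close()
    return {"monitored": monitored == {free}, "hit_on_free_port": hit_port == free,
            "remaining": remaining, "released": released}


if __name__ == "__main__":
    print(demo())
```

A real client would keep `reconcile()` on a timer fed from the OS socket table, and would have to treat the probing itself carefully: a port that is free at probe time but claimed a moment later by a local service is exactly the race the "stop monitoring when bound" rule exists for.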

16 Backend architecture
Honey@home clients connect to a honeypot core
Communication is done over port 80
Honeyd as front-end
–Filters out scans and unfinished connections
Honeyd hands off the connection to Argos
Argos is an instrumented virtual machine able to catch zero-day exploits without the danger of getting infected
–http://www.few.vu.nl/argos/
[Diagram: Attacker → Attack → Honey@home → Forward → Honeypot core (Honeyd → Handoff → Argos)]
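An added illustration of the front-end filtering described above, not Honeyd's code: a per-flow state machine that hands a connection to the backend only once the TCP handshake has completed and the attacker has sent payload, classifying everything else as a scan (handshake never completed, or reset right after the SYN/ACK) or an unfinished connection (handshake completed, closed without data). The packet records, the honeypot address and the class names are constructed sample data and assumptions for illustration.

```python
from collections import namedtuple
from typing import Dict, List, Tuple

# One record per TCP segment. flags: TCP flag letters, e.g. "S", "SA", "A", "PA", "R", "FA".
Packet = namedtuple("Packet", "src sport dst dport flags payload")
FlowKey = Tuple[str, int, str, int]          # (attacker ip, attacker port, honeypot ip, honeypot port)


class HandoffFilter:
    """Decides which flows reach the expensive backend (Argos in the slide)."""

    def __init__(self, honeypot_ip: str):
        self.honeypot_ip = honeypot_ip
        self.flows: Dict[FlowKey, str] = {}   # state: syn | synack | established | handoff
        self.handoffs: List[FlowKey] = []
        self.dropped = {"scan": 0, "unfinished": 0}

    def _key(self, pkt: Packet) -> Tuple[FlowKey, str]:
        if pkt.dst == self.honeypot_ip:                      # attacker -> honeypot
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "in"
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "out"   # honeypot -> attacker

    def _drop(self, key: FlowKey, state: str) -> None:
        # No completed handshake (SYN scan, or SYN/ACK answered with RST) is a scan;
        # a completed handshake with no data is an unfinished connection (connect scan).
        self.dropped["scan" if state in ("syn", "synack") else "unfinished"] += 1
        del self.flows[key]

    def observe(self, pkt: Packet) -> str:
        key, direction = self._key(pkt)
        state = self.flows.get(key, "new")
        if state == "handoff":
            return "handoff"                                 # backend owns this flow now
        if "R" in pkt.flags or "F" in pkt.flags:
            if state != "new":
                self._drop(key, state)
            return "dropped"
        if state == "new":
            if direction == "in" and pkt.flags == "S":
                self.flows[key] = "syn"
                return "pending"
            return "ignored"                                 # stray segment without a SYN
        if state == "syn" and direction == "out" and "S" in pkt.flags and "A" in pkt.flags:
            self.flows[key] = "synack"
            return "pending"
        if state in ("synack", "established") and direction == "in" and "A" in pkt.flags:
            if pkt.payload > 0:                              # handshake done and data arrived
                self.flows[key] = "handoff"
                self.handoffs.append(key)
                return "handoff"
            self.flows[key] = "established"
            return "pending"
        return "pending"

    def expire_incomplete(self) -> Dict[str, int]:
        """At end of trace (or on a timer): whatever never reached handoff is dropped."""
        for key, state in list(self.flows.items()):
            if state != "handoff":
                self._drop(key, state)
        return dict(self.dropped)


HONEYPOT = "10.0.5.77"   # constructed address
SAMPLE = [
    # SYN scan against 445: SYN, SYN/ACK, RST
    Packet("198.51.100.9", 40001, HONEYPOT, 445, "S", 0),
    Packet(HONEYPOT, 445, "198.51.100.9", 40001, "SA", 0),
    Packet("198.51.100.9", 40001, HONEYPOT, 445, "R", 0),
    # SYN to 22 that the scanner never answers
    Packet("198.51.100.9", 40002, HONEYPOT, 22, "S", 0),
    Packet(HONEYPOT, 22, "198.51.100.9", 40002, "SA", 0),
    # connect scan: full handshake, then FIN with no data
    Packet("203.0.113.4", 51000, HONEYPOT, 80, "S", 0),
    Packet(HONEYPOT, 80, "203.0.113.4", 51000, "SA", 0),
    Packet("203.0.113.4", 51000, HONEYPOT, 80, "A", 0),
    Packet("203.0.113.4", 51000, HONEYPOT, 80, "FA", 0),
    # real attempt: handshake, then 312 bytes of request
    Packet("203.0.113.4", 51001, HONEYPOT, 80, "S", 0),
    Packet(HONEYPOT, 80, "203.0.113.4", 51001, "SA", 0),
    Packet("203.0.113.4", 51001, HONEYPOT, 80, "A", 0),
    Packet("203.0.113.4", 51001, HONEYPOT, 80, "PA", 312),
]


def run_filter(packets=SAMPLE, honeypot=HONEYPOT):
    flt = HandoffFilter(honeypot)
    for pkt in packets:
        flt.observe(pkt)
    return flt.handoffs, flt.expire_incomplete()


if __name__ == "__main__":
    print(run_filter())
```

Of the four flows in the sample only the last one reaches the backend; the front-end absorbs the scan noise, which is what makes running a slow instrumented VM behind it affordable.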

17 Challenges
We cannot trust clients
–Anyone will be able to set up Honey@home
Addresses of clients must remain hidden
Addresses of servers must also remain hidden
–Honeypots may become victims of direct attacks
–Attackers can blacklist them to blind the honeypot core
Automated mass installation of mock-up Honey@home clients should be prevented

18 Hiding honeypots and clients
Use of an anonymous communication system
Onion routing is an attractive solution
–Prevents eavesdropping attacks
–Based on a set of dedicated relay nodes (onion routers)
–Even when a single router is compromised, privacy is preserved
Tor, an implementation of second-generation onion routing
–Provides both client- and server-side anonymity

19 Preventing automatic installation
Goal: prevent mass installation of maliciously controlled clients
CAPTCHAs as a proposed solution
–Instruct the human to solve a visual puzzle
–The puzzle is hard for a computer to solve
–The puzzle can also be an audio clip

20 Enhancing CAPTCHAs
Attackers may post the image on their own site and use its visitors to solve it (“CAPTCHA laundering”)
Adding animation to defeat CAPTCHA laundering
User clicks on the correct (animated) answer to continue with the registration
–Animation prevents users from relaying static responses, like “I clicked the upper left corner”
We use Java applet technology

21 Enhancing CAPTCHAs

22 www.honeyathome.org

23 MyHoney@home

24 Summary
Honey@home is an easy way to set up a virtual honeypot on every home PC
Just install and run, no maintenance cost
Two main challenges: protect the identity of users and honeypots, and prevent massive installations
Available at www.honeyathome.org

25 Backup slides

26 First and last OR (onion router) in path compromised

27 Creating a location-hidden server
Server creates onion routes to “introduction points”
Server gives the intro points’ descriptors and addresses to the service lookup directory
Client obtains the service descriptor and intro point address from the directory

28 Using a location-hidden server
Client creates an onion route to a “rendezvous point”
Client sends the address of the rendezvous point and any authorization, if needed, to the server through the intro point
If the server chooses to talk to the client, it connects to the rendezvous point
Rendezvous point mates the circuits from client and server

29 How onion routing works
[Diagram: Alice → R1 → R2 → R3 → R4 → Bob, with further routers R in the network]
Sender chooses a random sequence of routers
–Some routers are honest, some controlled by the attacker
–Sender controls the length of the path

30 Shielding Tor against attacks
Onion routing is subject to timing attacks
–If the attacker has compromised the first and last routers of the path, she can perform traffic correlation
Solution: the client sets itself as the first router
–Tor clients can also act as routers
The honeypot can also set up a trusted first router
Then neither end of the path is controlled by the attacker

31 How onion routing works
Alice builds the onion for the path R1 → R2 → R3 → R4 → Bob:
{R2, k1}_pk(R1), { {R3, k2}_pk(R2), { {R4, k3}_pk(R3), { {B, k4}_pk(R4), { M }_k4 }_k3 }_k2 }_k1
Sender chooses a random sequence of routers
Some routers are honest, some controlled by the attacker
Sender controls the length of the path
Routing info for each link is encrypted with that router’s public key
Each router learns only the identity of the next router
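The layering on this slide, as an added demonstration rather than Tor's implementation. It assumes the per-hop keys k1..k4 are already shared with the routers (the slide delivers each k_i under pk(R_i); Tor negotiates them per circuit), and uses a toy HMAC-SHA256 counter-mode cipher with an authentication tag in place of a real cipher. Router names, key sizes, the hop encoding and the function names are assumptions. The point it makes runnable: a router peels exactly one layer, learns the next hop, and cannot open anything further.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, List, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256: toy stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC one layer: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def _encode_hop(name: str) -> bytes:
    raw = name.encode()
    return bytes([len(raw)]) + raw          # length-prefixed next-hop name (assumed format)


def _decode_hop(data: bytes) -> Tuple[str, bytes]:
    n = data[0]
    return data[1:1 + n].decode(), data[1 + n:]


def build_onion(path: List[Tuple[str, bytes]], dest: str, message: bytes) -> Tuple[str, bytes]:
    """Wrap `message` innermost-first: layer i = {next_hop_i, inner}_k_i, readable only by R_i."""
    hops = [name for name, _ in path] + [dest]
    blob = message
    for i in range(len(path) - 1, -1, -1):
        _, key = path[i]
        blob = seal(key, _encode_hop(hops[i + 1]) + blob)
    return hops[0], blob


def peel(key: bytes, blob: bytes) -> Tuple[str, bytes]:
    """What one router does: strip its own layer, learn the next hop, forward the rest."""
    return _decode_hop(unseal(key, blob))


def route(keys: Dict[str, bytes], first_hop: str, onion: bytes, dest: str):
    """Simulate the relay network; returns what each router saw and the delivered message."""
    hop, blob, log = first_hop, onion, []
    while hop != dest:
        next_hop, blob = peel(keys[hop], blob)
        log.append((hop, next_hop))
        hop = next_hop
    return log, blob


def demo() -> dict:
    keys = {name: os.urandom(32) for name in ("R1", "R2", "R3", "R4")}
    path = [(name, keys[name]) for name in ("R1", "R2", "R3", "R4")]
    first, onion = build_onion(path, "Bob", b"hello Bob")
    log, delivered = route(keys, first, onion, "Bob")

    # A compromised R2 learns only "R3"; its key opens nothing beyond its own layer.
    after_r1 = peel(keys["R1"], onion)[1]
    r2_next_hop, blob_for_r3 = peel(keys["R2"], after_r1)
    try:
        unseal(keys["R2"], blob_for_r3)
        r2_sees_further = True
    except ValueError:
        r2_sees_further = False

    # A flipped byte in the onion is rejected at the first hop instead of propagating.
    tampered = bytes([onion[0] ^ 1]) + onion[1:]
    try:
        peel(keys["R1"], tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"first_hop": first, "log": log, "delivered": delivered,
            "r2_next_hop": r2_next_hop, "r2_sees_further": r2_sees_further,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

What this toy does not model is precisely what slides 26 and 30 are about: layering hides the route from each relay, but an attacker holding both R1 and R4 still sees the same stream enter and leave the path and can correlate its timing, which is why the client supplies its own first hop.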

32 Hidden services
In the previous examples, Alice needed to know the address of Bob
–That is, the client needs to know the address of the honeypots
–We need to hide our honeypots
Tor offers hidden services
–Clients only need to know an identifier for the hidden service
–This identifier is a DNS-like name of the form “xyz.onion”
–“.onion” names are resolvable and routable only through Tor

33 Hidden services in action
A hidden service that actually forwards to Google.com

34 Detectability issues
The delay introduced by Tor is an indication of the presence of a Honey@home client

35 Scanning home subnets
Scanned port 80 on 10 diverse subnets
7% of the hosts responded on that port consistently

