
Evangelos Markatos, FORTH NoAH: A Network of Affined Honeypots : Current State and Collaboration Opportunities.


Slide 1: NoAH: A Network of Affined Honeypots: Current State and Collaboration Opportunities
Evangelos Markatos, FORTH, http://www.fp6-noah.org, info@fp6-noah.org
Institute of Computer Science (ICS), Foundation for Research and Technology – Hellas (FORTH), Crete, Greece
The NoAH project

Slide 2: Roadmap
The problem:
– The trust that we used to place in our network is slowly eroding away
– We are being attacked: viruses, worms, trojans and keyboard loggers continue to plague our computers
What do people say about this?
– Europe – ENISA
– USA – PITAC
What can be done? The NoAH approach:
– Understand the mechanisms and causes of cyberattacks
– Automate the detection of, fingerprinting of, and reaction to cyberattacks
Summary and conclusions

Slide 3: The erosion of trust on the Internet
We used to trust computers we interacted with on the Internet
– Not any more…
– Address bar spoofing: do you know that the web server at http://www.paypal.com is the real one?
We used to trust our network
– Not any more… Our network is the largest source of all attacks
We used to trust our own computer
– Not any more… (keyboard loggers can easily get all our personal information)

Slide 4: The erosion of trust on the Internet
We used to trust our own eyes with respect to the content we were viewing on the Internet
– Not any more…
– Phishing: sophisticated social engineering
  Attackers send users email on behalf of a legitimate sender (e.g. a bank), inviting them to sign up for a service
  When users click they are asked to give their password
  Users think they give their password to a bank, but it ends up in the attacker’s database

Slide 5: A sophisticated phishing attack: setting the stage
Attackers send email inviting Bank of America customers to change their address on-line

Slide 6: A phishing attack: hiding the tracks
The Bank of America web site opens in the background
A pop-up window (from www.bofalert.com!) requests user name and password
(figure: the legitimate web site behind the pop-up window)

Slide 7: The boiling cauldron of security
Security on the Internet is getting increasingly important
– Worms, viruses and trojans continue to disrupt our everyday activities
– Spyware and backdoors continue to steal our credit card numbers and our passwords, and snoop into our private lives
– Keyboard loggers can empty our bank accounts if they choose to do so

Slide 8: It used to be a problem of PCs
Not any more…
PocketPC virus:
– Duts
Mobile phone virus:
– Cabir
– Infects the Symbian operating system

Slide 9: Mobile phone viruses: the Mosquitos virus
Mosquitos virus:
– Attaches itself to an illegal copy of the “Mosquitos” game
– Once installed it starts sending potentially expensive SMS messages to premium numbers
– “Free to download” but “expensive to play”

Slide 10: The CommWarrior worm
Two ways to replicate:
– Searches for nearby phones via Bluetooth
– Finds the owner’s telephone number list and sends MMS messages with copies of itself, using random names
  Difficult to filter out

Slide 11: How much does it cost?
Financial cost: worms cost billions of euros in lost productivity
– Code Red worm: $2.6 billion
– Slammer: $1.2 billion
– LoveLetter virus: $8.8 billion
Could cyberattacks lead to loss of life?
– What if medical equipment gets infected by a worm? Wrong diagnosis? Wrong treatment?
– What if a car gets infected by a worm? Could this lead to a fatal car crash?
How about critical infrastructures? What if a nuclear power plant gets infected?
– Would this lead to failure of safety systems?
– Is this possible?

Slide 12: How much does it cost?
Worms have penetrated nuclear power plants.
“The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours” (Security Focus News)
Luckily no harm was done
– The reactor was not operating at that time
– There was a fall-back analog monitoring system
Will we be so lucky next time?

Slide 13: What do people say about this? ENISA
ENISA: European Network and Information Security Agency
PSG: Permanent Stakeholders Group
Vision document

Slide 14: ENISA vision
“The longer-term impact of … worm compromised hosts is likely to be greater in total than at present”
“… Organized Crime and terrorists … introduce a level of sophistication and funding of (cyber)attacks that is far beyond what we have commonly seen in the previous 20 years of cyber security” (ENISA PSG)
i.e. things are bad and are going to get worse!

Slide 15: What does the community say about this? What should we do?
Feb. 2005: President’s Information Technology Advisory Committee (in the U.S.), Cyber-Security Sub-committee
– David Patterson, UC Berkeley
– Tom Leighton, MIT
– and several others

Slide 16: Cyber-security report
Provide expert advice
– In IT security

Slide 17: Research priorities identified
They identified 10 research priorities. We should do research in:
– Global-scale monitoring (for cyber-attacks)
– Real-time data collection, storage and analysis (for cyberattacks)
– Automated (cyberattack) discovery from monitoring data
– Developing forensic-friendly architectures
To summarize: monitor for cyber-attacks and detect them early

Slide 18: NoAH
In NoAH we do just that:
– We design and prototype an infrastructure to monitor for cyber threats, detect them as early as possible, and fingerprint them
We do that based on honeypot technology

Slide 19: What is a honeypot?
An “undercover” computer
– which has no ordinary users
– which provides no regular service, or a few selected services if needed
– which just waits to be attacked…
Its value lies in being compromised
– Or in being exploited, scanned, etc.
Honeypots are an “easy” target
– But heavily monitored ones: if attacked, they log as much information as possible

Slide 20: When was a honeypot first used?
First widely publicized use: The Cuckoo’s Egg, by Cliff Stoll
Cliff Stoll noticed a 75-cent accounting error in the computer he managed
– This led Cliff to discover an intruder named “Hunter”
– Instead of shutting “Hunter” out, Cliff started to study him
– He connected the modem lines to a printer
– He created dummy “top-secret” directories to “lure” “Hunter” into coming back
– He was paged every time “Hunter” was in
– He traced “Hunter” to a network of hackers, paid in cash and drugs and reporting directly to the KGB

Slide 21: How do we receive attacks?
Three types of sensors:
– Traditional honeypots that wait to be attacked
– Collaborating organizations that install low-interaction honeypots and forward “interesting” attacks to the NoAH core
– Honey@Home: a “screensaver” that forwards all unwanted traffic to NoAH
Unwanted traffic is received at
– unused IP addresses
– unused TCP/UDP ports

Slide 22: The NoAH architecture
(figure: architecture diagram)

Slide 23: Traditional honeypots
Low-interaction honeypot listening on a single IP address of the dark space
– Filters out unwanted traffic which is not part of an attack
High-interaction honeypots for providing responses

Slide 24: How about limited address space?
The number of “traditional” honeypots is usually limited; they cover a small percentage of the IP address space
Problem: they may see an attack too late
Solution: monitor dark space
What is dark IP address space?
– Unused IP addresses
– IP addresses not associated with any computer
– Some organizations (e.g. universities) have lots of dark IP address space
Assign portions of dark space to this limited number of honeypots
Funnel: map the dark space to a single or a few IP addresses

Slide 25: Funneling
(figure: the dark addresses 11.12.15.1, 11.12.15.2, 11.12.15.3, 11.12.15.4 and 11.12.15.5 funneled to one honeypot address)
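The following is an added example, not code from the NoAH project, that models the funnel of slides 24 and 25 together with the dark-space definition of slides 21 and 28: traffic to unused addresses of a monitored prefix, or to unused ports of live hosts, is rewritten towards one honeypot address, and the honeypot's replies are mapped back to the dark address so the attacker still believes it is talking to that address. The prefix 11.12.15.0/24 comes from the slide; the live host 11.12.15.100, the honeypot 192.0.2.9 and the attacker 203.0.113.7 are constructed values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Funnel:
    """Map dark-space traffic of one monitored prefix onto a single honeypot.

    Dark space, as the slides define it: addresses in the prefix with no host
    behind them, plus ports on live hosts where no service listens. Toy model
    constructed for this example: it classifies and rewrites headers only.
    """

    def __init__(self, prefix, live_hosts, honeypot):
        self.prefix = ipaddress.ip_network(prefix)
        # live host address -> ports a real service listens on
        self.live_hosts = {ipaddress.ip_address(h): set(p) for h, p in live_hosts.items()}
        self.honeypot = honeypot
        # (attacker src, sport, proto, dport) -> dark address originally targeted
        self.flows = {}
        self.stats = {"dark_ip": 0, "dark_port": 0, "legit": 0, "foreign": 0}

    def classify(self, pkt):
        dst = ipaddress.ip_address(pkt.dst)
        if dst not in self.prefix:
            return "foreign"      # not ours to funnel
        if dst not in self.live_hosts:
            return "dark_ip"      # unused address: nobody legitimate talks to it
        if pkt.dport not in self.live_hosts[dst]:
            return "dark_port"    # live host, but no service on that port
        return "legit"

    def inbound(self, pkt):
        """Rewrite a dark-space packet towards the honeypot; None means leave it alone."""
        kind = self.classify(pkt)
        self.stats[kind] += 1
        if kind not in ("dark_ip", "dark_port"):
            return None
        self.flows[(pkt.src, pkt.sport, pkt.proto, pkt.dport)] = pkt.dst
        return Packet(pkt.src, pkt.sport, self.honeypot, pkt.dport, pkt.proto)

    def outbound(self, pkt):
        """Rewrite a honeypot reply so it appears to come from the dark address."""
        original = self.flows.get((pkt.dst, pkt.dport, pkt.proto, pkt.sport))
        if pkt.src != self.honeypot or original is None:
            return None           # not a reply to a funneled flow
        return Packet(original, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
```

The per-flow table is what lets a single honeypot address stand in for the whole dark range without the attacker noticing; the stats counters give the kind of "how much of my traffic is dark-space traffic" figure an operator wants before deploying.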

Slide 26: Monitoring dark space of cooperating organizations
So, where are we going to find the dark space? Collaborating organizations
Organizations may participate in NoAH but lack the ability to maintain a honeypot
Packets targeting the organization’s black space are tunneled to the honeypots of the NoAH core

Slide 27: The NoAH architecture
(figure: architecture diagram) http://www.honeyathome.org

Slide 28: Honey@Home
Honey@Home: a honeypot daemon
– Runs at home (or at a small office)
– Runs in the background and sends all the traffic from the dark space to the NoAH core for processing
– Dark space: unused IP addresses, internal IP addresses, unused ports (or a selected subset of them)
– Attackers think they communicate with a home computer but actually talk with honeypots at the NoAH core
http://www.honeyathome.org

Slide 29: Honey@Home
Empower the people
– To help us fight cyberattacks, with minimal installation overhead and minimal runtime overhead
Appropriate for small organizations
– Who want to contribute
– But do not have the technical knowledge to install/maintain a full-fledged honeypot
http://www.honeyathome.org

Slide 30: Honey@Home illustrated
(figure) http://www.honeyathome.org

Slide 31: Screenshots
Select network interface; create a virtual interface; get a static IP; get an IP through DHCP
http://www.honeyathome.org

Slide 32: In closing…
Today, May 17th, is World Telecommunication Day 2006 (WTD)
– Commemorates the founding of the ITU
– WTD 2006 is dedicated to “Promoting Global Cybersecurity”

Slide 33: WTD 2006: Promoting Global Cybersecurity

Slide 34: In closing…
Let us take this opportunity
– Of the World Telecommunication Day
– Dedicated to promoting global cybersecurity
– And promote cybersecurity: by promoting awareness, by empowering people to contribute and make a difference, by empowering small organizations
Let me take this opportunity
– To promote cybersecurity by giving the podium to the distinguished security researchers who honor us with their presence
– My deepest thanks to all of you who came to talk, and who came to attend
– My deepest thanks to FP6 DG-Research who invested the resources and co-funded this project

Slide 35: NoAH: A Network of Affined Honeypots: Current State and Collaboration Opportunities (closing title slide, same as slide 1)

Slide 36: Back-up slides

Slide 37: The boiling cauldron of security
Viruses
– Programs that attach themselves to legitimate applications. Once the legitimate applications start running, the virus starts running as well.
– They also attach themselves to email messages
– “Slow-spreading”: need user intervention (i.e. a “click”) to run
Worms
– Self-replicating programs
– They do not need our help to replicate
– How do they do it? They find a vulnerable server, trigger a bug in its code, hijack its execution thread and compromise the server
– They can infect tens of thousands of computers in minutes; humans have no time to react, they just clean up after the attack is over

Slide 38: The boiling cauldron of security
Backdoors
– Worms install “backdoors” in the compromised computers
– e.g. create a new account with login “smith” and password “me”
– The attacker can now enter the compromised computer as “smith”
Keyboard loggers
– They log every key typed on the keyboard: credit card numbers, bank accounts, passwords, personal email, confidential information
– They can empty bank accounts, read and forward email messages, change the victim’s personal data, reveal financial and personal secrets, and destroy a person both socially and financially

Slide 39: Honey@Home
There exists unused IP address space
– Large universities and research centers
– Organizations and private companies
– Public domain bodies
– Upscale home users
– NAT-based home networks (192.168.*.*)
There exists unused IP port space
– Not all computers use all 64K ports
– Several of them do not even use port 80
http://www.honeyathome.org

Slide 40: NoAH partners
Research organizations
– ICS-FORTH, Greece
– Vrije University, The Netherlands
– ETHZ, Switzerland
ISPs, CERTs, associations
– DFN-CERT, Germany
– FORTHnet, Greece
– TERENA, The Netherlands
Industrial partners
– ALCATEL, France
– Virtual Trip, Greece

Slide 41: Challenges
We cannot trust clients
– Anyone will be able to set up Honey@Home
Clients must not know the address of the honeypots
– Honeypots may become victims of flooding
Addresses of clients must also remain hidden
– An attacker can use their black space for flooding
– Or blacklist them to make the NoAH core blind
Computer-based mass installation of Honey@Home mock-up clients should be prevented

Slide 42: Hiding honeypots and clients
Use of an anonymous communication system
Onion routing is an attractive solution
– Prevents eavesdropping attacks
– Based on a set of centralized nodes (onion routers)
– Even when a router is compromised, privacy is preserved
Tor, an implementation of second-generation onion routing
– Installs only a SOCKS proxy on the client side

Slide 43: How onion routing works (1/2)
(figure: Alice, a cloud of onion routers R with the chosen routers R1, R2, R3 and R4 among them, Bob)
The sender chooses a random sequence of routers
– Some routers are honest, some controlled by the attacker
– The sender controls the length of the path

Slide 44: How onion routing works (2/2)
Path: Alice → R1 → R2 → R3 → R4 → Bob
The onion Alice sends, one layer per router:
  {R2, k1}pk(R1), { {R3, k2}pk(R2), { {R4, k3}pk(R3), { {B, k4}pk(R4), {M}k4 }k3 }k2 }k1
Routing info for each link is encrypted with the router’s public key
Each router learns only the identity of the next router
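An added example, not part of the original slides, showing the layering of slides 43 and 44: Alice wraps M once per router, each router strips exactly one layer and learns only the next hop, and a router's key opens nothing but its own layer. It assumes the {R_i+1, k_i}pk(R_i) key hand-over of the slide has already happened (each router holds its session key k_i), uses a toy SHA-256-keystream cipher that is not a real cipher, and uses constructed router names and keys.

```python
import hashlib
import json


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream XOR); illustration only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes it


def build_onion(hops, keys, dest, message):
    """Alice wraps M once per router, innermost layer first.

    The slide's {R_i+1, k_i}pk(R_i) step, which hands each router its session
    key under its public key, is assumed already done: keys[R_i] is k_i.
    Layer i is Enc_k_i(next hop || inner layer), so R1's layer is outermost.
    """
    layer = message.encode()
    nxt = dest
    for router in reversed(hops):
        plain = json.dumps({"next": nxt, "body": layer.hex()}).encode()
        layer = toy_encrypt(keys[router], plain)
        nxt = router
    return layer


def peel(router, keys, cell):
    """One router's work: strip its own layer and learn the next hop, nothing more."""
    plain = json.loads(toy_decrypt(keys[router], cell))
    return plain["next"], bytes.fromhex(plain["body"])


def can_open(key, cell):
    """True only if key turns cell into a well-formed layer; a wrong key gives garbage."""
    try:
        json.loads(toy_decrypt(key, cell))
        return True
    except ValueError:  # bad UTF-8 or bad JSON
        return False


def route(hops, keys, onion):
    """Forward the cell hop by hop; return what each router saw and what Bob gets."""
    views, cell = [], onion
    for router in hops:
        nxt, cell = peel(router, keys, cell)
        views.append((router, nxt))
    return views, cell.decode()


HOPS = ["R1", "R2", "R3", "R4"]
# constructed demo keys; in Tor they come from the per-hop circuit handshake
KEYS = {r: hashlib.sha256(f"demo-key-{r}".encode()).digest() for r in HOPS}
```

Note what this does not hide, which slide 49 returns to: every router still sees timing and size of the cells passing through it, so an attacker holding both R1 and R4 can correlate Alice's traffic with Bob's even though no single layer reveals both.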

Slide 45: Hidden services
In the previous examples, Alice needed to know the address of Bob
– That is, the client needs to know the address of the honeypots
Tor offers hidden services
– Clients only need to know an identifier for the hidden service
– This identifier is a DNS name of the form “xyz.onion”
– “.onion” is routable only through Tor

Slide 46: Creating a location-hidden server
The server creates onion routes to “introduction points”
The server gives the intro points’ descriptors and addresses to the service lookup directory
The client obtains the service descriptor and intro point address from the directory

Slide 47: Using a location-hidden server
The client creates an onion route to a “rendezvous point”
The client sends the address of the rendezvous point and any authorization, if needed, to the server through the intro point
If the server chooses to talk to the client, it connects to the rendezvous point
The rendezvous point mates the circuits from client and server

Slide 48: Hidden services in action
We created a hidden service that actually forwards to Google.com

Slide 49: Shielding Tor against attacks
Onion routing is subject to timing attacks
– If the attacker has compromised the first and last routers of the path then she can perform correlation
Solution: the client sets itself as the first router
– Tor clients can also act as routers
The honeypot can also set up a trusted first router
Then both ends of the path are out of the attacker’s control

Slide 50: Preventing automatic installation
Goal: prevent an attacker from deploying clients on its subnet
CAPTCHAs as a proposed solution
– Instruct the human to solve a visual puzzle
– The puzzle cannot be solved by a computer
– The puzzle can also be an audio clip

Slide 51: Enhancing CAPTCHAs
The attacker may post the image on his site and use visitors to solve it
Adding animation to avoid “CAPTCHA laundering”
The user clicks on the correct (animated) answer and her IP address is bound to the registration
– Animation prevents users from providing static responses, like “I clicked the upper left corner”
Flash is a possible technology we can use
– Obfuscation as an extra security step
(figure: “Click the apple!”)

Slide 52: Funneling (3/3)
farpd to collect IP addresses
– Does not work well with some old routers (limit of ARP entries per interface); solved in all modern routers
Router configuration to forward black space to the honeypots
– No need for ARP
Funneling has no overhead
– Honeyd organizes addresses in a splay tree
– We tested emulating /24, /16 and /8 subnets without any noticeable difference in performance

Slide 53: Tunneling
OpenVPN 2.0 as tunnel software
– Encrypted channel, supports packet compression
– Easy configuration
We measured tunneling overhead in our local testbed
– Around 20% for two machines on a 100 Mbit/s LAN
In progress: documentation for setting up the tunnel and configuration options

