Presented by Spiros Antonatos, Distributed Computing Systems Lab, Institute of Computer Science, FORTH
1
Presented by Spiros Antonatos (antonat@ics.forth.gr)
Distributed Computing Systems Lab, Institute of Computer Science, FORTH

2
 A little about the project
 What are honeypots?
 The NoAH approach
 Architecture overview
 Argos
 Honey@home
 Conclusions/discussion
http://www.fp6-noah.org Spiros Antonatos Terena Networking Conference 2007

3
 Three-year project: April 2005 until March 2008
 Funded by the Research Infrastructures Programme of the European Union
 4 Work Packages
 FORTH is the coordinator

4
 Malware: worms, viruses, keyloggers, spyware…
 Malware spreads fast, faster than we can react: thousands of hosts can be infected in a few minutes
 We need information about the cyberattacks in order to build effective defenses

5
 Gather and analyse information about the nature of Internet cyberattacks
 Develop an infrastructure to detect and provide early warning of such attacks
 Security monitoring based on honeypot technology

6
 Computer systems that run no production services
 Listen on unused IP addresses
 Intentionally made vulnerable
 Closely monitored, to analyse the attacks directed at them
 Two types of honeypots: low-interaction and high-interaction

7
 Low-interaction honeypots emulate services using scripts
+ Lightweight processes, able to cover a large network space
- Emulation cannot provide a high level of interaction with attackers
 High-interaction honeypots do not emulate; they run real services
- Heavyweight processes, able to cover only a small network space
+ Provide the highest level of interaction with attackers
 NoAH uses the advantages of both types


9
 The most popular and widely used low-interaction honeypot (Honeyd)
 Emulates thousands of IP addresses
 Performs network stack emulation
 Highly configurable and lightweight
 An efficient mechanism to filter out unestablished and uninteresting connections: port scans, SSH brute-force attacks, etc.
 Interesting connections are forwarded to high-interaction honeypots

10
 Emulates entire PC systems
 OS agnostic, runs on commodity hardware
 Based on the Qemu emulator
 Key idea: data coming from the network should never be executed, nor used to steer execution
 Tracks network data throughout execution (memory tainting technique)
 Detects illegal uses of network data: jump targets, function pointers, instructions, system call arguments
 Because the check is on how the data is used rather than on what it contains, Argos detects exploit attempts that misuse network data in these ways without any signature, 0-days included
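The slide above describes the mechanism in one line; the following is an added example (not Argos code, which instruments real x86 guests inside Qemu) that shows the same idea on a toy register machine: bytes arriving from the network are tainted, taint follows the data through loads, stores and copies, and using a tainted value as an indirect jump target raises an alert carrying the guest state. The handler program, the memory layout and the alert format are hypothetical; the system-call argument checks mentioned on the slide are not modelled.

```python
"""Argos-style dynamic taint tracking on a toy CPU, as an added example (not Argos code).

Bytes from the network are tainted, taint follows the data through loads, stores
and copies, and a tainted value used as an indirect jump target raises an alert
with the guest state attached. Handler program and memory layout are hypothetical.
"""


class TaintAlert(Exception):
    """Network-derived data was used where only trusted data may go (here: a jump target)."""


class TaintVM:
    MEM_SIZE = 64

    def __init__(self):
        self.mem = bytearray(self.MEM_SIZE)
        self.taint = bytearray(self.MEM_SIZE)      # 1 = this byte came from the network
        self.regs = {"r0": 0, "r1": 0, "r2": 0}
        self.rtaint = {"r0": 0, "r1": 0, "r2": 0}  # taint bit per register

    def recv(self, addr, data):
        """NIC -> guest memory: the only taint source."""
        for i, b in enumerate(data):
            self.mem[addr + i] = b
            self.taint[addr + i] = 1

    def run(self, program, max_steps=1000):
        """Execute until 'halt'; raise TaintAlert on a tainted indirect jump."""
        pc = 0
        for _ in range(max_steps):
            ins = program[pc]
            op = ins[0]
            if op == "halt":
                return pc
            if op == "imm":                 # constant: never tainted
                self.regs[ins[1]], self.rtaint[ins[1]] = ins[2], 0
            elif op == "ld":                # r = mem[*addr_reg]; taint copied from memory
                a = self.regs[ins[2]]
                self.regs[ins[1]], self.rtaint[ins[1]] = self.mem[a], self.taint[a]
            elif op == "st":                # mem[*addr_reg] = r; taint copied from register
                a = self.regs[ins[1]]
                self.mem[a], self.taint[a] = self.regs[ins[2]] & 0xFF, self.rtaint[ins[2]]
            elif op == "addi":              # r += const; taint of r unchanged
                self.regs[ins[1]] = (self.regs[ins[1]] + ins[2]) & 0xFF
            elif op == "jnz":               # direct branch to a constant target: no check needed
                if self.regs[ins[1]]:
                    pc = ins[2]
                    continue
            elif op == "jmpr":              # indirect jump (ret / call through a pointer)
                if self.rtaint[ins[1]]:
                    raise TaintAlert(f"tainted jump target {self.regs[ins[1]]} at pc={pc}")
                pc = self.regs[ins[1]]
                continue
            else:
                raise ValueError(f"unknown op {op!r}")
            pc += 1
        raise RuntimeError("step limit exceeded")


INPUT_BUF, LOCAL_BUF, SAVED_RET, EXIT = 16, 32, 36, 13   # hypothetical memory layout

# Hypothetical vulnerable handler: copies a NUL-terminated request into a 4-byte local
# buffer with no bounds check, then "returns" through the saved return address at SAVED_RET.
HANDLER = [
    ("imm", "r0", INPUT_BUF),   # 0  src = request
    ("imm", "r1", SAVED_RET),   # 1
    ("imm", "r2", EXIT),        # 2
    ("st", "r1", "r2"),         # 3  save return address (trusted constant)
    ("imm", "r1", LOCAL_BUF),   # 4  dst = local buffer
    ("ld", "r2", "r0"),         # 5  loop: byte = *src
    ("st", "r1", "r2"),         # 6        *dst = byte   (taint travels with the byte)
    ("addi", "r0", 1),          # 7
    ("addi", "r1", 1),          # 8
    ("jnz", "r2", 5),           # 9        until NUL
    ("imm", "r1", SAVED_RET),   # 10
    ("ld", "r2", "r1"),         # 11 r2 = saved return address
    ("jmpr", "r2"),             # 12 ret
    ("halt",),                  # 13
]


def handle_request(payload):
    """Run the handler on one network payload; report 'clean' or an alert with forensics."""
    vm = TaintVM()
    vm.recv(INPUT_BUF, payload)
    try:
        vm.run(HANDLER)
        return {"status": "clean"}
    except TaintAlert as e:
        return {"status": "alert", "reason": str(e), "regs": dict(vm.regs),
                "tainted_bytes": [i for i, t in enumerate(vm.taint) if t]}


if __name__ == "__main__":
    print(handle_request(b"GET\x00"))        # fits the buffer: clean
    print(handle_request(b"AAAA\x05\x00"))   # overwrites the saved return address: alert
```

The second request is caught even though the handler never crashes, and it would be caught just the same if the overwritten return address happened to equal the correct value: the decision depends only on where the jump target came from, which is why no signature is needed.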

11
[Figure: Argos architecture. The guest OS and its applications run inside the Argos emulator on the host OS; traffic enters through the NIC. On detecting an attack, Argos logs the guest state for forensics; the log feeds data correlation and signature post-processing.]


13
 Honeypots listen on the unused IP space of the organization that hosts them
 That space is too small to produce results quickly and accurately
 NoAH tries to empower people to participate
 Bring NoAH to home users with Honey@home

14
 Lightweight tool that runs in the background
 Monitors one unused IP address, usually obtained via DHCP
 All traffic to that unused address is forwarded to our central honeypots
 No configuration: install and run!
 Both Windows and Linux platforms

15
[Figure: Honey@home client steps] 1. Running in the background 2. Creating a new virtual interface 3. Getting an IP address from the DHCP server

16 Handoff
 Honey@home clients connect to the NoAH honeypots
 Honeyd acts as the front end and filters out scans
 Honeyd hands the connection off to Argos
 The attacker thinks she is communicating with the Honey@home user, but in reality Argos is providing the answers
[Figure: Attacker → Attack → Honey@home → Forward → NoAH core (Honeyd → Argos)]
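Slides 9 and 16 describe the same two-stage pipeline: the low-interaction front end discards what is not worth a real system's time and hands the rest to Argos. The following is an added example (not NoAH or Honeyd code) of that triage policy over constructed connection records: connections that never complete the handshake or never send data are dropped, repeated SSH sessions from one source beyond a threshold are treated as password guessing, and everything else is handed to a back end chosen by port. The threshold, the back-end names, the port-to-back-end map and the SSH heuristic are assumptions made for this example; the sample traffic is constructed, not captured.

```python
"""Front-end filtering and handoff, as an added example (not NoAH or Honeyd code).

Models what the low-interaction front end contributes: it completes the TCP
handshake itself, drops connections that never establish or never send data,
throttles SSH password guessing from one source, and hands everything else to a
high-interaction back end. Thresholds, back-end names and the SSH heuristic are
assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    src: str            # attacker address
    dst: str            # monitored (unused) address that the Honey@home client forwards
    dport: int
    established: bool   # did the attacker complete the three-way handshake with the front end?
    payload: bytes      # first bytes sent after the handshake (empty if none)


class FrontEnd:
    # Assumed threshold: more SSH sessions than this from one source = password guessing.
    SSH_GUESS_LIMIT = 3

    def __init__(self, backends):
        self.backends = backends       # dport -> back-end honeypot name (assumed layout)
        self.ssh_sessions = Counter()  # SSH sessions seen per source address
        self.handoffs = []             # (conn, backend) pairs passed to the high-interaction side

    def decide(self, conn):
        """Return the verdict for one connection: 'drop:<why>' or 'handoff:<backend>'."""
        if not conn.established:
            return "drop:scan"                  # SYN probe only; nothing to learn from it
        if not conn.payload:
            return "drop:empty"                 # connected but silent (connect scan, banner grab)
        if conn.dport == 22 and conn.payload.startswith(b"SSH-"):
            self.ssh_sessions[conn.src] += 1    # client identification string: a new SSH session
            if self.ssh_sessions[conn.src] > self.SSH_GUESS_LIMIT:
                return "drop:ssh-bruteforce"    # the back end would learn nothing new
        backend = self.backends.get(conn.dport, self.backends["default"])
        self.handoffs.append((conn, backend))   # Argos answers from here on; same address to the attacker
        return f"handoff:{backend}"


# Constructed sample traffic (not a real capture); documentation addresses only.
SAMPLE = [
    Conn("198.51.100.7", "192.0.2.40", 445, False, b""),                          # SYN scan
    Conn("198.51.100.7", "192.0.2.40", 80, True, b""),                            # connect scan, no data
    Conn("203.0.113.9", "192.0.2.40", 445, True, b"\x00\x00\x00\x85\xffSMBr"),    # SMB request
    Conn("203.0.113.9", "192.0.2.41", 80, True, b"GET /cgi-bin/x HTTP/1.0\r\n"),  # HTTP request
] + [Conn("198.51.100.66", "192.0.2.41", 22, True, b"SSH-2.0-libssh\r\n")] * 5   # password guessing


def triage(conns, backends=None):
    """Run the front end over a list of connections; return the verdicts and the front end."""
    fe = FrontEnd(backends or {445: "argos-windows", 80: "argos-linux", "default": "argos-linux"})
    return [fe.decide(c) for c in conns], fe


if __name__ == "__main__":
    verdicts, fe = triage(SAMPLE)
    for c, v in zip(SAMPLE, verdicts):
        print(f"{c.src}:{c.dport:<4} established={c.established!s:<5} -> {v}")
    print(f"{len(fe.handoffs)} of {len(SAMPLE)} connections reached a high-interaction honeypot")
```

The point of the split is visible in the counts: of nine connections, only five ever reach an expensive emulated system, and the first three SSH sessions still get through so that a genuinely new SSH exploit would not be filtered with the password guessing. Because the front end proxies the established connection rather than redirecting it, the attacker keeps talking to the Honey@home address throughout.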

17
 The identity of clients and honeypots must remain hidden
 Once an identity is revealed, attackers can flood the black space with junk traffic
 Tor is a network that can provide the desired anonymization
 Automatic installation of clients must be prevented, else an attacker would mass-deploy mockup clients
 Registration with CAPTCHA techniques is used


19
 We view an organization as a regular user that possesses a large unused address space
 A specialized version of Honey@home is implemented
 No Tor involved: the organization is a trusted entity (unlike home users)
 The only configuration needed is to declare the unused address space
 Honey@home forwards all traffic to that space (funneling)

20
 Deliverables can be found at http://www.fp6-noah.org/publications/
 5 conference papers: Usenix Security ’05, SIGOPS 2006, DIMVA ’06, RAID ’06
 Various articles and presentations: ERCIM News, local press

21
 NoAH is a distributed architecture based on low- and high-interaction honeypots
 Argos detects exploits without signatures, including zero-days
 NoAH brings non-experts to the battlefield of cyberattacks
 Honey@home enables unfamiliar users to participate in NoAH effortlessly


