Honeypot, Botnet, Security Measurement, Email Spam. Cliff C. Zou, CDA6938, 02/01/07.


Slide 1: Honeypot, Botnet, Security Measurement, Email Spam
Cliff C. Zou, CDA6938, 02/01/07

Slide 2: What Is a Honeypot?
"A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised."

Slide 3: Example of a Simple Honeypot
- Install a vulnerable OS and software on a machine
- Install monitoring or IDS software
- Connect it to the Internet (with a globally routable IP)
- Wait and monitor as it is scanned, attacked and compromised
- Finish the analysis, then clean the machine

Slide 4: Benefits of Deploying Honeypots
- Risk mitigation: a deployed honeypot may lure an attacker away from the real production systems (an "easy target").
- IDS-like functionality: since no legitimate traffic should go to or from the honeypot, any traffic that appears is malicious and can trigger further action.
- Attack analysis:
  - Binary analysis of captured attack code
  - Observing the attacker's ongoing actions
  - Finding out why and how you are attacked, and the attacker's strategies

Slide 5: Honeypot Classification
- High-interaction honeypots
  - A full, working OS is provided to be attacked
  - VMware virtual environment: several VMware virtual hosts on one physical machine
- Low-interaction honeypots
  - Only emulate specific network services
  - No real interaction or OS
  - Example: Honeyd
- Honeynet / honeyfarm
  - A network of honeypots

Slide 6: Low-Interaction Honeypots
Pros:
- Easy to install (a simple program)
- No risk (no vulnerable software to be attacked)
- One machine supports hundreds of honeypots
Cons:
- No real interaction is captured
- Limited logging and monitoring functions
- Easily detectable by attackers

Slide 7: High-Interaction Honeypots
Pros:
- Real OS; captures all attack traffic and actions
- Can discover unknown attacks and vulnerabilities
Cons:
- Time-consuming to build, maintain and analyze
- Risk of being used as a stepping stone: must have a firewall blocking all outgoing traffic
- High computing resource requirements

Slide 8: Honeynet
- A network of honeypots
- High-interaction honeynet: a distributed network composed of many honeypots
- Low-interaction honeynet: emulates a virtual network on one physical machine (example: honeyd)
- Mixed honeynet: "Scalability, Fidelity and Containment in the Potemkin Virtual Honeyfarm", presented next week
Reference: http://www.ccc.de/congress/2004/fahrplan/files/135-honeypot-forensics-slides.ppt

Slide 9: What Is a Botnet?
- A network of compromised computers controlled by their attacker
  - Users of the zombie machines do not know
  - Mostly home computers with broadband
- The main source of many attacks today:
  - Distributed Denial-of-Service (DDoS)
  - Extortion
  - Email spam, phishing
  - Ad fraud
  - Theft of user information: documents, keyloggers, ...

Slide 10: How to Build a Botnet?
- Infect machines via:
  - Internet worms, viruses
  - Email viruses
  - Backdoors left by previous malware
  - Trojan programs hidden in free downloads (software, games, ...)
- Bots phone back to receive commands

Slide 11: Botnet Architecture
- Bot controller
  - Usually an IRC (Internet Relay Chat) server
  - Dozens of controllers for robustness
(Figure: the attacker connected to several bot controllers, each controlling bots)

Slide 12: Botnet Monitoring
- Hijack one of the bot controllers
  - The DNS provider redirects the domain name to the monitor
  - Still cannot cut off the botnet (dozens of controllers)
  - Can obtain most or all bots' IP addresses
- Let honeypots join a botnet
  - Can monitor all communications
  - No complete picture of the botnet

Slide 13: Security Measurement
- Monitor network traffic to understand and track Internet attack activities
- Monitor incoming traffic to unused IP space
  - TCP connection requests
  - UDP packets
(Figure: Internet traffic arriving at the local network; traffic to the unused IP space is the monitored traffic)

Slide 14: Refining Monitoring
- TCP SYN alone is not enough (only IP and port are observed)
- Distinguish different attacks
  - Low-interaction honeypots (honeyd)
    - Obtain the first attack payload by replying with SYN/ACK
    - Used by the "Internet Motion Sensor" at U. Michigan (paper presented next)
  - High-interaction honeypots
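As an added example (not from the slides), a Python sketch of the measurement idea on slides 13 and 14: packets to an unused address block are unsolicited by construction, so a monitor can tally them per source and flag hosts that sweep many dark addresses. The packet records and the 192.0.2.0/24 "unused" block are constructed for the demo.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of per-packet records (timestamp, proto, src, dst, dport,
# TCP flags) as a monitor on the local network might log them. Not real data.
SAMPLE = """\
1170331200 TCP 203.0.113.7 192.0.2.10 445 S
1170331200 TCP 203.0.113.7 192.0.2.11 445 S
1170331201 TCP 203.0.113.7 192.0.2.12 445 S
1170331201 UDP 198.51.100.9 192.0.2.20 1434 -
1170331202 TCP 198.51.100.22 192.0.2.30 80 S
1170331202 TCP 203.0.113.7 192.0.2.13 445 S
1170331203 TCP 10.0.0.5 10.0.0.9 22 S
1170331204 TCP 198.51.100.22 192.0.2.30 80 A
"""

# The unused (dark) address space inside the local network; assumed value.
UNUSED = ipaddress.ip_network("192.0.2.0/24")

def parse(line):
    ts, proto, src, dst, dport, flags = line.split()
    return {"ts": int(ts), "proto": proto, "src": src,
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "flags": flags}

def summarize(text, unused=UNUSED):
    """Per source: TCP SYN count, UDP count, distinct dark targets and ports.
    Only packets destined to the unused space count: nothing legitimate should
    ever be sent there, so every such packet is unsolicited by construction."""
    per_src = defaultdict(lambda: {"syn": 0, "udp": 0,
                                   "targets": set(), "ports": set()})
    for line in text.splitlines():
        if not line.strip():
            continue
        p = parse(line)
        if p["dst"] not in unused:
            continue
        if p["proto"] == "TCP" and p["flags"] == "S":
            rec = per_src[p["src"]]
            rec["syn"] += 1
        elif p["proto"] == "UDP":
            rec = per_src[p["src"]]
            rec["udp"] += 1
        else:
            continue  # e.g. a bare ACK: not a connection request
        rec["targets"].add(str(p["dst"]))
        rec["ports"].add(p["dport"])
    return per_src

def scanners(per_src, min_targets=3):
    """Sources that probed at least min_targets distinct dark addresses."""
    return sorted(s for s, r in per_src.items() if len(r["targets"]) >= min_targets)
```

As slide 14 notes, this sees only IP and port; telling attacks apart needs a responder (honeyd) to collect the first payload.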

Slide 15: Remote Fingerprinting
- Actively probe remote hosts to identify their OS, physical devices, etc.
  - Different OSes respond differently to service requests
  - Different hardware responds differently
- Purposes:
  - Understand Internet computers
  - Remove the DHCP issue in monitored data (the same host may appear under different IP addresses)
  - Paper presented later

Slide 16: Data Sharing: Traffic Anonymization
- Sharing monitored network traffic is important
  - Collaborative attack detection
  - Academic research
- Privacy and security exposure in data sharing
  - Packet header: IP addresses and service ports are exposed
  - Packet content: more serious
- Data anonymization
  - Change packet headers: preserve the IP prefix, and ...
  - Change packet content
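An added example (not from the slides) of the "preserve IP prefix" header anonymization on slide 16: a simplified version of the Crypto-PAn construction, where each output bit is the input bit XORed with a keyed function of the preceding bits, so addresses that share a prefix still share a prefix after anonymization. The key and the record format are assumptions for the demo.

```python
import hashlib
import hmac
import ipaddress

# Assumed secret key held by the data owner; constructed for the demo.
KEY = b"constructed-demo-key"

def _keyed_bit(key, prefix):
    """One pseudo-random bit derived from the original bits seen so far."""
    digest = hmac.new(key, prefix.encode(), hashlib.sha256).digest()
    return digest[0] & 1

def anonymize_ip(ip, key=KEY):
    """Prefix-preserving IPv4 anonymization (the Crypto-PAn idea, simplified):
    output bit i = input bit i XOR f_key(input bits 0..i-1). Two addresses that
    share their first k bits therefore map to outputs sharing their first k
    bits, so /24 and /16 structure survives while real addresses do not."""
    bits = format(int(ipaddress.IPv4Address(ip)), "032b")
    out = "".join(str(int(b) ^ _keyed_bit(key, bits[:i]))
                  for i, b in enumerate(bits))
    return str(ipaddress.IPv4Address(int(out, 2)))

def common_prefix_len(a, b):
    """Number of leading bits two IPv4 addresses share."""
    xa, xb = int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b))
    diff = xa ^ xb
    return 32 if diff == 0 else 32 - diff.bit_length()

def anonymize_record(line, key=KEY):
    """Rewrite the src and dst fields of a 'ts proto src dst dport flags'
    record, leaving protocol, port and flags intact for analysis."""
    ts, proto, src, dst, rest = line.split(maxsplit=4)
    return " ".join([ts, proto, anonymize_ip(src, key),
                     anonymize_ip(dst, key), rest])
```

Note that the mapping is deterministic under a fixed key, which is what makes flows from the same source correlatable across a shared trace; whoever holds the key can also reverse it.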

Slide 17: Why So Much Email Spam?
- No authentication or authorization in email
- Receiving unsolicited email is by design
- Sending fake email is easy (shown on the next slide)
- Profit:
  - It costs a dime to send out millions of spam emails
  - A few effective spam messages give a good return
  - No penalty for spam (law, out-of-country spammers)

Slide 18: Sample Fake Email Sending
telnet longwood.cs.ucf.edu 25
S: 220 longwood.cs.ucf.edu ESMTP Sendmail 8.13.8/8.13.8; ...
C: HELO fake.domain
S: 250 Hello crepes.fr, pleased to meet you
C: MAIL FROM: alice@mit.edu
S: 250 alice@mit.edu... Sender ok
C: RCPT TO: czou@cs.ucf.edu
S: 250 czou@cs.ucf.edu... Recipient ok
C: DATA
S: 354 Enter mail, end with "." on a line by itself
C: subject: who am I?
C: Do you like ketchup?
C: .
S: 250 Message accepted for delivery
C: QUIT
S: 221 longwood.cs.ucf.edu closing connection

Slide 19: Current Major Spam Defenses
- Signature-based filtering
  - SpamAssassin, etc.: based on keywords and rules on headers, ...
- Blacklist-based filtering
  - DNS blacklists, dynamically updated (Spamhaus)
- Sender authentication
  - Caller ID (Microsoft): http://en.wikipedia.org/wiki/Caller_ID
  - Sender Policy Framework (SPF): http://www.openspf.org/
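As an added example (not from the slides), a minimal SPF evaluator in Python that ties slide 19 back to the session on slide 18: the server there accepted "MAIL FROM: alice@mit.edu" without checking anything, whereas an SPF-checking receiver compares the connecting IP against the sender domain's published policy. The TXT records below are constructed for the demo and are not the real DNS records of the domains named; only the ip4 and all mechanisms are implemented.

```python
import ipaddress

# Constructed SPF records for the demo; NOT the real DNS records of these
# domains. In practice they come from a DNS TXT lookup on the sender domain.
DNS_TXT = {
    "mit.edu": "v=spf1 ip4:198.51.100.0/24 ip4:203.0.113.25 -all",
    "example.org": "v=spf1 ip4:192.0.2.0/28 ~all",
    "nospf.example": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(sender, client_ip, txt=DNS_TXT):
    """Evaluate the MAIL FROM domain's SPF record against the IP that actually
    opened the SMTP connection. Returns pass / fail / softfail / neutral, or
    none when the domain publishes no record. Supports ip4 and all only
    (no include, a, mx or redirect), which is enough to show the idea."""
    domain = sender.strip("<>").rsplit("@", 1)[-1].lower()
    record = txt.get(domain)
    if not record or not record.startswith("v=spf1"):
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier, mech = "+", term
        if term[0] in QUALIFIERS:
            qualifier, mech = term[0], term[1:]
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = ip in ipaddress.ip_network(mech[4:], strict=False)
        else:
            continue  # unsupported mechanism: skip it
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # no term matched and no 'all' present

def verdict_for_slide_session(client_ip="192.0.2.77"):
    """The slide 18 session: MAIL FROM claims alice@mit.edu, but the TCP
    connection (assumed here to come from 192.0.2.77) is outside the
    constructed mit.edu record, so the claim does not check out."""
    return check_spf("alice@mit.edu", client_ip)
```

A receiver would typically reject on fail and score or tag on softfail; the HELO name (fake.domain on slide 18) can be checked the same way, but SPF is the MAIL FROM domain's statement about who may send for it.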

