Honey Pots.doc.doc



Honey Pots, Honey Nets, and Padded Cell Systems

Resources:

http://www.honeypots.net/ - Great resources on Honey Pots, Intrusion Detection and Incident Handling.
http://www.honeyblog.org/ - Papers and conferences on various topics.
http://www.honeynet.org/ - Honeynet design

Course:

Advanced Honeypot Tactics
PacSec: Security Masters Dojo, Tokyo

Papers:

Baby Steps with a Honeypot
Mark Cooper, Apr 2002
Outline: This document describes the build and running of my first honeypot. It was based heavily on the work done by Lance Spitzner and his colleagues of the HoneyNet project (http://project.honeynet.org). The aim of my first deployment was to start gaining some experience in the handling of honeypot technologies, rather than concentrate on actual hacker activity.

Basic Methods of Allowing Access to Your Honeynet
Michael Anuzis, Feb 2003
http://www.rit.edu/~arl7969/whitepapers/manuzis-2-22-2003.html
Introduction: One of the first things you have to decide before you can really do anything is what method of access you will be allowing hackers to use to reach your honeypot. This may seem like nothing important, but in fact it plays a huge role in dictating what types of hackers will take the bait and what types of things they will be able to do after they've broken in. One of the difficulties of running a honeynet is that you can't dictate ahead of time exactly who will hack you, what their skill level will be, and what they will do once they get in (after all, the fun part is not knowing these things and then figuring them out as they happen). However, by choosing the correct method of honeypot access you want to provide (which is covered in this paper), you will be able to have some influence over who hacks you and what they will be able to do. Think of it as using the right bait for the right fish.

Building a GenII Honeynet Gateway
Diego González Gómez, Spanish Honeynet Project, Aug 2004
http://www.honeynet.org.es/papers/honeywall/
A GenII Honeynet Gateway is the most critical element in a GenII Honeynet. Basically, it is the gateway of the Honeynet, but it is also a firewall, an IPS (Intrusion Prevention System), and a network traffic/system logger.

Building a Honeypot
Lance Spitzner, Mar 2000

Building an Early Warning System in a Service Provider Network
Nicolas Fischbach, Black Hat Briefings Europe, 2004
http://www.blackhat.com/presentations/bh-europe-04/bh-eu-04-fischbach-up.pdf

Building your own Honeypot
ZDnet Article by David Raikow, Nov 2000
http://www.zdnet.com.au/news/security/soa/Building_your_own_honeypot/0,130061744,120106785-1,00.htm

Detecting Targeted Attacks using Shadow Honeypots
K. G. Anagnostakis, S. Sidiroglou, P. Akritidis, K. Xinidis, E. Markatos, A. D. Keromytis, Aug 2005
We present Shadow Honeypots, a novel hybrid architecture that combines the best features of honeypots and anomaly detection. At a high level, we use a variety of anomaly detectors to monitor all traffic to a protected network/service. Traffic that is considered anomalous is processed by a "shadow honeypot" to determine the accuracy of the anomaly prediction. The shadow is an instance of the protected software that shares all internal state with a regular ("production") instance of the application, and is instrumented to detect potential attacks. Attacks against the shadow are caught, and any incurred state changes are discarded. Legitimate traffic that was misclassified will be validated by the shadow and will be handled correctly by the system transparently to the end user. The outcome of processing a request by the shadow is used to filter future attack instances and could be used to update the anomaly detector.

Dynamic Honeypots
Lance Spitzner, SecurityFocus InFocus Article, Sep 2003
What I would like to see in the near future for honeypots is the dynamic honeypot, a plug-n-play solution. You simply plug it in and the honeypot does all the work for you. It automatically determines how many honeypots to deploy, how to deploy them, and what they should look like to blend in with your environment. Even better, the deployed honeypots change and adapt to your environment. You add Linux to your network, you suddenly have Linux honeypots. You remove Novell from your network, your Novell honeypots magically disappear. You replace your Juniper routers with Cisco IOS, and so your honeypot routers change. The goal is an appliance, a solution you simply plug into your network; it learns the environment, deploys the proper number and configuration of honeypots, and adapts to any changes in your networks. Sound like magic? It shouldn't; the technology is there. We just have to put it together. Let's see what would be involved in making our dynamic honeypot, and then see how it could work. In many ways, this is what I would consider the perfect honeypot.

Design of a Honeynet
Christopher J. Reining
My goal with the honeynet is to strengthen and sharpen my forensic skills in post-compromise as well as to learn what current tools and methods attackers are using. Before I started I realized that running a honeynet is a serious matter as the compromised honeypot machine can be used to break into other machines, carry out D/DoS attacks, or be used for other nefarious purposes.

Defeating Honeypots: Network Issues, Part 1
Laurent Oudot, Thorsten Holz, SecurityFocus InFocus Article, Sep 2004
The purpose of this paper is to explain how attackers typically behave when they attempt to identify and defeat honeypots. This is not an exhaustive description of all the tools and methods that are publicly known (or unknown), but this article will help security teams who would like to set up or harden their own lines of deception-based defense. After some theoretical considerations, we will discuss some technical examples to emphasize our explanations. This two-part paper will focus on network issues. Further papers will move to the system world and the application layer.

Defeating Honeypots: Network Issues, Part 2
Laurent Oudot, Thorsten Holz, SecurityFocus InFocus Article, Oct 2004

Defeating Honeypots: System Issues, Part 1
Thorsten Holz, Frédéric Raynal, SecurityFocus InFocus Article, Mar 2005
This paper will explain how an attacker typically proceeds as he attacks a honeypot for fun and profit. We will introduce several publicly known (or perhaps unknown) techniques and present some diverse tools which help blackhats to discover and interact with honeypots. The article aims to show those security teams and practitioners who would like to set up or harden their own lines of deception-based defense what the limitation of honeypot-based research currently is. After a brief theoretical introduction, we present several technical examples of different methodologies. This two-part paper will focus on the system world and the application layer, as opposed to our first paper, "Defeating Honeypots: Network Issues," [ref 1] which concentrated purely on network issues.

Defeating Honeypots: System Issues, Part 2
Thorsten Holz, Frédéric Raynal, SecurityFocus InFocus Article, Apr 2005

Fun Things To Do With Your Honeypot
LinuxSecurity Article by Alberto Gonzalez and Jason Larson, Jul 2003

Creating Virtual Honeynets with Connectix Virtual PC 5.2
Andrew Lamb, May 2004
http://www.lucidic.net//whitepapers/alamb-4-2004.html
Abstract: As network and host-based security becomes more of an interest and concern for organizations, researchers and businesspeople alike are looking for effective network security solutions. One solution that has gained a substantial amount of attention in the last half-decade is the synthesis of virtual machine technology with the data collection and containment techniques seen in honeypots. This paper's aim is to continue the development of these two technologies by showcasing a specific software solution adapted to the use of honeypotting. Discussion in this paper is on the use and feasibility of Connectix's Virtual PC 5.2 virtual machine software for use as a network intrusion detection and analysis honeynet.

Hacker Tracking - A Case Study
Gideon J. Lenkey, 2002

Hackers Caught in Security 'Honeypot'
ZDnet Article by Keith Johnson, Dec 2000

Fighting Internet Worms with Honeypots
Laurent Oudot, SecurityFocus InFocus Article, Oct 2003

Fighting Spammers with Honeypots: Part 1
Laurent Oudot, SecurityFocus InFocus Article, Nov 2003

Fighting Spammers with Honeypots: Part 2
Laurent Oudot, SecurityFocus InFocus Article, Nov 2003

Fighting the New Electronic War
C|Net Article by Robert Lemos, May 2001

Burglar Alarms for Detecting Intrusions
Marcus J. Ranum, 1999
http://www.ne-htcia.org/docs/burglar-alarms.pdf
A burglar alarm is a misuse detection system that is carefully targeted:
- You may not care about people portscanning your firewall from the outside
- You may care profoundly about people port-scanning your mainframe from the inside
- Set up a misuse detector to watch for misuses violating site policy

Bait and Switch with Honeyd
Marcus Ranum, Feb 2003
http://infosecuritymag.techtarget.com/2003/feb/baitswitch.shtml
Spoofing, diversion and obfuscation are all part of honeyd's powerful arsenal.

A Virtual Honeypot Framework
Niels Provos, Aug 2004
http://niels.xtdnet.nl/papers/honeyd.pdf
Abstract: A honeypot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, provide early warning about new attack and exploitation trends, or allow in-depth examination of adversaries during and after exploitation of a honeypot. Deploying a physical honeypot is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system. This paper presents Honeyd, a framework for virtual honeypots that simulates virtual computer systems at the network level. The simulated computer systems appear to run on unallocated network addresses. To deceive network fingerprinting tools, Honeyd simulates the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems. This paper discusses Honeyd's design and shows how the Honeyd framework helps in many areas of system security, e.g. detecting and disabling worms, distracting adversaries, or preventing the spread of spam email.

A Virtual Honeypot Framework: Honeyd
Zhiyin Liang, Oct 2004
http://www.icst.pku.edu.cn/honeynetweb/reports/A%20Virtual%20Honeypot%20Framework-honeyd.ppt#1

A Walk Through "Sombria" - A Network Surveillance System
LAC Co Ltd., Computer Security Laboratory (Honeynet system in Japan), Sep 2003
http://www.lac.co.jp/business/sns/intelligence/sombria_e/smbr_1.pdf
Introduction: Sombria ("shadowy" in Portuguese) is a honeypot system set up in Tokyo, Japan, that is intended for network surveillance and research and not for production purposes. This honeypot system consists of a web server, a firewall and an intrusion detection system. It basically has the aim to observe different techniques used by the "bears" to get the "honey" from the "pot." In other words, Sombria is a combination of surveillance technologies to watch intruders closely and in real time as they go about their mission without them even noticing it. The intrusion detection system first triggers an alarm whenever an individual breaches security or breaks into the system. Meanwhile, all the commands executed (keystrokes) by the intruder are logged for post-attack analysis. And finally, the firewall drops all packets anytime the intruder attempts to use Sombria as a steppingstone to launch attacks against other systems.

A Whirlwind Introduction to Honeypots
Marcus J. Ranum, 2002

Adventures of an Open Proxy Server
Joe Stewart, Nov 2002
http://www.infosecwriters.com/texts.php?op=display&id=54
Abstract: This paper discusses the abuse of misconfigured HTTP proxy servers, taking a detailed look at the types of traffic that flow through this underground network. Also discussed is the use of a "honeyproxy", a server designed to look like a misconfigured HTTP proxy. Using such a tool we can spy on the Internet underground without the need for a full-blown honeypot.

The Philippine Honeynet Project Honeynet Activity Monitor Report Archive 2006-07-24
http://www.philippinehoneynet.org/dataarchive.php?date=2006-07-24

Tracking Botnet for Fun and Profit
http://conference.hitb.org/hitbsecconf2006kl/materials/DAY%201%20-%20Thorsten%20Holz%20-%20Tracking%20Botnets.pdf

Towards an Invisible Honeypot Monitoring Tool
HITB06, Nguyen Anh Quynh <aquynh –at- gmail com>, Keio University, Japan
http://conference.hitb.org/hitbsecconf2006kl/materials/DAY%202%20-%20Nguyen%20Anh%20Quynh%20-%20Towards%20an%20Invisible%20Honeypot%20Monitoring%20Tool.pdf

An initial investigation into the performance of the honeyd virtual honeypot system
Craig Valli, Nirbhay Gupta, 2003
http://scissec.scis.ecu.edu.au/publications/2003_VALLI_GUPTA_IWAR2003_honeyd.pdf
Abstract: There are various tools available on the Internet which can help in determining the operating system of a host by examining details in the way the TCP/IP stack was implemented within that operating system. This method is called TCP/IP fingerprinting, which has proven to be a reasonably reliable method of determining a victim host's operating system. This paper will examine the efficiency and performance of a new network defence tool called honeyd, which is a deceptive virtual honeypot system that uses deceptive OS fingerprinting.

The Honeynet Project: Client Honeypots is Not Only the Network
Michael A. Davis, Chief Executive Officer, Savid Technologies, Inc. (http://www.savidtech.com)
http://conference.hitb.org/hitbsecconf2006kl/materials/DAY%201%20-%20Michael%20Davis%20-%20Client%20Honeypots.pdf

Analysis of a Compromised Honeypot on a Cable Modem
Matthew Schlereth, Jan 2003
http://www.giac.org/certified_professionals/practicals/gcfa/0036.php