A virtual honeypot framework
A virtual honeypot framework Presentation Transcript

  • 1. A VIRTUAL HONEYPOT FRAMEWORK. Author: Niels Provos. Publication: USENIX Security Symposium 2004. Presenter: Hiral Chhaya for CAP6103
  • 2. SECURITY SITUATION
    - We are unable to build secure computer systems, or even to measure their security.
    - New vulnerabilities keep being exploited.
    - Exploit automation and massive global scanning for vulnerabilities are used to compromise computer systems.
    - We use honeypots as one way to get early warnings of new vulnerabilities.
  • 3. INTRODUCTION: What is a honeypot?
    Definition: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
    - Has no production value
    - Used for monitoring, detecting and analyzing attacks
    - Does not solve a specific problem
    - Honeypots have a low false positive rate
  • 4. CLASSIFICATION
    - By level of interaction: high, low
    - By implementation: virtual, physical
  • 5. WHAT IS HONEYD? Honeyd is a virtual honeypot application that allows us to create thousands of IP addresses with virtual machines and corresponding network services.
  • 6. WHAT CAN HONEYD DO?
    - Simulate TCP and UDP services
    - Support ICMP
    - Handle multiple IP addresses simultaneously
    - Simulate arbitrary network topologies
    - Support topologically dispersed address spaces
    - Support network tunneling for load sharing
  • 7. HONEYD DESIGN
    - Receiving network data
    - Architecture
    - Personality engine
    - Routing topology
    - Logging
  • 8. RECEIVING NETWORK DATA. Ways for Honeyd to receive traffic for its virtual honeypots:
    - A special route that leads the data to the Honeyd host
    - Proxy ARP for the honeypots
  • 9. ARCHITECTURE
    - Configuration database
    - Central packet dispatcher
    - Protocol handlers
    - Personality engine
    - Optional routing component
  • 10. PERSONALITY ENGINE. Its purpose is to fool fingerprinting tools. It uses the fingerprint databases of Nmap (for TCP and UDP) and Xprobe (for ICMP), and introduces changes to the headers of every outgoing packet before it is sent to the network.
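The slide describes what the personality engine does in one sentence. The following is an added example written for this transcript, not code from Honeyd or from the paper: a miniature model of the idea, with a constructed three-entry fingerprint table (initial TTL, SYN/ACK window size, DF bit, TCP option order, the kind of fields Nmap fingerprints record; the values are illustrative, not copied from nmap.prints) and a toy matcher standing in for the fingerprinting tool. It shows why the header rewrite works: the reply the host's own stack would send is recognized as that host, while the same reply after the engine has rewritten it is attributed to the configured personality, even after the TTL has been decremented by intermediate routers.

```python
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Fingerprint:
    ttl: int        # initial IP TTL the OS puts on outgoing packets
    window: int     # TCP window size advertised in the SYN/ACK
    df: bool        # IP "don't fragment" bit set?
    options: str    # TCP option order: M=MSS N=NOP W=wscale T=timestamp S=SACK


# Constructed miniature fingerprint database (assumption: values are
# illustrative; Honeyd loads the real Nmap and Xprobe files instead).
FINGERPRINTS = {
    "Windows XP SP1 (constructed)": Fingerprint(128, 65535, True, "MNWNNTNNS"),
    "Linux 2.4 (constructed)":      Fingerprint(64, 5840, True, "MSTNW"),
    "Cisco IOS 12.1 (constructed)": Fingerprint(255, 4128, False, "M"),
}


@dataclass(frozen=True)
class SynAck:
    """The header fields of a SYN/ACK reply that a fingerprinting tool inspects."""
    ttl: int
    window: int
    df: bool
    options: str


def apply_personality(reply: SynAck, personality: str) -> SynAck:
    """The engine's job: before a reply leaves the honeypot, overwrite the
    fields that identify the real TCP/IP stack with the values the chosen
    personality would have produced."""
    fp = FINGERPRINTS[personality]
    return replace(reply, ttl=fp.ttl, window=fp.window, df=fp.df, options=fp.options)


def transit(reply: SynAck, hops: int) -> SynAck:
    """Every router on the path decrements the IP TTL by one."""
    if hops >= reply.ttl:
        raise ValueError("packet would expire in transit")
    return replace(reply, ttl=reply.ttl - hops)


def guess_os(observed: SynAck) -> Optional[str]:
    """Toy of the matching a fingerprinting tool performs: round the observed
    TTL up to the nearest common initial value (64/128/255), then require the
    remaining fields to match a fingerprint exactly."""
    initial_ttl = next(t for t in (64, 128, 255) if observed.ttl <= t)
    for name, fp in FINGERPRINTS.items():
        if (fp.ttl, fp.window, fp.df, fp.options) == (
            initial_ttl, observed.window, observed.df, observed.options
        ):
            return name
    return None


# Constructed: the SYN/ACK the Honeyd host's own (Linux-like) stack would send.
NATIVE_REPLY = SynAck(ttl=64, window=5840, df=True, options="MSTNW")


def demo(personality: str = "Windows XP SP1 (constructed)", hops: int = 12) -> tuple:
    """Return (guess without the engine, guess with the engine) as seen 12 hops away."""
    before = guess_os(transit(NATIVE_REPLY, hops))
    after = guess_os(transit(apply_personality(NATIVE_REPLY, personality), hops))
    return before, after


if __name__ == "__main__":
    print(demo())  # ('Linux 2.4 (constructed)', 'Windows XP SP1 (constructed)')
```

The real engine must also keep the rewritten fields consistent across a whole connection (sequence numbers, window scaling, option echoes), which this model leaves out; the slide's point is only that the rewrite happens on every outgoing packet, before it reaches the network.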
  • 11. ROUTING TOPOLOGY. Honeyd simulates virtual network topologies:
    - Some honeypots are also configured as routers
    - Latency and loss rate are configured for each edge
    - Network tunneling and traffic redirection are supported
  • 12. HOW TO CONFIGURE. Each virtual honeypot is configured with a template. Commands:
    - create: creates a new template
    - set: assigns a personality (fingerprint database entry) to a template and specifies the default behavior of the network protocols: block (all packets dropped), reset (all ports closed by default) or open (all ports open by default)
    - add: specifies the available services
    - proxy: used for connection forwarding
    - bind: assigns a template to a specific IP address
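The two slides above list the configuration commands and the routing features without showing them together. The fragment below is an added example for this transcript, not a configuration taken from the paper or from the Honeyd distribution; it follows the command syntax the slides name (create, set, add, proxy, bind, route). The addresses, the script paths and the personality names are assumptions: the personality strings must exist in the Nmap fingerprint file that Honeyd is started with, and the scripts must exist on the Honeyd host.

```honeyd
# Catch-all template: anything not explicitly configured drops every packet.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A workstation honeypot (assumed personality name from the Nmap fingerprint file).
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset          # unlisted ports answer with RST
set windows default udp action reset
add windows tcp port 80 "sh scripts/web.sh"   # assumed service script path
add windows tcp port 139 open                 # accept the connection, no service emulation
add windows tcp port 22 proxy 10.0.0.2:22     # forward SSH to another host (assumed address)

# A router honeypot that also forms the virtual topology.
create router
set router personality "Cisco 1601R router running IOS 12.1(5)"
set router default tcp action reset
add router tcp port 23 "perl scripts/router-telnet.pl"

# Topology: traffic for 10.0.0.0/16 enters at 10.0.0.1, which links the
# 10.0.0.0/24 segment directly and reaches 10.1.0.0/24 through a second
# router with an emulated 55 ms latency and 10% packet loss on that edge.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/24 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# Assign templates to addresses; unbound addresses fall back to "default".
bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.0.0.10 windows
bind 10.1.0.20 windows
```

Because the default template blocks everything, an address that was bound by mistake exposes nothing; the reset default on the two real templates is what makes a scan see closed ports rather than a black hole, which is the behaviour a fingerprinting tool expects from a live host.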
  • 13. LOGGING. Honeyd supports several ways of logging network activity:
    - Honeyd creates connection logs that report attempted and completed connections for all protocols
    - Honeyd can be run in conjunction with a NIDS
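The slide says the connection log reports attempted and completed connections; what a defender does with it is summarize per source. The script below is an added example for this transcript, not a tool shipped with Honeyd. The sample lines are constructed to resemble Honeyd's connection log (timestamp, protocol, an S/E/- event flag for connection start, connection end or single packet, source and destination address and port, optional byte counts after a colon, and an optional passive-OS guess in brackets); the exact field layout is an assumption made for the example, so the regular expression would need adjusting against a real log file.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample log: one completed web connection from 203.0.113.9 and a
# burst of unanswered connection attempts to many ports from 198.51.100.7.
SAMPLE_LOG = """\
2004-03-05-10:01:12.8237 tcp(6) S 203.0.113.9 4321 192.168.1.10 80 [Windows XP SP1]
2004-03-05-10:01:13.1125 tcp(6) E 203.0.113.9 4321 192.168.1.10 80: 240 1820
2004-03-05-10:01:20.0042 udp(17) - 198.51.100.7 53211 192.168.1.10 53: 62
2004-03-05-10:01:21.3300 tcp(6) S 198.51.100.7 40001 192.168.1.10 21
2004-03-05-10:01:21.3401 tcp(6) S 198.51.100.7 40002 192.168.1.10 22
2004-03-05-10:01:21.3502 tcp(6) S 198.51.100.7 40003 192.168.1.10 23
2004-03-05-10:01:21.3603 tcp(6) S 198.51.100.7 40004 192.168.1.10 25
2004-03-05-10:01:21.3704 tcp(6) S 198.51.100.7 40005 192.168.1.10 110
2004-03-05-10:01:21.3805 tcp(6) S 198.51.100.7 40006 192.168.1.10 443
"""

# Assumed line shape (see lead-in); unknown lines are skipped, not guessed at.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>[a-z]+)\((?P<num>\d+)\) (?P<flag>[SE-]) "
    r"(?P<src>[\d.]+) (?P<sport>\d+) (?P<dst>[\d.]+) (?P<dport>\d+)"
    r"(?::\s*(?P<bytes>[\d ]+))?(?:\s*\[(?P<os>[^\]]+)\])?\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line into a dict, or return None for an unrecognized line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    rec["bytes"] = [int(b) for b in rec["bytes"].split()] if rec["bytes"] else []
    return rec


def summarize(log_text: str) -> Dict[str, dict]:
    """Per source address: connections attempted (S), completed (E), single
    packets (-), distinct (protocol, port) pairs touched, last OS guess seen."""
    per_src: Dict[str, dict] = defaultdict(
        lambda: {"attempted": 0, "completed": 0, "packets": 0, "ports": set(), "os": None}
    )
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["attempted"] += int(rec["flag"] == "S")
        s["completed"] += int(rec["flag"] == "E")
        s["packets"] += int(rec["flag"] == "-")
        s["ports"].add((rec["proto"], rec["dport"]))
        s["os"] = rec["os"] or s["os"]
    return dict(per_src)


def probable_scanners(summary: Dict[str, dict], min_ports: int = 5) -> List[str]:
    """Sources that touched many distinct ports and completed fewer than half of
    their attempted connections: the trace a port scan leaves in a honeypot log."""
    return sorted(
        src for src, s in summary.items()
        if len(s["ports"]) >= min_ports and s["completed"] < s["attempted"] / 2
    )


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, s in sorted(summary.items()):
        print(src, s["attempted"], s["completed"], len(s["ports"]), s["os"])
    print("probable scanners:", probable_scanners(summary))
```

Since nothing legitimate should contact a honeypot at all, the threshold in probable_scanners is deliberately low; on a production Honeyd deployment every source in this summary is worth a look, and the port count only orders them.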
  • 14. APPLICATIONS
    - Network decoys
    - Spam prevention
  • 15. CONCLUSION. Honeyd has many advantages over a NIDS:
    - Collects more useful information
    - Detects vulnerabilities that are not yet understood
    - Less likely to produce false positives
    - Fools fingerprinting tools
    - Provides effective network decoys
    - Helps detect and immunize against new worms
    - Helps with spam prevention
  • 16. WEAKNESSES
    - Interaction is limited to the network level
    - Does not simulate the whole OS, so adversaries never gain full access to a system
    - Limited number of simulated services and protocols
    - What if the worm is smart enough to cheat us? Then Honeyd itself becomes a target for attackers.
  • 17. HOW TO IMPROVE
    - Combine Honeyd with high-interaction virtual honeypots using User Mode Linux or VMware, for better forensic analysis of the attacker
    - Fool more fingerprinting tools, e.g. p0f, which passively analyzes network traffic
    - Simulate more services and protocols, e.g. with a better TCP state machine
  • 18. THANK YOU!