Evangelos Markatos, FORTH
http://www.fp6-noah.org
NoAH: A Network of Affined Honeypots:
Current State and Collaboration Opportunities
Evangelos Markatos
Institute of Computer Science (ICS)
Foundation for Research and Technology – Hellas (FORTH)
Crete, Greece
The NoAH project
Roadmap
• The problem:
  – The trust that we used to place in our network is slowly eroding away
• We are being attacked
  – Viruses, worms, Trojans and keyboard loggers continue to plague our computers
• What do people say about this?
  – Europe: ENISA
  – USA: PITAC
• What can be done? The NoAH approach
  – Understand
    • mechanisms and causes of cyberattacks
  – Automate
    • detection of, fingerprinting of, and reaction to cyberattacks
• Summary and Conclusions
The erosion of trust on the Internet
• We used to trust the computers we interacted with on the Internet
  – Not any more…
  – Address bar spoofing: do you know that the web server http://www.paypal.com is the real one?
• We used to trust our network
  – Not any more…
  – Our network is the largest source of all attacks
• We used to trust our own computer
  – Not any more… (keyboard loggers can easily get all our personal information)
The erosion of trust on the Internet
• We used to trust our own eyes with respect to the content we were viewing on the Internet
  – Not any more…
  – Phishing: sophisticated social engineering
    • Attackers send users email
    • On behalf of a legitimate sender (e.g. a bank)
    • Inviting them to sign up for a service
    • When users click they are asked to give their password
    • Users think they give their password to a bank
    • But it ends up in the attacker’s database
A sophisticated phishing attack: Setting the stage
• Attackers send email inviting Bank of America customers to change their address on-line
A phishing attack: hiding the tracks
• The Bank of America web site opens in the background
• A pop-up window (from www.bofalert.com!) requests user name and password
[Figure: screenshot of the legitimate web site with the attacker’s pop-up window in front of it]
The boiling cauldron of Security
• Security on the Internet is getting increasingly important
  – Worms, viruses and Trojans continue to disrupt our everyday activities
  – Spyware and backdoors continue to steal our credit card numbers and our passwords, and to snoop into our private lives
  – Keyboard loggers can empty our bank accounts if they choose to do so
It used to be a problem of PCs
• Not any more…
• PocketPC virus:
  – Duts
• Mobile phone virus:
  – Cabir
  – Infects the Symbian operating system
Mobile phone viruses: The Mosquitos virus
• Mosquitos virus:
  – Attaches itself to an illegal copy of the “Mosquitos” game
  – Once installed it starts sending potentially expensive SMS messages to premium numbers
  – “Free to download” but “expensive to play”
The CommWarrior Worm
• Two ways to replicate:
  – Searches for nearby phones
    • Via Bluetooth
  – Finds the owner’s telephone number list
    • Sends MMS messages with copies of itself
    • Using random names
      – Difficult to filter out
How much does it cost?
• Financial cost: worms cost billions of euros in lost productivity
  – CodeRED worm: $2.6 billion
  – Slammer: $1.2 billion
  – LoveLetter virus: $8.8 billion
• Could cyberattacks lead to loss of life?
  – What if medical equipment gets infected by a worm?
    • Wrong diagnosis? Wrong treatment?
  – What if a car gets infected by a worm?
    • Could this lead to a fatal car crash?
• How about critical infrastructures?
• What if a nuclear power plant gets infected?
  – Would this lead to failure of safety systems?
  – Is this possible?
How much does it cost?
• Worms have penetrated nuclear power plants.
• “The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours” (SecurityFocus News)
• Luckily no harm was done
  – The reactor was not operating at that time
  – There was a fall-back analog monitoring system
• Will we be so lucky next time?
What do people say about this? ENISA
• ENISA: European Network and Information Security Agency
• PSG: Permanent Stakeholders Group
• Vision Document
ENISA Vision
• “The longer-term impact of … worm compromised hosts is likely to be greater in total than at present”
• “… Organized Crime and terrorists … introduce a level of sophistication and funding of (cyber)attacks that is far beyond what we have commonly seen in the previous 20 years of cyber security”
  – ENISA PSG
• i.e. things are bad and are going to get worse!
What does the community say about this? What should we do?
• Feb. 2005
• President’s Information Technology Advisory Committee (in U.S.)
• Cyber-Security Sub-committee
  – David Patterson, UC Berkeley
  – Tom Leighton, MIT
  – and several others
Cyber-security Report
• Provide expert advice
  – in IT security
Research Priorities Identified
• They identified 10 research priorities
• We should do research in:
  – Global-scale monitoring (for cyber-attacks)
  – Real-time data collection, storage and analysis (for cyberattacks)
  – Automated (cyberattack) discovery from monitoring data
  – Developing forensic-friendly architectures
• To summarize: monitor for cyber-attacks and detect them early
NoAH
• In NoAH we do just that:
  – We design and prototype an infrastructure to
    • monitor for cyber threats
    • detect them as early as possible
    • fingerprint them
• We do that based on honeypot technology
What is a honeypot?
• An “undercover” computer
  – which has no ordinary users
  – which provides no regular service
    • or a few selected services if needed
  – It just waits to be attacked…
• Its value lies in being compromised
  – or in being exploited, scanned, etc.
• Honeypots are an “easy” target
  – but a heavily monitored one
• If attacked, they log as much information as possible
When was a honeypot first used?
• First widely publicized use: The Cuckoo’s Egg
  – by Cliff Stoll
• Cliff Stoll noticed a 75-cent accounting error in the computer he managed
  – This led Cliff to discover an intruder named “Hunter”
  – Instead of shutting “Hunter” out, Cliff started to study him
  – He connected the modem lines to a printer
  – He created dummy “top-secret” directories to “lure” “Hunter” into coming back
  – He was paged every time “Hunter” was in
  – He traced “Hunter” to a network of hackers
    • paid in cash and drugs, and
    • reporting directly to the KGB
How do we receive attacks?
• Three types of sensors:
  – Traditional honeypots that wait to be attacked
  – Collaborating organizations that install low-interaction honeypots and forward “interesting” attacks to the NoAH core
  – Honey@Home: a “screensaver” that forwards all unwanted traffic to NoAH
• Unwanted traffic is received at
  – unused IP addresses
  – unused TCP/UDP ports
The NoAH architecture
[Figure: NoAH architecture diagram. Labelled components: Internet; a Participating Organization running a Low-interaction Honeypot, connected to the NoAH core by a Tunnel; Honey@home clients, connected to the NoAH core over an Anonymous path; inside the NoAH core, Funnels feeding Low-interaction Honeypots, which hand off to High-interaction Honeypots]
Traditional Honeypots
• A low-interaction honeypot listening to a single IP address of the dark space
  – Filters out unwanted traffic
    • which is not part of an attack
• High-interaction honeypots for providing responses
[Figure: the NoAH core, with a Low-interaction Honeypot facing the Internet and a High-interaction Honeypot behind it]
How about limited address space?
• The number of “traditional” honeypots is usually limited
• They cover a small percentage of the IP address space
• Problem: they may see an attack too late
• Solution: monitor dark space
• What is dark IP address space?
  – Unused IP addresses
  – IP addresses not associated with any computer
  – Some organizations (e.g. universities) have lots of dark IP address space
• Assign portions of dark space to this limited number of honeypots
• Funnel: map the dark space to a single or a few IP addresses
Funneling
[Figure: Funneling. Traffic arriving from the Internet for addresses in the dark block 11.12.0.0/16 (for example 11.12.15.1, 11.12.15.2, 11.12.15.3, 11.12.15.4 and 11.12.15.5) is funneled to the single address 11.12.1.1 of the Low-interaction Honeypot in the NoAH core, which hands off to the High-interaction Honeypot]
Monitoring Dark Space of Cooperating Organizations
[Figure: a Participating Organization’s Low-interaction Honeypot sends traffic through a Tunnel across the Internet to the Funnel and High-interaction Honeypot in the NoAH core]
• So, where are we going to find the dark space?
• Collaborating organizations
• Organizations may participate in NoAH but lack the ability to maintain a honeypot
• Packets targeting the organization’s black space are tunneled to the honeypots of the NoAH core
http://www.honeyathome.org
Honey@Home
• Honey@Home: a honeypot daemon
  – Runs at home (or at a small office)
  – Runs in the background and sends all the traffic from the dark space to the NoAH core for processing
  – Dark space:
    • Unused IP addresses
    • Internal IP addresses
    • Unused ports (or a selected subset of them)
  – Attackers think they communicate with a home computer but actually talk with honeypots at the NoAH core
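The funnel slide and the Honey@Home dark-space definition above describe the same classification decision: a packet is "unwanted" if it targets an address nobody uses, or a port that the live host at that address never serves, and such packets are redirected to a honeypot while the honeypot's replies are made to appear to come from the probed address. The following Python is an added illustration, not NoAH, honeyd or Honey@Home code; the block 11.12.0.0/16 and the honeypot address 11.12.1.1 are taken from the funneling figure, the live host and the probe packets are constructed sample input, and the Packet and Funnel classes are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str      # source IP
    sport: int    # source port
    dst: str      # destination IP
    dport: int    # destination port


@dataclass
class Funnel:
    """Maps one monitored address block onto a single honeypot address (hypothetical class)."""
    monitored: ipaddress.IPv4Network                  # 11.12.0.0/16 in the slide's figure
    honeypot: ipaddress.IPv4Address                   # 11.12.1.1 in the slide's figure
    live_hosts: dict = field(default_factory=dict)    # live IP -> set of ports it really serves
    sessions: dict = field(default_factory=dict)      # (attacker IP, attacker port) -> probed dark IP

    def is_dark(self, dst: str, dport: int) -> bool:
        addr = ipaddress.IPv4Address(dst)
        if addr not in self.monitored or addr == self.honeypot:
            return False                               # not ours to decide, or the honeypot itself
        served = self.live_hosts.get(dst)
        if served is None:
            return True                                # unused IP address: nobody lives here
        return dport not in served                     # live host, but a port it never listens on

    def inbound(self, pkt: Packet) -> Packet:
        """Rewrite a probe of dark space toward the honeypot; pass legitimate traffic untouched."""
        if not self.is_dark(pkt.dst, pkt.dport):
            return pkt
        self.sessions[(pkt.src, pkt.sport)] = pkt.dst  # remember which dark address was probed
        return Packet(pkt.src, pkt.sport, str(self.honeypot), pkt.dport)

    def outbound(self, pkt: Packet) -> Packet:
        """Honeypot reply: restore the probed dark address as source so the sender sees what it expects."""
        probed = self.sessions.get((pkt.dst, pkt.dport))
        if pkt.src != str(self.honeypot) or probed is None:
            return pkt
        return Packet(probed, pkt.sport, pkt.dst, pkt.dport)


def demo():
    # Constructed sample: one real host in the block serving SSH and HTTP; everything else is dark.
    funnel = Funnel(ipaddress.IPv4Network("11.12.0.0/16"),
                    ipaddress.IPv4Address("11.12.1.1"),
                    live_hosts={"11.12.0.10": {22, 80}})
    probes = [
        Packet("198.51.100.7", 40001, "11.12.15.3", 445),   # unused address -> funneled
        Packet("198.51.100.7", 40002, "11.12.0.10", 3389),  # live host, unused port -> funneled
        Packet("198.51.100.7", 40003, "11.12.0.10", 80),    # the real web server -> untouched
        Packet("198.51.100.7", 40004, "203.0.113.9", 80),   # outside the monitored block -> untouched
    ]
    delivered = [funnel.inbound(p) for p in probes]
    # The honeypot answers the first probe; the reply must carry the probed address, not 11.12.1.1.
    reply = funnel.outbound(Packet("11.12.1.1", 445, "198.51.100.7", 40001))
    return delivered, reply


if __name__ == "__main__":
    for p in demo()[0]:
        print(p)
    print("reply:", demo()[1])
```

The same `is_dark` test is what a Honey@Home client would apply to its own unused ports and internal addresses before forwarding; the session table is what lets the honeypot's answer be sent back under the address that was actually probed.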
Honey@Home
• Empower the people
  – to help us fight cyberattacks
• With minimal installation overhead
• Minimal runtime overhead
• Appropriate for small organizations
  – who want to contribute
  – but do not have the technical knowledge
    • to install/maintain a full-fledged honeypot
Honey@Home illustrated
[Figure: a Honey@home client reaches the NoAH core (Low-interaction Honeypot and High-interaction Honeypot) across the Internet over an Anonymous path]
Screenshots
[Screenshots of the Honey@Home setup dialogs: “Select network interface”, “Create a virtual interface”, “Get a static IP” / “Get an IP through DHCP”]
In Closing…
• Today, May 17th, is World Telecommunication Day 2006 (WTD)
  – Commemorates the founding of the ITU
  – WTD 2006 is dedicated to “Promoting Global Cybersecurity”
WTD 2006: Promoting Global Cybersecurity
In Closing…
• Let us take this opportunity
  – of the World Telecommunication Day
  – dedicated to promoting global cybersecurity
  – and promote cybersecurity
    • by promoting awareness
    • by empowering people to contribute and make a difference
    • by empowering small organizations
• Let me take this opportunity
  – to promote cybersecurity
    • by giving the podium to the distinguished security researchers who honor us with their presence
  – My deepest thanks to all of you
    • who came to talk, and
    • who came to attend
  – My deepest thanks to
    • FP6 DG-Research, who invested the resources and co-funded this project
The boiling cauldron of Security
• Viruses
  – Programs that attach themselves to legitimate applications. Once the legitimate applications start running, the virus starts running as well.
  – They also attach themselves to email messages
  – “Slow-spreading”: they need user intervention (i.e. a “click”) to run
• Worms
  – Self-replicating programs
  – They do not need our help to replicate
  – How do they do it?
    • They find a vulnerable server
    • Trigger a bug in its code, hijack its execution thread, and
    • compromise the server
  – They can infect tens of thousands of computers in minutes
    • Humans have no time to react; they just clean up after the attack is over
The boiling cauldron of Security
• Backdoors
  – Worms install “backdoors” in the compromised computers
  – e.g. create a new account with login “smith” and password “me”
  – The attacker can now enter the compromised computer as “smith”
• Keyboard loggers
  – They log every key typed on the keyboard
    • Credit card numbers, bank accounts,
    • Passwords,
    • Personal email
    • Confidential information
  • They can
    – Empty bank accounts
    – Read and forward email messages
    – Change the victim’s personal data
    – Reveal financial and personal secrets
    – Destroy a person both socially and financially
Honey@Home
• There exists unused IP address space
  – Large universities and research centers
  – Organizations and private companies
  – Public domain bodies
  – Upscale home users
  – NAT-based home networks
    • 192.168.*.*
• There exists unused IP port space
  – Not all computers use all 64K ports
  – Several of them do not even use port 80
NoAH partners
• Research organizations
  – ICS-FORTH, Greece
  – Vrije University, The Netherlands
  – ETHZ, Switzerland
• ISPs, CERTs, associations
  – DFN-CERT, Germany
  – FORTHnet, Greece
  – TERENA, The Netherlands
• Industrial partners
  – ALCATEL, France
  – Virtual Trip, Greece
Challenges
• We cannot trust clients
  – Anyone will be able to set up honey@home
• Clients must not know the address of the honeypots
  – Honeypots may become victims of flooding
• Addresses of clients must also remain hidden
  – An attacker could use their black space for flooding
  – Or blacklist them to make the NoAH core blind
• Computer-based mass installation of mock-up honey@home clients should be prevented
Hiding honeypots and clients
• Use of an anonymous communication system
• Onion routing is an attractive solution
  – Prevents eavesdropping attacks
  – Based on a set of centralized nodes (onion routers)
  – Even when a router is compromised, privacy is preserved
• Tor, an implementation of second-generation onion routing
  – Installs only a SOCKS proxy on the client side
How onion routing works (1/2)
[Figure: Alice sends to Bob through a cloud of onion routers (R); the chosen path is R1 → R2 → R3 → R4 → Bob]
• Sender chooses a random sequence of routers
  – Some routers are honest, some controlled by the attacker
  – Sender controls the length of the path
How onion routing works (2/2)
[Figure: Alice → R1 → R2 → R3 → R4 → Bob. The message Alice sends is layered as follows; each { … }k_i contains the line below it:]
{R2,k1}pk(R1), { … }k1
{R3,k2}pk(R2), { … }k2
{R4,k3}pk(R3), { … }k3
{B,k4}pk(R4), { … }k4
{M}
• Routing info for each link is encrypted with the router’s public key
• Each router learns only the identity of the next router
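To make the layered construction on this slide concrete, here is an added Python simulation of building and peeling the onion; it is not Tor code and not from the NoAH project. The slide's public-key wrapping {R_{i+1}, k_i}pk(R_i) and the session-key layers { … }k_i are both stood in for by a toy XOR stream cipher keyed by per-router secrets (an assumption made so the example runs offline with the standard library; it is not secure and only models who can open which layer). Router names, the path and the message are constructed sample input.

```python
import hashlib
import json
import os
import struct


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Toy XOR stream cipher standing in for both {..}pk(R) and {..}k. Illustration only, NOT secure.
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the same keystream undoes itself


def build_onion(path, router_keys, destination, message):
    """Wrap `message` in one layer per router; the innermost (R4's) layer is built first."""
    hops = path + [destination]
    session_keys = {r: os.urandom(16) for r in path}   # k1..k4 in the slide's notation
    packet = message                                   # {M}: what Bob finally receives
    for i in reversed(range(len(path))):
        r = path[i]
        header = json.dumps({"next": hops[i + 1], "k": session_keys[r].hex()}).encode()
        wrapped = toy_encrypt(router_keys[r], header)  # {next, k_i}pk(R_i): only R_i can open it
        body = toy_encrypt(session_keys[r], packet)    # { ... }k_i
        packet = struct.pack(">H", len(wrapped)) + wrapped + body
    return packet


def peel(router, router_keys, packet):
    """What router R_i does: open its own header, learn k_i and the next hop, strip one layer."""
    hlen = struct.unpack(">H", packet[:2])[0]
    try:
        header = json.loads(toy_decrypt(router_keys[router], packet[2:2 + hlen]))
        k = bytes.fromhex(header["k"])
        nxt = header["next"]
    except (ValueError, KeyError, TypeError):          # wrong key: the header is garbage, not JSON
        return None, None
    return nxt, toy_decrypt(k, packet[2 + hlen:])


def route(path, router_keys, destination, message):
    """Forward along the path. Returns each router's view (previous hop, itself, next hop) and Bob's message."""
    packet = build_onion(path, router_keys, destination, message)
    views, prev = [], "Alice"
    for r in path:
        nxt, packet = peel(r, router_keys, packet)
        views.append((prev, r, nxt))
        prev = r
    return views, packet


# Constructed stand-in for each router's key pair: only the router itself holds this secret.
PATH = ["R1", "R2", "R3", "R4"]
ROUTER_KEYS = {r: os.urandom(32) for r in PATH}

if __name__ == "__main__":
    views, delivered = route(PATH, ROUTER_KEYS, "Bob", b"hello Bob")
    for prev, me, nxt in views:
        print(f"{me}: received from {prev}, forwards to {nxt}")
    print("Bob receives:", delivered)
```

Each router's view tuple is the whole of what it learns: the hop before it and the hop after it, never Alice's relation to Bob. Peeling the outer layer with any key other than R1's fails, which is the property the slide summarises as "each router learns only the identity of the next router".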
Hidden services
• In the previous examples, Alice needed to know the address of Bob
  – That is, the client needs to know the address of the honeypots
• Tor offers hidden services
  – Clients only need to know an identifier for the hidden service
  – This identifier is a DNS name of the form “xyz.onion”
  – “.onion” is routable only through Tor
Creating a Location Hidden Server
• Server creates onion routes to “introduction points”
• Server gives the intro points’ descriptors and addresses to the service lookup directory
• Client obtains the service descriptor and intro point address from the directory
Using a Location Hidden Server
• Client creates an onion route to a “rendezvous point”
• Client sends the address of the rendezvous point and any authorization, if needed, to the server through the intro point
• If the server chooses to talk to the client, it connects to the rendezvous point
• The rendezvous point mates the circuits from client and server
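The two slides above describe one exchange: directory publication, introduction and rendezvous. The Python below is an added message-level simulation of that exchange, written for this page; it is not Tor's implementation and omits the onion circuits themselves (every hop here is a direct method call). The node names, the identifier "xyz.onion", the authorization token and the server's real address are constructed sample values. What the simulation lets you check is the property the slides are after: the client completes a session with the service while never handling the server's real address, and a server that declines the introduction never joins the rendezvous circuit.

```python
import os


class Directory:
    """Service lookup directory: an onion identifier maps to intro points, never to the server's address."""
    def __init__(self):
        self.descriptors = {}

    def publish(self, onion_id, intro_point_names):
        self.descriptors[onion_id] = list(intro_point_names)

    def lookup(self, onion_id):
        return list(self.descriptors.get(onion_id, []))


class IntroPoint:
    def __init__(self, name):
        self.name, self.server = name, None

    def register(self, server):          # the server reaches the intro point over its own onion route
        self.server = server

    def introduce(self, rendezvous, cookie, auth):
        return self.server is not None and self.server.on_introduce(rendezvous, cookie, auth)


class RendezvousPoint:
    def __init__(self, name):
        self.name, self.circuits = name, {}   # cookie -> {"client": node, "server": node}

    def attach(self, cookie, role, node):
        self.circuits.setdefault(cookie, {})[role] = node

    def mated(self, cookie):
        return {"client", "server"} <= set(self.circuits.get(cookie, {}))

    def relay(self, cookie, sender_role, data):
        if not self.mated(cookie):
            raise RuntimeError("circuits not mated")
        peer = "server" if sender_role == "client" else "client"
        return self.circuits[cookie][peer].receive(data)


class HiddenServer:
    def __init__(self, real_address, required_auth=None):
        self.real_address = real_address  # kept private: appears in no message below
        self.required_auth = required_auth
        self.received = []

    def create(self, directory, intro_points, onion_id):
        for ip in intro_points:
            ip.register(self)
        directory.publish(onion_id, [ip.name for ip in intro_points])

    def on_introduce(self, rendezvous, cookie, auth):
        if self.required_auth is not None and auth != self.required_auth:
            return False                  # the server chooses not to talk to this client
        rendezvous.attach(cookie, "server", self)
        return True

    def receive(self, data):
        self.received.append(data)
        return b"ack:" + data


class Client:
    def __init__(self, network):
        self.network = network            # name -> node: the only addresses the client ever resolves
        self.contacted = set()

    def connect(self, directory, onion_id, rendezvous, auth=None):
        intro_names = directory.lookup(onion_id)
        if not intro_names:
            return None
        intro = self.network[intro_names[0]]
        cookie = os.urandom(8).hex()      # rendezvous cookie identifying this circuit pair
        rendezvous.attach(cookie, "client", self)
        self.contacted.update({intro.name, rendezvous.name})
        return cookie if intro.introduce(rendezvous, cookie, auth) else None

    def receive(self, data):
        return data


def demo(auth_offered):
    directory = Directory()
    ip1, ip2, rp = IntroPoint("intro-1"), IntroPoint("intro-2"), RendezvousPoint("rendezvous-7")
    network = {n.name: n for n in (ip1, ip2, rp)}
    server = HiddenServer("10.0.0.5 (constructed real honeypot address)", required_auth="token-1234")
    server.create(directory, [ip1, ip2], "xyz.onion")
    client = Client(network)
    cookie = client.connect(directory, "xyz.onion", rp, auth=auth_offered)
    if cookie is None:
        return {"mated": False, "reply": None, "leaked": False}
    reply = rp.relay(cookie, "client", b"hello")
    leaked = (server.real_address in client.contacted
              or server.real_address in str(directory.descriptors))
    return {"mated": rp.mated(cookie), "reply": reply, "leaked": leaked}


if __name__ == "__main__":
    print(demo("token-1234"))
    print(demo("wrong-token"))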
Hidden services in action
• We created a hidden service that actually forwards to Google.com
Shielding Tor against attacks
• Onion routing is subject to timing attacks
  – If the attacker has compromised the first and last routers of the path, then she can perform correlation
• Solution: the client sets itself as the first router
  – Tor clients can also act as routers
• The honeypot can also set up a trusted first router
• Then neither end of the path is controlled by the attacker
Preventing automatic installation
• Goal: prevent an attacker from deploying clients in its subnet
• CAPTCHAs as a proposed solution
  – Instruct the human to solve a visual puzzle
  – The puzzle cannot be recognized by a computer
  – The puzzle can also be an audio clip
Enhancing CAPTCHAs
• An attacker may post the image to his site and use visitors to solve it
• Adding animation to avoid “CAPTCHA laundering”
• The user clicks on the correct (animated) answer and her IP address is bound to the registration
  – Animation prevents users from providing static responses, like “I clicked the upper left corner”
• Flash is a possible technology we can use
  – Obfuscation as an extra security step
[Figure: sample animated CAPTCHA, “Click the apple!”]
Funneling (3/3)
• farpd to collect IP addresses
  – Does not work well with some old routers (limit of ARP entries per interface); solved in all modern routers
• Router configuration to forward black space to honeypots
  – No need for ARP
• Funneling has no overhead
  – Honeyd organizes addresses in a splay tree
  – We tested emulating /24, /16 and /8 subnets without any noticeable difference in performance
Tunneling
• OpenVPN 2.0 as tunnel software
• Encrypted channel, supports packet compression
• Easy configuration
• We measured tunneling overhead in our local testbed
  – Around 20% for two machines in a 100 Mbit/s LAN
• In progress: documentation for setting up the tunnel and configuration options