Evangelos Markatos, FORTH [email protected] NoAH: A Network of Affined Honeypots : Current State...


Page 1: Evangelos Markatos, FORTH, info@fp6-noah.org. NoAH: A Network of Affined Honeypots: Current State and Collaboration Opportunities.

Evangelos Markatos, FORTH

http://www.fp6-noah.org

info@fp6-noah.org

NoAH: A Network of Affined Honeypots:

Current State and Collaboration Opportunities

Evangelos Markatos, Institute of Computer Science (ICS)

Foundation for Research and Technology – Hellas (FORTH), Crete, Greece

The NoAH project

Page 2:

Roadmap

• The problem:
  – The trust that we used to place on our network is slowly eroding away
  – We are being attacked
    • Viruses, Worms, Trojans, keyboard loggers continue to plague our computers
• What do people say about this?
  – Europe – ENISA
  – USA – PITAC
• What can be done? The NoAH approach
  – Understand
    • mechanisms and causes of cyberattacks
  – Automate
    • Detection of, fingerprinting of, and reaction to cyberattacks
• Summary and Conclusions

Page 3:

The erosion of trust on the Internet

• We used to trust computers we interacted with on the Internet
  – Not any more…
• Address bar spoofing:
  – Do you know that the web server http://www.paypal.com is the real one?
• We used to trust our network
  – Not any more…
  – Our network is the largest source of all attacks
• We used to trust our own computer
  – Not any more… (keyboard loggers can easily get all our personal information)

Page 4:

The erosion of trust on the Internet

• We used to trust our own eyes with respect to the content we were viewing on the Internet
  – Not any more…
  – Phishing: sophisticated social engineering
    • Attackers send users email
    • On behalf of a legitimate sender (e.g. a bank)
    • Inviting them to sign up for a service
    • When users click they are requested to give their password
    • Users think they give their password to a bank
    • But it ends up in the attacker’s database

Page 5:

A sophisticated phishing attack: Setting the stage

• Attackers send email inviting Bank of America customers to change their address on-line

Page 6:

A phishing attack: hiding the tracks

• Bank of America web site opens in the background
• Pop-up window (from www.bofalert.com!) requests user name and password

[Figure: screenshot of the legitimate web site with the pop-up window in front of it]

Page 7:

The boiling cauldron of Security

• Security on the Internet is getting increasingly important
  – Worms, Viruses, and Trojans continue to disrupt our everyday activities
  – Spyware and backdoors continue to steal our credit card numbers, our passwords, and snoop into our private lives
  – Keyboard loggers can empty our bank accounts if they choose to do so

Page 8:

It used to be a problem of PCs

• Not any more…
• PocketPC virus:
  – Duts
• Mobile phone virus:
  – Cabir
  – Infects the Symbian operating system

Page 9:

Mobile phone viruses: The Mosquitos virus

• Mosquitos Virus:
  – Attaches itself to an illegal copy of the “Mosquitos” game
  – Once installed it starts sending potentially expensive SMS messages to premium numbers
  – “free to download” but “expensive to play”

Page 10:

The CommWarrior Worm

• Two ways to replicate:
  – Searches for nearby phones
    • Via Bluetooth
  – Finds the owner’s tel. # list
    • Sends MMS messages with copies of itself
• Using random names
  – Difficult to filter out

Page 11:

How much does it cost?

• Financial Cost: worms cost billions of euros in lost productivity
  – CodeRED Worm: $2.6 billion
  – Slammer: $1.2 billion
  – LoveLetter virus: $8.8 billion
• Could cyberattacks lead to loss of life?
  – What if a piece of medical equipment gets infected by a worm?
    • Wrong diagnosis? Wrong treatment?
  – What if a car gets infected by a worm?
    • Could this lead to a fatal car crash?
• How about Critical Infrastructures?
  • What if a Nuclear power plant gets infected?
    – Would this lead to failure of safety systems?
    – Is this possible?

Page 12:

How much does it cost?

• Worms have penetrated Nuclear Power plants.
• “The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours” (Security Focus News)
• Luckily no harm was done
  – The reactor was not operating at that time
  – There was a fall-back analog monitoring system
• Will we be so lucky next time?

Page 13:

What do people say about this? ENISA

• ENISA: European Network and Information Security Agency
• PSG: Permanent Stakeholders Group
• Vision Document

Page 14:

ENISA Vision

• “The longer-term impact of … worm compromised hosts is likely to be greater in total than at present”

• “… Organized Crime and terrorists … introduce a level of sophistication and funding of (cyber)attacks that is far beyond what we have commonly seen in the previous 20 years of cyber security”

ENISA PSG, i.e. things are bad and are going to get worse!

Page 15:

What does the community say about this? What should we do?

• Feb. 2005
• President’s Information Technology Advisory Committee (in U.S.)
• Cyber-Security Sub-committee
  – David Patterson, UC Berkeley
  – Tom Leighton, MIT
  – and several others

Page 16:

Cyber-security Report

• Provide expert advice
  – In IT security

Page 17:

Research Priorities Identified

• They identified 10 Research Priorities
• We should do Research in:
  – Global Scale Monitoring (for cyber-attacks)
  – Real-time Data collection, storage and analysis (for cyberattacks)
  – Automated (cyberattack) discovery from monitoring data
  – Develop forensic-friendly architectures

To summarize:

Monitor for cyber-attacks and detect them early

Page 18:

NoAH

• In NoAH we do just that:
  – We design and prototype an infrastructure to
    • monitor for cyber threats
    • detect them as early as possible
    • fingerprint them
• We do that based on honeypot technology

Page 19:

What is a honeypot?

• An “undercover” computer
  – which has no ordinary users
  – which provides no regular service
    • Or a few selected services if needed
  – Just waits to be attacked…
• Its value lies in being compromised
  – Or in being exploited, scanned, etc.
• Honeypots are an “easy” target
  – But heavily monitored ones
• If attacked, they log as much information as possible

Page 20:

When was a honeypot first used?

• First widely publicized use: The Cuckoo’s Egg
  – By Cliff Stoll
• Cliff Stoll noticed a 75-cent accounting error in the computer he managed
  – This led Cliff to discover an intruder named “Hunter”
  – Instead of shutting “Hunter” out, Cliff started to study him
  – He connected the modem lines to a printer
  – He created dummy “top-secret” directories to “lure” “Hunter” into coming back
  – He was paged every time “Hunter” was in
  – He traced “Hunter” to a network of hackers
    • Paid in cash and drugs and
    • Reporting directly to the KGB

Page 21:

How do we receive attacks?

• Three types of sensors:
  – Traditional honeypots which wait to be attacked
  – Collaborating organizations which install low-interaction honeypots and forward “interesting” attacks to the NoAH core
  – Honey@Home: a “screensaver” which forwards all unwanted traffic to NoAH
• Unwanted traffic received at
  – unused IP addresses
  – unused TCP/UDP ports

Page 22:

The NoAH architecture

[Figure: the NoAH architecture. The NoAH core holds low-interaction honeypots, high-interaction honeypots and a funnel; a participating organization runs its own low-interaction honeypot and funnel and reaches the NoAH core through a tunnel; Honey@home clients reach the NoAH core over an anonymous path; all are connected through the Internet.]

Page 23:

Traditional Honeypots

• Low Interaction Honeypot listening to a single IP address of the dark space
  – Filters out unwanted traffic
    • Which is not part of an attack
• High Interaction honeypots for providing responses

[Figure: NoAH core with a low-interaction honeypot facing the Internet and a high-interaction honeypot behind it]

Page 24:

How about limited address space?

• The number of “traditional” honeypots is usually limited
  • They cover a small percentage of the IP address space
  • Problem: they may see an attack too late
• Solution: Monitor dark space
• What is Dark IP Address Space?
  – Unused IP addresses
  – IP addresses not associated with any computer
  – Some organizations (e.g. Universities) have lots of Dark IP address space
• Assign portions of dark space to this limited number of honeypots
• Funnel: map the dark space to a single or a few IP addresses

Page 25:

Funneling

[Figure: Funneling. The dark space 11.12.0.0/16 is mapped by the funnel onto the single honeypot address 11.12.1.1, so packets sent to 11.12.15.1, 11.12.15.2, 11.12.15.3, 11.12.15.4 and 11.12.15.5 all arrive at the NoAH core's low-interaction honeypot, with the high-interaction honeypot behind it.]

Page 26:

Monitoring Dark Space of Cooperating Organizations

• So, where are we going to find the Dark Space?
• Collaborating Organizations
• Organizations may participate in NoAH but lack the ability to maintain a honeypot
• Packets targeting the organization’s black space are tunneled to the honeypots of the NoAH core

[Figure: a participating organization's low-interaction honeypot and funnel, with a tunnel across the Internet to the NoAH core's high-interaction honeypot]

Page 27:

The NoAH architecture

[Figure: the NoAH architecture as on page 22 (NoAH core with low- and high-interaction honeypots and funnel; participating organization with its own low-interaction honeypot, funnel and tunnel; Honey@home clients over an anonymous path), with the Honey@home site added: http://www.honeyathome.org]

Page 28:

Honey@Home

• Honey@Home: a honeypot daemon
  – Runs at home (or at a small office)
  – Runs in the background and sends all the traffic from the dark space to the NoAH core for processing
  – Dark Space:
    • Unused IP addresses
    • Internal IP addresses
    • Unused ports (or a selected subset of them)
  – Attackers think they communicate with a home computer but actually talk with honeypots at the NoAH core

http://www.honeyathome.org
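The dark-space rule described on page 24 (the funnel) and on this page (what Honey@Home forwards), as an added Python example; this is not NoAH or Honey@Home code. It takes the prefix 11.12.0.0/16 and the honeypot address 11.12.1.1 from the funneling figure and assumes a hypothetical operator-supplied table of live hosts with the ports they serve; the live hosts and the packet list are constructed sample data.

```python
"""Dark-space funnel: decide which packets a Honey@Home client or a NoAH
funnel hands to the honeypot.  Added example, not NoAH project code.
Assumption: the operator supplies the prefix it owns, the honeypot address,
and a table of live hosts with the TCP/UDP ports they really serve; any
address without a host, or any port a host does not serve, is dark space."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass
class DarkSpaceFunnel:
    prefix: ipaddress.IPv4Network            # 11.12.0.0/16 on the slide
    honeypot: IPv4                            # 11.12.1.1, where dark traffic lands
    live_hosts: Dict[IPv4, Set[int]] = field(default_factory=dict)

    def add_live_host(self, ip: str, ports: Set[int]) -> None:
        addr = IPv4(ip)
        if addr not in self.prefix:
            raise ValueError(f"{ip} is outside {self.prefix}")
        self.live_hosts[addr] = set(ports)

    def classify(self, dst_ip: str, dst_port: int) -> str:
        """One of: 'not-ours', 'dark-ip', 'unused-port', 'live'."""
        dst = IPv4(dst_ip)
        if dst not in self.prefix:
            return "not-ours"                 # not our address space at all
        if dst not in self.live_hosts:
            return "dark-ip"                  # no computer behind this address
        if dst_port not in self.live_hosts[dst]:
            return "unused-port"              # real host, but nothing listens here
        return "live"

    def route(self, dst_ip: str, dst_port: int) -> str:
        """Address the packet is delivered to after funneling."""
        kind = self.classify(dst_ip, dst_port)
        if kind in ("dark-ip", "unused-port"):
            return str(self.honeypot)         # funnel dark traffic onto the honeypot
        return dst_ip

    def dark_address_count(self) -> int:
        """How many addresses of the prefix the honeypot answers for."""
        return self.prefix.num_addresses - len(self.live_hosts)


def build_example_funnel() -> DarkSpaceFunnel:
    # Constructed sample: two live hosts inside the slide's 11.12.0.0/16 prefix.
    f = DarkSpaceFunnel(ipaddress.IPv4Network("11.12.0.0/16"), IPv4("11.12.1.1"))
    f.add_live_host("11.12.15.1", {80, 443})  # a web server
    f.add_live_host("11.12.15.2", {22})       # an SSH host
    return f


# Constructed sample traffic: (dst_ip, dst_port).
SAMPLE_PACKETS: List[Tuple[str, int]] = [
    ("11.12.15.1", 80),       # legitimate web request
    ("11.12.15.1", 445),      # probe of a port the web server does not serve
    ("11.12.15.2", 22),       # SSH to the SSH host
    ("11.12.15.3", 135),      # probe of an address nobody uses
    ("11.12.200.7", 1434),    # probe deep in the dark part of the /16
    ("10.0.0.1", 80),         # not our prefix at all
]


def summarize(funnel: DarkSpaceFunnel, packets) -> Dict[str, int]:
    """Count how the packets are classified; dark ones go to the honeypot."""
    return dict(Counter(funnel.classify(ip, port) for ip, port in packets))


if __name__ == "__main__":
    funnel = build_example_funnel()
    for ip, port in SAMPLE_PACKETS:
        print(f"{ip}:{port:<5} {funnel.classify(ip, port):<12} -> {funnel.route(ip, port)}")
    print(summarize(funnel, SAMPLE_PACKETS))
```

Only the live web and SSH packets keep their real destination; everything else in the prefix is answered by the honeypot, which is what makes probes of unused addresses and ports visible early.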

Page 29:

Honey@Home

• Empower the people
  – To help us fight cyberattacks
    • With minimal installation overhead
    • Minimal runtime overhead
• Appropriate for small organizations
  – Who want to contribute
  – But do not have the technical knowledge
    • To install/maintain a full-fledged honeypot

http://www.honeyathome.org

Page 30:

Honey@Home illustrated

[Figure: a Honey@home client on the Internet reaching the NoAH core's low-interaction and high-interaction honeypots over an anonymous path]

http://www.honeyathome.org

Page 31:

Screenshots

[Screenshots of the Honey@Home setup dialogs: select network interface; create a virtual interface; get a static IP; get an IP through DHCP]

http://www.honeyathome.org

Page 32:

In Closing…

• Today May 17th is the
  – World Telecommunication Day 2006 (WTD)
    • Commemorates the founding of the ITU
  – WTD 2006 is dedicated to
    • “Promoting Global Cybersecurity”

Page 33:

WTD 2006: Promoting Global Cybersecurity

Page 34:

In Closing…

• Let us take this opportunity
  – Of the World Telecommunication Day
  – Dedicated to promoting Global Cybersecurity
  – And promote cybersecurity
    • By promoting awareness
    • By empowering people to contribute and make a difference
    • By empowering small organizations
• Let me take this opportunity
  – To promote cybersecurity
    • By giving the podium to the distinguished Security researchers who honor us with their presence
  – My Deepest Thanks to all of you
    • who came to talk, and
    • who came to attend
  – My Deepest thanks to
    • FP6 DG-Research who invested the resources and co-funded this project

Page 35:

NoAH: A Network of Affined Honeypots:

Current State and Collaboration Opportunities

Evangelos Markatos, Institute of Computer Science (ICS)

Foundation for Research and Technology – Hellas (FORTH), Crete, Greece

The NoAH project

Page 36:

Back Up Slides

Page 37:

The boiling cauldron of Security

• Viruses
  – programs that attach themselves to legitimate applications. Once the legitimate applications start running, the virus starts running as well.
  – They also attach themselves to email messages
  – “Slow-spreading”: need user intervention (i.e. a “click”) to run
• Worms
  – Self-replicating programs
  – They do not need our help to replicate
  – How do they do it?
    • They find a vulnerable server
    • Trigger a bug in its code, hijack its execution thread and
    • They compromise the server
  – They can infect tens of thousands of computers in minutes
    • Humans have no time to react; they just clean up after the attack is over

Page 38:

The boiling cauldron of Security

• Backdoors
  – Worms install “backdoors” in the compromised computers
  – e.g. create a new account with login “smith” and password “me”
  – The attacker can now enter the compromised computer as “smith”
• Keyboard loggers
  – They log every key typed on the keyboard
    • Credit card numbers, bank accounts,
    • Passwords,
    • Personal email
    • Confidential information
  • They can
    – Empty bank accounts
    – Read and forward email messages
    – Change the victim’s personal data
    – Reveal financial and personal secrets
    – Destroy a person both socially and financially

Page 39:

Honey@Home

• There exists unused IP address space
  – Large universities and research centers
  – Organizations and private companies
  – Public domain bodies
  – Upscale home users
  – NAT-based home networks
    • 192.168.*.*
• There exists unused IP port address space
  – Not all computers use all 64K ports
  – Several of them do not even use port 80

http://www.honeyathome.org

Page 40:

NoAH partners

• Research Organizations
  – ICS-FORTH, Greece
  – Vrije University, The Netherlands
  – ETHZ, Switzerland
• ISPs, CERTs, Associations
  – DFN-CERT, Germany
  – FORTHnet, Greece
  – TERENA, The Netherlands
• Industrial Partners
  – ALCATEL, France
  – Virtual Trip, Greece

Page 41:

Challenges

• We cannot trust clients
  – Anyone will be able to set up honey@home
• Clients must not know the address of honeypots
  – Honeypots may become victims of flooding
• Addresses of clients must also remain hidden
  – An attacker can use their black space for flooding
  – Or blacklist them to make the NoAH core blind
• Computer-based mass installation of honey@home mockup clients should be prevented

Page 42:

Hiding honeypots and clients

• Use of an anonymous communication system
• Onion routing is an attractive solution
  – Prevents eavesdropping attacks
  – Based on a set of centralized nodes (onion routers)
  – Even when a router is compromised, privacy is preserved
• Tor, an implementation of second generation onion routing
  – Installs only a SOCKS proxy on the client side

Page 43:

How onion routing works (1/2)

[Figure: Alice picks the path R1, R2, R3, R4 through a larger set of onion routers R to reach Bob]

• Sender chooses a random sequence of routers
  – Some routers are honest, some controlled by the attacker
  – Sender controls the length of the path

Page 44:

How onion routing works (2/2)

[Figure: Alice sends to Bob through R1, R2, R3, R4. The layered message is

{R2,k1}pk(R1), { {R3,k2}pk(R2), { {R4,k3}pk(R3), { {B,k4}pk(R4), { {M} }k4 }k3 }k2 }k1

where {X}pk(Ri) is X encrypted with router Ri's public key and {X}ki is X encrypted with the session key ki carried in Ri's header.]

• Routing info for each link encrypted with the router’s public key
• Each router learns only the identity of the next router
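The layered message above, as an added Python example that is not NoAH or Tor code: Alice wraps M innermost-first, and each Ri can open only its own header, so it learns the next hop and nothing else. Assumptions: pk(Ri) is stood in for by a per-router secret and {X}ki by an HMAC-SHA256 keystream XOR, both labelled stand-ins rather than real public-key or production ciphers; the routers, path and message are constructed.

```python
"""Layered onion as drawn on the slide:
  {R2,k1}pk(R1), { {R3,k2}pk(R2), { {R4,k3}pk(R3), { {B,k4}pk(R4), { {M} }k4 }k3 }k2 }k1
Added example, not NoAH or Tor code.  Labelled stand-ins: pk(Ri) is modelled
by a secret only router Ri holds, and {X}k by an HMAC-SHA256 keystream XOR.
Neither is a production cipher; the layering is the point."""
import hashlib, hmac, json, os


def keystream_xor(key, data):
    """Counter-mode PRF keystream; the same call encrypts and decrypts."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))


class Router:
    def __init__(self, name):
        self.name = name
        self._secret = os.urandom(32)          # stand-in for Ri's private key

    def seal(self, header):                    # {header}pk(Ri)
        return keystream_xor(self._secret, json.dumps(header).encode())

    def open(self, blob):                      # only Ri's own secret undoes seal()
        return json.loads(keystream_xor(self._secret, blob))


def _pack(header, body):
    return len(header).to_bytes(4, "big") + header + body


def _unpack(layer):
    n = int.from_bytes(layer[:4], "big")
    return layer[4:4 + n], layer[4 + n:]


def build_onion(path, destination, message):
    """Alice wraps M innermost-first: each header names the next hop and carries
    the session key ki that protects everything inside that layer."""
    keys = [os.urandom(32) for _ in path]                  # k1 .. k4
    layer = keystream_xor(keys[-1], message)               # { {M} }k4
    for i in reversed(range(len(path))):
        next_hop = path[i + 1].name if i + 1 < len(path) else destination
        header = path[i].seal({"next": next_hop, "key": keys[i].hex()})
        if i < len(path) - 1:
            layer = keystream_xor(keys[i], layer)          # { ... }ki
        layer = _pack(header, layer)
    return layer


def peel(router, layer):
    """One hop's work: open its own header, strip one layer, learn the next hop."""
    header_blob, body = _unpack(layer)
    header = router.open(header_blob)
    return header["next"], keystream_xor(bytes.fromhex(header["key"]), body)


def can_open(router, layer):
    """True only if this router's secret opens the outer header."""
    try:
        peel(router, layer)
        return True
    except (ValueError, TypeError, KeyError):      # garbage header: wrong router
        return False


def deliver(onion, routers, first_hop):
    """Simulate the network. Returns (final recipient, plaintext, next hop each
    router saw); no router sees more than its own next hop."""
    seen, name, current = {}, first_hop, onion
    while name in routers:
        seen[name], current = peel(routers[name], current)
        name = seen[name]
    return name, current, seen


MESSAGE = b"M: constructed sample payload"   # constructed sample


def build_demo():
    routers = {n: Router(n) for n in ("R1", "R2", "R3", "R4")}
    path = [routers[n] for n in ("R1", "R2", "R3", "R4")]
    return routers, build_onion(path, "Bob", MESSAGE)
```

As on the slide, R4 strips the last layer and hands M to Bob in the clear, so the exit router sees the payload unless M is itself encrypted end to end.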

Page 45:

Hidden services

• In the previous examples, Alice needed to know the address of Bob
  – That is, the client needs to know the address of the honeypots
• Tor offers hidden services
  – Clients only need to know an identifier for the hidden service
  – This identifier is a DNS name in the form of “xyz.onion”
  – “.onion” is routable only through Tor

Page 46:

Creating a Location Hidden Server

• Server creates onion routes to “introduction points”
• Server gives intro points’ descriptors and addresses to the service lookup directory
• Client obtains service descriptor and intro point address from the directory

Page 47:

Using a Location Hidden Server

• Client creates onion route to a “rendezvous point”
• Client sends address of the rendezvous point and any authorization, if needed, to the server through the intro point
• If the server chooses to talk to the client, it connects to the rendezvous point
• Rendezvous point mates the circuits from client & server

Page 48:

Hidden services in action

• We created a hidden service that actually forwards to Google.com

Page 49:

Shielding Tor against attacks

• Onion routing is subject to timing attacks
  – If the attacker has compromised the first and last routers of the path then she can perform correlation
• Solution: client sets itself as first router
  – Tor clients can also act like routers
• Honeypot can also set up a trusted first router
• Both ends of the path are then not controlled by the attacker

Page 50:

Preventing automatic installation

• Goal: prevent an attacker from deploying clients in its subnet
• CAPTCHAs as a proposed solution
  – Instruct a human to solve a visual puzzle
  – Puzzle cannot be identified by a computer
  – Puzzle can also be an audio clip

Page 51:

Enhancing CAPTCHAs

• Attacker may post the image to his site and use visitors to solve it
• Adding animation to avoid “CAPTCHA” laundering
• User clicks on the correct (animated) answer and her IP address is bound to the registration
  – Animation prevents users from providing static responses, like “I clicked the upper left corner”
• Flash is a possible technology we can use
  – Obfuscation as an extra security step

[Figure: animated CAPTCHA sample, captioned “Click the apple!”]

Page 52:

Funneling (3/3)

• farpd to collect IP addresses
  – Does not work well with some old routers (limit of ARP entries per interface); solved in all modern routers
• Router configuration to forward black space to honeypots
  – No need for ARP
• Funneling has no overhead
  – Honeyd organizes addresses in a splay tree
  – We tested emulating /24, /16 and /8 subnets without any noticeable difference in performance

Page 53:

Tunneling

• OpenVPN 2.0 as tunnel software
• Encrypted channel, supports packet compression
• Easy configuration
• We measured tunneling overhead in our local testbed
  – Around 20% for two machines in a 100 Mbit/s LAN
• In progress: documentation for setting up the tunnel and configuration options