Monitoring hacker activity with a Honeynet‡

By Kevin Curran,*,† Colman Morrissey, Colm Fagan, Colm Murphy, Brian O’Donnell, Gerry Fitzpatrick and Stephen Condit

Copyright © 2005 John Wiley & Sons, Ltd.

International Journal of Network Management. Int. J. Network Mgmt 2005; 15: 123–134. Published online 26 January 2005 in Wiley InterScience (www.interscience.wiley.com). DOI: 10.1002/nem.549

The Honeynet Project was founded by 30 US-based security professionals with the intention of researching the techniques, tools, tactics and motives of hackers and the ‘blackhat’ community in general. The Honeynet Project is an all-volunteer, non-profit organization committed to sharing and learning the motives, tools, and tactics of the hacking community. It comprises a number of information security professionals dedicated to honeynet research and information security. This paper outlines the technical configuration of a honeynet, presents some of the key attacks on the honeynet to date and provides recommendations for securing networked systems. Copyright © 2005 John Wiley & Sons, Ltd.

Kevin Curran works at the Internet Technologies Research Group, University of Ulster, Magee Campus, Northland Road, Northern Ireland, U.K.

Colman Morrissey, Colm Fagan and Colm Murphy work at Espion Ltd, Dun Laoghaire, Co. Dublin, Ireland.

Brian O’Donnell, Gerry Fitzpatrick and Stephen Condit work at Deloitte & Touche, Earlsfort Terrace, Dublin 2, Ireland.

*Correspondence to: Kevin Curran, Internet Technologies Research Group, University of Ulster, Magee Campus, Northland Road, Northern Ireland, U.K.
†E-mail: [email protected]
‡The Irish Honeynet Project is a research initiative sponsored by professional services firm Deloitte & Touche, operated by Espion Ltd, the Irish Security Software and Services Distribution Company, and hosted by Data Electronics. For more information on the Irish Honeynet, see the Websites at http://www.espion.ie and www.deloitte.ie/honeynet

Introduction

The Irish Honeynet Project is a research project that was initiated by Espion Ltd in March 2002, in conjunction with Deloitte & Touche, whose risk management division audits the information produced by the Honeynet and jointly sponsors all costs associated with the project. The honeynet refers to a group of computers that are designed from the start to be compromised and attacked. An off-the-shelf server (typically without any particular security patches or other modifications) is placed out on the Internet, and monitoring tools are set up to record the activities of the hacking community in action, allowing us to keep abreast of their ever-changing tactics. The project has been highly successful to date and has recently been expanding at a rapid rate.

A honeypot is a system whose value comes from being probed, attacked, or compromised, usually for the purpose of detecting or alerting on ‘blackhat’ activity. Typically, honeypots have been systems that emulate other systems or known vulnerabilities, or create jailed environments. A honeynet is different from most honeypots as it is a tool for research. Its purpose is to gather information. Its two biggest design differences are:

• A honeynet is not a single system but a network. This network sits behind a filter where all inbound and outbound data are contained and captured. This information is then analysed to learn the tools, tactics, and motives of the blackhat community. Within this Honeynet can be placed any type of system to be used as a honeypot, such as Solaris, Linux, Windows NT, Cisco Switch, etc. This creates a network environment that has a more realistic feel to it. Also, by having different systems with different services, such as a Linux DNS server, a Windows NT Web server, or a Solaris FTP server, we can learn about different tools and tactics.

• All systems placed within the honeynet are standard off-the-shelf systems. These are real systems and applications, the same as you find on the Internet. Nothing is emulated nor is anything done to make the systems more insecure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today.

The following points indicate the main differences between a honeynet and other networks:

• The systems in a honeynet are various standard unprotected operating systems and software.

• It is a non-productive network and therefore any traffic between the Internet and our honeynet is suspect by nature.

• All network traffic is logged and archived so that one can trace back the steps after a system has been compromised.

• Every target operating system (honeypot) is monitored by a host intrusion detection system so that one can trace back which files the cracker has modified, added or removed.

• The firewall between the honeynet and the Internet is not there to protect the honeynet from the Internet; it is there to protect the Internet from a compromised system in the honeynet, so that no other computers can be attacked.

The types of attacks witnessed continue to reflect those that are found by organizations around the world. The locations from which these attacks arise may be somewhat surprising, however. The objective of the Irish Honeynet is to collect in-depth statistical analysis of illegal hacker activities in Ireland. The project will gather information on the tools, tactics, and motives of hackers, termed the ‘blackhat’ community, targeting Irish companies. The resulting research will be used to develop more accurate and effective security systems for businesses in Ireland. The original Honeynet Project was developed in the U.S. and is a not-for-profit research group dedicated to information security research. The Irish Honeynet, which was launched by US Honeynet founder Lance Spitzner, went live on 15 March 2002. To date, the vast majority of statistical analysis regarding blackhat activity on the Internet has been largely focused on U.S.-based, and to a much lesser extent U.K.-based, interests. Never before has the Irish marketplace had the opportunity to gain hard facts and figures on the level of blackhat activity on Irish-registered IP address space. The goal of the Irish Honeynet is to create an environment where the techniques, tools, tactics and motives of blackhats can be captured and analysed in the wild. Based on this information, we can gain intelligence on the threats faced by the Irish Internet community in a global context. The findings of the Irish Honeynet effort are published at least once a quarter and all of the information is shared with other interested organizations and institutions in the hope of adding value to and increasing our understanding of the results.

After observing blackhat activity on the Irish Honeynet, it is clear that many of the attacks can be easily avoided by the appropriate use of firewalls and gateway filtering devices. An examination of the statistics for this month (April) revealed that a huge proportion of the attacks are against ports and services that most companies have typically closed off from the Internet using a firewall. Irrespective of your size or business, Internet addresses are continually being probed. A failure to implement appropriate security at your perimeter will leave you compromised. A successful attack will cost money and significant downtime, as well as causing reputational damage to your organization. Invariably, larger companies tend to be well protected, particularly at their perimeter. Smaller companies that have neglected to invest in the technologies, or who haven’t configured them properly, are extremely vulnerable to attack and compromise. A default installation of a Windows system that has been left on the Internet unprotected will be discovered by the blackhats in a matter of hours. The blackhats are extremely proficient at scanning and discovering vulnerable systems on the Internet very quickly. To put this in perspective, it is feasible for an individual to scan every single Internet-connected computer in Ireland in a 12-hour period. The following section describes the configuration of the Honeynet.


A Typical Honeynet Technical Configuration

Here we describe in detail the configuration of our Honeynet. The Honeynet complies with the basic elements of ‘data control’ and ‘data capture’, as outlined in the Honeynet Project’s ‘Honeynet Definitions, Requirements, and Standards’ documentation [1]. It is important to note that the Honeynet is not ‘advertised’ in any way to the general public. It is housed in an anonymous location and does nothing to entice anyone to it. This is essential in order to maintain the integrity of the data it produces and the validity of the results.

—Data Control—

According to the paper ‘Honeynets: Know Your Enemy’ [2], data control ‘is the containment of activity. When we are dealing with blackhats there is always risk, we must mitigate that risk. We want to ensure that once compromised, a honeypot cannot be used to harm any system outside the Honeynet (anything inside the Honeynet is fair game). However, the challenge is to control the data flow without the blackhats getting suspicious. Once a system is compromised, blackhats will often require Internet connectivity, such as retrieving toolkits, setting up IRC connections, etc. We have to give them the flexibility to execute these actions, as these are the very steps we want to learn and analyse’. The Irish Honeynet uses a firewall as the only point of entry and exit to and from the Honeynet. The firewall is configured to use a shell script that counts how many connections have been initiated outbound. When the limit is met (this limit is set to 5 outbound connections) the script configures the firewall to block any more connections from the compromised honeypot. The firewall is also configured to send an alert when this happens, notifying that a compromised honeypot has been blocked. The Irish Honeynet uses the guidelines outlined in the paper ‘Intrusion Detection for FireWall’ [3] to achieve this functionality and uses the scripts provided by members of the Honeynet Project team.
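The outbound-connection limit described above, re-implemented in Python as an added example (it is not the project’s own shell script): it reads gateway log lines in a constructed iptables-style format, counts new outbound TCP connections per honeypot, and once a honeypot reaches the limit of 5 records the block rule it would apply and raises an alert. The log format, the honeynet address range and the exact iptables rule are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

OUTBOUND_LIMIT = 5                       # the limit the paper states for the Irish Honeynet
HONEYNET = ip_network("192.0.2.0/24")    # constructed honeynet address range (assumption)

# Constructed gateway log lines in an iptables-style format (assumption about the format).
# Only new TCP connections (SYN) are counted; honeypot-to-honeypot traffic is not outbound.
LOG_LINES = [
    "Jun  1 10:01:02 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 SYN",
    "Jun  1 10:01:05 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=6667 SYN",
    "Jun  1 10:01:06 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1025 DPT=6667 ACK",
    "Jun  1 10:01:09 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=1026 DPT=21 SYN",
    "Jun  1 10:01:12 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP SPT=1027 DPT=80 SYN",
    "Jun  1 10:01:15 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.12 PROTO=TCP SPT=1028 DPT=80 SYN",
    "Jun  1 10:01:18 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.12 PROTO=TCP SPT=1029 DPT=22 SYN",
    "Jun  1 10:01:21 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.13 PROTO=TCP SPT=1030 DPT=80 SYN",
    "Jun  1 10:01:30 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=2000 DPT=80 SYN",
    "Jun  1 10:01:33 gw kernel: IN=eth1 OUT=eth1 SRC=192.0.2.11 DST=192.0.2.10 PROTO=TCP SPT=2001 DPT=445 SYN",
]

LINE_RE = re.compile(r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+)")


def is_outbound(src: str, dst: str) -> bool:
    """A honeypot talking to an address outside the honeynet.
    Anything inside the honeynet is 'fair game' and is not counted."""
    return ip_address(src) in HONEYNET and ip_address(dst) not in HONEYNET


class DataControl:
    """Per-honeypot outbound connection counter that blocks and alerts when the limit is met."""

    def __init__(self, limit: int = OUTBOUND_LIMIT):
        self.limit = limit
        self.counts = defaultdict(int)   # honeypot IP -> outbound connections initiated
        self.blocked = set()             # honeypots already cut off
        self.rules = []                  # firewall commands that would be executed
        self.alerts = []                 # notifications that would be sent

    def process(self, line: str):
        """Returns None (ignored), 'allowed', 'limit_reached' or 'dropped' for one log line."""
        m = LINE_RE.search(line)
        if not m or m["proto"] != "TCP" or not re.search(r"\bSYN\b", line):
            return None                  # not a new TCP connection: nothing to count
        src, dst = m["src"], m["dst"]
        if not is_outbound(src, dst):
            return None
        if src in self.blocked:
            return "dropped"             # already contained: nothing more leaves
        self.counts[src] += 1
        if self.counts[src] < self.limit:
            return "allowed"
        # The limit is met: block further connections from this honeypot and alert.
        self.blocked.add(src)
        # Illustrative rule (assumption); the real deployment used the Honeynet Project's scripts.
        self.rules.append(f"iptables -I FORWARD -s {src} -p tcp --syn -j DROP")
        self.alerts.append(f"honeypot {src} reached {self.limit} outbound connections; blocked")
        return "limit_reached"


def run(lines):
    """Feed log lines through a fresh DataControl; returns (controller, per-line verdicts)."""
    dc = DataControl()
    return dc, [dc.process(line) for line in lines]


if __name__ == "__main__":
    dc, verdicts = run(LOG_LINES)
    for line, verdict in zip(LOG_LINES, verdicts):
        print(f"{verdict!s:14} {line[27:]}")
    print(*dc.alerts, *dc.rules, sep="\n")
```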

—Data Capture—

According to the paper ‘Honeynets: Know Your Enemy’ [2], data capture ‘is the capturing of all of the blackhat’s activities. It is these activities that are then analysed to learn the tools, tactics, and motives of the blackhat community. The challenge is to capture as much data as possible, without the blackhat knowing their every action is captured. This is done with as few modifications as possible, if any, to the honeypots. Also, data captured cannot be stored locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them the system is a Honeynet. The stored data can also be lost or destroyed. Not only do we have to capture the blackhat’s every move without them knowing, but we have to store the information remotely. The key to this is capturing data in layers. You cannot depend on a single layer for information. You gather data from a variety of resources. Combined, these layers then allow you to paint the big picture’.

—GenII Honeynet—

Unlike GenI Honeynets [4], GenII Honeynets have all the requirements outlined above combined onto a single device. This means all data control and capture will happen from a single resource, which makes it much easier to both deploy and manage a Honeynet. This single device is a layer 2 gateway: it acts as a bridge. This gives us several advantages. The fact that the device is layer 2 makes it much more difficult to detect, as it has no IP stack. There is no routing of traffic nor any TTL decrement. The device is far more stealthy; the hackers should never know their traffic is being analysed and controlled. The second advantage is that, as a gateway, all inbound and outbound traffic must go through the device. This means we can both control and capture all inbound and outbound traffic from the single device. A GenII Honeynet deployment, such as that used by the Irish Honeynet, is illustrated in Figure 1.

Figure 1. GenII Honeynet deployment

Similarly to the Honeynet Project’s original Honeynet configuration, the Irish Honeynet uses the firewall to log all connections to and from the Honeynet. The firewall is also configured to alert when a connection is attempted in either direction. An IDS system is also used on the Honeynet. These two systems are both present on the Honeynet Sensor device. According to the paper ‘Honeynets: Know Your Enemy’ [2] the IDS has two purposes: ‘Another critical layer is the IDS system, it has two purposes. The first, and by far most important, is to capture all network activity. Its primary job is to capture and record every packet that hits the wire. These records are then used to analyse the blackhat’s activities. The second function of the IDS system is to alert us to any suspicious activity. Most IDS systems have a database of signatures, when a packet on the network matches a signature, an alert is generated. This function is not as critical for a Honeynet, as any activity is considered suspicious by nature. However, IDS systems can give detailed information about a specific connection’.

Another emerging Honeynet technology is virtual Honeynets. Virtual Honeynets combine all the elements of a Honeynet onto one physical system. Not only are the requirements of data control and data capture met, but the actual honeypots themselves run on the single system. Virtual Honeynets can support either GenI or GenII technologies. The honeypots are actual operating systems. Nothing is emulated. The advantage here is one of cost and efficiency. It is much cheaper to use a single system to run all the elements of a Honeynet, and it is much easier to deploy and maintain. This was especially the case with the Irish Honeynet.

The following describes the configuration of each individual honeypot within the Honeynet. Currently there are two honeypots within the Honeynet. To broaden the scope of our project, we are using both Windows and Linux operating systems, each running a variety of services. The Windows-based honeypot runs Microsoft Windows 2000 SP2 with Microsoft Internet Information Server v5 (IIS v5). Both the operating system and Microsoft IIS have been installed in their default state, and no hardening has been carried out on either the operating system or the Web server. The Linux-based honeypot runs a default server installation of Red Hat Linux 7.1. No hardening has been carried out on the operating system or on any of the services running.


A Year in the Life of a Honeynet

The Irish Honeynet project has focused on gaining statistical data regarding the nature of attacks. We have observed a diverse range of attacks, attempting to exploit a wide range of vulnerabilities across a wide range of services. The attacks are sourced from a wide range of countries, and the number of attacks increases the longer our hosts are actively on the Internet. The Irish Honeynet is designed to mimic the Internet infrastructures commonly used by organizations, but it is ‘wired’ with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature, as it arises from hackers and crackers who are deliberately attempting to identify and attack systems that are vulnerable.

The number of attacks recorded by the Irish Honeynet is continuing to increase month by month. In February 2004, we recorded 1800 individual attacks. There were 1121 unique IP addresses, so we are seeing hackers perform a degree of reconnaissance and later decide to return to take further action. The IP addresses suggest that the hackers come from 65 countries around the world, although as ever, there is a high likelihood that systems in some of these countries have already been compromised and are being used as springboards for hackers elsewhere. A range of ports were targeted, 45 in all, reaffirming the need for organizations to ensure that, at the very least, a well-configured and well-maintained firewall is implemented. A selection of the attacks performed on the honeynet in 24 hours is illustrated in Figure 2, which shows the time of attack, the IP address which launched the attack, the country of origin and the type of attack. The FTP Server Probe and SQL Snake were quite common during June 2003.

Figure 2. Selection of attacks from 1 June and 2 June 2003

The United States accounted for 23% of the attacks, still the largest source country for illicit activity on the Honeynet. Asia continues to be one of the main sources of attacks. Particularly active are countries such as China, South Korea, Japan, and Taiwan, which combine to make up 34% of the total.

Figure 3 illustrates the different types of attacks that took place in October 2003 on the Honeynet. There was a massive increase in the amount of probes searching for the SubSeven Trojan Horse. SubSeven is a Trojan Horse/backdoor program that allows a user (legitimate or not) to remotely control a computer. If a machine is infected with the SubSeven Trojan Horse (TCP 27374) a remote attacker could remotely control the computer by making a connection to that port using the SubSeven client program. Hackers who successfully infect computers with the SubSeven Trojan Horse would have full control of the files on that computer and possess the ability to see a user’s screen, log all keystrokes (even hidden passwords), and even launch an attack against another system, making it look as if that ‘hijacked user’ were the attacker.

Figure 3. Various attacks during October 2003

Hackers attempt to infect systems with the SubSeven Trojan in a variety of ways, including as an e-mail attachment and through exploiting vulnerabilities in operating systems and applications such as Web servers, database servers, and FTP (File Transfer Protocol) servers. The SubSeven Trojan can also be configured to inform someone when its infected computer connects to the Internet, and to tell that person all the information about you they need to use the Trojan against you. This notification can be done over an IRC network, by ICQ, or by e-mail.

The Irish Honeynet Project recorded a massive 597 Internet attacks in January 2003. Vulnerable Web servers, anonymous FTP (File Transfer) servers and open mail relays were all fair game for attackers up until then, but it was a 7-month-old vulnerability in Microsoft SQL Server 2000 and products based on it that caused widespread panic as huge numbers of systems running the software were overwhelmed and ultimately disabled. Once again, the United States featured heavily in January as hackers and crackers with source addresses in that country rampaged through the Honeynet, leaving no doubt that the U.S. alone accounts for the biggest threat to Internet-connected systems in Ireland. The U.S. has consistently been the largest single source of attack, accounting for a huge proportion of the traffic seen on a daily basis in the Honeynet, but it must be recognized that Europe, including Eastern Europe, is running a close second.

While it is easy to jump to conclusions and deduce that attackers in the US seem to be consistently targeting computers in this country, it is not always as cut and dried as it may seem. A typical attacker will generally be skilled enough to understand that using their own personal computer, or computers belonging to their employer, for illegal purposes is an extremely risky business and is to be avoided at all costs. With advances being made in computer forensics it is becoming easier to quickly and accurately determine whether a given computer system has been involved in illegal activity, be that hacking, virus and worm writing, industrial espionage or any other electronic vice that may be the flavour of the month with the blackhats.

Hackers tend to traverse through several computers, usually located in multiple countries, and go to great lengths to avoid detection, before launching the final onslaught. By using several systems in numerous jurisdictions an attacker can cloak the real source of the attack. Tracking the exact starting point of an attack can be a lengthy, time-consuming process and may require fluency in a myriad of languages and unlimited patience. If there is one lesson we can learn from the consistency and frequency of U.S. attacks on the Irish Honeynet it is simply that there appears to be no shortage of vulnerable systems in that country and there is equally no shortage of malicious individuals who are intent on using them as the launch pad for attacks on the rest of the world.

—Worms—

The Sapphire Worm, aka SQL Slammer, first seen on 24 January 2003, was an excellent example of a different kind of attack that showed no discrimination or preference to any one particular individual, organization or country. Although only a small proportion of computer systems around the world were at risk (about 1%), this worm still managed to dramatically degrade the performance of the Internet as a whole and even had the effect of momentarily crippling one of the most wired countries in the world, South Korea. The attack had such an impact on the Irish Honeynet that it was necessary to shut down the operation for a couple of days. Although the Honeynet is intentionally left in a default, unpatched configuration, it was never envisaged that a single worm could generate such huge amounts of traffic so quickly.

It was the usual cry of complacency by system administrators against the software developers for their lack of secure code, a cry of complacency by the vendor against system administrators for failing to apply critical, and long available, patches to their systems, and general ill feeling all around. It is interesting to note that while the vendor, in this case Microsoft, was busy deflecting blame by claiming that they had released a patch more than six months previously, they were also busy chasing the worm around their own organization in a rushed, and somewhat late, attempt to secure their own systems.

It seems everyone is complacent, but nobody is accountable for their actions—or lack thereof. Whether it is the vendor-developed (or poorly developed) code, the lazy administrator, the incompetent security manager or the high-level executive who refuses to provide the necessary resources, unless some kind of accountability is forced onto the stakeholders there will be no incentive for improvement and incidents like this will become more and more commonplace. Unless a solution is forthcoming, be it from industry or government, our exposure to risk from Internet-borne attacks will only skyrocket. One small consolation was that the Honeynet provided us with an early warning that something unusual was occurring in cyberspace and armed us with the relevant information necessary to ensure our production systems remained unharmed.

—Port Scanning and RootKits—

April 2003 saw a continued increase in the number of attacks on the Irish Honeynet. During the month, we saw 876 attacks launched against the system. Three port numbers (445, 80 and 1434) were the main targets against which hackers launched their scans and probes. Our experience ties in with the international experience, such as that tracked by DShield.org [5], although in a slightly different order.

Figure 4 shows the attacks according to the actual port number attacked. As can be seen, port 445 was the most commonly attacked. Port 445 is associated with Microsoft’s Directory Services, which is an implementation of distributed directory services built upon the industry standard, LDAP, and the Windows 2000 version of Server Message Block. For us, the target of most interest was port 445, as this was the first time we had seen such a high volume of attacks against this port (nearly 31% of the April total). This port is exposed to the same kinds of vulnerabilities as the old favourites, ports 135–137 (for example, denial of service attempts, username guessing and brute-force password guessing).

Port 1434 on UDP, which is associated with Microsoft SQL Server Monitor, continued to feature heavily in the attacks, with 12.5% of the total in April. The SQL Slammer worm, which caused havoc on the Internet earlier in 2003, is the main threat that uses this port. The sources of these attacks are almost certainly machines that are already infected with the Slammer worm.

Figure 4. Attacks according to port number during April 2003

As we would expect, a large percentage of the attacks (24%) targeted vulnerable Web services, predominantly on port 80. The rapid growth of e-commerce has exposed new opportunities for hackers to target Web-based applications. Many in-house Web applications are wide open to compromise, reflecting the lack of priority given to security.

Many developers who have not received training in security methods may not realise that any information sent to a browser can be manipulated by users. Whether or not SSL (HTTPS, the secure form of HTTP) is used, a malicious user controls their own end of the connection and can intercept and alter the communication between the browser and Web server, injecting any information they wish. Attackers can manipulate Web applications using techniques such as state manipulation and SQL injection to compromise e-commerce sites. The experience of the Irish Honeynet suggests that the tools available to carry out these kinds of attacks are getting simpler to use and more difficult to detect. Old-style command lines have given way to attractive and easy-to-use graphical user interfaces, and the proliferation of rootkits is becoming a huge concern for security officers and system administrators.

—Rootkits—

Rootkits evolved into sophisticated kernel modules in the mid 1990s. At that time, Sun operating system administrators observed strange server behaviour such as missing disk space, CPU cycles and network connections that strangely did not show up when using normal monitoring tools. The primary purpose of a rootkit is to allow an attacker to maintain undetected access to a compromised system. The main technique used is to replace standard versions of system software with hacked versions, and to install a backdoor process by replacing one or more of the files, such as ls, ps, netstat, and who. The new system commands are designed to hide all traces of hacker activities. Using these kinds of rootkits, attackers can bypass normal security controls and access systems on their own terms.
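A minimal file-integrity baseline in the spirit of the host intrusion detection the paper says monitors each honeypot, added here as an example and not the project’s tooling: it hashes a set of files, serialises the baseline (which, as the paper notes for captured data, must live off the honeypot), and later reports the three classes the paper names, files modified, added or removed. The directory layout and the fake ls, ps, netstat and who binaries are constructed.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map each regular file under root (by relative path) to its digest, size and mode."""
    out = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            out[str(p.relative_to(root))] = {
                "sha256": digest(p), "size": st.st_size, "mode": oct(st.st_mode & 0o7777)}
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Files modified, added and removed since the baseline was taken."""
    modified = sorted(k for k in baseline if k in current
                      and baseline[k]["sha256"] != current[k]["sha256"])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo() -> dict:
    """Constructed scenario: baseline a fake bin/ directory, then simulate a rootkit install."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        for name in ("ls", "ps", "netstat", "who"):
            (root / "bin" / name).write_bytes(b"original " + name.encode())
        # The baseline must be kept off the honeypot (local data can be found or destroyed
        # by the intruder); serialising it to JSON shows the record that would be shipped out.
        stored = json.dumps(snapshot(root))
        # Simulated intruder activity: a trojaned ps, a dropped backdoor, a deleted binary.
        (root / "bin" / "ps").write_bytes(b"trojaned ps that hides the attacker's processes")
        (root / "bin" / ".backdoor").write_bytes(b"bind shell")
        (root / "bin" / "who").unlink()
        return compare(json.loads(stored), snapshot(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind:9}: {', '.join(files) or '-'}")
```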

The most important thing to remember about rootkits is that a rootkit cannot be installed unless the system is already compromised. Maintaining a secure environment is your primary defence to protect your organization’s information assets. The following steps will help to better protect against external attack:

• Develop a baseline security policy, and ensure that all systems meet this level before being deployed. This should include disabling all unneeded services and applying relevant patches before deploying new machines.

• Keep systems patched by having an active program identifying when new patches are released, testing patches on a non-production system and rapidly applying them to the production environment.

• Take a hacker’s-eye view of a system’s vulnerability state. Use port and vulnerability scanners on a regular basis. Scan sensitive machines at least once per month.

By taking these vital steps, the opportunist blackhats will most likely pass by in search of easier prey.

—Trojan Horses—

June 2003 saw an overwhelming 364 attacks launched against the Irish Honeynet. As we have come to expect, the attacks came from all sorts of bizarre locations around the world. The U.S.A. and Canada account for 30%, 33% are from Asia and 32% come from Europe. There is no one region of the world that can be singled out as the biggest offender. Interestingly enough, the number of attacks originating from both China and South Korea remained static that month; it seems both countries’ respective successes in the World Cup still weren’t enough to lure those hackers from their bedrooms to join in the fun and celebration.

A number of more sophisticated attacks were also captured, with the perpetrators using spoofed addresses to launch attacks on the honeynet. IP (Internet Protocol) spoofing means forging the source address of a packet, for example so that it appears to come from a trusted host on the victim's own LAN (local area network) such as the e-mail or file server. Because replies go back to the forged address rather than to the attacker, spoofing is mostly used to abuse address-based trust, to hide the origin of an attack and to amplify denial-of-service traffic, rather than to carry on a full conversation with the target. Most well-configured firewalls apply ingress and egress filtering, dropping packets that arrive on the outside interface with an internal or otherwise impossible source address, and intrusion detection systems will alert on the attempt; regrettably a large proportion of companies fail to take these steps to protect themselves.

June also saw a massive increase in the number of probes searching for the SubSeven Trojan horse. SubSeven is a Trojan horse/backdoor program that allows a remote user, legitimate or not, to control a computer; the probes typically target its default listening port, TCP 27374. Most anti-virus programs detect this Trojan running on a computer, and it is strongly recommended to run them regularly; a perimeter firewall that drops unsolicited inbound connections to that port also stops the probes from ever reaching a host.
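The two observations above, spoofed sources and SubSeven probing, are both visible in a perimeter firewall log. The following is an added example written for this page, not code from the paper or the Irish Honeynet: it flags packets arriving on the outside interface whose source is inside our own prefix or in a bogon range, and counts connection attempts to the well-known default ports of SubSeven and NetBus. The log line format, the choice of 192.0.2.0/24 as "our" LAN and every sample line are constructed for the example.

```python
"""Two perimeter-log checks (added example; not the paper's code): spoofed
sources on the outside interface, and probes for backdoors on their default
ports.  Log format, the prefix 192.0.2.0/24 standing in for 'our' LAN and
every sample line are constructed."""
import ipaddress
import re
from collections import Counter

# Address space we own (assumed); packets with these sources must never
# arrive on the outside interface.
INTERNAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]
# Ranges that cannot legitimately be sourced from the Internet.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]
# Well-known default listening ports: 27374 is SubSeven's usual one,
# 1243 its older default, 12345 NetBus.
TROJAN_PORTS = {27374: "SubSeven", 1243: "SubSeven", 12345: "NetBus"}

# Constructed format: "<ts> fw <iface> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d) fw (?P<iface>\w+) (?P<action>\w+) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample: two SubSeven probes, one spoofed internal source, one
# bogon source, a legitimate outbound connection with its return traffic,
# and a NetBus probe.
SAMPLE_LOG = """\
Jun 14 02:11:07 fw outside drop tcp 198.51.100.77:4123 -> 192.0.2.10:27374
Jun 14 02:11:08 fw outside drop tcp 198.51.100.77:4124 -> 192.0.2.11:27374
Jun 14 02:13:41 fw outside drop tcp 192.0.2.5:1025 -> 192.0.2.10:25
Jun 14 02:14:02 fw outside drop udp 10.3.3.3:53 -> 192.0.2.10:53
Jun 14 02:15:30 fw inside accept tcp 192.0.2.20:3344 -> 203.0.113.9:80
Jun 14 02:16:00 fw outside accept tcp 203.0.113.9:80 -> 192.0.2.20:3344
Jun 14 02:17:12 fw outside drop tcp 198.51.100.200:2222 -> 192.0.2.12:12345
"""


def parse(line):
    """One log line -> dict with typed addresses/ports, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def spoof_reason(rec):
    """Why a packet on the outside interface cannot be genuine, or None."""
    if rec["iface"] != "outside":
        return None
    if any(rec["src"] in net for net in INTERNAL_NETS):
        return "internal source on outside interface"
    if any(rec["src"] in net for net in BOGONS):
        return "bogon source"
    return None


def analyse(lines):
    """Returns {'spoofed': [(src, dst, reason)],
                'trojan_probes': Counter[(name, port, src)]}."""
    spoofed = []
    probes = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reason = spoof_reason(rec)
        if reason:
            spoofed.append((str(rec["src"]), str(rec["dst"]), reason))
        if (rec["iface"] == "outside" and rec["proto"] == "tcp"
                and rec["dport"] in TROJAN_PORTS):
            probes[(TROJAN_PORTS[rec["dport"]], rec["dport"], str(rec["src"]))] += 1
    return {"spoofed": spoofed, "trojan_probes": probes}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG.splitlines())
    for src, dst, why in result["spoofed"]:
        print("SPOOF", src, "->", dst, ":", why)
    for (name, port, src), n in result["trojan_probes"].most_common():
        print("PROBE", name, port, "from", src, "x", n)
```

The return traffic on line six is correctly left alone: its source is an external address, so neither check fires. Real firewalls log in their own formats, so `LINE_RE` is the part to replace; the two checks themselves carry over unchanged.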

—ICMP—

The ICMP protocol was designed as a troubleshooting and error-reporting tool, but it is also used by blackhats for both reconnaissance and denial-of-service attempts. Our data in late 2003 showed a significant number of ICMP (ping) packets preceding full attacks against the Irish Honeynet. This is usually done so that the blackhat can glean information about the target system in order to conduct a more focused attack, increasing the likelihood of success.

One of the most common and best-understood techniques for discovering which hosts are alive in a target's environment is an ICMP sweep of the entire target network range: the attacker sends an ICMP echo request to every address in the range and, from the echo replies, infers which hosts are up, connected to the target's network and available for further probing.

ICMP can also help the attacker determine the underlying operating system; in some instances a single packet is enough. Remote operating-system fingerprinting exploits the fact that each vendor's network stack handles traffic slightly differently, for example in the initial TTL it uses and in how it answers unusual or malformed packets. Blocking ICMP at firewalls and routers means that the opportunist attacker's sweeps get no answer, and the attacker will usually move on to an easier target; note, though, that this hides hosts from ICMP sweeps only, since even a moderately experienced blackhat can still find them with TCP or UDP probes. It also means that some useful, legitimate error-reporting and troubleshooting features are lost, so the block should be selective rather than total: echo request and reply can be dropped at the perimeter, but 'destination unreachable, fragmentation needed' (type 3, code 4) must still be allowed in, or path MTU discovery breaks and large transfers stall. In our experience the 'pros' of restricting this protocol outweigh the 'cons', and other tools and protocols provide the troubleshooting functionality without posing the same level of risk to the security of an organization's information.
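To make the sweep and the TTL-based fingerprint concrete, the following is an added example written for this page, not code from the paper or the Irish Honeynet. It builds a well-formed ICMP echo request with the RFC 1071 checksum, validates and parses a reply out of a raw IPv4 datagram, and makes the coarse operating-system guess from the reply's TTL. The `icmp_sweep` function needs raw-socket privilege (root or CAP_NET_RAW on Linux) and is not exercised offline; `constructed_reply` fabricates a reply datagram so the parser can be run without a network, and the TTL values, addresses and payload in it are assumptions for the demo.

```python
"""ICMP echo request/reply handling as used in a sweep (added example; not
code from the paper).  Builds a well-formed echo request, validates and
parses the reply out of a raw IPv4 datagram, and makes the coarse TTL-based
OS guess the text alludes to.  icmp_sweep needs raw-socket privilege and is
not exercised by the offline demo."""
import ipaddress
import os
import socket
import struct
import time

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data):
    """RFC 1071 ones-complement checksum over 16-bit big-endian words.
    Returns 0 when run over a message whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ident, seq, payload=b"honeynet-sweep"):
    """ICMP message (no IP header): type 8, code 0, checksum, id, seq, payload."""
    ident, seq = ident & 0xFFFF, seq & 0xFFFF
    header = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, csum, ident, seq) + payload


def parse_icmp_datagram(datagram):
    """Pull the ICMP message out of a raw IPv4 datagram as returned by a
    SOCK_RAW socket.  Returns None if it is too short or the checksum fails."""
    if len(datagram) < 28 or datagram[0] >> 4 != 4:
        return None
    ihl = (datagram[0] & 0x0F) * 4
    ttl = datagram[8]
    src = socket.inet_ntoa(datagram[12:16])
    icmp = datagram[ihl:]
    if len(icmp) < 8 or icmp_checksum(icmp) != 0:
        return None
    itype, code, _, ident, seq = struct.unpack("!BBHHH", icmp[:8])
    return {"src": src, "ttl": ttl, "type": itype, "code": code,
            "ident": ident, "seq": seq, "payload": icmp[8:]}


def guess_os_from_ttl(ttl):
    """Heuristic fingerprint from the reply's TTL: stacks start at 64
    (Linux/BSD), 128 (Windows) or 255 (Solaris, Cisco IOS) and each router
    hop decrements by one.  Returns (family, estimated hop count)."""
    for initial, family in ((64, "Linux/BSD-like"), (128, "Windows-like"),
                            (255, "Solaris/Cisco-like")):
        if ttl <= initial:
            return family, initial - ttl
    return "unknown", None


def icmp_sweep(network, timeout=1.0):
    """Send one echo request to every host in `network` and collect replies.
    Privileged; returns {src_ip: (os_family, hops)}."""
    ident = os.getpid() & 0xFFFF
    alive = {}
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_ICMP) as sock:
        sock.settimeout(timeout)
        for seq, host in enumerate(ipaddress.ip_network(network).hosts(), start=1):
            sock.sendto(build_echo_request(ident, seq), (str(host), 0))
        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            try:
                data, (src, _) = sock.recvfrom(65535)
            except socket.timeout:
                break
            reply = parse_icmp_datagram(data)
            if reply and reply["type"] == ICMP_ECHO_REPLY and reply["ident"] == ident:
                alive[src] = guess_os_from_ttl(reply["ttl"])
    return alive


def constructed_reply(ident, seq, ttl=57, src="192.0.2.10", dst="192.0.2.1"):
    """Constructed datagram for offline use: a minimal IPv4 header (no
    options, IP checksum left zero) wrapping an echo reply to our request."""
    body = struct.pack("!BBHHH", ICMP_ECHO_REPLY, 0, 0, ident, seq) + b"honeynet-sweep"
    icmp = body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234, 0, ttl,
                            socket.IPPROTO_ICMP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return ip_header + icmp


if __name__ == "__main__":
    reply = parse_icmp_datagram(constructed_reply(0x1234, 1))
    print(reply, guess_os_from_ttl(reply["ttl"]))
```

A reply with TTL 57 is reported as a Linux/BSD-like host seven hops away; the same distance from a Windows host would arrive with TTL 121. The guess is only a first cut, since TTLs can be changed by administrators and packets can take asymmetric paths, which is exactly why the text speaks of ICMP narrowing the attack rather than deciding it. When echo is dropped at the perimeter, `icmp_sweep` simply returns an empty dictionary.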

—FTP Misconfiguration—

One scenario we deliberately created was to misconfigure our FTP server so that we could observe what the hackers would do. This is a realistic scenario, as it happens regularly: because of a lack of training and pressure on time and resources, misconfigured systems are all too common. FTP is one of the oldest protocols on the Internet, dating from the early 1970s (the current specification, RFC 959, is from 1985), and it provides an efficient means of transferring files to and from hosts. Since the Irish Honeynet has been active it has been regularly probed for an FTP server, and in particular for a writeable directory to which files can be uploaded. Frequently we observe intruders attempting to log on anonymously and to upload a file or create a directory. We therefore configured the FTP server to allow anonymous uploads and the creation of directories while preventing anyone from downloading any files. From this we hoped to learn something of the motivation of these FTP probers and perhaps pick up some tools along the way.

After only two days the FTP upload directory contained many new files and directories. The directory names were based on the timestamp of when they were created, a trend we had previously observed in earlier upload attempts. By analysing the directory names, the logon passwords and other characteristics of these connections it is possible to identify the tools that are used to scan for FTP servers. One of the principal abuses of open FTP servers is that, by allowing anonymous uploads, they become a storage depot for the illegal distribution of software, music and pornography. In common with other honeynets, this is the pattern of behaviour we observed on our open FTP server.


One of the first things an attacker does is test the amount of storage space available: various files were found with meaningless content but self-explanatory names, 1kbtest and 1mbtest among them. The more skilled attackers will then attempt to test the download speed available; on our system they were put off when they realised that downloads were not permitted. Further analysis of the files on the FTP server revealed a large collection of software, including commercial and open-source packages and a number of hacker tools.

Perhaps surprisingly, given the Internet's reputation, no pornography was found on this server. The only image present was a screenshot of a Windows XP desktop on which the user appears to be connected to an IRC channel. The purpose of this image is unclear; it may simply be another file used to test the upload capabilities of the FTP server.

Recommendations for protecting an FTP server—The first step is to ensure that a reasonable security policy is in place for the FTP server: check the user access lists so that only authorized users can log on, and ensure that all passwords are complex and changed regularly.

Only allow anonymous logins on the FTP server where there is a genuine business need for this facility, and similarly only allow uploads if they are required. If uploads are a requirement, use separate upload and download directories and make sure that anonymous users cannot read back what they upload, otherwise the server becomes a ready-made drop site. If there is a facility to limit the size of an upload, enable it, and consider putting the incoming directory on a separate file system with a size limit so that excessive uploading cannot fill the root file system and take the system down. Finally, as with all systems, it is essential that all security patches are applied in a timely manner.
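The recommendations above map onto a handful of directives in a typical Unix FTP daemon. The following is an added example written for this page, not code from the paper or the Irish Honeynet: it audits a vsftpd configuration and reports the misconfigurations the section describes, using vsftpd's documented defaults for any directive not set. The three sample configurations are constructed: the classic drop-site misconfiguration, an upload-but-no-download configuration of the kind the honeynet ran, and a hardened one that allows only authenticated, jailed users. The finding identifiers and messages are this example's own.

```python
"""Audit of a vsftpd configuration against the FTP recommendations (added
example; not the paper's code).  VSFTPD_DEFAULTS are vsftpd's documented
defaults; the three sample configurations are constructed, not captured."""

VSFTPD_DEFAULTS = {
    "anonymous_enable": "YES",
    "write_enable": "NO",
    "anon_upload_enable": "NO",
    "anon_mkdir_write_enable": "NO",
    "anon_world_readable_only": "YES",
    "anon_umask": "077",
    "local_enable": "NO",
    "chroot_local_user": "NO",
}

# Constructed: the classic drop-site misconfiguration (uploads are world-readable).
WAREZ_DROP_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_umask=022
"""

# Constructed: uploads and directory creation allowed, nothing can be read back,
# bandwidth capped; the shape of configuration the honeynet experiment used.
HONEYNET_CONF = """\
anonymous_enable=YES
write_enable=YES
anon_upload_enable=YES
anon_mkdir_write_enable=YES
anon_world_readable_only=YES
anon_umask=077
anon_max_rate=51200
"""

# Constructed: authenticated users only, jailed to their home directories.
HARDENED_CONF = """\
anonymous_enable=NO
local_enable=YES
write_enable=YES
chroot_local_user=YES
"""


def parse_vsftpd_conf(text):
    """key=value lines; '#' comments and blank lines ignored; defaults filled in."""
    conf = dict(VSFTPD_DEFAULTS)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def _yes(conf, key):
    return conf.get(key, "NO").upper() == "YES"


def audit(text):
    """Return [(finding_id, explanation)] in the order the checks run."""
    conf = parse_vsftpd_conf(text)
    findings = []
    if _yes(conf, "anonymous_enable"):
        findings.append(("anon-login",
                         "anonymous logins enabled; keep only for a genuine business need"))
        if _yes(conf, "write_enable") and _yes(conf, "anon_upload_enable"):
            findings.append(("anon-upload", "anonymous users can upload files"))
            try:
                umask = int(conf["anon_umask"], 8)
            except ValueError:
                umask = 0  # unparsable umask: assume the worst (world-readable)
            uploads_world_readable = not (umask & 0o004)
            if not _yes(conf, "anon_world_readable_only") or uploads_world_readable:
                findings.append(("anon-upload-downloadable",
                                 "uploaded files can be fetched back anonymously: "
                                 "the server is a ready-made drop site"))
        if _yes(conf, "write_enable") and _yes(conf, "anon_mkdir_write_enable"):
            findings.append(("anon-mkdir",
                             "anonymous users can create (timestamp-named) directories"))
        if "anon_max_rate" not in conf:
            findings.append(("no-anon-rate-limit",
                             "no anon_max_rate: nothing caps anonymous transfer bandwidth"))
    if _yes(conf, "local_enable") and not _yes(conf, "chroot_local_user"):
        findings.append(("local-not-chrooted",
                         "local users are not jailed to their home directories"))
    return findings


def finding_ids(text):
    return [fid for fid, _ in audit(text)]


if __name__ == "__main__":
    for name, conf in (("warez drop", WAREZ_DROP_CONF), ("honeynet", HONEYNET_CONF),
                       ("hardened", HARDENED_CONF)):
        print(name, finding_ids(conf))
```

The upload-but-no-download behaviour the honeynet relied on comes from two directives working together: `anon_umask=077` makes each uploaded file unreadable to others, and `anon_world_readable_only=YES` refuses to serve any file that is not world-readable, so the anonymous uploader can never retrieve what was deposited. vsftpd has no per-file size limit, which is why the text's advice about a separate, size-limited file system for the incoming directory still applies even to a correctly configured daemon.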

Future Work

The next step is to continue the deployment of WWW/FTP servers which permit anonymous users to upload files. This is a common misconfiguration found in many networks, and our goal is to assess the potential risks and problems that result from inadvertently allowing this kind of activity. We can expect malicious blackhats to attempt to store anything from their personal music files to illegally 'cracked' software packages to pornography. Later we intend to build a transactional system that looks like an electronic-commerce site, with the intent of making the honeypot irresistible to the more skilled hackers who are looking to steal credit-card numbers rather than just vandalise Web sites.

Conclusions

The deployment of the Honeynet gives the Irish security community, and the Irish Internet community in general, a unique opportunity to learn and understand the tactics and motives of blackhats active in the Irish Internet address space. It also gives an indication of the level of hacking activity on the Internet from an Irish perspective, which is of particular interest as no previous attempt has been made to gauge the level of hacking activity directed at Irish organizations with Internet connectivity. The lessons learned to date confirm the dangers of running outdated or unpatched software, which runs a huge risk of being identified by hackers and compromised. Companies should also not assume that, simply because they are running secure programs and protocols, they are safe from harm: even the most secure applications have bugs and can be exploited and compromised over time.

The Irish Honeynet recommends that organizations have a risk assessment performed on their information assets to determine where the threats and vulnerabilities lie. They should also perform regular vulnerability assessments and security audits, and check with program vendors for updates and service packs; the Honeynet also recommends purchasing maintenance that entitles companies to these updates. Security should never be taken for granted, because if vulnerable systems exist on a network the chances are that they will be discovered and compromised, and that is something no organization can afford. Lastly, the right tools to monitor security should be employed, and any threats and vulnerabilities identified should be acted upon.


