NoAH http://www.fp6-noah.org Honey@home http://www.honeyathome.org/
Spiros Antonatos
Distributed Computing Systems Lab (DCS)Institute of Computer Science (ICS)
Foundation for Research and Technology Hellas (FORTH)
Honey@home: The “eyes and ears” of the NoAH project
Terena Networking Conference 2008 20 May 2008 Spiros Antonatos
Outline
• Motivation
• Honey@home
• Architecture
• Challenges and how to face them
• Conclusions
A few words about NoAH
• Network of Affined Honeypots
• EU-funded 3 year project (2005-2008)
• Develop an infrastructure to detect and provide early warning of cyberattacks
• Gather and analyse information about the nature of these attacks
• More info at http://www.fp6-noah.org
Motivation
• Monitoring of unused IP address space yields interesting results
• Honeypots are a useful tool to improve network security…
• …but are hard to install, configure and maintain
• The more address space, the more effective honeypots are
• Monitored space should not be static, otherwise it is vulnerable to blacklisting
What are honeypots?
• Computer systems that do not provide production services
• Listening to unused IP address space
• Intentionally made vulnerable
• Closely monitored to analyse attacks directed to them
• Usually run inside a containment environment
  – Virtual machines
Facts
• There is unused IP address space
  – Large universities and research centers
    • UCSD: allocated a /8, only a few thousand addresses in use
    • FORTH, UoC: allocated a /16 each, utilization under 40%
  – Organizations and private companies
  – Public domain bodies
  – Upscale home users
  – NAT-based home networks
    • 192.168.*.*
Our approach
• Social aspect
  – Empower the people to set up honeypots
  – With minimal installation overhead
  – Minimal runtime overhead
• Appropriate for organizations
  – Who want to contribute
  – But do not have the technical knowledge to install/maintain a full-fledged honeypot
Honey@home
• Enables willing users and organizations to effortlessly participate in a distributed honeypot infrastructure
  – No configuration needed, install and run
  – Both Windows and Linux platforms
• Runs in the background, sends all traffic from the dark space to the NoAH core for processing
• Attackers think they communicate with a home computer but actually talk with honeypots
Install…
…and run
1. Running in the background
2. Creating a new virtual interface
3. Getting an IP address from the DHCP server
Features
• Can obtain address from DHCP or statically
• BPF filters can be used
  – Useful to get traffic from the whole unused subnet
• NAT detection and automatic port forwarding
  – Mostly for DSL users and small enterprises that are behind NAT
• Graphic overview of traffic statistics captured by the client
• Automatic updates
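As an added example of the BPF-filter feature (this is not Honey@home's own code), the helper below turns a monitored subnet plus the list of its production hosts into a capture filter that covers only the dark addresses, so a client on a /24 with a handful of live machines can forward everything aimed at the rest. The subnet, the host list and the `dst net` / `dst host` form of the expression are assumptions made for the demo.

```python
"""Build a BPF capture filter that selects only the unused part of a subnet.

Added example, not Honey@home's own code. It assumes the operator knows
which addresses in the monitored subnet are in production use; the subnet
and host list below are constructed sample values.
"""
from __future__ import annotations

import ipaddress

# Constructed sample: a /28 of which four addresses are in production use.
MONITORED_SUBNET = "192.0.2.0/28"
USED_HOSTS = ["192.0.2.1", "192.0.2.5", "192.0.2.7", "192.0.2.14"]


def unused_addresses(subnet: str, used: list[str]) -> list[str]:
    """Return the host addresses of `subnet` that are not listed in `used`."""
    net = ipaddress.ip_network(subnet, strict=True)
    used_set = {ipaddress.ip_address(h) for h in used}
    for h in used_set:
        if h not in net:
            raise ValueError(f"{h} is outside {subnet}")
    # hosts() skips the network and broadcast addresses of the block.
    return [str(h) for h in net.hosts() if h not in used_set]


def dark_space_filter(subnet: str, used: list[str]) -> str:
    """BPF expression matching inbound traffic to the unused addresses of `subnet`.

    `dst net` restricts the capture to packets aimed at the block; the
    production hosts are excluded explicitly so their traffic is never
    forwarded. With no hosts in use the whole subnet is dark space.
    """
    unused_addresses(subnet, used)  # validates that every used host is inside the block
    if not used:
        return f"dst net {subnet}"
    ordered = sorted(used, key=ipaddress.ip_address)
    exclusions = " or ".join(f"dst host {h}" for h in ordered)
    return f"dst net {subnet} and not ({exclusions})"


if __name__ == "__main__":
    # The expression is what you would hand to a capture tool, for example
    #   tcpdump -i eth0 -nn '<expression>'
    print(dark_space_filter(MONITORED_SUBNET, USED_HOSTS))
```

The check inside `unused_addresses` matters in practice: a typo that puts a "used" host outside the block would silently leave a live machine's traffic inside the capture, which is exactly what the filter exists to prevent.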
Screenshots
But I only have one IP address…
• Dial-up/cable users do not have extra IP addresses
• Monitoring of unused port space for such cases
• Users are unlikely to run servers
• Select a set of ports and monitor those which are not bound
• Stop monitoring a port when it gets bound
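The port-selection rule on this slide, as an added example that is not the Honey@home client's code: probe each candidate port with a TCP bind, keep the ones nothing else has claimed, and drop a port from the monitored set as soon as a local service binds it. The example assumes the actual traffic monitoring is passive (for instance through a capture filter), so the probe only has to answer "is anything bound here?" and releases the socket at once; the candidate port list is a constructed sample.

```python
"""Select candidate ports that are currently unbound on this host, and drop a
port from the monitored set as soon as a local service claims it.

Added example, not the Honey@home client. It assumes traffic monitoring is
done passively, so the probe below only checks whether a port is bound by
attempting a TCP bind and releasing the socket immediately. The candidate
port list is a constructed sample of ports a home user is unlikely to serve on.
"""
from __future__ import annotations

import socket

CANDIDATE_PORTS = [21, 22, 23, 25, 80, 135, 139, 445, 1433, 3389]


def is_unbound(port: int, host: str = "127.0.0.1") -> bool:
    """True if a TCP bind on host:port succeeds.

    A failure is treated as "unavailable": EADDRINUSE means a local service
    holds the port, and EACCES (ports below 1024 without privileges) means
    the client could not monitor it anyway, so both are excluded.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return False
        return True


def select_monitored_ports(candidates: list[int], host: str = "127.0.0.1") -> list[int]:
    """Initial selection: the candidates nothing else has bound."""
    return [p for p in candidates if is_unbound(p, host)]


def refresh(monitored: list[int], host: str = "127.0.0.1") -> tuple[list[int], list[int]]:
    """Periodic re-check: returns (still monitored, dropped because now bound)."""
    kept = [p for p in monitored if is_unbound(p, host)]
    dropped = [p for p in monitored if p not in kept]
    return kept, dropped


def pick_ephemeral_port(host: str = "127.0.0.1") -> int:
    """Ask the OS for a currently free high port (used to exercise the check)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def bind_listener(port: int, host: str = "127.0.0.1") -> socket.socket:
    """Stand-in for a user starting a real service on `port`."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s


def demo() -> tuple[list[int], list[int], list[int]]:
    """Monitor a free port, then have a service claim it and re-check."""
    port = pick_ephemeral_port()
    monitored = select_monitored_ports([port])
    service = bind_listener(port)  # the user starts a server on that port
    try:
        kept, dropped = refresh(monitored)
    finally:
        service.close()
    return monitored, kept, dropped


if __name__ == "__main__":
    print("monitoring:", select_monitored_ports(CANDIDATE_PORTS))
    print("demo (before, kept, dropped):", demo())
```

Run `refresh` on a timer rather than once: the whole point of the rule is that a port a user starts serving on must leave the monitored set, otherwise the honeypot client would report the user's own legitimate traffic.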
Backend architecture
• Honey@home clients connect to a honeypot core
• Communication is done over port 80
• Honeyd as front-end to filter out scans
  – Filters out scans and unfinished connections
• Honeyd hands off connection to Argos
• Argos is an instrumented virtual machine able to catch zero-day exploits without the danger of getting infected
  – http://www.few.vu.nl/argos/
Diagram (labels only): Attacker, Attack, Honey@home, Forward, Honeypot core, Honeyd, Handoff
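The front-end role the slide gives Honeyd, filtering out scans and unfinished connections before the handoff, as an added example in Python (not Honeyd's or NoAH's code): a small per-flow state machine over a constructed stream of TCP control packets. Only flows that complete the three-way handshake and then carry client data are marked for handoff; half-open probes and connect-then-reset scans are dropped. Flag strings and the event tuple layout are assumptions of the demo.

```python
"""Front-end triage of connection attempts before handoff: drop scans and
unfinished connections, hand off only completed connections carrying data.

Added example modelled on the role the slides give Honeyd; not Honeyd's or
NoAH's code. The packet events are a constructed sample; flags are reduced
to the TCP control bits that matter for the handshake (S, A, P, R, F).
"""
from collections import defaultdict

# Constructed events: (src_ip, src_port, dst_ip, dst_port, flags, payload_len)
EVENTS = [
    # Flow A: full handshake followed by client data -> hand off
    ("198.51.100.7", 40001, "192.0.2.9", 445, "S", 0),
    ("192.0.2.9", 445, "198.51.100.7", 40001, "SA", 0),
    ("198.51.100.7", 40001, "192.0.2.9", 445, "A", 0),
    ("198.51.100.7", 40001, "192.0.2.9", 445, "PA", 120),
    # Flow B: SYN only, never completes -> half-open scan
    ("198.51.100.8", 40002, "192.0.2.9", 22, "S", 0),
    # Flow C: handshake completes, client resets without sending data -> connect scan
    ("198.51.100.9", 40003, "192.0.2.9", 80, "S", 0),
    ("192.0.2.9", 80, "198.51.100.9", 40003, "SA", 0),
    ("198.51.100.9", 40003, "192.0.2.9", 80, "A", 0),
    ("198.51.100.9", 40003, "192.0.2.9", 80, "R", 0),
]


class FlowState:
    """Handshake progress and client payload seen for one client-side 4-tuple."""

    def __init__(self):
        self.synack = False
        self.established = False
        self.bytes_from_client = 0
        self.closed = False


def triage(events):
    """Return {client 4-tuple: verdict}, verdict in {'handoff', 'half_open', 'no_data'}."""
    flows = defaultdict(FlowState)
    for src, sport, dst, dport, flags, plen in events:
        key = (src, sport, dst, dport)
        if "S" in flags and "A" not in flags:
            flows[key]  # a new SYN opens the flow, keyed by the client side
            continue
        if flags == "SA":
            reverse = (dst, dport, src, sport)  # server reply: look up the client key
            if reverse in flows:
                flows[reverse].synack = True
            continue
        state = flows.get(key)
        if state is None:
            continue  # never saw a SYN for this flow: ignore stray packets
        if "A" in flags and state.synack and not state.established:
            state.established = True  # third step of the handshake
        if state.established and plen > 0:
            state.bytes_from_client += plen
        if "R" in flags or "F" in flags:
            state.closed = True
    verdicts = {}
    for key, state in flows.items():
        if not state.established:
            verdicts[key] = "half_open"
        elif state.bytes_from_client == 0:
            verdicts[key] = "no_data"
        else:
            verdicts[key] = "handoff"
    return verdicts


def handoff_candidates(events):
    """Flows the front-end would forward to the instrumented honeypot."""
    return [k for k, v in triage(events).items() if v == "handoff"]


if __name__ == "__main__":
    for flow, verdict in triage(EVENTS).items():
        print(flow, verdict)
```

The "no data" verdict is what keeps connect scans away from the expensive back-end: a completed handshake alone says nothing about an exploit attempt, while the first payload bytes are what an instrumented VM such as Argos needs to see.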
Challenges
• We cannot trust clients
  – Anyone will be able to set up Honey@home
• Addresses of clients must remain hidden
• Addresses of servers must also remain hidden
  – Honeypots may become victims of direct attacks
  – Attacker can blacklist them to blind the honeypot core
• Computer-based mass installation of Honey@home mockup clients should be prevented
Hiding honeypots and clients
• Use of an anonymous communication system
• Onion routing is an attractive solution
  – Prevents eavesdropping attacks
  – Based on a set of centralized nodes (onion routers)
  – Even when a router is compromised, privacy is preserved
• Tor, an implementation of second generation onion routing
  – Provides both client- and server-side anonymity
Preventing automatic installation
• Goal: prevent mass installation of maliciously controlled clients
• CAPTCHAs as a proposed solution
  – Instruct human to solve a visual puzzle
  – Puzzle cannot be identified by a computer
  – Puzzle can also be an audio clip
Enhancing CAPTCHAs
www.honeyathome.org
MyHoney@home
Summary
• Honey@home is an easy way to set up a virtual honeypot at every home PC
• Just install and run, no maintenance cost
• Two main challenges: protect the identity of users and honeypots, and prevent massive installations
• Available at www.honeyathome.org
First and last OR in path compromised
Diagram (labels only): Honey@home client, a chain of onion routers (OR), Honeypot; links marked Encrypted and Unencrypted
Creating a Location Hidden Server
• Server creates onion routes to “introduction points”
• Server gives intro points’ descriptors and addresses to service lookup directory
• Client obtains service descriptor and intro point address from directory
Using a Location Hidden Server
• Client creates onion route to a “rendezvous point”
• Client sends address of the rendezvous point and any authorization, if needed, to server through intro point
• If server chooses to talk to client, connect to rendezvous point
• Rendezvous point mates the circuits from client & server
How onion routing works (1/1)
Diagram (labels only): Alice, routers R1 to R4 and other routers R, Bob
• Sender chooses a random sequence of routers
  – Some routers are honest, some controlled by attacker
  – Sender controls the length of the path
Shielding Tor against attacks
• Onion routing is subject to timing attacks
  – If an attacker has compromised the first and last routers of the path then she can perform correlation
• Solution: client sets itself as first router
  – Tor clients can also act like routers
• Honeypot can also set up a trusted first router
• Both ends of the path are then not controlled by the attacker
How onion routing works
Diagram (labels only): Alice, R1, R2, R3, R4, Bob
Message Alice sends to R1 (layers nested innermost last):
{R2,k1}pk(R1), { {R3,k2}pk(R2), { {R4,k3}pk(R3), { {B,k4}pk(R4), {M}k4 }k3 }k2 }k1
• Sender chooses a random sequence of routers
  – Some routers are honest, some controlled by attacker
  – Sender controls the length of the path
• Routing info for each link encrypted with router’s public key
• Each router learns only the identity of the next router
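The layered construction on this slide and the path-selection slide before it, as an added example that is not Tor's or NoAH's code: each layer carries a header only one router can open (the next hop and a session key k_i) and a payload sealed under k_i, so a router peels exactly one layer and learns exactly one next hop. The ciphers are a toy SHA-256 keystream XOR standing in for real public-key and symmetric encryption, so only the layering logic is faithful; router names, keys and the message are constructed sample values.

```python
"""Layered ("onion") encryption of a message along a chosen router path.

Added example, not Tor's or NoAH's code. It models the slide's construction
{R2,k1}pk(R1), { {R3,k2}pk(R2), { ... {B,k4}pk(R4), {M}k4 ... }k2 }k1.
The ciphers here are a toy SHA-256 keystream XOR standing in for real
public-key and symmetric encryption; router names, keys and the message are
constructed sample values.
"""
import hashlib
import json

ROUTERS = ["R1", "R2", "R3", "R4"]
# Constructed: each router's private key is derived from its name for the demo.
PRIVATE_KEYS = {r: hashlib.sha256(b"demo-private-" + r.encode()).digest() for r in ROUTERS}
SESSION_KEYS = [hashlib.sha256(b"demo-session-%d" % i).digest()[:16] for i in range(1, 5)]
MESSAGE = b"hello Bob, this is Alice"


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256(key || counter) blocks concatenated to n bytes."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def sym_seal(key: bytes, data: bytes) -> bytes:
    """{data}key in the slide's notation (XOR, so sealing and opening coincide)."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


sym_open = sym_seal


def seal_for(router: str, data: bytes) -> bytes:
    """Stand-in for {data}pk(router): only `router` holds the key to open it."""
    return sym_seal(PRIVATE_KEYS[router], data)


def open_as(router: str, data: bytes) -> bytes:
    return sym_open(PRIVATE_KEYS[router], data)


def build_onion(path, dest, message, session_keys):
    """Wrap `message` in one layer per router, building from the innermost out."""
    next_hops = path[1:] + [dest]
    blob = message
    for router, k, nxt in reversed(list(zip(path, session_keys, next_hops))):
        header = seal_for(router, json.dumps({"next": nxt, "k": k.hex()}).encode())
        # Layer = 2-byte header length || {next, k}pk(router) || {inner layer}k
        blob = len(header).to_bytes(2, "big") + header + sym_seal(k, blob)
    return blob


def peel(router, onion):
    """All one router can do: open its header, learn next hop and k, unseal payload."""
    hlen = int.from_bytes(onion[:2], "big")
    header = json.loads(open_as(router, onion[2:2 + hlen]))
    k = bytes.fromhex(header["k"])
    return header["next"], sym_open(k, onion[2 + hlen:])


def can_peel(router, onion):
    """True only if `router` holds the key for the outermost layer."""
    try:
        peel(router, onion)
        return True
    except (ValueError, KeyError, TypeError):
        return False


def route(onion, first_router):
    """Forward hop by hop; returns (final recipient, delivered bytes, per-hop view)."""
    views = []
    hop, blob = first_router, onion
    while hop in PRIVATE_KEYS:
        nxt, blob = peel(hop, blob)
        views.append((hop, nxt))  # the only routing fact this hop learns: its successor
        hop = nxt
    return hop, blob, views


if __name__ == "__main__":
    onion = build_onion(ROUTERS, "Bob", MESSAGE, SESSION_KEYS)
    print(route(onion, ROUTERS[0]))
```

`can_peel` is the property the slide's last bullet relies on: R2 cannot open the onion Alice hands to R1, so it learns neither Alice nor Bob, only R3 once the layer reaches it. A real deployment would replace the toy keystream with authenticated public-key and symmetric encryption; the layering itself is unchanged.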
Hidden services
• In previous examples, Alice needed to know the address of Bob
  – That is, the client needs to know the address of the honeypots
  – We need to hide our honeypots
• Tor offers hidden services
  – Clients only need to know an identifier for the hidden service
  – This identifier is a DNS name in the form of “xyz.onion”
  – “.onion” is routable only through Tor
Hidden services in action
• A hidden service that actually forwards to Google.com
Detectability issues
• The delay introduced by Tor is an indication of the presence of a Honey@home client