Anti-Honeypot Technology
Thorsten Holz, Laboratory for Dependable Distributed Systems
holz@i4.informatik.rwth-aachen.de
Thorsten Holz – Laboratory for Dependable Distributed Systems, 21st Chaos Communication Congress, slide #1
Overview
1. Brief introduction to honeypot technology
2. NoSEBrEaK
   • Workings of Sebek
   • Detecting & disabling Sebek
   • Kebes
   • Other anti-Sebek techniques
3. Detecting other honeypot architectures
   • VMware-based honeypots
   • UML-based honeypots
   • Others
Who we are
■ Laboratory for Dependable Distributed Systems at RWTH Aachen University
■ Main interests:
   • Theoretical considerations of security (safety / liveness / information flow properties, theoretical models of secure systems)
   • Threats in communication networks (honeypots, . . . )
   • Trusted Computing
■ Summer School “Applied IT-security”
■ “Hacker lab” & “Hacker seminar”
http://www-i4.informatik.rwth-aachen.de/lufg
Honeypot Technology
"Suppose," he [Winnie the Pooh] said to Piglet, "you wanted to catch me, how would you do it?"
"Well," said Piglet, "I should do it like this: I should make a trap, and I should put a jar of honey in the trap, and you would smell it, and you would go in after it, and . . . "
A. A. Milne: Winnie the Pooh
Honeypots?
■ Electronic bait, i.e. network resources (e.g. computers, routers, switches, . . . ) deployed to be probed, attacked and compromised
■ “Learn the tools, tactics, and motives of the blackhat community and share these lessons learned”
■ Monitoring software permanently collects data, helps in post-incident forensics
■ Clifford Stoll: The Cuckoo’s Egg, 1988
■ Honeynet Project: Non-profit research organization of security professionals dedicated to information security
Global Honeynet Project
■ Development of tools, for example monitoring software like Sebek or software for data analysis
■ Experiences up to now:
   • Capturing of exploits and tools, e.g. exploit for known vulnerability (dtspcd, 2002)
   • Typical approach of attackers
   • Monitoring of conversations over IRC (botnets, organized card fraud, . . . )
Further information: honeynet.org
Building Blocks: Sebek
■ Kernel-module on Linux & Solaris, patch on OpenBSD / NetBSD, device driver for Window$
■ Tries to capture all activities of an attacker
■ Hijacks sys_read (access to SSH sessions, burneye-protected programs, . . . )
■ Direct communication to ethernet driver, therefore mostly stealth
■ Unlinking from module list to hide its presence
Building Blocks: Honeywall
■ Transparent bridge, used for data capture and data control
■ IDS snort / IPS snort_inline (now part of snort)
   alert ip $HONEYNET any -> $EXTERNAL_NET any (msg:"SHELLCODE x86 stealth NOOP"; rev:6; sid:651; content:"|EB 02 EB 02 EB 02|"; replace:"|24 00 99 DE 6C 3E|";)
■ netfilter / iptables for traffic limiting
■ Further monitoring
   • monit or supervise
   • swatch
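The snort_inline rule above is the honeywall's data-control mechanism: a matched byte pattern is overwritten in place so that outbound shellcode is neutralised without changing packet length. The following is an added example (not code from the talk or from snort) that parses the `content`/`replace` options of that rule and applies them to a constructed payload; rewriting only the first match is an assumption made here about the matching semantics.

```python
import re

# The rule quoted on the slide (the sid 651 "stealth NOOP" rule).
RULE = ('alert ip $HONEYNET any -> $EXTERNAL_NET any (msg:"SHELLCODE x86 stealth NOOP"; '
        'rev:6; sid:651; content:"|EB 02 EB 02 EB 02|"; replace:"|24 00 99 DE 6C 3E|";)')


def parse_hex_option(rule, option):
    """Return the bytes of a |xx xx ..| style option value from a snort rule."""
    m = re.search(option + r':"\|([0-9A-Fa-f ]+)\|"', rule)
    if m is None:
        raise ValueError("option %r not found in rule" % option)
    return bytes.fromhex(m.group(1))


def parse_rule(rule):
    """Extract (sid, content pattern, replacement) from a content/replace rule."""
    sid = int(re.search(r"sid:(\d+)", rule).group(1))
    content = parse_hex_option(rule, "content")
    replace = parse_hex_option(rule, "replace")
    # snort_inline requires equal lengths so TCP sequence numbers stay valid.
    if len(content) != len(replace):
        raise ValueError("replace must be the same length as content")
    return sid, content, replace


def apply_rule(payload, rule=RULE):
    """Overwrite the first occurrence of the content pattern; returns (payload, hit)."""
    _, content, replace = parse_rule(rule)
    i = payload.find(content)
    if i == -1:
        return payload, False
    out = bytearray(payload)
    out[i:i + len(content)] = replace
    return bytes(out), True


# Constructed sample payload: the EB 02 jump-chain NOP sled followed by a 0x90 sled.
SAMPLE = b"GET /" + bytes.fromhex("EB02EB02EB02") + b"\x90\x90"

if __name__ == "__main__":
    rewritten, hit = apply_rule(SAMPLE)
    print("hit:", hit, "length kept:", len(rewritten) == len(SAMPLE))
    print(rewritten.hex())
```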
Setup at German Honeynet Project
[Figure: network diagram of the German Honeynet Project setup] Official website
NoSEBrEaK
NoSEBrEaK
■ We had no attacks on our honeynet, so . . .
■ Toolkit written in Python 2.3 to detect and remove Sebek from honeypot
■ Work together with Maximillian Dornseif and Christian N. Klein
■ Presented as academic paper at 5th IEEE Information Assurance Workshop, Westpoint
   Available at arXiv as cs.CR/0406052
■ Get the source code at md.hudora.de
■ Now: Short presentation of our results
Sebek
[...] monitoring capability to all activity on the honeypot including, but not limited to, keystrokes. If a file is copied to the honeypot, Sebek will see and record the file, producing an identical copy. If the intruder fires up an IRC or mail client, Sebek will see those messages. [...] Sebek also provides the ability to monitor the internal workings of the honeypot in a glass-box manner, as compared to the previous black-box techniques. [...] intruders can detect and disable Sebek. Fortunately, by the time Sebek has been disabled, the code associated with the technique and a record of the disabling action has been sent to the collection server.
Know Your Enemy: Sebek
Workings of Sebek in short
Concentrate on Sebek version 2.1.7 for Linux; techniques are applicable for other Sebek versions.
Basic mechanism of Sebek and interesting points for attack:
■ Hijack sys_read()
■ Send data passing through sys_read() in covert manner over the network
■ Overwrites part of the network stack (packet_recvmsg) to hide Sebek data passing on to the network
Hiding of Sebek
■ Sebek loads as a kernel module
■ Afterwards cleaner.o (part of adore) is loaded which removes Sebek from modules list
From cleaner.o:
   if (__this_module.next)
       __this_module.next = __this_module.next->next;
This works because kernel maintains list of modules (sys_create_module()):
   spin_lock_irqsave(&modlist_lock, flags);
   mod->next = module_list;
   module_list = mod; /* link it in */
   spin_unlock_irqrestore(&modlist_lock, flags);
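To make the two snippets above concrete, here is an added userland model (not code from the talk, adore or the kernel) of the singly linked module_list: the link-in done by sys_create_module(), the unlink done by cleaner.o, and a cross-view check that compares the list walk against every module object still in memory, which is why the "finding hidden module" detection on a later slide works. The module names and the `allocated` memory view are constructed for the example.

```python
class Module:
    """Minimal stand-in for struct module: only the name and the next pointer."""
    def __init__(self, name):
        self.name = name
        self.next = None


class ModuleList:
    def __init__(self):
        self.module_list = None   # head pointer, like the kernel's module_list
        self.allocated = []       # every module object loaded: the "memory" view

    def create_module(self, name):
        """Mirror of the link-in code: the new module becomes the list head."""
        mod = Module(name)
        mod.next = self.module_list
        self.module_list = mod     # link it in
        self.allocated.append(mod)
        return mod

    def listed(self):
        """What a list walk (lsmod, /proc/modules) reports, head first."""
        names, mod = [], self.module_list
        while mod is not None:
            names.append(mod.name)
            mod = mod.next
        return names

    def hidden_modules(self):
        """Cross-view check: objects present in memory but absent from the list."""
        visible = set(self.listed())
        return [m.name for m in self.allocated if m.name not in visible]


def cleaner_unlink(this_module):
    """The two lines from cleaner.o: skip the module loaded just before it."""
    if this_module.next:
        this_module.next = this_module.next.next


def demo():
    """Load ext3, then sebek, then cleaner; cleaner unlinks its predecessor."""
    k = ModuleList()
    k.create_module("ext3")
    k.create_module("sebek")
    cleaner = k.create_module("cleaner")
    before = k.listed()
    cleaner_unlink(cleaner)
    return before, k.listed(), k.hidden_modules()


if __name__ == "__main__":
    print(demo())
```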
Detecting Sebek
Several ways to detect Sebek come to mind:
■ Latency
■ Network traffic counters
■ Modification of sys-call table
■ Finding hidden module
■ Other cruft in memory
Setup
Setup in movies:
■ Attacker compromised one of the honeypots
■ SSH-connection from attacker to honeypot (≈ 1 KB/s data)
■ Movies show view of an attacker
Latency
First detection method we found during tests: “dd-attack”
   $ dd if=/dev/zero of=/dev/null bs=1
Just call sys_read() a couple of thousand times per second . . .
Movie: dd.mov