Honeypots as a Security Honeypots as a Security Mechanism - PowerPoint PPT Presentation

Monitoring, Attack Detection and Mitigation Monitoring, Attack Detection and Mitigation MonAM 2006 MonAM 2006 Honeypots as a Security Honeypots as a Security Mechanism Mechanism Presenter: Émerson Virti Authors: Émerson Virti, Liane Tarouco, João Ceron, Leandro Bertholdo, Lisandro Granville

Index Index 1. Honeypots 1. Honeypots 2. Principle of the Proximity 2. Principle of the Proximity 3. Experiment 3. Experiment 4. Conclusion 4. Conclusion MonAM – September - 2006 Honeypots as a Security Mechanism

Honeypot Concept Honeypot Concept • Experiment of Lancer Sptizner • 1999 • RedHat 5.1 • Concept: A network resource whose function is to be attacked and compromised . Sptizner MonAM – September - 2006 Honeypots as a Security Mechanism

Cooperation for Security Cooperation for Security Honeypots IDS Security IPS Mechanisms Sniffers DarkNet MonAM – September - 2006 Honeypots as a Security Mechanism

Importance of the Honeypot Importance of the Honeypot Prevention Detection Reaction Prevention Detection Reaction Prevention All traffic Depends on to the same destined to the institution attack one security already honeypot is politics destined to malicious one honeypot MonAM – September - 2006 Honeypots as a Security Mechanism

Honeyd Software Honeyd Software MonAM – September - 2006 Honeypots as a Security Mechanism

Principle of the Proximity Principle of the Proximity The majority of malwares tries to attack targets next to its addressing space. “New Fields of Application for Honeypots” – Thorsten Holz MonAM – September - 2006 Honeypots as a Security Mechanism

Experiment Experiment Used blocks IPV4: Academic /17 Academic /18 Comercial /18 Cable Modem /20 69.632 emulated computers MonAM – September - 2006 Honeypots as a Security Mechanism

Experiment - Results Experiment - Results Traffic – bit/s MonAM – September - 2006 Honeypots as a Security Mechanism

Experiment - Results Experiment - Results Traffic – package/s MonAM – September - 2006 Honeypots as a Security Mechanism

Experiment - Results Experiment - Results Statistics Access Address Space X Access per Acces per Number of Access IP per day IP per min Per day Academic /18 32.145.835 1977,48 2,75 Comercial /18 3.838.989 236,16 0,38 Academic /17 3.941.556 121,23 0,17 Cable Modem /20 5.172.852 1272,85 1,76 MonAM – September - 2006 Honeypots as a Security Mechanism

Experiment - Results Experiment - Results Attack Origin – IP source nationality Honeypot Brazilian Block Honeypot Brazilian Block Honeypot Brazilian Block Honeypot Brazilian Block 50% 98% 98% 98% 98% 2% 2% 2% 2% 50% Honeypot before CIDR Block Honeypot before CIDR Block Honeypot before CIDR Block Honeypot before CIDR Block MonAM – September - 2006 Honeypots as a Security Mechanism

Experiment - Results Experiment - Results

Conclusion Conclusion • Prevention, Detection and Reaction • Principle of Proximity • Honeypots as a security mechanism MonAM – September - 2006 Honeypots as a Security Mechanism

References References • T. Holz, "New Fields of Application for Honeynets" Diploma Thesis, Department for Computer Science of Aachen University, Germany, 2005 • L. Spitzner, Honeypots: Tracking Hackers. Addison- Wesley, 2003. [Online]. http://www.tracking-hackers.com/book/ • B. Schneier. "Secrets and lies: digital security in a networked world", Willey & Sons , 2000. MonAM – September - 2006 Honeypots as a Security Mechanism

Questions? Questions? Émerson Virti emerson@tche.br Federal University of Rio Grande do Sul – Brazil - UFRGS MonAM – September - 2006 Honeypots as a Security Mechanism