Leurré.com: a worldwide distributed platform to study Internet threats. Deployed and managed by the Eurecom Institute (teaching and research institute located on the French Riviera). Contact point: dacier@eurecom.fr
02/24/2005 – APRICOT Security Track – Dacier M. 2/31 Overview • Leurré.com: why and how • Web interface: a few examples • Some ‘non trivial’ results. • Conclusions
3/31 Motivations • We do not precisely know the threats we are facing and we do not know if/how they evolve … • … because of the lack of a model to characterize them … • … because of the lack of unbiased, quantitative data available to build such a model … • … because of the lack of an environment to collect such data!
4/31 Leurré.com • This project aims at deploying the very same honeypots in a large number of diverse locations. • Early results demonstrate the complementarity of this approach to so-called Internet telescopes and Darknets. • You can see this as a simple, widely distributed, fine grained network monitoring system.
5/31 Experimental Set Up (diagram): Internet → Reverse Firewall → Virtual Switch → Mach0: Windows 98 Workstation; Mach1: Windows NT (ftp + web server); Mach2: Redhat 7.3 (ftp server); Observer (tcpdump)
6/31 30 platforms, 20 countries, 5 continents
7/31 In Europe …
8/31 Win-Win Partnership • The interested partner provides … • One old PC (Pentium II, 128M RAM, 233 MHz…), • 4 routable IP addresses, • EURECOM offers … • Installation CD Rom • Remote logs collection and integrity check. • Access to the whole SQL database by means of a secure web access.
9/31 Overview • Leurré.com: why and how • Web interface: a few examples • Some ‘non trivial’ results. • Conclusions
10/31 6 months of data, by country • Count all IP sources that have contacted all our platforms during the last six months. • Identify the country of the attacking IP • Plot one curve per country
12/31 (figure, annotated with question marks)
13/31 YU: Serbia and Montenegro • YU has contacted only one platform • Identify the sequence of ports probed by each attacking IP • Plot one curve per sequence of ports
14/31 High similarity between two different attack tools!? But …
15/31 W32.Welchia.D.Worm ??? • Exploits multiple vulnerabilities, including: – The DCOM RPC vulnerability using TCP port 135. – The Workstation service buffer overrun vulnerability using TCP port 445. – The Locator service vulnerability using TCP port 445 • Targets Windows XP and Windows 2000 (Windows NT also vulnerable to the first 2 attacks)
16/31 One more viewpoint • Use passive OS fingerprinting tools (p0f, disco, ettercap) against each attacking IP. • Plot one curve for each OS type.
19/31 Discussion • Welchia does not seem to be the only cause of these attacks because of: – The bizarre peak of attacks coming from NT boxes – The fact that only one platform is targeted by this country • Are there attackers ‘surfing’ on the traces of other attacks in order to hide themselves? • More research is required.
20/31 Overview • Leurré.com: why and how • Web interface: a few examples • Some ‘non trivial’ results. • Conclusions
21/31 ISC (Dshield) Limitations ? (figure: time series from 2004-09-19 to 2004-09-28, y-axis 0 to 400, two series: Source: Leurré.com and Source: Internet Storm Center)
22/31 During the last 6 months • 345718 IPs have probed only 1 host per platform • 36287 have probed only 2 hosts per platform • 136331 IPs have probed all hosts of a given platform (pie chart: 1 host 67%, 2 hosts 7%, all hosts 26%)
23/31 P(sending a packet to an open port) for an attacker who sends packets to all machines of a given environment (figure: bar chart, y-axis 0 to 100, one bar per machine Mach1/Mach2/Mach3, x-axis environments Envi1 … Envi31 and ALL)
24/31 P(sending a packet to an open port) for an attacker who sends packets to only one machine of a given environment (figure: bar chart, y-axis 0 to 100, one bar per machine mach1/mach2/mach3, x-axis environments Envi1 … Envi31 and ALL)
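As an added example (not part of the original slides or of the Leurré.com tooling), the script below applies the three analyses of slides 13, 22 and 23/24 to a constructed set of honeypot observations: the port sequence per attacking source, how many hosts of a platform each source touched, and the share of packets that reached an open port for sources probing every host versus a single one. The host names follow the set-up slide; the open-port assignment per host and the sample records are assumptions.

```python
from collections import Counter, defaultdict

# Platform hosts as on the set-up slide; which ports are open on each host is
# an assumption made for this example, not data from the slides.
OPEN_PORTS = {"Mach0": set(), "Mach1": {21, 80}, "Mach2": {21}}
HOSTS = list(OPEN_PORTS)

# Constructed observations: (order, source IP, honeypot host, destination TCP port).
RECORDS = [
    (1, "192.0.2.10", "Mach0", 135), (2, "192.0.2.10", "Mach0", 445),   # all hosts, 135 then 445
    (3, "192.0.2.10", "Mach1", 135), (4, "192.0.2.10", "Mach1", 445),
    (5, "192.0.2.10", "Mach2", 135), (6, "192.0.2.10", "Mach2", 445),
    (7, "192.0.2.11", "Mach1", 80),                                      # one host, open port
    (8, "192.0.2.12", "Mach1", 21), (9, "192.0.2.12", "Mach2", 21),      # two hosts, ftp only
    (10, "192.0.2.13", "Mach0", 135), (11, "192.0.2.13", "Mach1", 135),  # all hosts, same sequence
    (12, "192.0.2.13", "Mach2", 135), (13, "192.0.2.13", "Mach2", 445),
    (14, "192.0.2.14", "Mach0", 139),                                    # one host, closed port
]

def port_sequence(records):
    """Slide 13: ordered sequence of distinct ports each source probed (first-seen order)."""
    seq = defaultdict(list)
    for _, ip, _, port in sorted(records):
        if port not in seq[ip]:
            seq[ip].append(port)
    return {ip: tuple(ports) for ip, ports in seq.items()}

def sources_by_sequence(records):
    """Slide 14: group sources sharing the same port sequence (one curve per sequence)."""
    groups = defaultdict(list)
    for ip, seq in port_sequence(records).items():
        groups[seq].append(ip)
    return dict(groups)

def hosts_per_source(records):
    hosts = defaultdict(set)
    for _, ip, host, _ in records:
        hosts[ip].add(host)
    return hosts

def host_coverage(records):
    """Slide 22: sources that touched 1 host, 2 hosts, or every host, as (count, percent)."""
    counts = Counter(len(h) for h in hosts_per_source(records).values())
    total = sum(counts.values())
    return {k: (counts[k], round(100 * counts[k] / total)) for k in (1, 2, len(HOSTS))}

def p_open_port(records, n_hosts):
    """Slides 23/24: percent of packets hitting an open port, for sources probing n_hosts hosts."""
    hosts = hosts_per_source(records)
    hit = sent = 0
    for _, ip, host, port in records:
        if len(hosts[ip]) == n_hosts:
            sent += 1
            hit += port in OPEN_PORTS[host]
    return round(100 * hit / sent) if sent else None
```

With the constructed data the two all-host sources share the sequence (135, 445) and never reach an open port, while the single-host sources reach one half of the time, the same contrast the slides draw between sweeping and targeted sources.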
25/31 Targeted attacks: Port 1433 example (figure: time series from 18/10/2003 to 15/02/2004, y-axis 0 to 14, with annotated dates 20/10/03, 06/11/03, 12/01/04 and 24/01/04)