Securing networks with Honeypots - PowerPoint PPT Presentation
  1. Benjamin Braun, Klemens Mang: Securing networks with Honeypots

  2. Motivation
  ● Scenario: a web server and an SSH service reachable from the Internet (diagram: Internet -> web server / SSH; source: own graphic)
  ● How to detect attackers accessing your service?
  ● How to analyze attack patterns?
  ● How to detect yet unknown attack patterns?

  3. Lecture Overview
  ● Attacking a network
  ● Protecting your network
  ● What are Honeypots?
  ● Types of Honeypots
  ● Honeypot lab
  ● Summary

  4. Attacking a network
  ● Random attacks:
    ● Automated tools searching for weaknesses
    ● Known vulnerabilities
    ● Already installed backdoors
    ● Weak or default login credentials
  ● Often preceded by IP range scans
  ● Example log entries (sshd auth log, then Apache access log):
    Oct 3 14:11:54 xxxxxx sshd[29972]: Invalid user admin from 212.64.151.233
    Oct 3 14:11:54 xxxxxx sshd[29972]: input_userauth_request: invalid user admin [preauth]
    Oct 3 14:11:54 xxxxxx sshd[29972]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
    183.60.244.29 - - [13/Dec/2013:15:13:23 +0100] "GET /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount HTTP/1.1" 301 185 "-" "Python-urllib/2.7"
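The two log formats shown on this slide are where random attacks first become visible. As an added example (not part of the slides), the script below parses constructed sshd and Apache lines modelled on the ones above, groups invalid-user attempts by source address, and flags HTTP requests that carry the usual signs of scripted probing: scanner paths, a scripted user agent, and shell metacharacters in the query. The path and user-agent lists are assumptions chosen for illustration, not a vetted signature set.

```python
import re
from collections import defaultdict

# Constructed sample lines in the two formats quoted on the slide (sshd auth log and
# Apache combined access log). They are not real captures.
SSHD_LOG = """\
Oct 3 14:11:54 xxxxxx sshd[29972]: Invalid user admin from 212.64.151.233
Oct 3 14:11:54 xxxxxx sshd[29972]: input_userauth_request: invalid user admin [preauth]
Oct 3 14:11:54 xxxxxx sshd[29972]: Received disconnect from 212.64.151.233: 11: Bye Bye [preauth]
Oct 3 14:11:57 xxxxxx sshd[29975]: Invalid user root from 212.64.151.233
Oct 3 14:12:01 xxxxxx sshd[29978]: Invalid user test from 212.64.151.233
Oct 3 14:12:30 xxxxxx sshd[29980]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
"""

ACCESS_LOG = """\
183.60.244.29 - - [13/Dec/2013:15:13:23 +0100] "GET /cgi-bin/rtpd.cgi?echo&AdminPasswd_ss|tdb&get&HTTPAccount HTTP/1.1" 301 185 "-" "Python-urllib/2.7"
10.0.0.5 - - [13/Dec/2013:15:14:02 +0100] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
183.60.244.29 - - [13/Dec/2013:15:14:10 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "Python-urllib/2.7"
"""

# Only the "Invalid user" line counts; the lowercase "invalid user [preauth]" line that
# follows it describes the same attempt and must not be counted twice (regex is case-sensitive).
SSHD_INVALID = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\d+\.\d+\.\d+\.\d+)")

# Apache combined log format: ip ident user [time] "request" status size "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical indicator lists for this example; tune them to your own site.
SCANNER_PATHS = ("/cgi-bin/", "/phpmyadmin", "/wp-login.php", "/admin/")
SCANNER_UA_PREFIXES = ("Python-urllib", "masscan", "zgrab", "curl/")


def ssh_invalid_users(log_text):
    """Map source IP -> list of non-existent usernames tried against sshd."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = SSHD_INVALID.search(line)
        if m:
            attempts[m.group(2)].append(m.group(1))
    return dict(attempts)


def brute_force_sources(attempts, threshold=3):
    """Sources that tried at least `threshold` invalid usernames."""
    return sorted(ip for ip, users in attempts.items() if len(users) >= threshold)


def suspicious_http(log_text):
    """Return (ip, path, reasons) for requests that look like automated probing."""
    hits = []
    for line in log_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line; a real tool would count these separately
        reasons = []
        if any(m["path"].startswith(p) for p in SCANNER_PATHS):
            reasons.append("scanner path")
        if m["ua"].startswith(SCANNER_UA_PREFIXES):
            reasons.append("scripted client")
        if "|" in m["path"] or ";" in m["path"]:
            reasons.append("shell metacharacter in query")
        if reasons:
            hits.append((m["ip"], m["path"], reasons))
    return hits


if __name__ == "__main__":
    attempts = ssh_invalid_users(SSHD_LOG)
    print("ssh brute-force sources:", brute_force_sources(attempts))
    for ip, path, reasons in suspicious_http(ACCESS_LOG):
        print(f"{ip} {path}: {', '.join(reasons)}")
```

Run against the constructed input, the single scanning address is reported for both services; the legitimate key-based login and the plain `/index.html` fetch are not flagged. Note that the sshd line is matched case-sensitively so the follow-up "invalid user ... [preauth]" line does not inflate the count.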

  5. Attacking a network
  ● Sophisticated attacks:
    ● Find out how the network is structured
    ● Get to know valuable or vulnerable targets
  ● Active fingerprinting:
    ● Varying protocol implementations reveal the operating system
    ● A port scan shows running services
    ● Service banners reveal the specific version
  ● Example: the SSH banner names the exact OpenSSH release and the OS build, which can be matched against published vulnerabilities:
    root@evil ~ % telnet 131.159.202.97 22
    Trying 131.159.202.97...
    Connected to 131.159.202.97.
    Escape character is '^]'.
    SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930
    CVE-2010-1938: OpenSSH 3.5p1 Remote Root Exploit for FreeBSD: off-by-one error [...] execute arbitrary code via a long username
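The banner on this slide is an SSH identification string as defined in RFC 4253: `SSH-<protoversion>-<softwareversion> [comments]`. The software field gives the product and release, and the optional comment (here `FreeBSD-20060930`) gives away the operating system. As an added example, not from the slides, the code below parses such a string into its fields and turns the release into a comparable tuple, so a scanner (or a defender checking their own hosts) can compare it against a version threshold. The `grab_banner` helper performs the same read the `telnet` session does; it needs a network and is not exercised offline. The version threshold used in the usage note is an assumption for illustration, not a statement about which releases are affected.

```python
import re
import socket

# RFC 4253 identification string: SSH-protoversion-softwareversion [SP comments] CR LF
BANNER_RE = re.compile(r"^SSH-(?P<proto>[^-]+)-(?P<software>\S+)(?: (?P<comments>.*))?$")
# Product name, optional separator, dotted version, optional portable-release suffix (e.g. p1)
VERSION_RE = re.compile(r"^(?P<product>[A-Za-z]+)[_/-]?(?P<version>\d+(?:\.\d+)*)(?P<patch>p\d+)?")


def parse_ssh_banner(line):
    """Split an SSH identification string into its fields; returns None if malformed."""
    m = BANNER_RE.match(line.strip())
    if not m:
        return None
    info = {
        "proto": m["proto"],
        "software": m["software"],
        "comments": m["comments"] or "",  # OS hint often lives here
    }
    v = VERSION_RE.match(m["software"])
    if v:
        info["product"] = v["product"]
        info["version"] = tuple(int(x) for x in v["version"].split("."))
        info["patch"] = v["patch"] or ""
    return info


def is_older_than(info, product, version):
    """True if the banner names `product` at a release below `version` (a tuple)."""
    return info.get("product") == product and info.get("version", ()) < version


def grab_banner(host, port=22, timeout=5.0):
    """Connect and return the first line the server sends (what the telnet session showed).
    Not called in offline use; the server speaks first, so no data needs to be sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(255).decode("ascii", "replace").splitlines()[0]


if __name__ == "__main__":
    # Banner taken from the slide
    info = parse_ssh_banner("SSH-1.99-OpenSSH_3.5p1 FreeBSD-20060930")
    print(info)
    # Hypothetical threshold: flag anything below OpenSSH 3.6
    print("older than 3.6:", is_older_than(info, "OpenSSH", (3, 6)))
```

`proto` of `1.99` means the server accepts both protocol 1 and 2 clients, which is itself a fingerprinting datum. Banners are free text, so the parser tolerates vendors that use other separators (`dropbear_2019.78`) and returns `None` for non-SSH replies rather than guessing.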

  6. Protecting your network
  ● Prevention: Firewall
    ● Block unwanted traffic at the edge of the network
  ● Detection: Network Intrusion Detection System (NIDS)
    ● Signature-based detection: very effective against known threats
    ● Anomaly detection; problem: false positives
  ● Response strategies:
    ● Packet filtering
    ● Redirecting traffic
    ● Rate limiting
    ● Tracking

  7. Example: Snort rule
  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-CNC Win.Trojan.Zeus variant outbound connection"; flow:to_server,established; content:"POST"; http_method; content:".php"; http_uri; content:"|3B 20|MSIE|20|"; http_header; content:!"|0D 0A|Accept|2D|Language|3A|"; http_header; content:!"|0D 0A|Referer|3A|"; http_header; content:!"|0D 0A|Cookie|3A|"; http_header; content:"Content-Length: "; nocase; byte_test:8,<,201,0,string,relative; pcre:"/[^\x20-\x7e\x0d\x0a]{4}/P"; metadata:impact_flag red, policy security-ips drop, ruleset community, service http; classtype:trojan-activity; sid:25050; rev:5;)

  8. What are Honeypots?
  ● Problem with NIDS: high rate of false positives and the need to know attack signatures in advance -> honeypots
  ● A honeypot is “an information system resource whose value lies in unauthorized or illicit use of that resource”.
  ● No legitimate user has a reason to touch it, so every access attempt is logged and treated as unusual behavior
  ● Features:
    ● Higher degree of accuracy (low false positive rate)
    ● Collects more detailed information about each attack
    ● Detects yet unknown attacks

  9. Types of Honeypots
  ● High interaction honeypot:
    ● A real, fully featured system without productive value
    + Enables collecting comprehensive data about attack techniques
    - May be compromised completely
    - Requires more maintenance
  ● Low interaction honeypot:
    ● Implements only some parts of a system (a service, network stack behavior)
    ● May be used as an early warning system
    + Easy to set up and maintain
    + Limited risk of compromise
    - Generates less information

  10. Honeyd – an overview
  ● Low interaction honeynet tool
  ● Simulates:
    ● Thousands of virtual hosts
    ● Network stack behavior of different OSs (so fingerprinting sees the configured personality)
    ● Arbitrary services via configuration
    ● Arbitrary routing topologies
    ● Subsystem virtualization
  Source: “Virtual Honeypots: From Botnet Tracking to Intrusion Detection”
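The slide lists what honeyd can simulate; the configuration file is where all of it is expressed. As an added example, not taken from the slides or shipped with honeyd, here is a small `honeyd.conf` that covers each item in turn: a catch-all template, two host templates with an OS personality and a handful of services (one script-backed, one proxied to a real box), a router with a simple two-subnet topology, and bindings to otherwise unused addresses. All addresses, script paths (`scripts/web.sh`, `scripts/smtp.sh`) and the proxied host are assumptions; personality strings must name entries that exist in the `nmap.prints` file honeyd is started with, and the two used here are taken from honeyd's documented sample names.

```conf
# Added example honeyd.conf; addresses, scripts and the proxy target are hypothetical.

# Catch-all: anything not bound below is silently dropped, so stray scans see nothing
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A "Windows" host. The personality drives the emulated TCP/IP stack quirks,
# so an nmap -O run against it reports this OS rather than the honeyd box itself.
create windows
set windows personality "Microsoft Windows NT 4.0 SP5-SP6"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 1728650
add windows tcp port 80 "sh scripts/web.sh"        # hypothetical service script
add windows tcp port 139 open
add windows tcp port 445 open

# A "Linux" host whose SSH port is handed to a real (high interaction) system;
# honeyd still logs the connection, the real box takes the session.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 proxy 10.0.1.50:22           # assumed high interaction host
add linux tcp port 25 "sh scripts/smtp.sh"         # hypothetical service script

# Router template and a two-subnet topology: hosts behind 10.0.1.1 answer with
# added latency and loss, which makes the virtual network look routed.
create router
set router default tcp action reset
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 20ms loss 0.1
route 10.0.1.1 link 10.0.1.0/24

# Bind templates to unused addresses in the monitored ranges
bind 10.0.0.1 router
bind 10.0.1.1 router
bind 10.0.0.10 windows
bind 10.0.0.11 windows
bind 10.0.1.20 linux
```

Two points worth checking in the lab: with `default tcp action block` on the catch-all and `reset` on the hosts, a scanner sees closed ports only on the bound addresses, which is what makes them look like live machines; and because honeyd answers for addresses nobody owns, it must be run together with arpd (or static ARP) so the router actually forwards traffic for those addresses to the honeyd host.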

  11. Honeypot Lab
  (Diagram: Attacker -> Router -> Honeyd host running the Virtual Honeypots, next to a real Server on the same network)
  1. Build virtual honeypots with honeyd
  2. Attack the network from the outside
  3. Try to distinguish honeypots from real systems
  4. Analyse the log files from your honeypot

  12. Summary
  ● Most attacks aim to exploit known weaknesses
  ● Network IDS have difficulties with unknown attacks
  ● Honeypots help to detect and analyze network attacks
  ● They feature:
    ● Low false positive rate
    ● Confuse attackers
  ● We distinguish between high and low interaction honeypots

  13. Flight Through Your Lab (live walk-through of the exercise in the browser; expected time: 5 minutes)
