Download honeypot - Clemson

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
Document related concepts

Security-focused operating system wikipedia , lookup

Unix security wikipedia , lookup

Transcript 
CLEMSON UNIVERSITY
HONEYPOT
By SIDDARTHA ELETI
Introduction
•
Introduced in 1990/1991 by Clifford Stoll’™
s in his book “The Cuckoo’s Egg”
and by Bill Cheswick’€
™
s in his paper “€
A
œn Evening With Berferd.”
• A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
• Acts as a Decoy or a Bait to lure attackers .
• They are designed to be attacked.
• Its about spying the spy i.e. attacker.
Working
• Uses the concept of deception.
• Honeypots work on the idea that all traffic to a honey pot should be deemed
suspicious.
• Designed to audit the activity of an intruder, save log files, and record events
– Processes started
– Adding, deleting, changing of files
– even key strokes
Location
• Honeypots are usually placed somewhere in the DMZ. This ensures that
the internal network is not exposed to the hacker.
• Most honeypots are installed inside firewalls so that they can be better
controlled.
• But a firewall that is placed in a honeypot works exactly the opposite to
how a normal firewall works.
Types of Honeypots
• Based on level of Deployment:
– Production Honeypots
– Research Honeypots
• Based on Design:
– Pure
– High Interaction
– Low Interaction
Levels of Deployment
•
Production :
– Its easy and captures only limited info.
– Adds value to the security measures of an organization.
– Used by companies and large corporations
• Research :
–
–
–
–
Collects a lot of info i.e. attackers tools, intent, identity etc.
Does not directly add value to an organization
Researches the threats and tries to come up with better measures
Used by military, government organizations and research
Interaction
• What is Interaction?
– Level of Interaction determines amount of functionality a honeypot
provides.
– The greater the interaction, the more you can learn.
– The greater the interaction, greater the complexity.
– The greater the interaction, greater the risk.
• High Interaction:
– Imitates the services and actions of a real system.
– Gives vast amount of information.
– Involves an operating system.
• This involves risk
– Multiple honeypots can be hosted with the use of VM’s
– Difficult to detect
– Expensive to maintain
– Example : Honeynet
• Low Interaction Honeypots:
– It simulates the services of a system.
– Predetermined set of responses
– Not good for interacting with unexpected attacks
– Gives less information. Usually
• Time of attack
• IP and port of attacker
• Destination IP and Port of attack
– Does not involve an operating system
– Easy to Detect
– Cheaper to maintain
Commercial Honeypot Systems
• There are a variety of commercial Honey Pot systems available.
– Deception ToolKit (DTK)
– Specter
• Supported OS’s
– Microsoft NT
– Unix.
Deception Toolkit
• First free Honeypot by Fred Cohen in 1997
• Suite of applications that listen to inbound traffic.
– FTP,
– Telnet,
– HTTP
• Uses scripted responses.
• Experienced attackers can quickly realize that they are in a
Honeypot.
SPECTER
• SPECTER is a smart honeypot-based intrusion detection system.
• A Production Honeypot and easy to configure.
• Provides Real-time counterintelligence against hackers.
• It simulates a vulnerable computer with various operating systems like
Windows, Mac, Linux, Solaris etc.
• Offers common Internet services such as SMTP, FTP, POP3, HTTP and
TELNET.
• These services appear perfectly normal to the attackers but in fact are
traps for them to mess around and leave traces.
• Offers Intelligent systems like TRACER, TRACE ROUTE, DNS, FTP Banner
etc.
Advantages
• The administrator can learn about vulnerabilities in his system
• Intent of the attackers
• Simple design and implementation
• Less resources
• Cheaper to analyze collected information
Disadvantages
• Has to be attacked directly.
• Can be avoided.
• Honeypots can be detected as they have expected characteristics or
behavior.
• They can introduce risk to the environment.
• They don’t prevent or stop an attack.
Conclusion
• It’s a tool to learn and understand the how the attack is being executed
and motives of the attackers.
• Not a solution.
• Provide important information about
– The attacker
– The tools being used by attacker
– What the attacker is after
References
• http://www.techrepublic.com/article/which-honeypot-should-iuse/1042527
• http://www.specter.com/default50.htm
• http://en.wikipedia.org/wiki/Honeypot_(computing)
• http://www.tracking-hackers.com/papers/honeypots.html
• http://www.sans.org/security-resources/idfaq/honeypot3.php
• Honeypots: Tracking Hackers By Lance Spitzner
THANK YOU
Related documents
Introduction CS 239 Security for Networks and System
Introduction CS 239 Security for Networks and System
Honeynet Project
Honeynet Project
Heat-seeking Honeypots: Design and Experience
Heat-seeking Honeypots: Design and Experience
A Virtual Honeypot Framework
A Virtual Honeypot Framework
Banksia nivea plant notes
Banksia nivea plant notes
Slide 1
Slide 1
Factsheet - KFSensor
Factsheet - KFSensor
Group 1C
Group 1C
Honeyfarm
Honeyfarm
HoneyPot1 - Security Research
HoneyPot1 - Security Research
Incident Response and Honeypots
Incident Response and Honeypots