Honeyd: A Virtual Honeypot Daemon (Extended Abstract)
figurable link characteristics like latency and packet loss. When using tools like traceroute, the network traffic appears to follow the configured topology. We present an experimental evaluation of Honeyd that shows how fingerprinting tools like Nmap detect the configured operating system and services. Furthermore, we evaluate the support of virtual network topologies with tools like traceroute.

The rest of this paper is organized as follows. Section 2 discusses the design and implementation of Honeyd. In Section 3, we evaluate the implementation and show that Honeyd fools fingerprinting tools in practice. We present related work in Section 4. We conclude in Section 5.

[Figure 1: Honeyd receives traffic for its virtual honeypots via a router or Proxy ARP. For each honeypot, Honeyd can simulate the network stack behavior of a different operating system. The diagram shows the Internet, a router at 10.0.0.1, the Honeyd host at 10.0.0.2, and virtual honeypots at 10.0.0.101 to 10.0.0.104 labelled Linux 1.0.9, FreeBSD 3.2-4.0, Windows NT 4 and NetBSD 1.6H.]

2 Design and Implementation

In this section, we discuss the design and implementation of Honeyd. We discuss our intended goals and show how they were implemented.

We expect adversaries to interact with our honeypots only at the network level. Instead of simulating every aspect of an operating system, we decided to simulate only its network stack. The main drawback of this approach is that an adversary never gains access to a complete system, even if he compromises a simulated service. On the other hand, we are still able to capture connection and compromise attempts. For that reason, Honeyd is a low-interaction virtual honeypot that simulates TCP and UDP services.

Honeyd must be able to handle virtual honeypots on multiple IP addresses simultaneously. This allows us to populate the network with a number of virtual honeypots that can simulate different operating systems and services. Furthermore, Honeyd must be able to simulate different network topologies.

Honeyd is implemented as a Unix daemon that runs on a workstation and listens to network traffic; see Figure 1. Before we give an overview of the Honeyd architecture, we explain how network packets for virtual honeypots reach the Honeyd host.

2.1 Receiving Network Data

Honeyd is designed to reply to network packets that have the destination IP address of one of the honeypots that it simulates. We need to configure the network appropriately for Honeyd to actually receive such packets. To do this, we either create a special route at the router for the virtual IP addresses or use Proxy ARP [3].

In the following, we assume that A is the IP address of our router and that B is the IP address of the Honeyd host. The IP addresses of virtual honeypots need to fall within our local network. We designate them V1, ..., Vn. When an adversary sends a packet from the Internet to honeypot Vi, router A receives it first and attempts to forward it. The router queries its routing table to find the forwarding address for Vi. There are three possible results: the router drops the packet because there is no route to Vi, router A forwards the packet to another router, or Vi falls in the local network range of the router and thus is directly reachable by A.

We make use of the latter two cases to direct traffic for Vi to B. The easiest way is to configure routing entries for Vi with 1 <= i <= n that point to B. In that case, the router forwards packets for our virtual honeypots directly to the Honeyd host. If no special route has been configured, the router uses ARP to determine the MAC address of the virtual honeypot. As there is no corresponding physical machine, the ARP requests remain unanswered and the router drops the packet after a few retries. We configure the Honeyd host to reply to ARP requests for Vi with its own MAC address. This is called Proxy ARP and allows the router to send packets for Vi to B's MAC address.

2.2 Honeyd Architecture

In this section, we give an overview of Honeyd's architecture; see Figure 2.

When the Honeyd daemon receives a packet for one of the virtual honeypots, it is processed by a central packet dispatcher. The dispatcher checks the length of the IP packet and verifies its checksum. The daemon knows only three protocols: ICMP, TCP and UDP [9]. Packets for other protocols are discarded.

The dispatcher queries the configuration database for a honeypot configuration that corresponds to the destination IP address. If no such configuration exists, the default template is used. Then the dispatcher calls the protocol-specific handler with the received packet and the corresponding honeypot configuration.

For ICMP, the only packet that is currently supported is the ICMP ECHO request. The daemon answers with an ICMP ECHO reply packet.

For TCP and UDP, the daemon can establish connections to arbitrary services. Services are external programs that receive data on stdin and send their output to stdout. When a connection request is received, the daemon checks if the packet is part of an established connection. In that case, any new data is sent to the already started service program. If the packet contains a connection request, a new process is created to run the appropriate service.

[Figure 2: This diagram gives an overview of Honeyd's architecture. Incoming packets are dispatched to the correct protocol handler. For TCP and UDP, the configured services receive new data and send responses if necessary. All outgoing packets are modified by the personality engine to mimic the behavior of the configured network stack. Components shown: Packet Dispatcher, ICMP/TCP/UDP handlers, Services, Configuration (Personality, Lookup) and Personality Engine.]

Honeyd contains a simplified TCP state machine, i.e., the three-way handshake for connection establishment and connection teardown via FIN or RST are fully supported. However, receiver and congestion window management is not fully implemented.

A UDP packet to a closed port is correctly answered with an ICMP port unreachable message. This allows tools like traceroute to work correctly.

Instead of establishing a connection with a service program, the daemon also supports dynamic redirection of the service. This allows us to forward a connection request for a web server running on a virtual honeypot to a real web server. It is also possible to redirect connections to the adversary herself, e.g., a redirected SSH connection might cause an adversary to attempt to compromise her own SSH server.

Before any packet is sent to the network, it is processed by the personality engine. It adjusts the packet's content so that it seems to originate from the network stack of the configured operating system; see Section 2.4 for more details.

2.3 Routing Topology

Instead of simulating a flat network, Honeyd also supports virtual routing topologies. We can no longer use Proxy ARP for the packets to reach the Honeyd host, but need to configure a router to delegate a network range to our host. This network range can be split into sub-networks. Currently, the virtual routing topology is restricted to a rooted tree. The root of the tree is the point at which packets enter the virtual routing topology.

Each non-terminal node of the tree represents a router and each edge a link that carries latency and packet loss as attributes. Each terminal node of the tree corresponds to a network. When the daemon receives a packet, it traverses the tree starting at the root until it finds a node that contains the destination IP address of the packet. The packet loss and latency of all edges on the path are accumulated and determine whether the packet is dropped and for how long its delivery should be delayed.

The daemon also decrements the time to live (TTL) of the packet for each traversed router. If the TTL reaches zero, the daemon sends an ICMP time exceeded message with the source IP address of the router that causes the TTL to reach zero.

2.4 Personality Engine

Honeyd uses the term personality to refer to the network stack behavior of a virtual honeypot. The daemon uses the Nmap fingerprint list as a reference. Each fingerprint has a format similar to the following example:

Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=104%SI=1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)

We use the string after the Fingerprint token as the personality name. The lines after the name describe test results for nine different tests. The first test is the most comprehensive. It determines how the network stack of the remote operating system creates the initial sequence number (ISN) for TCP SYN segments. Nmap indicates the difficulty of predicting ISNs in the Class field. Predictable ISNs are a long-known security problem because they allow an adversary to spoof connections [2]. The gcd and SI fields provide more detailed information about the ISN distribution. The first test also determines how IP identification numbers and TCP timestamps are generated.

The next seven tests determine the stack's behavior for packets that arrive on open and closed TCP ports. The last test analyzes the ICMP response packet to a closed UDP port.

Honeyd keeps state for each honeypot. This includes information about ISN generation, the boot time of the honeypot and the current IP identification number. Before a packet is sent to the network, it passes through the personality engine.

For ICMP packets, the protocol part of the packet is currently changed only if it is of type destination unreachable and code port unreachable; see Figure 3. The daemon looks up the PU test entry for the personality to determine how the quoted IP header needs to be modified. Many operating systems modify the incoming packet by changing fields from network to host order and as a result quote the IP and UDP header incorrectly. Honeyd introduces these errors if necessary.

[Figure 3: The diagram shows the structure of an ICMP port unreachable message: type 3, code 3, checksum, an unused field set to 0, the quoted IP header including options, and the first 8 bytes of the UDP header. Honeyd introduces errors into the quoted IP header to match the behavior of network stacks.]

Nmap's fingerprinting is mostly concerned with the operating system's TCP implementation. TCP is a stateful, connection-oriented protocol that provides error recovery and congestion control [5]. It also supports additional options that are not implemented by all systems. The size of the advertised receiver window varies between implementations and is used by Nmap as part of the fingerprint.

[Figure 4: The diagram shows the structure of the TCP header: 16-bit source and destination port numbers, 32-bit sequence number, 32-bit acknowledgment number, 4-bit header length, 6 reserved bits, 6 flag bits, 16-bit window size, 16-bit TCP checksum, 16-bit urgent pointer and options, if any. Honeyd changes options and other parameters to match the behavior of network stacks.]

When the daemon sends a packet for a not yet established TCP connection, it takes the initial window size from the Nmap fingerprint. After a connection has been established, the daemon adjusts the window size according to the amount of buffered data.

If the fingerprint includes TCP options, Honeyd inserts them into a packet as long as they have been correctly negotiated during connection establishment. For TCP timestamps, the daemon uses the fingerprint to determine the frequency with which the timestamp is updated. For most operating systems, the update frequency is 2 Hz.

Generating a matching distribution of initial sequence numbers is more difficult. Nmap obtains six ISN samples and analyzes their consecutive differences. Nmap recognizes several ISN generation types: constant differences, differences that are multiples of a constant, completely random differences, time-dependent increments and random increments. To differentiate between the latter two cases, Nmap calculates the greatest common divisor (gcd) and standard deviation of the collected differences.

For each honeypot, the daemon keeps track of the last ISN that was generated and its generation time. For new TCP connection requests, Honeyd uses a formula that approximates the distribution described by the fingerprint's gcd and standard deviation. As a result, the generated ISNs match the generation class that Nmap expects for the particular operating system.

For the IP header, Honeyd adjusts the generation of the identification number. It can either be zero, increment by one or be random.

route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24

create routerone
set routerone personality "Cisco 7206 running IOS 11.1(24)"
set routerone default tcp action reset
add routerone tcp port 23 "scripts/router-telnet.pl"

create netbsd
set netbsd personality "NetBSD 1.5.2 running on a Commodore Amiga (68040 processor)"
set netbsd default tcp action reset
add netbsd tcp port 22 proxy $ipsrc:22
add netbsd tcp port 80 "sh scripts/web.sh"

bind 10.0.0.1 routerone
bind 10.1.0.2 netbsd

Figure 5: An example configuration for Honeyd. The configuration language is a context-free grammar. This example creates a virtual routing topology and defines two templates: a router that can be accessed via telnet and a host that is running a web server.

2.5 Configuration

Virtual honeypots are configured via templates. A template is a reference for a completely configured computer system. New templates are created with the create command.

The set and add commands change the configuration of a template. Using the set command, we assign a personality from the Nmap fingerprint file to a template. The personality determines the behavior of the network stack as discussed in Section 2.4. The set command is also used to define the default behavior for the supported network protocols. The default behavior can be one of the following values: block, reset or open. Block means that all packets for the specified protocol are dropped by default, reset indicates that all ports are closed by default, and open means that they are all open by default. The latter two settings make a difference only for UDP and TCP.

Using the add command, we specify the services that are remotely accessible. Besides the template name, we need to specify the protocol, port and the command to execute for each service. Instead of specifying a service, Honeyd also recognizes the keyword proxy, which allows us to forward network connections to a different host. The daemon expands the following four variables for both the service and the proxy statement: $ipsrc, $ipdst, $sport and $dport. This allows services to adapt their behavior depending on the particular network connection they are handling. It is also possible to redirect network probes back to the host that is probing us.

The bind command is used to assign a template to an IP address. If no template has been assigned to an IP address, the default template is used. Figure 5 shows an example configuration that specifies a routing topology and two templates. The router template mimics the network stack of a Cisco 7206 router and is accessible only via telnet. The web server template, on the other hand, runs two services: a simple web server and a forwarder for SSH connections. In this case, the forwarder redirects SSH connections back to the connection initiator.

3 Evaluation

This section presents a brief evaluation of Honeyd's ability to create virtual network topologies and to mimic different network stacks.

We start Honeyd with a configuration similar to the one shown in Figure 5 and use traceroute to find the routing path to a virtual host. We notice that the measured latency is double the latency that we configured, which is the correct time because packets have to travel each link twice.

Running Nmap against the two IP addresses 10.0.0.1 and 10.1.0.2 results in the correct identification of the configured personalities. Nmap states that 10.0.0.1 seems to be a Cisco router and that 10.1.0.2 seems to run NetBSD. Xprobe identifies 10.0.0.1 as a Cisco router and lists a number of possible operating systems, including NetBSD, for 10.1.0.2. A more thorough evaluation of Honeyd is the subject of future work.

$ traceroute -n 10.3.0.10
traceroute to 10.3.0.10 (10.3.0.10), 64 hops max
 1  10.0.0.1   0.456 ms   0.193 ms   0.93 ms
 2  10.2.0.1  46.799 ms  45.541 ms  51.401 ms
 3  10.3.0.1  68.293 ms  69.848 ms  69.878 ms
 4  10.3.0.10 79.876 ms  79.798 ms  79.926 ms

Figure 6: Using traceroute, we measure a routing path in the virtual routing topology. The measured latencies match the configured ones.

4 Related Work

There are several areas of research in TCP/IP stack fingerprinting, among them effective methods to determine the remote operating system, either by active probing or by passive analysis of network traffic, and defeating TCP/IP stack fingerprinting by normalizing network traffic.

Fyodor's Nmap uses TCP and UDP probes to determine the operating system of a host [4]. Nmap collects the responses of a network stack to different queries and matches them against a signature database to determine the operating system of the queried host. Nmap's fingerprint database is extensive and we use it as the reference for operating system personalities in Honeyd.

Instead of actively probing a remote host to determine its operating system, it is possible to identify the remote operating system by passively analyzing its network packets, as done by the passive OS fingerprinting tool p0f [10]. The TCP/IP flags inspected by p0f are similar to the data collected in Nmap's fingerprint database.

On the other hand, Smart et al. show how to defeat fingerprinting tools by scrubbing network packets so that artifacts identifying the remote operating system are removed [6]. This approach is similar to Honeyd's personality engine, as both systems change network packets to influence fingerprinting tools. In contrast to the fingerprint scrubber, which removes identifiable information, Honeyd changes network packets in such a way that they contain artifacts of the configured operating system.

5 Conclusion

We presented Honeyd, a framework for creating virtual honeypots. Honeyd mimics the network stack behavior of operating systems to fool fingerprinting tools. We gave a brief overview of Honeyd's design and implementation. Our evaluation shows that Honeyd is effective in creating virtual routing topologies and successfully fools fingerprinting tools.

Honeyd is freely available as source code and can be downloaded from http://www.citi.umich.edu/u/provos/honeyd/.

6 Acknowledgments

I would like to thank Dug Song, Jamie Van Randwyk and Eric Thomas for helpful suggestions and contributions. I also thank Therese Pasquesi and Jose Nazario for careful reviews.

References

[1] Ofir Arkin and Fyodor Yarochkin. Xprobe v2.0: A "Fuzzy" Approach to Remote Active Operating System Fingerprinting. http://www.xprobe2.org, August 2002.
[2] Steven M. Bellovin. Security Problems in the TCP/IP Protocol Suite. Computer Communications Review, 19(2):32-48, 1989.
[3] Smoot Carl-Mitchell and John S. Quarterman. Using ARP to Implement Transparent Subnet Gateways. RFC 1027, October 1987.
[4] Fyodor. Remote OS Detection via TCP/IP Stack Fingerprinting. http://www.nmap.org/nmap/nmap-fingerprinting-article.html, October 1998.
[5] Jon Postel. Transmission Control Protocol. RFC 793, September 1981.
[6] Matthew Smart, G. Robert Malan, and Farnam Jahanian. Defeating TCP/IP Stack Fingerprinting. In Proceedings of the 9th USENIX Security Symposium, August 2000.
[7] Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Professional, September 2002.
[8] Stuart Staniford, Vern Paxson, and Nicholas Weaver. How to Own the Internet in Your Spare Time. In Proceedings of the 11th USENIX Security Symposium, August 2002.
[9] W. R. Stevens. TCP/IP Illustrated, Volume 1. Addison-Wesley, 1994.
[10] Michal Zalewski and William Stearns. Passive OS Fingerprinting Tool. http://www.stearns.org/p0f/README, viewed on 12th January 2003.
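Added example for the personality engine of Section 2.4 (not Honeyd's code): it parses a fingerprint in the first-generation Nmap format quoted above and looks up the reply parameters the engine imposes per test, the PU rule for closed UDP ports, and the timestamp clock derived from the honeypot's boot time. The function names, the option-letter table and the fingerprint copy are this example's own assumptions.

```python
import re

# Constructed copy of the fingerprint quoted in Section 2.4 (values as printed there).
FINGERPRINT = """Fingerprint IRIX 6.5.15m on SGI O2
TSeq(Class=TD%gcd=104%SI=1AE%IPID=I%TS=2HZ)
T1(DF=N%W=EF2A%ACK=S%Flags=AS%Ops=MNWNNTNNM)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=N)
"""

TEST_LINE = re.compile(r"^(\w+)\((.*)\)$")
# Option letters of the first-generation Nmap format (assumed mapping).
OPTION_NAMES = {"M": "mss", "N": "nop", "W": "wscale", "T": "timestamp", "L": "eol"}


def parse_fingerprint(text):
    """Return (personality name, {test name: {field: value}})."""
    name, tests = None, {}
    for line in text.strip().splitlines():
        if line.startswith("Fingerprint "):
            name = line[len("Fingerprint "):]      # personality name used by `set ... personality`
            continue
        m = TEST_LINE.match(line)
        if not m:
            raise ValueError("unparsable fingerprint line: %r" % line)
        fields = {}
        for kv in m.group(2).split("%"):
            key, _, value = kv.partition("=")   # "Ops=" yields an empty option list
            fields[key] = value
        tests[m.group(1)] = fields
    return name, tests


def tcp_reply(tests, test):
    """Parameters the engine imposes on the reply described by test T1..T7.

    Returns None when the fingerprint says the stack stays silent (Resp=N)."""
    t = tests[test]
    if t.get("Resp", "Y") == "N":
        return None
    return {
        "flags": t["Flags"],                    # e.g. "AS" = SYN/ACK, "AR" = RST/ACK
        "df": t["DF"] == "Y",                   # don't-fragment bit of the IP header
        "window": int(t["W"], 16),              # initial advertised window (hex in Nmap)
        "ack": t["ACK"],                        # how the ack number relates to the probe
        "options": [OPTION_NAMES[c] for c in t["Ops"]],
    }


def udp_closed_port_reply(tests):
    """True if a probe to a closed UDP port is answered with ICMP port unreachable."""
    return tests["PU"].get("Resp", "Y") != "N"


def timestamp_hz(tests):
    """Update frequency of the TCP timestamp option, or None if the stack has none."""
    ts = tests["TSeq"].get("TS")
    if ts is None or not ts.endswith("HZ"):
        return None
    return int(ts[:-2])


def tcp_timestamp(tests, boot_time, now):
    """Timestamp value for a packet sent at `now` by a honeypot booted at `boot_time`."""
    hz = timestamp_hz(tests)
    if hz is None:
        return None
    return int((now - boot_time) * hz) & 0xFFFFFFFF
```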
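Added example for the routing topology of Section 2.3 and the route statements of the Section 2.5 configuration (Figure 5); this is not Honeyd's code. It builds the rooted tree from the route lines, walks it for a packet as the daemon does (accumulating latency and loss, decrementing the TTL at each router, naming the router that emits ICMP time exceeded), and derives the hop list and doubled round-trip latency that traceroute observes in Section 3. Class and function names are this example's own; the loss accumulation rule is an assumption.

```python
import ipaddress

# Routing part of Figure 5 (constructed copy of the page's example configuration).
TOPOLOGY = """
route entry 10.0.0.1
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.0.0.1 add net 10.2.0.0/16 10.2.0.1 latency 20ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
route 10.2.0.1 link 10.2.0.0/24
"""


class Router:
    """Non-terminal node of the tree; `links` are its terminal (network) children."""
    def __init__(self, addr):
        self.addr = addr
        self.links = []   # networks directly attached to this router
        self.edges = []   # (delegated network, child router, latency_ms, loss)


def parse_topology(text):
    """Build the rooted tree from `route` statements and return the entry router."""
    routers, entry = {}, None

    def node(addr):
        return routers.setdefault(addr, Router(addr))

    for line in text.strip().splitlines():
        tok = line.split()
        if tok[1] == "entry":
            entry = node(tok[2])
        elif tok[2] == "link":
            node(tok[1]).links.append(ipaddress.ip_network(tok[3]))
        elif tok[2:4] == ["add", "net"]:
            latency = float(tok[tok.index("latency") + 1].rstrip("ms"))
            loss = float(tok[tok.index("loss") + 1])
            node(tok[1]).edges.append((ipaddress.ip_network(tok[4]), node(tok[5]), latency, loss))
    if entry is None:
        raise ValueError("no 'route entry' statement")
    return entry


def route_packet(entry, dst, ttl):
    """Walk the tree from the entry point for one packet.

    Returns (routers traversed, one-way latency in ms, delivery probability,
    source of the ICMP time exceeded message or None). Loss is accumulated as
    the product of per-link survival (assumption; the page only says 'accumulated')."""
    dst = ipaddress.ip_address(dst)
    node, hops, latency, deliver = entry, [], 0.0, 1.0
    while True:
        hops.append(node.addr)
        ttl -= 1                                   # each traversed router decrements TTL
        if ttl == 0:
            return hops, latency, deliver, node.addr
        if any(dst in net for net in node.links):
            return hops, latency, deliver, None    # reached the honeypot's network
        for net, child, lat, loss in node.edges:
            if dst in net:
                latency += lat
                deliver *= 1.0 - loss
                node = child
                break
        else:
            raise LookupError("no route to %s in the virtual topology" % dst)


def traceroute(entry, dst, max_hops=64):
    """(hop address, round-trip ms) per probe with TTL 1, 2, ... until the network is reached.
    The RTT is twice the one-way latency because the reply crosses each link again."""
    path = []
    for ttl in range(1, max_hops + 1):
        _, latency, _, icmp_from = route_packet(entry, dst, ttl)
        path.append((icmp_from if icmp_from else dst, 2 * latency))
        if icmp_from is None:
            break
    return path
```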