
Page 1: Honey@home: The “eyes and ears” of the NoAH project

NoAH http://www.fp6-noah.org Honey@home http://www.honeyathome.org/

Spiros Antonatos

Distributed Computing Systems Lab (DCS), Institute of Computer Science (ICS)

Foundation for Research and Technology Hellas (FORTH)

[email protected]

Honey@home: The “eyes and ears” of the NoAH project

Page 2

Terena Networking Conference 2008, 20 May 2008, Spiros Antonatos

Outline

• Motivation
• Honey@home
• Architecture
• Challenges and how to face them
• Conclusions

Page 3

A few words about NoAH

• Network of Affined Honeypots
• EU-funded 3-year project (2005-2008)
• Develop an infrastructure to detect and provide early warning of cyberattacks
• Gather and analyse information about the nature of these attacks
• More info at http://www.fp6-noah.org

Page 4

Motivation

• Monitoring of unused IP address space yields interesting results
• Honeypots are a useful tool to improve network security…
• …but they are hard to install, configure and maintain
• The more address space they cover, the more effective honeypots are
• Monitored space should not be static, since a fixed set of addresses is vulnerable to blacklisting

Page 5

What are honeypots?

• Computer systems that do not provide production services
• Listening to unused IP address space
• Intentionally made vulnerable
• Closely monitored to analyse attacks directed to them
• Usually run inside a containment environment
  – Virtual machines

Page 6

Facts

• There is unused IP address space
  – Large universities and research centers
    • UCSD: allocated a /8, only a few thousand addresses used
    • FORTH, UoC: allocated a /16 each, utilization under 40%
  – Organizations and private companies
  – Public domain bodies
  – Upscale home users
  – NAT-based home networks
    • 192.168.*.*

Page 7

Our approach

• Social aspect
  – Empower the people to set up honeypots
  – With minimal installation overhead
  – Minimal runtime overhead
• Appropriate for organizations
  – Who want to contribute
  – But do not have the technical knowledge to install/maintain a full-fledged honeypot

Page 8

Honey@home

• Enables willing users and organizations to effortlessly participate in a distributed honeypot infrastructure
  – No configuration needed, install and run
  – Both Windows and Linux platforms
• Runs in the background, sends all traffic from the dark space to the NoAH core for processing
• Attackers think they are communicating with a home computer but are actually talking to honeypots

Page 9

Install…

Page 10

…and run

1. Running in the background
2. Creating a new virtual interface
3. Getting an IP address from the DHCP server

Page 11

Features

• Can obtain an address from DHCP or statically
• BPF filters can be used
  – Useful to get traffic from the whole unused subnet
• NAT detection and automatic port forwarding
  – Mostly for DSL users and small enterprises that are behind NAT
• Graphic overview of traffic statistics captured by the client
• Automatic updates
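The "BPF filter for the whole unused subnet" feature is easier to get right if the filter is generated from the address plan rather than typed by hand. The following is an added example, not code from the slides or from the Honey@home client: given the monitored subnet and the addresses known to be in use (the DHCP lease table, an ARP sweep, the client's own address), it collapses the remaining dark space into a minimal set of CIDR blocks and emits a libpcap filter expression for them. The subnet and the used-address list are constructed sample data.

```python
import ipaddress
from typing import Iterable, List

def unused_blocks(network: str, used: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Return the dark space of `network` as a minimal list of CIDR blocks.

    `used` holds the addresses that must not be captured (hosts in use, the
    client's own address). The network and broadcast addresses are treated as
    used too: unicast probes never target them.
    Works by carving every used /32 out of the subnet, so it stays cheap even
    for a sparsely used /16 or /8.
    """
    net = ipaddress.ip_network(network, strict=True)
    reserved = {ipaddress.ip_address(a) for a in used}
    if net.prefixlen < 31:
        reserved |= {net.network_address, net.broadcast_address}
    for a in reserved:
        if a not in net:
            raise ValueError(f"{a} is outside {net}")
    blocks = [net]
    for a in sorted(reserved):
        target = ipaddress.ip_network(a)            # the single /32 to remove
        carved = []
        for b in blocks:
            if target.subnet_of(b):
                carved.extend(b.address_exclude(target))   # yields nothing when b == target
            else:
                carved.append(b)
        blocks = carved
    return list(ipaddress.collapse_addresses(blocks))

def bpf_for_unused(network: str, used: Iterable[str], proto: str = "ip") -> str:
    """Build a libpcap/BPF filter that captures only traffic sent to the dark space."""
    blocks = unused_blocks(network, used)
    if not blocks:
        raise ValueError("no unused addresses left to monitor")
    terms = [f"dst host {b.network_address}" if b.prefixlen == 32 else f"dst net {b.with_prefixlen}"
             for b in blocks]
    return f"{proto} and ({' or '.join(terms)})"

if __name__ == "__main__":
    # Constructed sample: a /28 where the gateway and two workstations are in use.
    print(bpf_for_unused("192.0.2.0/28", ["192.0.2.1", "192.0.2.2", "192.0.2.3"]))
```

Two caveats a deployment has to respect: the capturing interface only sees frames that reach it, so on a switched LAN the dark addresses must be answered for (ARP) or routed to the Honey@home host, and the used-address list must be refreshed whenever DHCP hands out a new lease, otherwise a legitimate new host would be captured as dark space.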

Page 12

Screenshots

Page 13

Screenshots

Page 14

Screenshots

Page 15

But I only have one IP address…

• Dial-up/cable users do not have extra IP addresses
• Monitoring of unused port space for such cases
• Users are unlikely to run servers
• Select a set of ports and monitor those which are not bound
• Stop monitoring a port when it gets bound
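The single-address case reduces to a small bookkeeping loop: probe a candidate port set, take the ports nobody has bound, and give a port back the moment the user's own software claims it. The following is an added example of that loop, not the Honey@home client's code; the candidate port list is a constructed one and the probe checks the local host by attempting a bind.

```python
import socket
from typing import Callable, Dict, Iterable, Set

# Constructed candidate list: ports a home PC rarely serves but attackers probe constantly.
DEFAULT_CANDIDATES = (21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3306, 3389, 5900)

def port_is_bound(port: int, host: str = "0.0.0.0") -> bool:
    """Probe whether `port` is already taken locally by trying to bind it ourselves.

    SO_REUSEADDR is deliberately left off so an existing listener makes the bind fail.
    On Unix, binding a port below 1024 without privilege fails with EACCES; that is
    reported as "bound", which is the safe answer (we could not listen there anyway).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return False
        except OSError:
            return True

class PortMonitor:
    """Tracks which candidate ports are currently free to use as honeypot listeners."""

    def __init__(self, candidates: Iterable[int] = DEFAULT_CANDIDATES,
                 is_bound: Callable[[int], bool] = port_is_bound) -> None:
        self.candidates = sorted(set(candidates))
        self.is_bound = is_bound          # injectable so the logic can be tested offline
        self.monitored: Set[int] = set()

    def refresh(self) -> Dict[str, Set[int]]:
        """Re-probe every candidate port.

        Ports the user has bound since the last call are released (the honeypot must
        never shadow a real service); ports that became free are picked up.
        """
        now_free = {p for p in self.candidates if not self.is_bound(p)}
        change = {"released": self.monitored - now_free, "acquired": now_free - self.monitored}
        self.monitored = now_free
        return change

if __name__ == "__main__":
    m = PortMonitor()
    print("monitoring:", sorted(m.refresh()["acquired"]))
```

A monitor that holds real listening sockets cannot use the bind probe on its own ports (its own listener would make the probe fail); it has to consult the OS listening table or briefly release a port to detect a competing bind. Releasing promptly matters for the same reason as the slide's last bullet: a port that the user's application wants must go back to the user.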

Page 16

Backend architecture

• Honey@home clients connect to a honeypot core
• Communication is done over port 80
• Honeyd as front-end
  – Filters out scans and unfinished connections
• Honeyd hands off the connection to Argos
• Argos is an instrumented virtual machine able to catch zero-day exploits without the danger of getting infected
  – http://www.few.vu.nl/argos/

[Diagram: Attacker → (Attack) → Honey@home client → (Forward) → Honeypot core: Honeyd → (Handoff) → Argos]

Page 17

Challenges

• We cannot trust clients
  – Anyone will be able to set up Honey@home
• Addresses of clients must remain hidden
• Addresses of servers must also remain hidden
  – Honeypots may become victims of direct attacks
  – Attackers can blacklist them to blind the honeypot core
• Computer-based mass installation of Honey@home mockup clients should be prevented

Page 18

Hiding honeypots and clients

• Use of an anonymous communication system
• Onion routing is an attractive solution
  – Prevents eavesdropping attacks
  – Based on a set of dedicated relay nodes (onion routers)
  – Even when a single router is compromised, privacy is preserved
• Tor, an implementation of second-generation onion routing
  – Provides both client- and server-side anonymity

Page 19

Preventing automatic installation

• Goal: prevent mass installation of maliciously controlled clients
• CAPTCHAs as a proposed solution
  – Instruct the human to solve a visual puzzle
  – The puzzle should be easy for a human but hard for a computer to solve
  – The puzzle can also be an audio clip

Page 20

Enhancing CAPTCHAs

• Attackers may post the image to their own site and use its visitors to solve it (CAPTCHA laundering)
• Adding animation to avoid CAPTCHA laundering
• User clicks on the correct (animated) answer to continue with the registration
  – Animation prevents relayed solvers from providing static responses, like “I clicked the upper left corner”
• We use Java applet technology

Page 21

Enhancing CAPTCHAs

Page 22

www.honeyathome.org

Page 23

MyHoney@home

Page 24

Summary

• Honey@home is an easy way to set up a virtual honeypot at every home PC
• Just install and run, no maintenance cost
• Two main challenges: protect the identity of users and honeypots, and prevent massive installations
• Available at www.honeyathome.org

Page 25

backup slides

Page 26

First and last OR in path compromised

Page 27

Creating a Location Hidden Server

• Server creates onion routes to “introduction points”
• Server gives the intro points’ descriptors and addresses to the service lookup directory
• Client obtains the service descriptor and intro point address from the directory

Page 28

Using a Location Hidden Server

• Client creates an onion route to a “rendezvous point”
• Client sends the address of the rendezvous point and any authorization, if needed, to the server through the intro point
• If the server chooses to talk to the client, it connects to the rendezvous point
• Rendezvous point mates the circuits from client and server
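The two slides above (creating and using a location hidden server) describe one message exchange, and the property that matters for NoAH is who ends up knowing which address. The following is an added simulation of that exchange, not Tor's code and not the NoAH implementation: every party is a node, a circuit is a chain of relays where each link reveals only the two neighbours' addresses, and the honeypot and the client talk only through the mated circuits at the rendezvous point. All cryptography is left out (the service key, descriptor and rendezvous cookie travel in the clear) and the `.onion` identifier is a hash of the service key in the spirit of Tor's 16-character names; node names, addresses and the HTTP exchange are constructed.

```python
import base64
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List, Optional, Set, Tuple

Handler = Callable[["OnionNet", str, dict], Any]

@dataclass
class Node:
    name: str
    addr: str
    handler: Optional[Handler] = None
    learned: Set[str] = field(default_factory=set)   # peer addresses this node has seen on the wire
    state: dict = field(default_factory=dict)

class OnionNet:
    """Circuits as relay chains: each link shows the two neighbours each other's address,
    nothing more; the endpoint of a circuit sees only a circuit id, never the origin."""
    def __init__(self) -> None:
        self.nodes: Dict[str, Node] = {}
        self.circuits: Dict[str, Tuple[str, str]] = {}   # circuit id -> (origin, endpoint)

    def add(self, name: str, addr: str, handler: Optional[Handler] = None) -> None:
        self.nodes[name] = Node(name, addr, handler)

    def by_addr(self, addr: str) -> str:
        return next(n.name for n in self.nodes.values() if n.addr == addr)

    def build_circuit(self, origin: str, hops: List[str]) -> str:
        prev = origin
        for hop in hops:                                # extend hop by hop
            self.nodes[prev].learned.add(self.nodes[hop].addr)
            self.nodes[hop].learned.add(self.nodes[prev].addr)
            prev = hop
        cid = "circ-" + secrets.token_hex(3)
        self.circuits[cid] = (origin, hops[-1])
        return cid

    def send(self, cid: str, msg: dict) -> Any:          # origin -> endpoint
        return self.nodes[self.circuits[cid][1]].handler(self, cid, msg)

    def send_back(self, cid: str, msg: dict) -> Any:     # endpoint -> origin
        return self.nodes[self.circuits[cid][0]].handler(self, cid, msg)

def onion_id(service_key: bytes) -> str:
    """Identifier derived from the service key, like Tor's 16-character .onion names."""
    return base64.b32encode(hashlib.sha1(service_key).digest()[:10]).decode().lower() + ".onion"

def directory_handler(net, cid, msg):
    table = net.nodes["directory"].state
    if msg["type"] == "PUBLISH":
        table[msg["onion"]] = msg["descriptor"]
        return "ok"
    return table.get(msg["onion"])                       # FETCH

def intro_handler(net, cid, msg):
    st = net.nodes["intro"].state
    if msg["type"] == "ESTABLISH_INTRO":
        st[msg["service_key"]] = cid                     # remember the service's own circuit
        return "ok"
    # INTRODUCE1: relay towards the service over that circuit; we learn neither address
    return net.send_back(st[msg["service_key"]],
                         {"type": "INTRODUCE2", "rp": msg["rp"], "cookie": msg["cookie"]})

def rp_handler(net, cid, msg):
    st = net.nodes["rp"].state
    if msg["type"] == "ESTABLISH_RENDEZVOUS":
        st[msg["cookie"]] = cid
        return "ok"
    if msg["type"] == "RENDEZVOUS1":
        client_cid = st.pop(msg["cookie"])               # unknown cookie: KeyError, refused
        st.setdefault("joined", {}).update({client_cid: cid, cid: client_cid})
        return "ok"
    return net.send_back(st["joined"][cid], msg)         # DATA: mated circuits relay blindly

def honeypot_handler(net, cid, msg):
    if msg["type"] == "INTRODUCE2":                      # the service chooses to answer
        rp_cid = net.build_circuit("honeypot", ["hp_guard", net.by_addr(msg["rp"])])
        return net.send(rp_cid, {"type": "RENDEZVOUS1", "cookie": msg["cookie"]})
    return {"type": "DATA", "payload": b"HTTP/1.0 200 OK\r\n\r\n(answered by the honeypot core)"}

def run_rendezvous() -> dict:
    net = OnionNet()
    for name, addr, h in [("honeypot", "192.0.2.10", honeypot_handler), ("client", "198.51.100.23", None),
                          ("hp_guard", "203.0.113.1", None), ("cl_guard", "203.0.113.2", None),
                          ("intro", "203.0.113.3", intro_handler), ("rp", "203.0.113.4", rp_handler),
                          ("directory", "203.0.113.5", directory_handler)]:
        net.add(name, addr, h)
    service_key = b"constructed-service-public-key"      # stands in for a real keypair
    onion = onion_id(service_key)
    # Creating a location hidden server
    net.send(net.build_circuit("honeypot", ["hp_guard", "intro"]),
             {"type": "ESTABLISH_INTRO", "service_key": service_key})
    net.send(net.build_circuit("honeypot", ["hp_guard", "directory"]),
             {"type": "PUBLISH", "onion": onion,
              "descriptor": {"service_key": service_key, "intro": net.nodes["intro"].addr}})
    # Using a location hidden server
    desc = net.send(net.build_circuit("client", ["cl_guard", "directory"]), {"type": "FETCH", "onion": onion})
    rp_cid = net.build_circuit("client", ["cl_guard", "rp"])
    cookie = secrets.token_hex(8)
    net.send(rp_cid, {"type": "ESTABLISH_RENDEZVOUS", "cookie": cookie})
    net.send(net.build_circuit("client", ["cl_guard", net.by_addr(desc["intro"])]),
             {"type": "INTRODUCE1", "service_key": desc["service_key"], "rp": net.nodes["rp"].addr, "cookie": cookie})
    reply = net.send(rp_cid, {"type": "DATA", "payload": b"GET / HTTP/1.0\r\n\r\n"})
    return {"onion": onion, "reply": reply["payload"],
            "client_learned": net.nodes["client"].learned, "honeypot_learned": net.nodes["honeypot"].learned,
            "intro_learned": net.nodes["intro"].learned, "rp_learned": net.nodes["rp"].learned}
```

The point to check after running it is the `learned` sets: the honeypot has seen only its guard, the client only its guard, and the introduction and rendezvous points have seen two guards and nothing else, which is exactly the property the "addresses of servers must also remain hidden" challenge asks for. Real Tor adds what this model omits: the descriptor is signed with the service key, the introduction request is encrypted to it, and the circuits are multi-hop.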

Page 29

How onion routing works (1/1)

[Figure: Alice sends through a path of onion routers R1, R2, R3, R4 to Bob; the other routers R are not on the path]

• Sender chooses a random sequence of routers
  – Some routers are honest, some controlled by the attacker
  – Sender controls the length of the path

Page 30

Shielding Tor against attacks

• Onion routing is subject to timing attacks
  – If the attacker has compromised the first and last routers of the path, then she can correlate traffic at both ends
• Solution: the client sets itself as the first router
  – Tor clients can also act as routers
• The honeypot can also set up a trusted first router on its side
• Then neither end of the path is controlled by the attacker

Page 31

How onion routing works

[Figure: Alice → R1 → R2 → R3 → R4 → Bob, carrying the layered onion]

{R2,k1}pk(R1), { {R3,k2}pk(R2), { {R4,k3}pk(R3), { {B,k4}pk(R4), { M }k4 }k3 }k2 }k1

• Sender chooses a random sequence of routers
  – Some routers are honest, some controlled by the attacker
  – Sender controls the length of the path
• Routing info for each link is encrypted with that router’s public key
• Each router learns only the identity of the next router
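The layered construction on this slide, and the end-to-end correlation argument from the "Shielding Tor against attacks" slide, are both easiest to see in code. The following is an added example, not Tor's implementation and not the NoAH code: it builds the onion from the inside out exactly in the slide's order, lets each router peel one layer, records what each router observes, and then asks whether an attacker owning a given set of routers can link Alice to Bob. The standard library has no public-key primitives, so the `{…}pk(R)` wrapping is replaced by a pre-shared long-term key per router and the `{…}k` layers by a toy SHA-256 counter-mode XOR cipher; the layering logic is unchanged, but the cipher is for illustration only. Router names and keys are constructed.

```python
import hashlib
import os
from typing import Dict, List, Set, Tuple

HOP, KEY, NONCE = 8, 16, 8   # fixed-width next-hop field, session-key and nonce sizes

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream XOR data). Stands in for the
    public-key and symmetric encryption of the slide; never use this for real traffic."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def build_onion(path: List[str], dest: str, message: bytes,
                router_keys: Dict[str, bytes]) -> Tuple[bytes, List[bytes]]:
    """Wrap from the inside out: {B,k4}pk(R4),{M}k4 -> {R4,k3}pk(R3),{...}k3 -> ... -> {R2,k1}pk(R1),{...}k1.
    Router path[i] can recover only its successor and its session key k_i."""
    session_keys = [os.urandom(KEY) for _ in path]
    onion, next_hop = message, dest
    for router, k in reversed(list(zip(path, session_keys))):
        assert len(next_hop.encode()) <= HOP
        nonce = os.urandom(NONCE)           # fresh per layer so the long-term key is never reused as a pad
        header = xor_stream(router_keys[router] + nonce, next_hop.encode().ljust(HOP, b"\0") + k)
        onion = nonce + header + xor_stream(k, onion)
        next_hop = router
    return onion, session_keys

def peel(router: str, onion: bytes, router_keys: Dict[str, bytes]) -> Tuple[str, bytes]:
    """One router's work: strip its layer, learn the next hop, pass the rest on untouched."""
    nonce, header, body = onion[:NONCE], onion[NONCE:NONCE + HOP + KEY], onion[NONCE + HOP + KEY:]
    plain = xor_stream(router_keys[router] + nonce, header)
    next_hop, k = plain[:HOP].rstrip(b"\0").decode(), plain[HOP:]
    return next_hop, xor_stream(k, body)

def route(sender: str, first_hop: str, onion: bytes, router_keys: Dict[str, bytes]):
    """Forward hop by hop and record what each router observes: (previous hop, next hop)."""
    observations: Dict[str, Tuple[str, str]] = {}
    prev, current = sender, first_hop
    while current in router_keys:
        next_hop, onion = peel(current, onion, router_keys)
        observations[current] = (prev, next_hop)
        prev, current = current, next_hop
    return current, onion, observations     # current is now the final destination

def attacker_can_link(observations, sender: str, dest: str, compromised: Set[str], relays: Set[str]) -> bool:
    """End-to-end correlation: the attacker links sender and dest only if she owns a router
    that sees the sender's own address and a router that sees dest's address.
    A neighbouring relay's address does not count: a relay cannot tell whether its
    neighbour originated the cells or merely forwarded someone else's."""
    sees_sender = any(r in compromised and prev == sender and prev not in relays
                      for r, (prev, _) in observations.items())
    sees_dest = any(r in compromised and nxt == dest for r, (_, nxt) in observations.items())
    return sees_sender and sees_dest

def demo() -> Dict[str, bool]:
    keys = {r: os.urandom(KEY) for r in ["R1", "R2", "R3", "R4", "Rt"]}   # Rt: the honeypot's trusted router
    plain = build_onion(["R1", "R2", "R3", "R4"], "Bob", b"hello", keys)[0]
    dest, msg, obs = route("Alice", "R1", plain, keys)
    assert (dest, msg) == ("Bob", b"hello")
    results = {"plain_path_ends_compromised": attacker_can_link(obs, "Alice", "Bob", {"R1", "R4"}, set(keys)),
               "plain_path_middle_compromised": attacker_can_link(obs, "Alice", "Bob", {"R2", "R3"}, set(keys))}
    keys["Alice"] = os.urandom(KEY)          # Alice now runs a relay and is her own first hop
    guarded = build_onion(["Alice", "R2", "R3", "R4", "Rt"], "Bob", b"hello", keys)[0]
    dest, msg, obs = route("Alice", "Alice", guarded, keys)
    assert (dest, msg) == ("Bob", b"hello")
    results["guarded_path_R2_R4_compromised"] = attacker_can_link(obs, "Alice", "Bob", {"R2", "R4"}, set(keys))
    return results
```

`demo()` reproduces the two slides' claims: with Alice as a plain client and the attacker holding R1 and R4, the ends correlate; with R2 and R3 held, they do not; and once Alice is her own first hop and Bob sits behind the trusted Rt, holding R2 and R4 no longer exposes either end.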

Page 32

Hidden services

• In the previous examples, Alice needed to know the address of Bob
  – That is, the client needs to know the address of the honeypots
  – We need to hide our honeypots
• Tor offers hidden services
  – Clients only need to know an identifier for the hidden service
  – This identifier looks like a DNS name of the form “xyz.onion”
  – “.onion” names are resolvable and routable only through Tor

Page 33

Hidden services in action

• A hidden service that actually forwards to Google.com

Page 34

Detectability issues

• The delay introduced by Tor is an indication of the presence of a Honey@home client

Page 35

Scanning home subnets

• Scan for port 80 at 10 diverse subnets
• 7% of the hosts responded on the port consistently