Botnets are one of the biggest threats in network security.
A botnet is a collection of compromised computers (bots) that have been
taken over by an attacker, the botherder (or bot master), and are used to
perform malicious tasks on the attacker's behalf.
3. Botnets
This example illustrates how a botnet is created and used to send
e-mail spam.
A botnet operator sends out viruses or worms that infect ordinary
users' computers; the payload is a malicious application, the bot.
The bot on the infected PC logs into a particular command-and-control
(C&C) server (often an IRC server, but in some cases a web server).
A spammer purchases the services of the botnet from the operator.
The spammer provides the spam messages to the operator, who instructs
the compromised machines via the IRC server, causing them to send out
the spam.
4. Types of Botnet Attacks
Spyware
software that sends information about a user's activities to its
creators, typically passwords, credit card numbers and other data that
can be sold on the black market
Adware
software that actively advertises some commercial entity without the
user's permission or awareness
Denial of Service
many systems autonomously access a single Internet system or service in
a way that looks legitimate, but far more frequently than normal use, so
that the target becomes too busy to serve real users
5. Types of Botnet Attacks
Fast Flux
a DNS technique used by botnets to hide phishing and malware delivery
sites behind an ever-changing set of compromised hosts acting as
proxies
Click Fraud
the user's computer visits websites (or clicks advertisements) without
the user's awareness, creating false web traffic for personal or
commercial gain
E-mail spam
e-mail messages disguised as messages from people, but that are
actually advertising, annoying or malicious in nature
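As an added example that is not part of the original slides: the heuristics below score repeated DNS lookups for the signs a fast-flux network leaves at the resolver, namely very low TTLs and a large, constantly rotating pool of A records spread across many networks. The lookups, the two domain names and the thresholds are constructed for the illustration; a real collector would query the name every few minutes and keep the responses.

```python
"""Added example (not from the slides): score repeated DNS lookups for the
signs of a fast-flux network, namely very low TTLs and a large, constantly
rotating pool of A records spread over many networks."""
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Answer:
    """One DNS response for the same name: its TTL and the A records returned."""
    ttl: int
    addrs: tuple


# Constructed lookups (documentation address ranges); a real collector would
# query the name every few minutes and keep the responses.
STABLE_SITE = [
    Answer(86400, ("203.0.113.10", "203.0.113.11")),
    Answer(86400, ("203.0.113.10", "203.0.113.11")),
    Answer(86400, ("203.0.113.11", "203.0.113.10")),
]
FLUX_SITE = [
    Answer(180, ("198.51.100.4", "192.0.2.77", "203.0.113.201")),
    Answer(180, ("198.51.100.9", "192.0.2.130", "203.0.113.15", "198.51.100.77")),
    Answer(120, ("192.0.2.8", "198.51.100.200", "203.0.113.99")),
]


def flux_features(answers):
    """Summarise what a flux network looks like from the resolver's side."""
    ips = {ip for ans in answers for ip in ans.addrs}
    # Compromised proxies sit in many unrelated networks: count distinct /24s
    # (an ASN lookup is the usual refinement but needs external data).
    prefixes = {ip_network(f"{ip}/24", strict=False) for ip in ips}
    # Churn: addresses that appear in a response but were not in the previous one.
    churn = sum(len(set(cur.addrs) - set(prev.addrs))
                for prev, cur in zip(answers, answers[1:]))
    return {
        "min_ttl": min(a.ttl for a in answers),
        "unique_ips": len(ips),
        "prefixes": len(prefixes),
        "churn": churn,
    }


def is_fast_flux(answers, ttl_max=300, min_ips=5, min_prefixes=3):
    """Flag a name only when every indicator points the same way.  The
    thresholds are assumed for this example; tune them against known-good
    CDNs, which also use short TTLs but rarely rotate the whole address set."""
    f = flux_features(answers)
    return (f["min_ttl"] <= ttl_max
            and f["unique_ips"] >= min_ips
            and f["prefixes"] >= min_prefixes
            and f["churn"] > 0)


if __name__ == "__main__":
    for name, answers in (("stable.example", STABLE_SITE), ("flux.example", FLUX_SITE)):
        verdict = "fast-flux" if is_fast_flux(answers) else "ok"
        print(name, flux_features(answers), verdict)
```

The churn term matters more than the TTL alone: content delivery networks also hand out short TTLs, but they rotate within a stable pool, whereas a flux network's answers share almost nothing from one lookup to the next.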
6. Honeypots
A server configured to detect an intruder by mirroring a real
production system.
It appears to be an ordinary server doing work, but all of its data and
transactions are phony.
Located inside or outside the firewall, the honeypot is used to learn
an intruder's techniques as well as to find vulnerabilities in the real
system.
It is set up to detect, deflect or in some other way counteract
attempts at unauthorized use of information systems.
7. Types of Honeypots
Generally speaking there are two different types of Honeypots:
Production Honeypots and Research Honeypots.
Production Honeypots are used primarily by companies or corporations
to improve their overall state of security.
Research Honeypots are used primarily by non-profit research
organizations or educational institutions to research the threats
organizations face and learn how to better protect against those
threats.
8. Honeyd
Honeyd is a honeypot daemon, licensed under the GPL, that can simulate
a large network while running on a single host.
To outsiders, Honeyd looks like a network of computers occupying the
network's unused address space.
9. Primary Applications of Honeyd
Distraction
Using the software's ability to mimic many different network hosts at
once, Honeyd can act as a distraction to potential hackers.
If a network has only 3 real servers, but one of them is running
Honeyd, the network can appear to a hacker to be running hundreds of
servers.
The hacker then has to do more research to determine which servers are
real, or may get caught in a honeypot. Either way, the hacker is slowed
down or possibly caught.
Honeypot
On a network, all normal traffic should be to and from valid servers
only.
Thus a network administrator running Honeyd can monitor the logs to
see whether any traffic is going to the virtual hosts set up by Honeyd.
Any traffic to these virtual servers can be considered highly
suspicious.
The administrator can then take preventative action, perhaps by
blocking the suspicious IP address or by monitoring the network more
closely for related traffic.
honeyd.conf is the main configuration file for setting the
personalities of the virtual hosts.
12. Honeyd Configuration
honeyd.conf
creates the default actions for the machines (a default template)
creates a personality template called honeypot-template
sets the MAC address, OS personality, uptime, available protocols and
open ports
binds the template to 2 unused IP addresses on the network
13. Honeyd Configuration
$ iptables -A INPUT -d 192.168.1.201 -j ACCEPT
$ iptables -A INPUT -d 192.168.1.202 -j ACCEPT
$ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
Modifies the rules of your firewall (run as root) to accept packets for
the IP addresses defined in honeyd's configuration file; the last rule
keeps replies to the host's own connections flowing. Because -A appends,
these rules must not sit behind an earlier catch-all DROP in the INPUT
chain, or they will never be reached.
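An added example, not Honeyd's own code and not the file from the slide image: it parses a honeyd.conf written in the layout the slides describe (the template names, MAC address, personality string and ports are assumed), derives the iptables rules above from the bind lines, and applies the rule from slide 9 that any packet addressed to a virtual host is suspicious, here over constructed iptables LOG lines.

```python
"""Added example (not Honeyd's own code): parse a honeyd.conf, derive the
firewall rules the slides show from its bind lines, and treat any packet
addressed to a decoy as suspicious, since no real service lives there."""
import re
from dataclasses import dataclass, field

# Constructed honeyd.conf in the layout the slides describe (assumed content;
# the file from the slide image is not reproduced here).  Template names,
# MAC, personality string and ports are all illustrative.
HONEYD_CONF = """\
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

create honeypot-template
set honeypot-template personality "Microsoft Windows XP Professional SP1"
set honeypot-template ethernet "00:00:24:ab:8c:12"
set honeypot-template uptime 1728650
set honeypot-template default tcp action reset
add honeypot-template tcp port 80 open
add honeypot-template tcp port 445 open

bind 192.168.1.201 honeypot-template
bind 192.168.1.202 honeypot-template
"""


@dataclass
class Template:
    name: str
    personality: str = ""
    ethernet: str = ""
    uptime: int = 0
    open_ports: list = field(default_factory=list)   # (proto, port)


def parse_honeyd_conf(text):
    """Return ({template name: Template}, {decoy IP: template name})."""
    templates, binds = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        w = line.split()
        if w[0] == "create":
            templates[w[1]] = Template(w[1])
        elif w[0] == "set" and w[2] in ("personality", "ethernet"):
            setattr(templates[w[1]], w[2], line.split('"')[1])
        elif w[0] == "set" and w[2] == "uptime":
            templates[w[1]].uptime = int(w[3])
        elif w[0] == "add" and w[2] in ("tcp", "udp") and w[5] == "open":
            templates[w[1]].open_ports.append((w[2], int(w[4])))
        elif w[0] == "bind":
            binds[w[1]] = w[2]
    return templates, binds


def iptables_rules(binds):
    """The rules from slide 13: one ACCEPT per decoy address, then the
    state rule so replies to the host's own connections keep flowing."""
    rules = [f"iptables -A INPUT -d {ip} -j ACCEPT" for ip in sorted(binds)]
    rules.append("iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT")
    return rules


# Constructed iptables LOG lines (fields trimmed to SRC/DST/PROTO/DPT).
LOG_LINES = [
    "kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=51022 DPT=443",
    "kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.201 PROTO=TCP SPT=40213 DPT=80",
    "kernel: IN=eth0 OUT= SRC=192.168.1.77 DST=192.168.1.202 PROTO=TCP SPT=40214 DPT=445",
    "kernel: IN=eth0 OUT= SRC=192.168.1.50 DST=192.168.1.10 PROTO=TCP SPT=51023 DPT=22",
]
FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")


def decoy_hits(lines, binds):
    """Every packet whose destination is a bound decoy, as (src, dst, proto, dport)."""
    hits = []
    for line in lines:
        f = dict(FIELD.findall(line))
        if f.get("DST") in binds:
            hits.append((f["SRC"], f["DST"], f.get("PROTO"), int(f.get("DPT", 0))))
    return hits


def suspicious_sources(lines, binds):
    """Sources that touched a decoy: candidates for blocking or closer monitoring."""
    return sorted({src for src, *_ in decoy_hits(lines, binds)})


if __name__ == "__main__":
    templates, binds = parse_honeyd_conf(HONEYD_CONF)
    for t in templates.values():
        print(t)
    print("\n".join(iptables_rules(binds)))
    for hit in decoy_hits(LOG_LINES, binds):
        print("decoy touched:", hit)
    print("sources to investigate:", suspicious_sources(LOG_LINES, binds))
```

Deriving the firewall rules from the same file that binds the decoys avoids the usual drift where a template is rebound to a new address but the old ACCEPT rule stays behind; the detector keys on destination address alone because, as slide 9 puts it, nothing legitimate should ever talk to a virtual host.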
14. Honeyd Configuration
/etc/default/honeyd
Sets the default run behavior of honeyd
15. Honeyd Configuration
Another daemon that runs alongside honeyd is farpd, which answers ARP
requests for the virtual hosts' addresses so that traffic for them is
delivered to the host running honeyd.
farpd replies to any ARP request for an IP address in the specified
destination net with the hardware MAC address of the specified
interface, but only after determining that no other host already
claims it.
Any IP address claimed by farpd is eventually forgotten after a period
of inactivity or after a hard timeout, and is relinquished if the real
owner shows up.
This enables a single host to claim all unassigned addresses on a LAN
for network monitoring or simulation.
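An added example, not farpd's code: a small model of the ARP-claiming rules described above (claim only free addresses in the monitored net, forget a claim after an idle period or a hard timeout, relinquish it when the real owner appears), replayed over constructed events so each rule can be followed step by step. The timeouts, MAC addresses and the set of real hosts are assumptions, and the probe callable stands in for the ARP request farpd sends to check whether an address is already taken.

```python
"""Added example (not farpd's code): a small model of the ARP-claiming
behaviour the slide attributes to farpd, driven by constructed events so
the claim, timeout and relinquish rules can be followed step by step."""
from ipaddress import ip_address, ip_network


class ArpClaimer:
    def __init__(self, net, iface_mac, probe, idle_timeout=600, hard_timeout=3600):
        self.net = ip_network(net)
        self.mac = iface_mac              # MAC of the interface the honeyd host answers with
        self.probe = probe                # probe(ip) -> True if a real host answered our ARP probe
        self.idle_timeout = idle_timeout  # assumed values; farpd's own defaults are not on the page
        self.hard_timeout = hard_timeout
        self.claims = {}                  # ip -> [claimed_at, last_seen]

    def on_arp_request(self, target_ip, now):
        """Return the MAC to reply with, or None to stay silent."""
        if ip_address(target_ip) not in self.net:
            return None                   # outside the monitored net: not our business
        if target_ip in self.claims:
            self.claims[target_ip][1] = now
            return self.mac
        if self.probe(target_ip):         # someone real owns it: never claim it
            return None
        self.claims[target_ip] = [now, now]
        return self.mac

    def on_arp_reply(self, sender_ip, sender_mac):
        """A real owner announced itself: give the address back."""
        if sender_mac != self.mac and sender_ip in self.claims:
            del self.claims[sender_ip]
            return True
        return False

    def expire(self, now):
        """Drop claims idle past idle_timeout or older than hard_timeout."""
        dropped = [ip for ip, (claimed, seen) in self.claims.items()
                   if now - seen > self.idle_timeout or now - claimed > self.hard_timeout]
        for ip in dropped:
            del self.claims[ip]
        return dropped


# Constructed LAN: these addresses are really in use; everything else in
# 192.168.1.0/24 is free for the claimer to take.
REAL_HOSTS = {"192.168.1.1", "192.168.1.10", "192.168.1.50"}


def make_claimer():
    return ArpClaimer("192.168.1.0/24", "00:11:22:33:44:55",
                      probe=lambda ip: ip in REAL_HOSTS)


def walkthrough():
    """Replay a few events (times in seconds) and record what happened."""
    c = make_claimer()
    steps = {}
    steps["real_host"] = c.on_arp_request("192.168.1.10", now=0)     # None: a real host answered the probe
    steps["decoy_201"] = c.on_arp_request("192.168.1.201", now=0)    # our MAC: the address was free
    steps["decoy_202"] = c.on_arp_request("192.168.1.202", now=0)
    steps["outside"] = c.on_arp_request("10.0.0.5", now=0)           # None: outside the monitored net
    steps["refresh"] = c.on_arp_request("192.168.1.201", now=300)    # keeps .201 alive
    steps["idle_drop"] = c.expire(now=800)                           # .202 idle 800 s, .201 only 500 s
    steps["relinquish"] = c.on_arp_reply("192.168.1.201", "aa:bb:cc:dd:ee:ff")  # real owner appeared
    c.on_arp_request("192.168.1.203", now=1000)
    for t in range(1500, 4501, 500):                                  # busy decoy, never idle
        c.on_arp_request("192.168.1.203", now=t)
    steps["hard_drop"] = c.expire(now=4700)                          # claimed 3700 s ago > hard_timeout
    steps["left"] = sorted(c.claims)
    return steps


if __name__ == "__main__":
    for step, outcome in walkthrough().items():
        print(f"{step:>10}: {outcome}")
```

The probe-before-claim step is what keeps this from becoming an ARP spoofing tool against your own LAN: without it, the honeyd host would answer for addresses that real machines hold, and the hard timeout bounds the damage if the probe ever misses a quiet host.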
16. Testing Honeyd
Use a network scanner such as nmap against the bound addresses to test
whether the virtual hosts respond with the right information (the
configured OS personality and open ports).