1. Honeypots for Network Security Using Honeyd
2. Botnets
- One of the biggest threats in network security is botnets.
- Botnets are a collection of infected computers, or bots, that have been taken over by hackers (sometimes known as bot herders) and are used to perform malicious tasks or functions.
[image: botnets.png]
3. Botnets
[image: botnets2.jpg]
- This example illustrates how a botnet is created and used to send email spam.
- A botnet operator sends out viruses or worms, infecting ordinary users' computers, whose payload is a malicious application: the bot.
- The bot on the infected PC logs into a particular C&C server (often an IRC server, but in some cases a web server).
- A spammer purchases the services of the botnet from the operator.
- The spammer provides the spam messages to the operator, who instructs the compromised machines via the IRC server, causing them to send out spam messages.
4. Types of Botnet Attacks
- Spyware: software which sends information to its creators about a user's activities, typically passwords, credit card numbers and other information that can be sold on the black market.
- Adware: advertises some commercial entity actively and without the user's permission or awareness.
- Distributed denial of service (DDoS): multiple systems autonomously access a single Internet system or service in a way that appears legitimate, but much more frequently than normal use, causing the system to become busy.
[image: botnets3.jpg]
5. Types of Botnet Attacks
[image: botnets4.jpg]
- Fast flux: a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
- Click fraud: the user's computer visits websites without the user's awareness to create false web traffic for the purpose of personal or commercial gain.
- Spam: e-mail messages disguised as messages from people, but which are either advertising, annoying, or malicious in nature.
6. Honeypots
- A server that is configured to detect an intruder by mirroring a real production system.
- It appears as an ordinary server doing work, but all the data and transactions are phony.
- Located either inside or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as to determine vulnerabilities in the real system.
- Set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.
[image: honeypot.png]
7. Types of Honeypots
- Generally speaking there are two different types of honeypots: production honeypots and research honeypots.
- Production honeypots are used primarily by companies or corporations to improve their overall state of security.
- Research honeypots are used primarily by non-profit research organizations or educational institutions to research the threats organizations face and learn how to better protect against those threats.
[image: honeypot2.jpeg]
8. Honeyd
- Honeyd is a daemon-type honeypot licensed under the GPL that has the ability to simulate a big network while using only a single host. To outsiders, Honeyd looks like a computer network on a network's unused address space.
[image: honeyd.gif]
9. Primary Applications of Honeyd
- Using the software's ability to mimic many different network hosts at once, Honeyd can act as a distraction to potential hackers.
- If a network only has 3 real servers, but one server is running Honeyd, the network will appear to be running hundreds of servers to a hacker.
- The hacker will then have to do more research in order to determine which servers are real, or the hacker may get caught in a honeypot. Either way, the hacker will be slowed down or possibly caught.
- On a network, all normal traffic should be to and from valid servers only.
- Thus, a network administrator running Honeyd can monitor his/her logs to see if there is any traffic going to the virtual hosts set up by Honeyd.
- Any traffic going to these virtual servers can be considered highly suspicious.
- The network administrator can then take preventative action, perhaps by blocking the suspicious IP address or by further monitoring the network for suspicious traffic.
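The detection idea on this slide in working form, as an added example that is not part of the deck: a small script that reads Honeyd's packet log and reports every connection aimed at a virtual host, then ranks the sources by connection count. The log lines are constructed here in the shape of Honeyd's packet log (timestamp, protocol, S/E/- for connection start/end/other, source, source port, destination, destination port, optional OS fingerprint); the virtual-host addresses are the two from the configuration slides. The field layout of your Honeyd version should be checked against a real log before relying on the column numbers.

```shell
#!/bin/sh
# Added example: flag traffic to the Honeyd virtual hosts in a packet log.
# SAMPLE_LOG is constructed (not a real capture) in the shape of honeyd's
# packet log; 192.168.1.10 stands in for a real server, .201/.202 are the
# virtual hosts bound in honeyd.conf.
set -eu

VHOSTS="192.168.1.201 192.168.1.202"   # addresses bound in honeyd.conf

SAMPLE_LOG='2024-01-17-10:02:28.4817 tcp(6) S 192.168.1.5 33152 192.168.1.10 80 [Linux 2.6]
2024-01-17-10:02:29.1120 tcp(6) S 10.0.0.7 40112 192.168.1.201 22 [Windows XP SP1]
2024-01-17-10:02:29.2201 tcp(6) S 10.0.0.7 40113 192.168.1.201 23 [Windows XP SP1]
2024-01-17-10:02:30.0040 tcp(6) S 10.0.0.7 40114 192.168.1.202 80 [Windows XP SP1]
2024-01-17-10:02:31.5532 udp(17) S 192.168.1.5 5353 192.168.1.10 53
2024-01-17-10:02:32.9010 tcp(6) S 192.168.1.77 51000 192.168.1.202 445 [Linux 2.4]'

# Print "src dst dport" for each connection start whose destination is a
# virtual host.  No legitimate service lives on those addresses, so every
# such line is suspicious.  Reads the log on stdin.
suspicious_flows() {
    awk -v hosts="$VHOSTS" '
        BEGIN { n = split(hosts, h, " "); for (i = 1; i <= n; i++) vh[h[i]] = 1 }
        $3 == "S" && ($6 in vh) { print $4, $6, $7 }'
}

# Rank the sources that touched a virtual host by number of connections;
# this is the list an administrator would block or watch more closely.
suspicious_sources() {
    suspicious_flows | awk '{ c[$1]++ } END { for (s in c) print c[s], s }' | sort -rn
}

echo "connections to virtual hosts (src dst dport):"
printf '%s\n' "$SAMPLE_LOG" | suspicious_flows
echo "sources ranked by connection count:"
printf '%s\n' "$SAMPLE_LOG" | suspicious_sources
```

On a live deployment the script would read the file given to honeyd with its -l option instead of SAMPLE_LOG (for example `suspicious_sources < /var/log/honeyd/packet.log`); a host such as 10.0.0.7 that opens connections to several ports on several virtual hosts is the scanning pattern the slide describes.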
10. Honeyd Configuration
- The Honeyd configuration directory contains honeyd.conf, nmap.assoc, nmap.prints, pf.os, and xprobe2.conf.
[image: honeyd1.png]
11. Honeyd Configuration
- honeyd.conf is the main configuration file for setting the personalities of the virtual hosts.
12. Honeyd Configuration
[image: honeyd1.png]
- Creates the default actions for the machines.
- Creates a personality template called honeypot-template.
- Sets the MAC address, OS, uptime, available protocols and open ports.
- Binds the template to 2 unused IP addresses on the network.
13. Honeyd Configuration
- $ iptables -A INPUT -d 192.168.1.201 -j ACCEPT
- $ iptables -A INPUT -d 192.168.1.202 -j ACCEPT
- $ iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
- Modifies the rules of your firewall to accept packets for the IP addresses defined in honeyd's configuration file.
[image: honeypot1.jpg]
14. Honeyd Configuration
- Sets the default run behavior of honeyd.
[image: honeyd2.png]
15. Honeyd Configuration
- Another daemon that runs alongside honeyd is farpd, which forwards the traffic for the virtual hosts to the main honeyd server.
- farpd replies to any ARP request for an IP address matching the specified destination net with the hardware MAC address of the specified interface, but only after determining that no other host already claims it.
- Any IP address claimed by farpd is eventually forgotten after a period of inactivity or after a hard timeout, and is relinquished if the real owner shows up.
- This enables a single host to claim all unassigned addresses on a LAN for network monitoring or simulation.
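The configuration steps of slides 12 to 15 put together in one script, as an added example that is not from the deck: it writes a honeyd.conf with a default template and a personality template bound to 192.168.1.201 and 192.168.1.202, applies the three iptables rules from slide 13, then starts farpd for the virtual addresses and honeyd with its fingerprint databases and a packet log. The interface eth0, the directory /etc/honeypot, the personality string "Linux 2.4.20", the uptime, the port list, the log path and the farpd/honeyd command-line flags are assumptions; the personality name must match an entry in nmap.prints. By default the script only prints what it would do; APPLY=1 runs the commands, which needs root.

```shell
#!/bin/sh
# Added example: bring up the Honeyd deployment the slides describe.
# Assumptions (not from the slides): interface eth0, config directory
# /etc/honeypot, personality "Linux 2.4.20" (must exist in nmap.prints),
# the uptime, ports and log path below, and the farpd/honeyd flags used.
set -eu

IFACE="${IFACE:-eth0}"
CONF_DIR="${CONF_DIR:-/etc/honeypot}"
VHOSTS="192.168.1.201 192.168.1.202"   # unused addresses on the LAN

# Run a command when APPLY=1, otherwise just show it (dry run).
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "+ $*"; fi
}

# Print a honeyd.conf in the order slide 12 describes: default actions,
# a personality template with OS, uptime and ports, then the bindings.
render_honeyd_conf() {
    cat <<'EOF'
# default template: traffic to anything not bound below is dropped
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# personality template: OS fingerprint shown to nmap/xprobe, uptime, ports
create honeypot-template
set honeypot-template personality "Linux 2.4.20"
set honeypot-template default tcp action reset
set honeypot-template default udp action reset
set honeypot-template uptime 1728650
add honeypot-template tcp port 22 open
add honeypot-template tcp port 80 open
# A fixed MAC can be set with:  set honeypot-template ethernet "00:00:24:ab:8c:12"
# With an ethernet address honeyd answers ARP itself, so farpd should then
# not be started for that address (the slides use farpd, so it is left out).
EOF
    for ip in $VHOSTS; do
        echo "bind $ip honeypot-template"
    done
}

# The iptables rules from slide 13: accept packets for the virtual
# addresses and for replies belonging to established connections.
firewall_rules() {
    for ip in $VHOSTS; do
        run iptables -A INPUT -d "$ip" -j ACCEPT
    done
    run iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
}

# Slide 15: farpd claims the virtual addresses via ARP; honeyd then
# serves them using the config and fingerprint files from slide 10.
start_daemons() {
    run farpd -i "$IFACE" $VHOSTS
    run honeyd -d -i "$IFACE" -f "$CONF_DIR/honeyd.conf" \
        -p "$CONF_DIR/nmap.prints" -x "$CONF_DIR/xprobe2.conf" \
        -a "$CONF_DIR/nmap.assoc" -l /var/log/honeyd/packet.log $VHOSTS
}

if [ "${APPLY:-0}" = 1 ]; then
    render_honeyd_conf > "$CONF_DIR/honeyd.conf"
else
    echo "# would write $CONF_DIR/honeyd.conf:"
    render_honeyd_conf
fi
firewall_rules
start_daemons
```

After the daemons are up, the check from slide 16 is to scan the two virtual addresses from another host on the LAN with nmap's OS detection and confirm that the reported operating system and open ports match the template, and that the scan itself shows up in the packet log.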
16. Testing Honeyd
- The network scanner (nmap) is used to test whether the virtual hosts are responding with the right information.
[image: nmap.png]