Honeypot, Botnet, Security Measurement, Email Spam.ppt


Honeypot, Botnet, Security Measurement, Email Spam
Cliff C. Zou
CDA6938
02/01/07

What Is a Honeypot?
- “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”

Example of a Simple Honeypot
- Install vulnerable OS and software on a machine
- Install monitor or IDS software
- Connect to the Internet (with global IP)
- Wait and monitor it being scanned, attacked, compromised
- Finish analysis, clean the machine

Benefit of Deploying Honeypots
- Risk mitigation: A deployed honeypot may lure an attacker away from the real production systems (“easy target”).
- IDS-like functionality: Since no legitimate traffic should take place to or from the honeypot, any traffic appearing is evil and can initiate further actions.
- Attack analysis:
  - Binary code analysis of captured attack codes
  - Spying on the attacker’s ongoing actions
  - Find out the reasons and strategies: why and how you are attacked

Honeypot Classification
- High-interaction honeypots
  - A full and working OS is provided for being attacked
  - VMware virtual environment
    - Several VMware virtual hosts in one physical machine
- Low-interaction honeypots
  - Only emulate specific network services
  - No real interaction or OS
  - Honeyd
- Honeynet/honeyfarm
  - A network of honeypots

Low-Interaction Honeypots
- Pros:
  - Easy to install (simple program)
  - No risk (no vulnerable software to be attacked)
  - One machine supports hundreds of honeypots
- Cons:
  - No real interaction to be captured
  - Limited logging/monitor function
  - Easily detectable by attackers

High-Interaction Honeypots
- Pros:
  - Real OS, capture all attack traffic/actions
  - Can discover unknown attacks/vulnerabilities
- Cons:
  - Time-consuming to build/maintain/analyze
  - Risk of being used as stepping stone
    - Must have a firewall blocking all outgoing traffic
  - High computer resource requirement

Honeynet
- A network of honeypots
- High-interaction honeynet
  - A distributed network composed of many honeypots
- Low-interaction honeynet
  - Emulate a virtual network in one physical machine
  - Example: honeyd
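The "IDS-like functionality" point and the stepping-stone risk can both be checked from connection logs. The following is an added example, not part of the original slides: it flags every flow that touches a honeynet address block and separates honeypot-initiated flows, which the outgoing firewall should have stopped. The log format, the address block and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Assumption: this block is reserved for honeypots, so no legitimate traffic uses it.
HONEYNET = ipaddress.ip_network("192.0.2.0/28")

# Constructed sample records: "timestamp src_ip src_port dst_ip dst_port proto".
# Assumption: each record is written from the connection initiator's side.
SAMPLE_FLOWS = """\
2007-02-01T10:00:01 198.51.100.7 40112 192.0.2.5 445 tcp
2007-02-01T10:00:02 198.51.100.7 40113 192.0.2.6 445 tcp
2007-02-01T10:00:09 203.0.113.20 51000 10.0.0.15 80 tcp
2007-02-01T10:03:40 203.0.113.9 3321 192.0.2.5 22 tcp
2007-02-01T10:04:12 192.0.2.5 1042 203.0.113.99 6667 tcp
malformed line
"""

def classify(line):
    """Return (kind, src, dst, dst_port) for honeynet traffic, else None."""
    parts = line.split()
    if len(parts) != 6:
        return None  # skip records that do not match the assumed format
    try:
        src = ipaddress.ip_address(parts[1])
        dst = ipaddress.ip_address(parts[3])
        dport = int(parts[4])
    except ValueError:
        return None
    if src in HONEYNET:
        # A honeypot opening a connection suggests compromise and a firewall gap.
        return ("outbound", str(src), str(dst), dport)
    if dst in HONEYNET:
        # Nothing legitimate should talk to a honeypot: treat as a probe or attack.
        return ("inbound", str(src), str(dst), dport)
    return None  # production traffic, not evidence by itself

def triage(text):
    """Count inbound hits per remote source and list honeypot-initiated flows."""
    inbound, outbound = Counter(), []
    for line in text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, src, dst, dport = hit
        if kind == "inbound":
            inbound[src] += 1
        else:
            outbound.append((src, dst, dport))
    return inbound, outbound

if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
```
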
