Distributed Honeynet System


Data Capture and Analysis
C-DAC Mohali
   Honeynet/Honeypot Technology
    ◦ Honeypot/Honeynet Background
    ◦ Types of Honeypots
    ◦ Deployment of Honeypots
   Data Collection
   Data Control
   Data Analysis
◦ A honeypot is an information system resource
  whose value lies in unauthorized or illicit use of
  that resource
◦ It has no production value, so anything going to or from
  a honeypot is likely a probe, attack or compromise
◦ A honeynet is a highly controlled network where every packet
  entering or leaving the honeypot system and the
  related system activities are monitored, captured
  and analyzed.
◦ Primary value to most organizations is information:
   Fidelity – information of high value
   Reduced false positives
   Reduced false negatives
   Simple concept
   Not resource intensive
Detection Techniques (figure): proactive techniques (honeynets) versus
defensive techniques (anomaly-based and signature-based detection).

CDAC-Mohali "NETWORK PACKET CAPTURING & ANALYSIS", 7/27/2012
Figure: attackers reach HoneyPot A through the gateway; the gateway
monitors, detects and responds, and the attack data is captured.
   Data Control: contain the attack activity and ensure that
    compromised honeypots do not further harm other systems;
    control outbound traffic without blackhats detecting the
    control activities.

   Data Capture: capture all activity within the Honeynet and
    the information that enters and leaves the Honeynet, without
    blackhats knowing they are being watched.

   Data Collection: captured data is securely forwarded to a
    centralized data collection point for analysis and archiving.

   Attacker Luring: generating the attacker's interest in attacking
    the honeynet
       Static: deploying a web server and making it vulnerable
       Dynamic: IRC, chat servers, hacker forums
    By level of interaction
       High
       Low
       Middle?
    By Implementation
       Virtual
       Physical
    By purpose
       Production
       Research




   Low-interaction
    ◦ Emulates services and operating systems.
    ◦ Easy to deploy, minimal risk
    ◦ Captures limited information
   High Interaction
    ◦ Provide real operating systems and services, no
      emulation.
    ◦ Complex to deploy, greater risk.
    ◦ Capture extensive information.
    Diverts attacker’s attention from the real
     network in a way that the main information
     resources are not compromised.

    Captures samples of new viruses and worms
     for future study

    Helps to build attacker’s profile in order to
     identify their preferred attack targets,
     methods.


    Prevention of attacks
        through deception and deterrence
    Detection of attacks
        by acting as an alarm
    Response to attacks
        by collecting data and evidence of an
         attacker's activity




GEN III
A highly controlled network where every packet entering
or leaving is monitored, captured, and analyzed.

    Data Capture
    Data Control
    Data Analysis




Figure: Gen III Honeywall architecture.
  eth0 (external) and eth1 (internal, unaddressed: 0.0.0.0) are the two
  bridge ports that all honeypot traffic crosses; eth2 (192.168.2.2) is the
  management interface that serves the Walleye web GUI.
  Capture on the honeywall: iptables, Argus, Snort, p0f, sebekd and tcpdump
  (pcap data); application logs, HIDS/AISD and system logs are also fed in.
  hflowd converts all of these into the unified format of the hflow DB,
  which Walleye presents.
  Honeypot (203.100.79.122): Sebek client.
Data capture tools in a Gen III honeynet

  Network-level data capture (on the Honeywall)
     Raw packet capture:        tcpdump
     Analyzed packet capture:   Argus, p0f, Snort
  System-level data capture (on the Honeypot)
     System logs:               syslogd
     Kernel-level logs:         Sebek client-server
DATA CONTROL

PURPOSE: mitigate the risk of a COMPROMISED honeypot being used to harm
non-honeynet systems.

  Count outbound connections (reverse firewall)
  IPS (snort_inline)
  Bandwidth throttling (reverse firewall)

Figure: the iptables firewall on the Honeywall with its INPUT, FORWARD and
OUTPUT chains; the outbound limits below are applied in the FORWARD chain,
which the bridged honeypot traffic traverses.
### Set the connection outbound limits for different protocols.
### Excerpt in the style of the Honeywall rc.firewall: LAN_IFACE is the
### honeypot-facing bridge port, host the honeypot address (from the diagram).
LAN_IFACE="eth1"
host="203.100.79.122"
SCALE="day"
TCPRATE="20"
UDPRATE="20"
ICMPRATE="50"
OTHERRATE="5"

### Chain for permitted TCP connections. rc.firewall queues them to
### snort_inline here when inline IPS is enabled; here they are accepted.
iptables -N tcpHandler
iptables -A tcpHandler -j ACCEPT

### 1. Accept the first $TCPRATE NEW outbound TCP connections per $SCALE
###    from the honeypot (limit match: burst of TCPRATE, then slow refill).
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW \
    -m limit --limit ${TCPRATE}/${SCALE} --limit-burst ${TCPRATE} \
    -s ${host} -j tcpHandler

### 2. Log the first connection over the limit, at most once per $SCALE.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW \
    -m limit --limit 1/${SCALE} --limit-burst 1 -s ${host} \
    -j LOG --log-prefix "Drop TCP after ${TCPRATE} attempts"

### 3. Drop everything beyond the limit. UDP, ICMP and other protocols use
###    the same three rules with UDPRATE, ICMPRATE and OTHERRATE.
iptables -A FORWARD -p tcp -i $LAN_IFACE -m state --state NEW \
    -s ${host} -j DROP
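What "20 TCP connections per day" really permits is decided by the semantics of the iptables limit match, which is a token bucket: a burst of TCPRATE connections goes through immediately, after that one more connection is admitted every SCALE/TCPRATE seconds, and the LOG rule fires at most once per SCALE. The following is an added example, not code from the slides or from the Honeynet Project: a model of that three-rule pattern, per honeypot and protocol, driven by a constructed worm-like burst. The honeypot address is the one in the slides' diagram; the victim address is a documentation address; the handler chain simply accepts (a real honeywall may hand the connection to snort_inline instead).

```python
"""Model of the Honeywall outbound connection limit (iptables -m limit / --limit-burst).

Added example: token-bucket model of the limit match, which is how the kernel
implements it, applied per (honeypot, protocol) like the rc.firewall excerpt.
"""
DAY = 86400


class LimitMatch:
    """Token bucket with the semantics of the iptables limit match: starts full
    (burst tokens), refills at rate/scale, matches only while a token is left."""

    def __init__(self, rate, scale_seconds, burst):
        self.seconds_per_token = scale_seconds / rate
        self.capacity = burst
        self.tokens = float(burst)
        self.last_seen = 0.0

    def matches(self, now):
        refill = (now - self.last_seen) / self.seconds_per_token
        self.tokens = min(self.capacity, self.tokens + refill)
        self.last_seen = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class OutboundControl:
    """The three FORWARD rules, per (source honeypot, protocol):
    1. NEW connection within the limit -> handler chain (ACCEPT here)
    2. over the limit: LOG at most once per SCALE
    3. otherwise DROP."""

    def __init__(self, rates, scale_seconds=DAY):
        self.rates = rates                 # e.g. {"tcp": 20, "udp": 20, "icmp": 50, "other": 5}
        self.scale = scale_seconds
        self.allow = {}                    # (src, proto) -> LimitMatch for the accept rule
        self.log_limit = {}                # (src, proto) -> LimitMatch for the LOG rule
        self.log_lines = []

    def new_connection(self, now, src, proto, dst):
        key = (src, proto)
        rate = self.rates.get(proto, self.rates["other"])
        if key not in self.allow:
            self.allow[key] = LimitMatch(rate, self.scale, burst=rate)
            self.log_limit[key] = LimitMatch(1, self.scale, burst=1)
        if self.allow[key].matches(now):
            return "ACCEPT"
        if self.log_limit[key].matches(now):
            self.log_lines.append(
                f"t={now}s Drop {proto.upper()} after {rate} attempts SRC={src} DST={dst}")
        return "DROP"


def simulate_worm_burst():
    """Constructed scenario: the honeypot (address from the slides) attempts 25
    outbound TCP connections in 25 s, then one more 72 min after the last one.
    Returns the per-connection verdicts and the LOG lines produced."""
    ctl = OutboundControl({"tcp": 20, "udp": 20, "icmp": 50, "other": 5})
    honeypot, victim = "203.100.79.122", "198.51.100.7"   # victim: documentation address
    verdicts = [ctl.new_connection(t, honeypot, "tcp", victim) for t in range(25)]
    # one token has refilled after SCALE/TCPRATE = 4320 s: this one is admitted again
    verdicts.append(ctl.new_connection(24 + DAY // 20, honeypot, "tcp", victim))
    return verdicts, ctl.log_lines


if __name__ == "__main__":
    verdicts, logs = simulate_worm_burst()
    print("accepted:", verdicts.count("ACCEPT"), "dropped:", verdicts.count("DROP"))
    print("\n".join(logs))
```

The point to take from the run: the limit is per honeypot and per protocol (a UDP burst from the same host is counted separately), the count does not reset at midnight but trickles back at one connection per 72 minutes, and only the first drop in each SCALE is logged, so the absence of further log lines does not mean the honeypot stopped trying.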
   Distributed sensor Honeynet
    ◦ Configuration / reconfiguration
    ◦ Central logging & alerting
    ◦ Honeypot management & analysis (forensics takes time!)
Network Diagram of Distributed Honeynet System (figure)

  A central database server is reachable over the Internet from four sensor
  sites. Each site is one host machine running a software bridge, a Honeywall,
  a virtual switch, a Nepenthes low-interaction honeypot and two honeypots
  (Honeypot1, Honeypot2), connected through a router to the provider network.
  The diagram labels the sites BSNL N/W /28, CONNECT N/W /27, STPI N/W /28
  and Airtel N/W /29.

     Large Enterprise Network (STPI)                  /27
     Broadband Providers (BSNL, CONNECT, AIRTEL)      /28, /28, /29
Life Cycle of Distributed HoneyNet System

Remote Node Architecture (figure)

  Remote node of DHS:
    1. Malware Collection Module: low-interaction honeypot and
       high-interaction honeynet
    2. Malware Analysis Module: bot detection engine, anti-virus,
       bot hunter, sandbox (bot execution)
    3. Botnet Tracking: botnet tracking engine
  Central server: malware collection database, bot binary database,
  botnet tracking database
DATA ANALYSIS STEPS (figure)

  Honeywall: reverse firewall rules in iptables control the outbound traffic
  (eth0 external, eth1 internal at 0.0.0.0); Argus, Snort, p0f, sebekd and
  tcpdump (pcap data) capture it; hflowd collects and merges the captures and
  converts them into the unified format of the hflow DB; Walleye, the web GUI
  on eth2, presents the result.
  Honeypot: Sebek client.
   “Eye on the Honeywall” is a web based
    interface for Honeywall Configuration,
    Administration and Data analysis
Introduction
 Botnet Problem
 Typical Botnet Life Cycle
 How Botnet Grows
 Challenges for Botnet detection
 Roadmap to Detection system
 Botnet Detection Approaches
 Our Implemented Approach
 Experiments and results
What Is a Bot/Botnet?
 Bot
    A malware instance that runs autonomously and
     automatically on a compromised computer (zombie)
     without owner’s consent
    Profit-driven, professionally written, widely
     propagated
 Botnet (Bot Army): network of bots controlled by
  criminals
    Definition: “A coordinated group of malware
     instances that are controlled by a botmaster via
     some C&C channel”
     Architecture: centralized (e.g., IRC, HTTP) or
      distributed (e.g., P2P)
Botnets are used for …
 DDoS attacks
 Spam
 Click fraud
 Information theft
 Phishing attacks
 Distributing other malware, e.g., spyware
 “… PCs are part of a botnet!”
Typical Botnet Life Cycle
How the Botnet Grows
IRC Botnet Life Cycle
Challenges for Botnet Detection
 Bots are stealthy on the infected machines
   – We focus on a network-based solution
 Bot infection is usually a multi-faceted and
   multi-phase process
   – Only looking at one specific aspect is likely to fail
 Bots are dynamically evolving
 Botnets can have very flexible designs of C&C
   channels
   – A solution very specific to a botnet instance is not
     desirable
   Network Level
     ◦ G. Gu, J. Zhang, and W. Lee. BotSniffer: Detecting
       botnet command and control channels in network
       traffic
     ◦ J. R. Binkley and S. Singh. An algorithm for anomaly-
       based botnet detection
     ◦ J. Goebel and T. Holz. Rishi: Identify bot contaminated
       hosts by IRC nickname evaluation
     ◦ C. Livadas, R. Walsh, D. Lapsley, and W. Strayer.
       Using machine learning techniques to identify botnet
       traffic
   Host Level
     ◦ E. Kirda, C. Kruegel, G. Banks, G. Vigna, and R.
       Kemmerer. Behavior-based spyware detection
     ◦ R. Sekar, M. Bendre, P. Bollineni, and D. Dhurjati. A
       fast automaton-based method for detecting anomalous
       program behaviors
   Hybrid
     ◦ BotMiner: Clustering analysis of network traffic for
       protocol- and structure-independent botnet detection
Botnet Detection Approaches

 Setting up Honeynets (Honeynet Based Solutions)
 Network Traffic Monitoring:
  – Signature Based
  – Anomaly Based
  – DNS Based
  – Mining Based
Honeynet Based Solution
 It enables us to isolate the bot from the network and
 monitor its traffic in a more controlled way, instead
 of waiting to be infected and then monitoring the
 traffic
   – Bot execution in a Honeynet test bed
   – Monitor the traffic generated by the bots
 Open Analysis:
   – Provides a connection to the Internet
   – More flexible than closed analysis.
Our Implemented Approach

•   Honeynet Based Solution
     –   Achievements
          •   Approach Implemented
          •   Honeynet Based Bot Analysis
              Architecture
          •   Payload Parser
          •   Web GUI and report generation
Flowchart
Features

 Systematically collect and analyze
  bot traffic over internet
 Provides controlled connection to
  Internet: rate limit the outbound
  connections.
 It uses network-based anomaly
  detection to identify C & C command
  sequences
Principal Mechanism for Botnet
Detection
   Bot Execution
     - Bot Execution in Honeynet Based Environment
     - Collection of Execution traces to extract C & C server
         information.
     - Complete payload sent to central server.
   Payload Parser
     - Extraction of IRC,HTTP command signatures
   Botnet Observation
     - extraction of attack, propagation scan or other attack
       commands
     - extraction of specific network patterns, secondary
       injection attempts
   Output
     - List of unique C&C servers
     - Commands exchanged between bot client & bot server
Bot name: B14, MD5: a4dde6f9e4feb8a539974022cff5f92c
Symantec: W32.IRCBot, Microsoft: Backdoor:Win32/Poebot
PASS 146751dhzx
:ftpelite.mine.nu
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu
PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk
windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe |
.sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay
of 5 seconds for 9999 minutes using 50 threads.
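The payload parser step above (extraction of IRC command signatures, the C&C server list and the scan commands) can be shown concretely on the exchange just printed. What follows is an added example, not code from the DHS project: a small IRC C&C payload parser run over a capture constructed from that exchange, with the lines joined into regular IRC messages. It assumes RFC 1459 message framing (optional ":prefix", command, middle parameters, ":trailing"); the argument order of .vscan (threads, delay, minutes, target) is taken from the bot's own status report on the page, while the meaning of .sbk is not established by the page, so those commands are only recorded verbatim.

```python
"""Parse a captured IRC C&C exchange: server, channel, credentials, bot commands.

Added example; sample capture constructed from the exchange shown on the slides.
"""
import re
from collections import Counter

# Constructed sample: the slide's exchange joined into proper IRC lines.
SAMPLE_CAPTURE = """\
PASS 146751dhzx
NICK kcrbhf8wlzo
USER XPUSA6059014236 0 0 :o4dfmj2ctyc
:ftpelite.mine.nu PING :AE645AF3
PONG AE645AF3
:ftpelite.mine.nu 332 kcrbhf8wlzo #100+ :| .vscan netapi 50 5 9999 216.x.x.x | .sbk windows-krb.exe | .sbk crscs.exe | .sbk msdrive32.exe | .sbk woot.exe | .sbk dn.exe | .sbk Zsnkstm.exe | .sbk cndrive32.exe |
PRIVMSG #100+ :.4[SC]: Random Port Scan started on 216.x.x.x:445 with a delay of 5 seconds for 9999 minutes using 50 threads.
"""

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+)\s+)?(?P<cmd>\S+)(?:\s+(?P<params>.*))?$")
SCAN_REPORT = re.compile(r"Port Scan started on (?P<target>\S+):(?P<port>\d+)")


def parse_irc_line(line):
    """Split one IRC line into (prefix, COMMAND, middle params, trailing param)."""
    m = IRC_LINE.match(line.strip())
    if not m:
        return None
    prefix, cmd, params = m.group("prefix"), m.group("cmd").upper(), m.group("params") or ""
    if params.startswith(":"):
        return prefix, cmd, [], params[1:]
    if " :" in params:
        middle, trailing = params.split(" :", 1)
        return prefix, cmd, middle.split(), trailing
    return prefix, cmd, params.split(), None


def parse_bot_command(text):
    """Turn one '.cmd arg ...' token from the channel topic into a record.
    Only .vscan's argument order (threads, delay, minutes, target) is known
    from the bot's status report; every other command is kept verbatim."""
    parts = text.split()
    name, args = parts[0].lstrip("."), parts[1:]
    entry = {"name": name, "args": args, "kind": "other"}
    if name == "vscan" and len(args) == 5:
        entry.update(kind="propagation_scan", module=args[0], threads=int(args[1]),
                     delay=int(args[2]), minutes=int(args[3]), target=args[4])
    return entry


def analyze_capture(capture):
    """Extract C&C server, channel, credentials, topic commands and scan reports."""
    result = {"server": None, "channel": None, "nick": None, "user": None,
              "password": None, "commands": [], "scan_reports": []}
    for line in capture.splitlines():
        parsed = parse_irc_line(line)
        if not parsed:
            continue
        prefix, cmd, middle, trailing = parsed
        if prefix and "." in prefix and "!" not in prefix:   # server name, not nick!user@host
            result["server"] = prefix
        if cmd == "PASS" and middle:
            result["password"] = middle[0]
        elif cmd == "NICK" and middle:
            result["nick"] = middle[0]
        elif cmd == "USER" and middle:
            result["user"] = middle[0]
        elif cmd == "332" and len(middle) >= 2:              # RPL_TOPIC: <nick> <channel> :<topic>
            result["channel"] = middle[1]
            for token in (trailing or "").split("|"):        # this bot family separates commands with '|'
                token = token.strip()
                if token.startswith("."):
                    result["commands"].append(parse_bot_command(token))
        elif cmd == "PRIVMSG" and trailing:                  # bot status report confirming the scan
            m = SCAN_REPORT.search(trailing)
            if m:
                result["scan_reports"].append((m.group("target"), int(m.group("port"))))
    return result


def command_histogram(result):
    """Count commands by name: the per-sample command signature."""
    return Counter(c["name"] for c in result["commands"])


if __name__ == "__main__":
    r = analyze_capture(SAMPLE_CAPTURE)
    print("C&C server:", r["server"], "channel:", r["channel"], "nick:", r["nick"])
    for c in r["commands"]:
        print(c)
    print(dict(command_histogram(r)), r["scan_reports"])
```

Run over a whole sandbox session, the channel topic is the part worth keeping: the topic is how this family issues standing orders to every bot that joins, so the (server, channel, command set) triple from `analyze_capture` is what goes into the unique C&C server list and the command signatures, while the PRIVMSG status line independently confirms the scan target and port that the .vscan order implied.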
Experimental Results: IRC

Bot Family     Number of Samples   Percentage
Rbot           70                  6.28%
Poebot.gen     32                  2.87%
Rbot.gen       30                  2.69%
IRCbot.genK    22                  1.99%
Poebot.BT      12                  1.08%
IRCbot         8                   0.71%
Poebot.BI      6                   0.54%
IRCbot.genS    4                   0.35%
Poebot         4                   0.35%
Poebot.T       4                   0.35%

   In total we could identify 99 IRC-based bot
    binaries, a rate of 8.25% of the overall
    binaries, in 12 months
Botnet C&C Server Info

S.No.   Source IP           Count
1       122.160.115.76      191
2       122.160.76.92        91
3       122.160.42.85        79
4       122.160.1.248        66
5       122.160.74.180       60
6       61.142.12.86         54
7       122.160.136.220      49
8       122.160.154.222      48
9       122.161.16.82        48
10      122.160.75.115       48

S.No.   Port    Count
1       445     2571
2       135      139
3       1434     111
4       139       42
5       80        35
6       25        12
7       3306       7
8       705        6
9       161        1