Honeypots Observations and Their Usefulness

Home , Honeypot (computing), Mirai (malware)

Honeypots observations and their usefulness

Gerard Wagener - TLP:WHITE

CIRCL

March 15, 2017 • The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents • CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg

2 of 17 Honeypots - introduction

Deﬁnition (Honeypots) ”A honeypot is security resource whose value lies in being probed, attacked, or compromised.”1 Evolution • Keeping attacker was experimented by Stoll in the late 80s2 • Honeypot concept pushed in the year 2002

1Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2002, page 23. 2Cliﬀord Stoll. Stalking the wily hacker. Commun. ACM, 31(5):484–497, 1988. 3 of 17 Host2

Host5

Honeypots - introduction Opportunistic automated attacks

Host1

Host2 • Attacker scans arbitrary hosts attacker Host3 • 232 possibilities for IPv4 • Abuse of vulnerable hosts Host4

Host5

Monitor unused IPs → Honeypots

4 of 17 Honeypots - introduction Opportunistic automated attacks

Host1

Host2 • Attacker scans arbitrary hosts attacker Host3 • 232 possibilities for IPv4 • Abuse of vulnerable hosts Host4

Host5

Monitor unused IPs → Honeypots

4 of 17 Honeypots - introduction Motivation to monitor unused IP addresses

• Do not monitor legitimate traﬃc ◦ Reduce false positives ◦ Avoid privacy issues • Detect opportunistic attacks • Detect misconﬁgured machines • Detect victims: DDOS, compromised servers, ...

5 of 17 Honeypot observations capabilities Interactions

Information gain • The more protocols you speak, the more information you get • The more information you get, the more you get involved

Honeypot interaction levels • Low interaction honeypots • Mid interaction honeypots • High interaction honeypots

6 of 17 Honeypot observations capabilities

data

packets t1, t2, t3, t4 protocol1 ip protocol2 port protocol3

botnet command = b1 + b2 + b3 + b4

7 of 17 Observing SYN ﬂoods attacks in backscatter traﬃc Attack description

Spoofed requests H0, H1, H2, H3, ... Attacker Victim

H0 H1 H2 H3

Connections H0 H1 H2 H3 Fill up state connection state table of the victim

8 of 17 Observing SYN ﬂoods attacks in backscatter traﬃc Plotting TCP acknowledgement numbers

Honeypot captures - TCP ACK distribution 5 × 109 https://www.circl.lu/pub/tr-16/

4 × 109

3 × 109

2 × 109 ACK value

1 × 109

0 08 09 10 11 12 13 14 15 16 17 18 19 20 21

Time - Hour

9 of 17 Observing ampliﬁcation attacks

Deﬁnition • y request of x bytes triggers responses of (x+∆) bytes × selected vulnerable server (y) • Abuse of vulnerable servers data request from v data delivery to v Server3

Attacker Server2 Victim (v)

Server1

10 of 17 Discovering the attacking infrastructure Historical example: Allaple worm from 2006 - 2017

Attackers constantly scan for vulnerable hosts

Unique IP addresses infected with Allaple per day 35 https://www.circl.lu/pub/tr-40/ 30

Number of10 IPs

0 14/10 15/01 15/04 15/07 15/10 16/01 16/04 16/07 16/10 17/01 17/04 Time (year/month/day)

Probes for more than 10 years

11 of 17 Discovering the attacking infrastructure Popular example: Mirai Variant ISN=destination IP

Unique IP addresses with Mirai behaviour 1.8 × 107 https://www.circl.lu/pub/tr-40/https://www.circl.lu/ isn=ip dest 1.6 × 107 1.4 × 107 1.2 × 107 1 × 107 8 × 106 6 × 106 4 × 106

Number of unique IP addresses 6 2 × 10 16/07 16/08 16/09 16/10 16/11 16/12 17/01 17/02 17/03

Month/year

12 of 17 Observing misconﬁgured systems Human and Internet addressing is a good mix for errors

• Just look at ”internal”3 addresses that should not go on Internet • Further reading: https://www.circl.lu/assets/files/ circl-blackhole-honeynetworkshop2014.pdf Hit wrong key 192.x.z.y → 193.x.y.z Omission of number 192.x.y.z → 12.x.y.z Doubling of keys 10.a.b.c → 100.a.b.c 172.x.y.z 152.x.y.z

3RFC1918 13 of 17 Observing misconﬁgured systems Generic metrics

compressed volume collected by honeypot 1 × 108

1 × 107

1 × 106 volume in kB 100000

10000 01/26 02/02 02/09 02/16 02/23 03/02 03/09 time - month/day

14 of 17 Observing misconﬁgured systems Badly conﬁgured DNS resolvers

KASPERSKY NORMAN AVAST PANDA KASPERSKY-LABS AVGCLOUD SYMANTEC BAIDU MCAFEE PANDAAPP SYMANTECLIVEUPDATE GDATASECURITY TRENDMICRO NPROTECT2 BITDEFENDER MALWAREBYTES AVG MCAFEEMOBILESECURITY COMODO MCAFEEASAP SOPHOSXL AVGTHREATLABS SOPHOS AVGATE F-SECURE PANDAPOST DRWEB BITDEFENDER-ES PANDASECURITY PANDADOMAINADVISOR KINGSOFT SYMANTECCLOUD PANDASOFTWARE CLAMAV SYMANTECMAIL AVGMOBILATION RISING KASPERSKYLABS FORTINET MCAFEESECURE NPROTECT

Antivirus software trying to fetch their updates from honeypots 15 of 17 Improving threat intelligence data MISP sightings

Deﬁnition • Threat intelligence data lookup in honeypot data • Feedback to threat intelligence platform via sighting4 • Link threat intelligence data with honeypot observations ◦ Identify opportunistic attacks ◦ Identify misconﬁgured systems ◦ Refresh time-to-live of attributes seen in honeypots ◦ Determine the freshness of information

4http: //www.misp.software/2017/02/16/Sighting-The-Next-Level.html 16 of 17 Conclusions

• Usefulness of honeypots ◦ Detect opportunistic attacks ◦ Detect trends: Netis backdoor,Heartbleed, Mirai,... ◦ Detect misconﬁgured machines ◦ Discover victims: DDOS, compromised servers, ... ◦ Measuring attacker’s capabilities • Ongoing best eﬀort research activities at CIRCL • Getting involved5

5https://circl.lu/pub/tr-16/ 17 of 17