Honeypots observations and their usefulness
Gerard Wagener - TLP:WHITE
CIRCL
March 15, 2017 • The Computer Incident Response Center Luxembourg (CIRCL) is a government-driven initiative designed to provide a systematic response facility to computer security threats and incidents • CIRCL is the CERT for the private sector, communes and non-governmental entities in Luxembourg
2 of 17 Honeypots - introduction
Definition (Honeypots) ”A honeypot is security resource whose value lies in being probed, attacked, or compromised.”1 Evolution • Keeping attacker was experimented by Stoll in the late 80s2 • Honeypot concept pushed in the year 2002
1Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley Longman Publishing Co., Inc., Boston, MA, USA, 2002, page 23. 2Clifford Stoll. Stalking the wily hacker. Commun. ACM, 31(5):484–497, 1988. 3 of 17 Host2
Host5
Honeypots - introduction Opportunistic automated attacks
Host1
Host2 • Attacker scans arbitrary hosts attacker Host3 • 232 possibilities for IPv4 • Abuse of vulnerable hosts Host4
Host5
Monitor unused IPs → Honeypots
4 of 17 Honeypots - introduction Opportunistic automated attacks
Host1
Host2 • Attacker scans arbitrary hosts attacker Host3 • 232 possibilities for IPv4 • Abuse of vulnerable hosts Host4
Host5
Monitor unused IPs → Honeypots
4 of 17 Honeypots - introduction Motivation to monitor unused IP addresses
• Do not monitor legitimate traffic ◦ Reduce false positives ◦ Avoid privacy issues • Detect opportunistic attacks • Detect misconfigured machines • Detect victims: DDOS, compromised servers, ...
5 of 17 Honeypot observations capabilities Interactions
Information gain • The more protocols you speak, the more information you get • The more information you get, the more you get involved
Honeypot interaction levels • Low interaction honeypots • Mid interaction honeypots • High interaction honeypots
6 of 17 Honeypot observations capabilities
data
packets t1, t2, t3, t4 protocol1 ip protocol2 port protocol3
botnet command = b1 + b2 + b3 + b4
7 of 17 Observing SYN floods attacks in backscatter traffic Attack description
Spoofed requests H0, H1, H2, H3, ... Attacker Victim
H0 H1 H2 H3
Connections H0 H1 H2 H3 Fill up state connection state table of the victim
8 of 17 Observing SYN floods attacks in backscatter traffic Plotting TCP acknowledgement numbers
Honeypot captures - TCP ACK distribution 5 × 109 https://www.circl.lu/pub/tr-16/
4 × 109
3 × 109
2 × 109 ACK value
1 × 109
0 08 09 10 11 12 13 14 15 16 17 18 19 20 21
Time - Hour
9 of 17 Observing amplification attacks
Definition • y request of x bytes triggers responses of (x+∆) bytes × selected vulnerable server (y) • Abuse of vulnerable servers data request from v data delivery to v Server3
Attacker Server2 Victim (v)
Server1
10 of 17 Discovering the attacking infrastructure Historical example: Allaple worm from 2006 - 2017
Attackers constantly scan for vulnerable hosts
Unique IP addresses infected with Allaple per day 35 https://www.circl.lu/pub/tr-40/ 30
25
20
15
Number of10 IPs
5
0 14/10 15/01 15/04 15/07 15/10 16/01 16/04 16/07 16/10 17/01 17/04 Time (year/month/day)
Probes for more than 10 years
11 of 17 Discovering the attacking infrastructure Popular example: Mirai Variant ISN=destination IP
Unique IP addresses with Mirai behaviour 1.8 × 107 https://www.circl.lu/pub/tr-40/https://www.circl.lu/ isn=ip dest 1.6 × 107 1.4 × 107 1.2 × 107 1 × 107 8 × 106 6 × 106 4 × 106
Number of unique IP addresses 6 2 × 10 16/07 16/08 16/09 16/10 16/11 16/12 17/01 17/02 17/03
Month/year
12 of 17 Observing misconfigured systems Human and Internet addressing is a good mix for errors
• Just look at ”internal”3 addresses that should not go on Internet • Further reading: https://www.circl.lu/assets/files/ circl-blackhole-honeynetworkshop2014.pdf Hit wrong key 192.x.z.y → 193.x.y.z Omission of number 192.x.y.z → 12.x.y.z Doubling of keys 10.a.b.c → 100.a.b.c 172.x.y.z 152.x.y.z
3RFC1918 13 of 17 Observing misconfigured systems Generic metrics
compressed volume collected by honeypot 1 × 108
1 × 107
1 × 106 volume in kB 100000
10000 01/26 02/02 02/09 02/16 02/23 03/02 03/09 time - month/day
14 of 17 Observing misconfigured systems Badly configured DNS resolvers
KASPERSKY NORMAN AVAST PANDA KASPERSKY-LABS AVGCLOUD SYMANTEC BAIDU MCAFEE PANDAAPP SYMANTECLIVEUPDATE GDATASECURITY TRENDMICRO NPROTECT2 BITDEFENDER MALWAREBYTES AVG MCAFEEMOBILESECURITY COMODO MCAFEEASAP SOPHOSXL AVGTHREATLABS SOPHOS AVGATE F-SECURE PANDAPOST DRWEB BITDEFENDER-ES PANDASECURITY PANDADOMAINADVISOR KINGSOFT SYMANTECCLOUD PANDASOFTWARE CLAMAV SYMANTECMAIL AVGMOBILATION RISING KASPERSKYLABS FORTINET MCAFEESECURE NPROTECT
Antivirus software trying to fetch their updates from honeypots 15 of 17 Improving threat intelligence data MISP sightings
Definition • Threat intelligence data lookup in honeypot data • Feedback to threat intelligence platform via sighting4 • Link threat intelligence data with honeypot observations ◦ Identify opportunistic attacks ◦ Identify misconfigured systems ◦ Refresh time-to-live of attributes seen in honeypots ◦ Determine the freshness of information
4http: //www.misp.software/2017/02/16/Sighting-The-Next-Level.html 16 of 17 Conclusions
• Usefulness of honeypots ◦ Detect opportunistic attacks ◦ Detect trends: Netis backdoor,Heartbleed, Mirai,... ◦ Detect misconfigured machines ◦ Discover victims: DDOS, compromised servers, ... ◦ Measuring attacker’s capabilities • Ongoing best effort research activities at CIRCL • Getting involved5
5https://circl.lu/pub/tr-16/ 17 of 17