SlideShare une entreprise Scribd logo

Honeypot Farms using Ethernet Bridging over a TCP Connection

M
morisson
Technologie
1  sur  5
Télécharger pour lire hors ligne
Honeypot Farms Using Ethernet Bridging over a TCP Connection Bruno Morisson <bruno.morisson@honeynet-pt.org> Marco Vaz <marco.vaz@honeynet-pt.org> Pedro Inácio <Pedro.inacio@honeynet-pt.org> The Honeynet Project - Portugal http://www.honeynet-pt.org March 2005 Abstract This paper describes a methodology and a prototype tool based on libpcap, libnet, mini-lzo and openssl, with the main objective of mitigating honeypot farm deployment complexity. Ethernet bridging over a TCP connection and vlan tagging are used as the way to simplify the deployment of the remote honeypots and achieve better overall results. Keywords Honeypot, honeynet, ethernet bridging, vlan, snort-inline, TCP
Introduction • Honeypot farms use routing rather than bridge, so they are As already presented by Edward Balas in complex to configure and chapter 7 of “Know Your Enemy, 2nd require good network Edition”, Honeypot Farms are used as a knowledge to operate properly. way of virtually distributing honeypots, • This technology is fair new, transporting IP packets from remote there are no tools to help locations to the physical honeypots. It aims automate the configuration and to reduce cost, deployment time and operation of the analysis time. infrastructures. We decided to embrace and simplify this concept of traffic tunneling because it The Portugal Honeynet Project developed gives us the ability to optimize our its own prototype tool, Kangaroo, to help methodology of analysis. Our aim was to us with those tasks. With this tool, it is use bridging rather than routing for possible to tunnel ethernet traffic from transporting the traffic from remote remote locations to the farm on a TCP locations to our honeypots on the farm. connection, injecting it in the physical Bridging provides the simplicity of traffic honeypot Ethernet card/switch. transportation. Since Kangaroo relies on libpcap and libnet for capturing and injecting packets, it This approach enables: doesn't require any kernel patches/modules, and it should be simple • Quickly access to the compromised to port it to most modern operating equipments. systems. • Reduce the physical space required in ISP housing. • Decrease the number of control Architecture equipments (bridge, firewall and database) The topology deployed is based on a Gen II • Transparency honeynet. The big difference is that we are isolating the honeypots using 802.1q, creating virtual interfaces on our bridge As Edward Balas puts it: server. The bridge server has one virtual interface per network segment. Advantages of honeypot farms All traffic to and from the honeypots will • Honeynets can be deployed be bridged by the central server and the with in a very short amount of remote servers. The remote servers will time. create TCP connections to the central • Forensic analysis can be done server, through which interesting traffic faster. will be tunneled both ways. • Honeypot farms can be used to protect production servers (hot-zoning). • Participant networks don’t need to configure or monitor the honeypots. Disadvantages of honeypot farms • Geographic unrelated positions cause anomalies in network latency.
operational needs. Filtering rules can also be applied via BPF on both ends of the tunnel. Another important advantage is that libpcap makes Kangaroo a truly platform- independent application. Transparency This approach to traffic tunneling can be described as medium-independent and inherently protocol-independent. Any LAN medium that can be captured with libpcap and injected with libnet can be tunneled with Kangaroo. Contrary to routing, using bridging there is no way for an attacker to detect that the machine is not physically located next to the others on the same subnet, except for the added latency. Performance Latency: There is, obviously, added latency to the connection. To reduce it, Kangaroo Traffic to the honeypot: offers the ability to compress the packets. The remote client captures the Ethernet Scalability: For now, one instance of frames sent to the honeypot's IP address (as Kangaroo is required for each tunnel well as relevant ARP requests/answers), an created, so for now scalability is an issue at sends the frames through the TCP that level. It is also an issue with the connection to the central server. The bridge, since there is only one snort inline central server receives the frames from the instance which must process every packet TCP connection, and injects them in the for every honeypot. desired interface. Traffic from the honeypot: Example Setup The central server captures the Ethernet frames sent from the honeypot's IP address In the example setup there are two remote (as well as relevant ARP requests/answers), sensors with Kangaroo that will forward and and sends the frames through the TCP receive the traffic to and from the connection to the remote client. The honeynet Firewall. remote client receives the frames from the TCP connection, and injects them on the The firewall will encapsulate each stream local network. into dot1q and send the trunk back to the Bridge. BPF – BSD Packet Filter The SnortInline bridge has several virtual bridges and each one is composed by pairs Using libpcap to capture the packets gives of dot1q interfaces. One SnortInline process the possibility to create a set off powerful is enough to process all bridges. filtering rules that will reduce the transported traffic to the minimal
The switch located behind the SnortInline • ./kangaroo -C -u user -g group -p 4791 -l Bridge will split the trunk traffic, putting 80.x.y.z -i eth1.2 -f 'src host 100.x.y.z' each VLAN in a separate port. Kangaroo will inject traffic coming from RemoteSensor to the VLAN 2 There are two honeypots, one on VLAN 2 interface on the firewall and other on VLAN 3. • ./kangaroo -C -u user -g group -p 4792 -l 80.x.y.z -i eth1.3 -f 'src host 99.x.y.z' Kangaroo will inject traffic coming Honeypot1 will have the (public) IP address from RemoteSensor to the VLAN 3 99.x.y.z and honeypot2 will have the (also interface on the firewall public) IP address 100.x.y.z. The IP address for the firewall’s outside interface (public) will be 80.x.y.z Configuration on the SnortInline Bridge • vconfig add eth0 2 Creation of the VLAN 2 interface on the inside Ethernet NIC. • vconfig add eth1 2 Creation of the VLAN 2 interface on the outside Ethernet NIC. • vconfig add eth0 3 Creation of the VLAN 3 interface on the inside Ethernet NIC. • vconfig add eth1 3 Creation of the VLAN 3 interface on the outside Ethernet NIC. • Creation of the brctl add eth0.2 br2 VLAN 2 interface on the inside Ethernet NIC. • Creation of the brctl add eth1.2 br2 VLAN 2 interface on the outside Ethernet NIC. Configuration on the remote sensors • ./kangaroo -C -u user -g group -p 4791 -c • Creation of the brctl add eth0.3 br3 80.x.y.z -i eth0 -f 'dst host 99.x.y.z' VLAN 2 interface on the inside Kangaroo will capture and inject Ethernet NIC. traffic from and to RemoteSensor1 • Creation of the brctl add eth1.3 br3 • ./kangaroo -C -u user -g group -p 4792 -c VLAN 2 interface on the inside 80.x.y.z -i eth0 -f 'dst host 100.x.y.z' Ethernet NIC. Kangaroo will capture and inject traffic from and to RemoteSensor2 • iptables –A FORWARD –s 99.x.y.z –j ACCEPT Firewall rule to permit Configuration on the Firewall inbound traffic to the honeypot1. • vconfig add eth1 2 Creation of the • iptables –A FORWARD –d 99.x.y.z –j VLAN 2 interface on the inside QUEUE Firewall rule to queue Ethernet NIC. outbound traffic from the • vconfig add eth1 3 Creation of the honeypot1. VLAN 3 interface on the inside Ethernet NIC.
• iptables –A FORWARD –s 100.x.y.z –j ACCEPT Firewall rule to permit Libnet inbound traffic to the honeypot2. http://www.packetfactory.net • iptables –A FORWARD –d 100.x.y.z –j Mini-LZO QUEUE Firewall rule to queue http://www.oberhumer.com outbound traffic from the honeypot2. Openssl http://www.openssl.org The Honeynet Project http://www.honeynet.org TODO Book – Know Your Enemy, 2nd Edition • The prototype code is being http://www.honeynet.org/book completely re-written. • Multiplexing - One central Kangaroo daemon for several remote servers. • Direct integration with snort-inline • Performance enhancements • SSL enhancements(Certificates for authentication, stream encryption for performance) Conclusions Using the methods described, with the aid of Kangaroo, Linux bridging, VLAN tagging, and snort inline, is is possible to truly decentralize honeynets, deploying honeypots remotely, while keeping all the hardware centralized at a close location. This also allows for costs reduction on hardware: there is no need to replicate honeynets in every participating network. We need can use the same firewall, bridge, log server, etc., for every honeypot deployed. With Kangaroo routing configuration troubles can be avoided, and network transparency obtained. Since Kangaroo was specifically thought for this application, its configuration is also simple and straightforward. References Kangaroo http://www.honeynet- pt.org/research/kangaroo-0.5.0a.tar.gz Libpcap http://www.tcpdump.org

Recommandé

Hiperlink optical 05 Ghz-lanrtx
Hiperlink optical 05 Ghz-lanrtxHiperlink optical 05 Ghz-lanrtx
Hiperlink optical 05 Ghz-lanrtxRes-Ingenium
 
IEEE 1588 Timing for Mobile Backhaul_Webinar
IEEE 1588 Timing for Mobile Backhaul_WebinarIEEE 1588 Timing for Mobile Backhaul_Webinar
IEEE 1588 Timing for Mobile Backhaul_WebinarSymmetricomSYMM
 
HIPERLINK 05G backhaul - IRTX
HIPERLINK 05G backhaul - IRTXHIPERLINK 05G backhaul - IRTX
HIPERLINK 05G backhaul - IRTXRes-Ingenium
 
PLNOG 5: Emil Gągała - ADVANCED VPLS
PLNOG 5: Emil Gągała - ADVANCED VPLSPLNOG 5: Emil Gągała - ADVANCED VPLS
PLNOG 5: Emil Gągała - ADVANCED VPLSPROIDEA
 
ASIS CCCT Workshop: Wireless Security & Surveillance
ASIS CCCT Workshop: Wireless Security & SurveillanceASIS CCCT Workshop: Wireless Security & Surveillance
ASIS CCCT Workshop: Wireless Security & SurveillanceFiretide
 
User manual ramon
User manual ramon User manual ramon
User manual ramon Dr. Edwin Hernandez
 
Somerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata
 
The State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentThe State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentJohn Loughney
 

Recommandé

Hiperlink optical 05 Ghz-lanrtx
Hiperlink optical 05 Ghz-lanrtxHiperlink optical 05 Ghz-lanrtx
Hiperlink optical 05 Ghz-lanrtxRes-Ingenium
 
IEEE 1588 Timing for Mobile Backhaul_Webinar
IEEE 1588 Timing for Mobile Backhaul_WebinarIEEE 1588 Timing for Mobile Backhaul_Webinar
IEEE 1588 Timing for Mobile Backhaul_WebinarSymmetricomSYMM
 
HIPERLINK 05G backhaul - IRTX
HIPERLINK 05G backhaul - IRTXHIPERLINK 05G backhaul - IRTX
HIPERLINK 05G backhaul - IRTXRes-Ingenium
 
PLNOG 5: Emil Gągała - ADVANCED VPLS
PLNOG 5: Emil Gągała - ADVANCED VPLSPLNOG 5: Emil Gągała - ADVANCED VPLS
PLNOG 5: Emil Gągała - ADVANCED VPLSPROIDEA
 
ASIS CCCT Workshop: Wireless Security & Surveillance
ASIS CCCT Workshop: Wireless Security & SurveillanceASIS CCCT Workshop: Wireless Security & Surveillance
ASIS CCCT Workshop: Wireless Security & SurveillanceFiretide
 
User manual ramon
User manual ramon User manual ramon
User manual ramon Dr. Edwin Hernandez
 
Somerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata AROW Data Diode
Somerdata AROW Data DiodeSomerdata
 
The State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentThe State of 3G/GPRS IPv6 Deployment
The State of 3G/GPRS IPv6 DeploymentJohn Loughney
 
IPv6 in 2G and 3G Networks
IPv6 in 2G and 3G NetworksIPv6 in 2G and 3G Networks
IPv6 in 2G and 3G NetworksJohn Loughney
 
Dissertation Defense August 2002
Dissertation Defense August 2002Dissertation Defense August 2002
Dissertation Defense August 2002Dr. Edwin Hernandez
 
RAMON : Rapid Mobile Network Emulation
RAMON : Rapid Mobile Network EmulationRAMON : Rapid Mobile Network Emulation
RAMON : Rapid Mobile Network EmulationDr. Edwin Hernandez
 
C08 network protocols
C08 network protocolsC08 network protocols
C08 network protocolsRio Nguyen
 
Alternative Transport Protocols
Alternative Transport ProtocolsAlternative Transport Protocols
Alternative Transport ProtocolsPeter R. Egli
 
Introduction To DASH7 Technology
Introduction To DASH7 TechnologyIntroduction To DASH7 Technology
Introduction To DASH7 Technologyjpnorair
 
Basics of multicasting and its implementation on ethernet networks
Basics of multicasting and its implementation on ethernet networksBasics of multicasting and its implementation on ethernet networks
Basics of multicasting and its implementation on ethernet networksReliance Comm
 
Basicsofmulticastinganditsimplementationonethernetnetworks
Basicsofmulticastinganditsimplementationonethernetnetworks Basicsofmulticastinganditsimplementationonethernetnetworks
Basicsofmulticastinganditsimplementationonethernetnetworks Sasank Chaitanya
 
Tr@Ins6 Trackside Communication Herman Claus
Tr@Ins6 Trackside Communication Herman ClausTr@Ins6 Trackside Communication Herman Claus
Tr@Ins6 Trackside Communication Herman Clausimec.archive
 
Research and Experimentation of LoRa in Heavy Multipath
Research and Experimentation of LoRa in Heavy MultipathResearch and Experimentation of LoRa in Heavy Multipath
Research and Experimentation of LoRa in Heavy MultipathHaystack Technologies
 
Feature satip3
Feature satip3Feature satip3
Feature satip3TELE-satellite esp
 
Feature satip3
Feature satip3Feature satip3
Feature satip3TELE-satellite ned
 
Feature satip3
Feature satip3Feature satip3
Feature satip3TELE-audiovision eng
 
Time Synchronisation
Time SynchronisationTime Synchronisation
Time SynchronisationSymmetricomSYMM
 
Feature satip3
Feature satip3Feature satip3
Feature satip3TELE-satellite ara
 
SDN Network virtualization, NFV & MPLS synergies
SDN Network virtualization, NFV & MPLS synergiesSDN Network virtualization, NFV & MPLS synergies
SDN Network virtualization, NFV & MPLS synergiesHector.Avalos
 
Feature satip3
Feature satip3Feature satip3
Feature satip3TELE-satellite man
 
Vsat day-2008-comtech
Vsat day-2008-comtechVsat day-2008-comtech
Vsat day-2008-comtechSSPI Brasil
 
Virtual Network Performance Challenge
Virtual Network Performance ChallengeVirtual Network Performance Challenge
Virtual Network Performance ChallengeStephen Hemminger
 
Feature satip3
Feature satip3Feature satip3
Feature satip3TELE-satellite bul
 
The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?morisson
 

Contenu connexe

Tendances

IPv6 in 2G and 3G Networks
IPv6 in 2G and 3G NetworksIPv6 in 2G and 3G Networks
IPv6 in 2G and 3G NetworksJohn Loughney
 
Dissertation Defense August 2002
Dissertation Defense August 2002Dissertation Defense August 2002
Dissertation Defense August 2002Dr. Edwin Hernandez
 
RAMON : Rapid Mobile Network Emulation
RAMON : Rapid Mobile Network EmulationRAMON : Rapid Mobile Network Emulation
RAMON : Rapid Mobile Network EmulationDr. Edwin Hernandez
 
C08 network protocols
C08 network protocolsC08 network protocols
C08 network protocolsRio Nguyen
 
Alternative Transport Protocols
Alternative Transport ProtocolsAlternative Transport Protocols
Alternative Transport ProtocolsPeter R. Egli
 
Introduction To DASH7 Technology
Introduction To DASH7 TechnologyIntroduction To DASH7 Technology
Introduction To DASH7 Technologyjpnorair
 
Basics of multicasting and its implementation on ethernet networks
Basics of multicasting and its implementation on ethernet networksBasics of multicasting and its implementation on ethernet networks
Basics of multicasting and its implementation on ethernet networksReliance Comm
 
Basicsofmulticastinganditsimplementationonethernetnetworks
Basicsofmulticastinganditsimplementationonethernetnetworks Basicsofmulticastinganditsimplementationonethernetnetworks
Basicsofmulticastinganditsimplementationonethernetnetworks Sasank Chaitanya
 
Tr@Ins6 Trackside Communication Herman Claus
Tr@Ins6 Trackside Communication Herman ClausTr@Ins6 Trackside Communication Herman Claus
Tr@Ins6 Trackside Communication Herman Clausimec.archive
 
Research and Experimentation of LoRa in Heavy Multipath
Research and Experimentation of LoRa in Heavy MultipathResearch and Experimentation of LoRa in Heavy Multipath
Research and Experimentation of LoRa in Heavy MultipathHaystack Technologies
 
SDN Network virtualization, NFV & MPLS synergies
SDN Network virtualization, NFV & MPLS synergiesSDN Network virtualization, NFV & MPLS synergies
SDN Network virtualization, NFV & MPLS synergiesHector.Avalos
 
Vsat day-2008-comtech
Vsat day-2008-comtechVsat day-2008-comtech
Vsat day-2008-comtechSSPI Brasil
 
Virtual Network Performance Challenge
Virtual Network Performance ChallengeVirtual Network Performance Challenge
Virtual Network Performance ChallengeStephen Hemminger
 

Tendances (20)

IPv6 in 2G and 3G Networks
IPv6 in 2G and 3G NetworksIPv6 in 2G and 3G Networks
IPv6 in 2G and 3G Networks
 
Dissertation Defense August 2002
Dissertation Defense August 2002Dissertation Defense August 2002
Dissertation Defense August 2002
 
RAMON : Rapid Mobile Network Emulation
RAMON : Rapid Mobile Network EmulationRAMON : Rapid Mobile Network Emulation
RAMON : Rapid Mobile Network Emulation
 
C08 network protocols
C08 network protocolsC08 network protocols
C08 network protocols
 
Alternative Transport Protocols
Alternative Transport ProtocolsAlternative Transport Protocols
Alternative Transport Protocols
 
Introduction To DASH7 Technology
Introduction To DASH7 TechnologyIntroduction To DASH7 Technology
Introduction To DASH7 Technology
 
Basics of multicasting and its implementation on ethernet networks
Basics of multicasting and its implementation on ethernet networksBasics of multicasting and its implementation on ethernet networks
Basics of multicasting and its implementation on ethernet networks
 
Basicsofmulticastinganditsimplementationonethernetnetworks
Basicsofmulticastinganditsimplementationonethernetnetworks Basicsofmulticastinganditsimplementationonethernetnetworks
Basicsofmulticastinganditsimplementationonethernetnetworks
 
Tr@Ins6 Trackside Communication Herman Claus
Tr@Ins6 Trackside Communication Herman ClausTr@Ins6 Trackside Communication Herman Claus
Tr@Ins6 Trackside Communication Herman Claus
 
Research and Experimentation of LoRa in Heavy Multipath
Research and Experimentation of LoRa in Heavy MultipathResearch and Experimentation of LoRa in Heavy Multipath
Research and Experimentation of LoRa in Heavy Multipath
 
Feature satip3
Feature satip3Feature satip3
Feature satip3
 
Feature satip3
Feature satip3Feature satip3
Feature satip3
 
Feature satip3
Feature satip3Feature satip3
Feature satip3
 
Time Synchronisation
Time SynchronisationTime Synchronisation
Time Synchronisation
 
Feature satip3
Feature satip3Feature satip3
Feature satip3
 
SDN Network virtualization, NFV & MPLS synergies
SDN Network virtualization, NFV & MPLS synergiesSDN Network virtualization, NFV & MPLS synergies
SDN Network virtualization, NFV & MPLS synergies
 
Feature satip3
Feature satip3Feature satip3
Feature satip3
 
Vsat day-2008-comtech
Vsat day-2008-comtechVsat day-2008-comtech
Vsat day-2008-comtech
 
Virtual Network Performance Challenge
Virtual Network Performance ChallengeVirtual Network Performance Challenge
Virtual Network Performance Challenge
 
Feature satip3
Feature satip3Feature satip3
Feature satip3
 

En vedette

The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Bemorisson
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?morisson
 
Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Securitymorisson
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgerymorisson
 
Security asap
Security asapSecurity asap
Security asapmorisson
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using sshmorisson
 

En vedette (7)

The Thing That Should Not Be
The Thing That Should Not BeThe Thing That Should Not Be
The Thing That Should Not Be
 
Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?Mobile Securty - An Oxymoron?
Mobile Securty - An Oxymoron?
 
APT
APTAPT
APT
 
Virtualization & Security
Virtualization & SecurityVirtualization & Security
Virtualization & Security
 
Crash Course In Brain Surgery
Crash Course In Brain SurgeryCrash Course In Brain Surgery
Crash Course In Brain Surgery
 
Security asap
Security asapSecurity asap
Security asap
 
(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh(Mis)trusting and (ab)using ssh
(Mis)trusting and (ab)using ssh
 

Similaire à Honeypot Farms using Ethernet Bridging over a TCP Connection

Ethernetv infiniband
Ethernetv infinibandEthernetv infiniband
Ethernetv infinibandMason Mei
 
2002023
20020232002023
2002023pglehn
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpJames Denton
 
Congection control and Internet working
Congection control and Internet workingCongection control and Internet working
Congection control and Internet workingTharuniDiddekunta
 
Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016ICT PRISTINE
 
PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK
PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK
PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK PROIDEA
 
Branching out with SDN
Branching out with SDNBranching out with SDN
Branching out with SDNAPNIC
 
Auto default gateway settings for virtual
Auto default gateway settings for virtualAuto default gateway settings for virtual
Auto default gateway settings for virtualijwmn
 
100G Networking Berlin.pdf
100G Networking Berlin.pdf100G Networking Berlin.pdf
100G Networking Berlin.pdfJunZhao68
 
5G in Brownfield how SDN makes 5G Deployments Work
5G in Brownfield how SDN makes 5G Deployments Work5G in Brownfield how SDN makes 5G Deployments Work
5G in Brownfield how SDN makes 5G Deployments WorkLumina Networks
 
Communication Performance Over A Gigabit Ethernet Network
Communication Performance Over A Gigabit Ethernet NetworkCommunication Performance Over A Gigabit Ethernet Network
Communication Performance Over A Gigabit Ethernet NetworkIJERA Editor
 

Similaire à Honeypot Farms using Ethernet Bridging over a TCP Connection (20)

Ethernetv infiniband
Ethernetv infinibandEthernetv infiniband
Ethernetv infiniband
 
V P N
V P NV P N
V P N
 
It6601 mobile computing unit2
It6601 mobile computing unit2It6601 mobile computing unit2
It6601 mobile computing unit2
 
2002023
20020232002023
2002023
 
Vpn_NJ ppt
Vpn_NJ pptVpn_NJ ppt
Vpn_NJ ppt
 
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack UpPushing Packets - How do the ML2 Mechanism Drivers Stack Up
Pushing Packets - How do the ML2 Mechanism Drivers Stack Up
 
MPLS VPN
MPLS VPNMPLS VPN
MPLS VPN
 
Congection control and Internet working
Congection control and Internet workingCongection control and Internet working
Congection control and Internet working
 
Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016Pristine rina-sdk-icc-2016
Pristine rina-sdk-icc-2016
 
PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK
PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK
PLNOG 8: Emil Gągała - DATA CENTER FABRIC COOKBOOK
 
CCNA 1
CCNA 1CCNA 1
CCNA 1
 
Userspace networking
Userspace networkingUserspace networking
Userspace networking
 
Branching out with SDN
Branching out with SDNBranching out with SDN
Branching out with SDN
 
Vp ns
Vp nsVp ns
Vp ns
 
Auto default gateway settings for virtual
Auto default gateway settings for virtualAuto default gateway settings for virtual
Auto default gateway settings for virtual
 
100G Networking Berlin.pdf
100G Networking Berlin.pdf100G Networking Berlin.pdf
100G Networking Berlin.pdf
 
5G in Brownfield how SDN makes 5G Deployments Work
5G in Brownfield how SDN makes 5G Deployments Work5G in Brownfield how SDN makes 5G Deployments Work
5G in Brownfield how SDN makes 5G Deployments Work
 
Communication Performance Over A Gigabit Ethernet Network
Communication Performance Over A Gigabit Ethernet NetworkCommunication Performance Over A Gigabit Ethernet Network
Communication Performance Over A Gigabit Ethernet Network
 
Netw204 Quiz Answers Essay
Netw204 Quiz Answers EssayNetw204 Quiz Answers Essay
Netw204 Quiz Answers Essay
 
Mellanox Approach to NFV & SDN
Mellanox Approach to NFV & SDNMellanox Approach to NFV & SDN
Mellanox Approach to NFV & SDN
 

Dernier

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerThousandEyes
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Zilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKJago de Vreede
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 

Dernier (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
Emergent Methods: Multi-lingual narrative tracking in the news - real-time ex...
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdf
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 

Honeypot Farms using Ethernet Bridging over a TCP Connection

  • 1. Honeypot Farms Using Ethernet Bridging over a TCP Connection Bruno Morisson <bruno.morisson@honeynet-pt.org> Marco Vaz <marco.vaz@honeynet-pt.org> Pedro Inácio <Pedro.inacio@honeynet-pt.org> The Honeynet Project - Portugal http://www.honeynet-pt.org March 2005 Abstract This paper describes a methodology and a prototype tool based on libpcap, libnet, mini-lzo and openssl, with the main objective of mitigating honeypot farm deployment complexity. Ethernet bridging over a TCP connection and vlan tagging are used as the way to simplify the deployment of the remote honeypots and achieve better overall results. Keywords Honeypot, honeynet, ethernet bridging, vlan, snort-inline, TCP
  • 2. Introduction • Honeypot farms use routing rather than bridge, so they are As already presented by Edward Balas in complex to configure and chapter 7 of “Know Your Enemy, 2nd require good network Edition”, Honeypot Farms are used as a knowledge to operate properly. way of virtually distributing honeypots, • This technology is fair new, transporting IP packets from remote there are no tools to help locations to the physical honeypots. It aims automate the configuration and to reduce cost, deployment time and operation of the analysis time. infrastructures. We decided to embrace and simplify this concept of traffic tunneling because it The Portugal Honeynet Project developed gives us the ability to optimize our its own prototype tool, Kangaroo, to help methodology of analysis. Our aim was to us with those tasks. With this tool, it is use bridging rather than routing for possible to tunnel ethernet traffic from transporting the traffic from remote remote locations to the farm on a TCP locations to our honeypots on the farm. connection, injecting it in the physical Bridging provides the simplicity of traffic honeypot Ethernet card/switch. transportation. Since Kangaroo relies on libpcap and libnet for capturing and injecting packets, it This approach enables: doesn't require any kernel patches/modules, and it should be simple • Quickly access to the compromised to port it to most modern operating equipments. systems. • Reduce the physical space required in ISP housing. • Decrease the number of control Architecture equipments (bridge, firewall and database) The topology deployed is based on a Gen II • Transparency honeynet. The big difference is that we are isolating the honeypots using 802.1q, creating virtual interfaces on our bridge As Edward Balas puts it: server. The bridge server has one virtual interface per network segment. Advantages of honeypot farms All traffic to and from the honeypots will • Honeynets can be deployed be bridged by the central server and the with in a very short amount of remote servers. The remote servers will time. create TCP connections to the central • Forensic analysis can be done server, through which interesting traffic faster. will be tunneled both ways. • Honeypot farms can be used to protect production servers (hot-zoning). • Participant networks don’t need to configure or monitor the honeypots. Disadvantages of honeypot farms • Geographic unrelated positions cause anomalies in network latency.
  • 3. operational needs. Filtering rules can also be applied via BPF on both ends of the tunnel. Another important advantage is that libpcap makes Kangaroo a truly platform- independent application. Transparency This approach to traffic tunneling can be described as medium-independent and inherently protocol-independent. Any LAN medium that can be captured with libpcap and injected with libnet can be tunneled with Kangaroo. Contrary to routing, using bridging there is no way for an attacker to detect that the machine is not physically located next to the others on the same subnet, except for the added latency. Performance Latency: There is, obviously, added latency to the connection. To reduce it, Kangaroo Traffic to the honeypot: offers the ability to compress the packets. The remote client captures the Ethernet Scalability: For now, one instance of frames sent to the honeypot's IP address (as Kangaroo is required for each tunnel well as relevant ARP requests/answers), an created, so for now scalability is an issue at sends the frames through the TCP that level. It is also an issue with the connection to the central server. The bridge, since there is only one snort inline central server receives the frames from the instance which must process every packet TCP connection, and injects them in the for every honeypot. desired interface. Traffic from the honeypot: Example Setup The central server captures the Ethernet frames sent from the honeypot's IP address In the example setup there are two remote (as well as relevant ARP requests/answers), sensors with Kangaroo that will forward and and sends the frames through the TCP receive the traffic to and from the connection to the remote client. The honeynet Firewall. remote client receives the frames from the TCP connection, and injects them on the The firewall will encapsulate each stream local network. into dot1q and send the trunk back to the Bridge. BPF – BSD Packet Filter The SnortInline bridge has several virtual bridges and each one is composed by pairs Using libpcap to capture the packets gives of dot1q interfaces. One SnortInline process the possibility to create a set off powerful is enough to process all bridges. filtering rules that will reduce the transported traffic to the minimal
  • 4. The switch located behind the SnortInline • ./kangaroo -C -u user -g group -p 4791 -l Bridge will split the trunk traffic, putting 80.x.y.z -i eth1.2 -f 'src host 100.x.y.z' each VLAN in a separate port. Kangaroo will inject traffic coming from RemoteSensor to the VLAN 2 There are two honeypots, one on VLAN 2 interface on the firewall and other on VLAN 3. • ./kangaroo -C -u user -g group -p 4792 -l 80.x.y.z -i eth1.3 -f 'src host 99.x.y.z' Kangaroo will inject traffic coming Honeypot1 will have the (public) IP address from RemoteSensor to the VLAN 3 99.x.y.z and honeypot2 will have the (also interface on the firewall public) IP address 100.x.y.z. The IP address for the firewall’s outside interface (public) will be 80.x.y.z Configuration on the SnortInline Bridge • vconfig add eth0 2 Creation of the VLAN 2 interface on the inside Ethernet NIC. • vconfig add eth1 2 Creation of the VLAN 2 interface on the outside Ethernet NIC. • vconfig add eth0 3 Creation of the VLAN 3 interface on the inside Ethernet NIC. • vconfig add eth1 3 Creation of the VLAN 3 interface on the outside Ethernet NIC. • Creation of the brctl add eth0.2 br2 VLAN 2 interface on the inside Ethernet NIC. • Creation of the brctl add eth1.2 br2 VLAN 2 interface on the outside Ethernet NIC. Configuration on the remote sensors • ./kangaroo -C -u user -g group -p 4791 -c • Creation of the brctl add eth0.3 br3 80.x.y.z -i eth0 -f 'dst host 99.x.y.z' VLAN 2 interface on the inside Kangaroo will capture and inject Ethernet NIC. traffic from and to RemoteSensor1 • Creation of the brctl add eth1.3 br3 • ./kangaroo -C -u user -g group -p 4792 -c VLAN 2 interface on the inside 80.x.y.z -i eth0 -f 'dst host 100.x.y.z' Ethernet NIC. Kangaroo will capture and inject traffic from and to RemoteSensor2 • iptables –A FORWARD –s 99.x.y.z –j ACCEPT Firewall rule to permit Configuration on the Firewall inbound traffic to the honeypot1. • vconfig add eth1 2 Creation of the • iptables –A FORWARD –d 99.x.y.z –j VLAN 2 interface on the inside QUEUE Firewall rule to queue Ethernet NIC. outbound traffic from the • vconfig add eth1 3 Creation of the honeypot1. VLAN 3 interface on the inside Ethernet NIC.
  • 5. iptables –A FORWARD –s 100.x.y.z –j ACCEPT Firewall rule to permit Libnet inbound traffic to the honeypot2. http://www.packetfactory.net • iptables –A FORWARD –d 100.x.y.z –j Mini-LZO QUEUE Firewall rule to queue http://www.oberhumer.com outbound traffic from the honeypot2. Openssl http://www.openssl.org The Honeynet Project http://www.honeynet.org TODO Book – Know Your Enemy, 2nd Edition • The prototype code is being http://www.honeynet.org/book completely re-written. • Multiplexing - One central Kangaroo daemon for several remote servers. • Direct integration with snort-inline • Performance enhancements • SSL enhancements(Certificates for authentication, stream encryption for performance) Conclusions Using the methods described, with the aid of Kangaroo, Linux bridging, VLAN tagging, and snort inline, is is possible to truly decentralize honeynets, deploying honeypots remotely, while keeping all the hardware centralized at a close location. This also allows for costs reduction on hardware: there is no need to replicate honeynets in every participating network. We need can use the same firewall, bridge, log server, etc., for every honeypot deployed. With Kangaroo routing configuration troubles can be avoided, and network transparency obtained. Since Kangaroo was specifically thought for this application, its configuration is also simple and straightforward. References Kangaroo http://www.honeynet- pt.org/research/kangaroo-0.5.0a.tar.gz Libpcap http://www.tcpdump.org