Report: March 2005

From Honeynet-PT

DEPLOYMENTS

We're currently running one Gen II honeynet, deployed remotely via Ethernet tunneling over TCP/IP, as a honeypot farm.


Honeynet architecture:

- Kangaroo - Transparent Ethernet Bridge over TCP/IP [1]

- Linux Firewall/Sebek Database/Log Server

- Linux Bridge, with snort-inline and IPTables

- Solaris 10 default installation with two zones

- RedHat 9 default installation


We have another Gen II honeynet, also using Ethernet tunneling with Kangaroo, for testing and development purposes:

- Kangaroo / Linux Firewall / Sebek Database/Log Server

- Linux Bridge, with dot1q tagging and snort-inline

- Two "testing only" honeypots (fedora core 2 and 3)

Please refer to our paper [2] for further information on this setup.

The Kangaroo tool was developed by the Portuguese team and is currently a prototype. Its purpose is to validate the real advantages of using Ethernet tunneling for easy and fast deployment of honeypot farms while keeping everything centralized.

Solaris 10 was another interesting deployment, configured with two different zones, where the main objective is to investigate rumors about new attacks that break out of zones.


FINDINGS

The RedHat 9 honeypot was compromised after two days via samba. The attacker found a text file (left there on purpose) in the root directory with some users and passwords of the Solaris 10 system zones, including the root account of one of the zones.

This attack is particularly interesting because the attacker patched the RedHat 9 system after installing a rootkit and did not install any kind of IRC client to join a botnet.

Currently the main activity is the attacker coming back from time to time and logging in to the Solaris 10 zone for which he has the root account. After a deeper analysis we found that he is trying to break out of that zone in order to reach the main zone.

The main zone has not been compromised yet, but it seems to be holding the attacker's attention.


MISC ACTIVITIES

During these 6 months we have been developing and testing the methodology for deploying honeynet farms using bridging/Kangaroo. The team was also interviewed by the Portuguese monthly computer magazine "Bit" about our project, as well as about honeynets and honeypots in general.


ORGANIZATIONAL

We are being contacted by other Portuguese researchers, individuals, companies and universities, and are building relationships with them in order to increase the number of honeypots, develop new tools and, as a consequence, produce more findings.


LESSONS LEARNED

- Kangaroo proved that honeypot farms can be deployed very fast and without deep network knowledge, eliminating all the disadvantages pointed out by Eduard Ballas in chapter 7 of "Know Your Enemy, 2nd Edition", except the latency factor. It also helps manage the honeypots, since we now have 24x7 physical access to them no matter where they are "virtually" deployed. It has also reduced our hardware needs, because the honeypots can be run on a single piece of hardware.

- Deploying new technologies allows us to study different attacks, apparently not coming from regular script kiddies.


FUTURE GOALS

- Release a paper about our Ethernet tunneling approach.

- Finish the Kangaroo code in order to publish it as an open-source project.

- Add more Kangaroo sensors around Portugal, tunneling traffic to our honeypot farms.

- Create a WAN of a virtual international company with other Alliance team members, using Kangaroo transparent Ethernet bridge and other routing tunnels.

- Depending on feedback, it would be interesting to include Kangaroo on the Honeywall CD.

REFERENCES

[1] http://www.honeynet-pt.org/research/kangaroo-0.5.0a.tar.gz (prototype version)

[2] http://www.honeynet-pt.org/papers/kangaroo-draft.pdf (still in draft)