Georgia Tech HoneyNet Report (January-March 2004)

Georgia Tech Honeynet Report (April 1, 2004 -- September 15, 2004)

1.0 HONEYNET DEPLOYMENTS

=========================

1.1 Current technologies deployed.

We are running a GEN II Honeynet with a variety of OSs of interest. We continue to use live OSs instead of VMware or HoneyD. Our web page with a diagram of our current setup is located at: http://users.ece.gatech.edu/~owen/Research/HoneyNet/HoneyNet_home.htm. Since our last report, we have restructured our honeynet and converted to the Honeywall CD configuration; we also now conduct all monitoring of the honeynet on an analysis box that is separate from the Honeywall (bridge) machine. We continue to deploy a Darknet within our Honeynet and have added a SUN workstation during this period. Our focus continues to be the use of the Honeynet to help secure the campus network.

1.2 Lessons learned from the technology, what you like about it.

Honeynets can be incorporated into an organization’s network security plan to help secure the network. We work closely with Georgia Tech’s Office of Information Technology to help secure the campus network.

We have improved our log file naming convention. Previously we created a new folder for each day’s log file(s) and named the folder by the month and day (i.e. Mar15, Apr24, Aug12). This format required separate storage locations for different years, and was more difficult to navigate both within Ethereal and in developing scripts that run on a series of logs because the folders were sorted alphabetically by month instead of in date order. Our improved format is to create a folder for each day in the numerical form of <yearmonthday> (i.e. 20020315, 20030424, 20040812).

                Our new setup with the honeywall CD, separate analysis box, and cleanly wired honeynet rack appears to be stable and makes it much simpler to adjust the configuration of the honeynet; adding a honeypot to the network or quickly disconnecting a honeypot from the network is now a simpler task as a result of the improvements made this summer.

The data consistency created by using the honeywall CD is very beneficial.

1.3 Lessons learned from the technology, what is lacking, what you

would like to see improved.

We need better methods to analyze the large amount of data collected by the honeynet. We are working towards developing tools to both analyze and visualize the data collected.

2.0 FINDINGS

=============

2.1 Number and type of systems compromised during six month period.

We have had two hoenypots compromised by worms since our last report. One machine was a Microsoft Windows 2000 system and the other was a Linux RedHat 7.3 system.

2.2 Highlight any unique findings, attacks, tools, or methods.

We found it interesting to observe the large spike in traffic to the honeynet from the Georgia Tech address range as students moved back in to start the Fall semester. Over the course of the summer, a typical day would include less than five (and often zero) IP’s attempting to establish connections to the honeynet from within Georgia Tech’s two and a half Class B address range. As students returned for the Fall semester, the number of IP’s attempting to establish connections increased dramatically, with a typical day including 10-20 separate IP’s attempting to establish connections.

Using a darknet to increase our IP address range provides additional traffic to include in our analysis (without the addition of physical honeypots) and helps us to observe scanning patterns.

We had 489 unique machines on the Georgia Tech campus that attempted to connect to the Honeynet between January 1^st, 2004 and August 31^st, 2004. (These machines are assumed to be compromised or in use by a malicious person.)

2.3 Any trends seen in the past six months;

The majority of traffic to our honeynet originating from within the campus network attempts to establish connections to Port 445. Between January 1, 2004 and August 31, 2004, 795 machines from within the campus attempted to establish a connection using port 445. (This number includes repeat attacks from a single IP address, but only counts one connection attempt per machine per day to port 445.)

We found an article that mentions the use of TCP ports 135 and 1026 to send popup spam to Windows systems. On at least one occasion we observed this type of traffic, but it did not result in a popup window on our honeypot.

2.4 Document data analysis tools and methods being used.

We currently use ethereal with various filters as our primary data analysis tool. We are developing perl scripts to parse through the logs and generate plots of the data. (PCAP data is parsed and the extracted results are stored in an XML file. Plots are then generated from the XML data.)

    2.5 For data analysis what tools work well, and what still needs to

be developed.

Ethereal is not a very efficient or effective way to analyze daily logs, especially as the size of the honeynet is increased, resulting in additional traffic. We have begun to develop perl scripts, but this method appears to be too slow as well. What we need to do is implement our perl scripts in C. We also are considering the use of an SQL database to be able to cope with the large amount of data and access it more quickly.

We could reap huge benefits from a data analysis CD in addition to the honeywall CD. The data analysis CD could be used to setup your

analysis box and could be another way to standardize honeynets throughout the alliance.

3.0 MISC ACTIVITIES

====================

3.1  Presenting at conferences

The papers listed in 3.3 were presented at conferences.

3.2 Developing, testing or releasing code

We have developed several perl scripts for data analysis, but we believe implementing these (and other) scripts in C will prove more beneficial for data analysis. We also have a PhD student working on network security visualization techniques and are using the software he is developing to observe our honeynet data.

3.3 Publication of papers

The following papers were published and presented at the IEEE Information Assurance Workshop at West Point, New York:

"Application of a Methodology to Characterize Rootkits Retrieved from Honeynets" by John Levine, Julian Grizzard, and Henry Owen; and

"An Investigation of a Compromised Host on a Honeynet Being Used to Increase the Security of a Large Enterprise Network" by Timothy Jackson, John Levine, Julian Grizzard, and Henry Owen.

The following paper was published an presented at DEFCON 12:

“Network Attack Visualization” by Greg Conti.

The following paper was published and presented at the Recent Advances in Intrusion Detection (RAID) Symposium:

"HoneyStat: Local Worm Detection Using Honeypots" by David Dagon, Xinzhou Qin, Guofei Gu, Wenke Lee, Julian Grizzard, John Levine, and Henry Owen.

3.4 Involvement in SotM challenges.

We have not participated.

3.5 Other

We have developed a honeynet continuity file for the Georgia Tech Honeynet. One of the challenges of a student run honeynet at an academic institute is that students (graduate and undergraduate) arrive and depart on a regular basis. For example, John Levine, who created the Georgia Tech Honeynet, graduated with a PhD in May 2004 and is now an instructor at West Point, and Julian Grizzard, who is currently in charge of the honeynet, expects to graduate with his PhD in 2005. We developed the continuity file to streamline the process of teaching new people how to run and monitor the honeynet, as well as serve as a source for lessons learned. The file includes configuration information, points of contact (internal and external), web sites of interest, logging information, and policy guidelines for monitoring our honeynet. We recommend a continuity file for any organization, but especially for academic institutes.

4.0 ORGANIZATIONAL

==================

4.1 Changes in your structure of your organization.

We have new undergraduate students getting involved in the honeynet, to include Neil Joshi, and Alfredo Ramos.

5.0 LESSONS LEARNED

===================

5.1 What positive things can you share with the community, so they can replicate your success.

The Georgia Tech Honeynet is a great tool for helping to secure the campus network. Since all traffic to the Honeynet is suspicious, any packet to the Honeynet originating from within the Georgia Tech address range is likely from a compromised computer, a malicious user, or the campus IDS. We send reports of all computers attempting to connect to the Honeynet to the campus network managers (OIT); they can then take action to keep the network secure by correlating our data with their IDS tools in order to reduce false positives.

The honeywall CDROM has worked out well. When making significant changes to a honeynet, we recommend making the changes in a down

period in case there are configuration issues. Making the transition to the honeywall CDROM during the summer semester proved very beneficial. We also recommend testing any configuration changes on a private network prior to connecting to the internet.

5.2 What mistakes can you share with the community, so they don't make the same mistakes.

Parsing through large data sets can be very time consuming. We need better tools that the community can use to make this analysis easier and more efficient.

6.0 GOALS

=========

6.1 Plans/Goals for next six months.

We are currently working on writing a Know Your Enemy Paper based on a statistical analysis of our data. We also intend to add honeypots to our honeynet within the next few months, with a long term goal of developing a distributed honeynet across the Georgia Tech network. We also plan to develop more elaborate quality analysis tools (in a beta state right now) to share with the community.