Slashdot Mirror


Using Honeypots to Fight Worms

scubacuda writes "Laurent Oudout, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"


  1. Honeypot for lawyers by rot26 · · Score: 4, Insightful

    Sounds like a lawsuit waiting to happen, unfortunately.

    --
    To ensure perfect aim, shoot first and call whatever you hit the target
    1. Re:Honeypot for lawyers by nate1138 · · Score: 2, Insightful

      Yeah, but if I do break into your trunk, what the hell are you going to do about it? Go tell the police that somebody stole your stolen laptop?

      In addition, that scenario is flawed. In the theft scenario, the crime is already complete, and what is being done is revenge (which is wrong). I think both of us have flawed analogies. A more accurate representation would be if somebody was breaking into my house, and I hit them with a fucking brick to make them stop.

      --
      Where's my lobbyist? Right here.
    2. Re:Honeypot for lawyers by dollar70 · · Score: 2, Insightful

      I don't know about you people, but even if I was infected by a worm, I'd rather not be hacked "just to clean up the infection"

      Get a clue! If the honeypot system is trying to knock out your computer, you've already been hacked!!! Your computer has gone rogue! In fact, it's almost as bad as the dog jumping the fence and mauling people!

      And don't give that sorry excuse: "so two wrongs make a right, eh?" That's no way to run the internet! The internet is supposed to attempt to fix itself when things break. If that means taking out the noise generated by a mad dog computer, then so be it!

      Hey, it's not like your "infected" computer was doing you or your company much good at that point anyway, so the counter attack is irrelevant.

  2. Counter attacks don't work by bobbabemagnet · · Score: 4, Insightful

    We are all well aware of Welchia and the fact that it caused nearly as much nuisance as Blaster. Let us learn from this and never again release a worm for good purposes.

    1. Re:Counter attacks don't work by David+McBride · · Score: 2, Insightful

      The advantage here is that the server would *only* counter-attack a box with a fix if it was attacked first.

      Although decidedly risky, legally speaking, it would mean that only vulnerable hosts would get contacted and have fixes forcibly deployed on them -- meaning that as the original infection dies down then so too will the number of forced deployments.

      The key problem with the Welchia worm is that it simply didn't go away. It continues to actively probe and scan for vulnerable machines indefinitely -- and enumerating IP addresses and attempting connections to each one generates a lot of traffic.

      No, technically speaking this could be a far better solution than a self-propagating worm. Although not necessarily suitable for the 'net at large, it's definitely viable for, say, a deployment within an organisation which would therefore -- by definition -- own and be permitted to patch all the machines on the local network.

      You still have to be very careful that the forced patch deployment doesn't break something else -- but that's not a new problem.

      I'm going to go read the article now...

    2. Re:Counter attacks don't work by pebs · · Score: 2, Insightful

      I think a honeypot such as this (or any honeypot) would be useful within an internal network. So set it up in your LAN, so that you can find out about a potential worm or intruder earlier. Launching a counterattack would be fine within an internal network, but it would be very foolish to do this on the internet -- that would get you in legal trouble.

      --
      #!/
    3. Re:Counter attacks don't work by silicon+not+in+the+v · · Score: 2, Insightful

      Yeah, unless the worms spoof IP addresses. That is going to open up the legal trouble when the "counter" action starts hitting wrong machines.

      --
      We may experience some slight turbulence and then...explode. -Capt. Mal Reynolds
    4. Re:Counter attacks don't work by davburns · · Score: 2, Insightful

      I look at the life-cycle of a worm as follows:

      • Infancy: The worm starts from one computer, and begins to spread.
      • Adult: The worm has tried all 2^32 addresses in the IPv4 internet. The worm continues to spread, however, as machines come and go, and may "leak" into networks not directly connected to the Internet.
      • Lingering: Patches are available and national news covers the story, so everyone knows they need to update their machines, and almost everyone does. A few leftover machines (unadministered, presumably?) keep the worm alive, though. It continues to infect forever, unless the worm suicides (and the suicide works) as long-dormant machines re-connect to the internet, or are re-installed from media of old OSes.

      Counterattacks are generally not developed fast enough to deploy in the infancy phase, when they might actually be useful in giving admins a little more time to patch. Slowing the spread of a worm might be done just as effectively with standard tar-pit/sticky honey-pot methods.

      Once the worm reaches the adult phase (which could be literally minutes) then all the systems on the Internet that can be infected are already infected. What point could the counterattack have? Sure, it's fun. But it's not a defensive measure (You're either immune, or already infected.) It uses more bandwidth than it saves. Dealing with counterattacks will divert the time and attention of admins from patching -- which is what they need to be doing.

      Counterattacks in the lingering stage may seem tempting, especially as one looks at logs and sees evidence of year-old worms, still in the wild. Surely, no machine should be connected to the Internet while being unmaintained this long, right? I suggest, however, that the cost of these attempts is pretty small, and the potential cost of an attack is pretty big (and a self-replicating attack, even bigger!) If you really want to help, email or telephone some domain or netblock contacts, and/or their upstream ISP.

      So, I don't see any real benefit from counterattacks, no matter how well intentioned. The "patch treadmill" is a terrible way of securing our Internet infrastructure. Unfortunately, it's also the only way we have, right now.
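The life-cycle argument above (and Tom's point further down that a worm reaches most vulnerable hosts before anyone starts analysing it) rests on how fast a random-scanning worm grows. The following is an added example, not code from the thread or from the paper under discussion: a toy logistic ("SI") model of such a worm. The vulnerable population, scan rate and time step are constructed assumptions, not measurements of any real worm; the tar-pit case is modelled simply as a halved effective scan rate, which is the mechanism the comment alludes to.

```python
"""Toy random-scanning worm model (added illustration, not from the thread).

Assumptions, all constructed for this example:
  * targets are picked uniformly from the 2**32 IPv4 space,
  * every infected host issues `scan_rate` probes per second,
  * only `vulnerable` hosts can be infected; all others ignore the probe.
This yields the classic logistic ("SI") growth curve.
"""
import math

ADDRESS_SPACE = 2 ** 32


def simulate(vulnerable, scan_rate, step=1.0, initial=1, horizon=24 * 3600):
    """Euler-step the SI model. Returns [(seconds, infected_hosts), ...]."""
    infected = float(initial)
    t = 0.0
    timeline = [(t, infected)]
    while t < horizon and infected < vulnerable - 0.5:
        # A probe hits a not-yet-infected vulnerable host with probability
        # (vulnerable - infected) / ADDRESS_SPACE; every infected host probes.
        newly = infected * scan_rate * (vulnerable - infected) / ADDRESS_SPACE * step
        infected = min(float(vulnerable), infected + newly)
        t += step
        timeline.append((t, infected))
    return timeline


def time_to_fraction(timeline, vulnerable, fraction):
    """First simulated time at which >= `fraction` of the vulnerable hosts are infected."""
    for t, infected in timeline:
        if infected >= fraction * vulnerable:
            return t
    return None


def infected_fraction_at(timeline, seconds, vulnerable):
    """Infected fraction at time `seconds` (last sample at or before it)."""
    frac = timeline[0][1] / vulnerable
    for t, infected in timeline:
        if t > seconds:
            break
        frac = infected / vulnerable
    return frac


def analytic_time_to_fraction(vulnerable, scan_rate, fraction, initial=1):
    """Closed-form logistic solution, used to sanity-check the simulation."""
    r = scan_rate * vulnerable / ADDRESS_SPACE
    a = (vulnerable - initial) / initial
    return math.log(a * fraction / (1 - fraction)) / r


if __name__ == "__main__":
    N, RATE = 360_000, 100  # constructed: 360k vulnerable hosts, 100 probes/s each
    for label, rate in (("plain", RATE), ("tar-pitted (rate halved)", RATE / 2)):
        tl = simulate(N, rate)
        t90 = time_to_fraction(tl, N, 0.9)
        print(f"{label:26s} 90% infected after {t90 / 60:6.1f} min; "
              f"at 1h: {100 * infected_fraction_at(tl, 3600, N):.1f}%")
```

With the constructed parameters the plain run crosses 90% infection in roughly half an hour, and halving the scan rate (the tar-pit case) roughly doubles that: the model shows why a response that is only built once humans have noticed the worm arrives after the "adult" phase, and why slowing the scanning itself buys proportionally more patching time.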

  3. Counterstrike by pheared · · Score: 1, Insightful

    Will these counterattacks get better QA testing than MS patches?

  4. idiocy by RMH101 · · Score: 5, Insightful

    so you have loads of honeypots out there waiting for worms to exploit them, then you redirect these to "fake services". Whoop-de-hoop.
    I don't think worm writers are going to care very much. If they're spammers, then some more of their spam will go in the bin - but it's not costing them, so who cares?

    On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

  5. Bad Idea by Mortanius · · Score: 4, Insightful

    ...launching counter attacks to clean infected hosts!

    They're just that, 'attacks.' Unauthorized access to users' machines with the intent of installing software without the users' knowledge (even with, it makes no difference.)

    It's a nice idea in spirit, the Community (I hate that term) working to automatically protect those who can't help themselves (sounds rather elitist, doesn't it). But in the end, it's no better than your average hacker / skript kiddie futzing around with your machines.

  6. Re:Reminds me of what AOL did by ekephart · · Score: 2, Insightful

    You may get into legal trouble for FIXING an attacker's computer. You can bet though if they don't patch, then they don't turn off unnecessary services either. Enter Windows Messaging Service. Just send them a quick note stating that their machine is infected and they would be best served to patch it.

    --
    sig
  7. legal way to have internet connection shutoff by Dark+Fire · · Score: 5, Insightful

    Welchia proved that good intentions can be disastrous. Even well-intentioned actions could damage someone's livelihood or equipment and open up the vigilante to criminal/civil penalties. A better approach would be a quick legal remedy that would permit one party to obtain a court order ordering the ISP of another party to cut off their internet access until they complied with the remedy (fixing the issue). The ISP is given 10 business days to notify the customer of the court order. An ISP could then try and verify the claim and file a response themselves if they find the claim unsubstantiated, or they could pass on the claim to the customer who would then be responsible for replying. If the customer or ISP replied without properly addressing the claim or fixing the issue, they would be liable for criminal penalties and fines under the law. Wow, this whole idea ended up sounding kind of draconian which is not at all what I was going for. Any thoughts?

  8. Know your enemy by Twillerror · · Score: 3, Insightful

    Half the time we don't know our network is infected until it is too late, or someone complains the internet is slow.

    Just having a honeypot that can alarm us to what boxes are infected is a big plus. We can take it from there.

    Somehow taking the computer off the network would be a bonus as well. I wish our firewall had this functionality.

  9. Nice try (with fixed link) by Tom · · Score: 5, Insightful

    It is a nice attempt at active worm defense.

    Unfortunately for him, I have just published a paper that shows that and how future worms will be much too fast for his - or anyone else's - manual defense methods.

    In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

    As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

    Sorry.

    --
    Assorted stuff I do sometimes: Lemuria.org
  10. Attractive Nuisance by supersmike · · Score: 2, Insightful

    The Internet in general is an attractive nuisance to script kiddies.

  11. Re:Automatic firewall definition update by fuzzybunny · · Score: 2, Insightful
    Good luck. Name me one product you'd trust to automatically adjust your perimeter security.

    I nearly wet myself laughing when I first saw ISS present their ideas of reactive firewall configuration based on IDS alerts. There are a number of serious issues with this school of thinking, understandable though the initial logic may be.

    First off, there is currently no single piece of software in existence smart enough to intelligently distinguish malicious traffic with a high enough degree of reliability to trust it not to fuck up legitimate business operations.

    Second, there are good tools out there (e.g. Snort & co.), but they're very often misconfigured--IDS are often "alibi" exercises, to allow a company to check a tick-box on an audit report ("yeah, we have an IDS. NEXT?")

    Third, the moment you find someone using such a tool, assuming it existed, consider the possibilities to DoS a large corporation or network by just making it think it's under attack. You wouldn't even actually need to hit it particularly hard. You'd just make their super-duper IDS Black ICE Skynet AI shit its pants and think it's getting hammered, and decide to close down. Bang, objective achieved without even having to write a working exploit.

    --
    Cole's Law: Thinly sliced cabbage
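Twillerror's comment above asks for a honeypot that simply alarms on which internal boxes are infected; fuzzybunny's warns that wiring such alarms straight into the perimeter invites self-inflicted denial of service. The block below is an added example, not from the thread, the paper or any product named in it: it triages constructed honeypot log lines so that every contact raises an alert for a human, while an automatic quarantine recommendation is only issued when corroborated by several hits across more than one sensor, never for hosts on a protected list, and never for more than a capped number of hosts per run. The log format, addresses and policy numbers are all constructed assumptions.

```python
"""Honeypot-alert triage with brakes against self-inflicted DoS.

Added example, not from the thread. The log line format, the addresses and
the policy thresholds below are constructed for illustration; no real
honeypot writes exactly this format.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) honeypot=(?P<hp>\S+) src=(?P<src>\d+\.\d+\.\d+\.\d+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\S+)$"
)

# Constructed sample: three internal hosts touch two honeypots on ports that
# no legitimate client has any reason to use on those machines.
SAMPLE_LOG = """\
2004-03-10T09:00:01 honeypot=hp-a src=10.0.5.23 dport=135 proto=tcp
2004-03-10T09:00:02 honeypot=hp-a src=10.0.5.23 dport=445 proto=tcp
2004-03-10T09:00:02 honeypot=hp-b src=10.0.5.23 dport=135 proto=tcp
2004-03-10T09:00:03 honeypot=hp-b src=10.0.5.23 dport=139 proto=tcp
2004-03-10T09:00:03 honeypot=hp-a src=10.0.5.23 dport=135 proto=tcp
2004-03-10T09:00:10 honeypot=hp-a src=10.0.0.1 dport=135 proto=tcp
2004-03-10T09:00:10 honeypot=hp-b src=10.0.0.1 dport=445 proto=tcp
2004-03-10T09:00:10 honeypot=hp-a src=10.0.0.1 dport=135 proto=tcp
2004-03-10T09:00:10 honeypot=hp-b src=10.0.0.1 dport=445 proto=tcp
2004-03-10T09:00:11 honeypot=hp-a src=10.0.0.1 dport=139 proto=tcp
2004-03-10T09:00:30 honeypot=hp-a src=10.0.7.8 dport=80 proto=tcp
"""

POLICY = {
    "min_hits": 4,                 # corroboration: one stray packet is not a worm
    "min_honeypots": 2,            # ...and it must have hit more than one sensor
    "never_block": {"10.0.0.1"},   # constructed gateway/DNS: isolating it is self-DoS
    "max_quarantine_per_run": 5,   # brake: a flood of alerts cannot empty the LAN
}


def parse(log_text):
    """Parse honeypot log lines; malformed lines are skipped, never guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "honeypot": m["hp"],
            "src": m["src"],
            "dport": int(m["dport"]),
            "proto": m["proto"],
        })
    return events


def summarize(events):
    """Per-source counters: how often, from how many sensors, on which ports, when."""
    summary = defaultdict(lambda: {"hits": 0, "honeypots": set(), "dports": set(),
                                   "first": None, "last": None})
    for e in events:
        s = summary[e["src"]]
        s["hits"] += 1
        s["honeypots"].add(e["honeypot"])
        s["dports"].add(e["dport"])
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
    return dict(summary)


def triage(summary, policy=POLICY):
    """Split sources into: alert (tell an admin), quarantine (corroborated and
    safe to isolate), withheld (looked quarantine-worthy, but a brake stopped it)."""
    alerts, candidates, withheld = [], [], []
    for src, s in summary.items():
        alerts.append(src)  # any honeypot contact deserves a human's attention
        if s["hits"] < policy["min_hits"] or len(s["honeypots"]) < policy["min_honeypots"]:
            continue        # uncorroborated: alert only, no automatic action
        if src in policy["never_block"]:
            withheld.append((src, "protected host"))
            continue
        candidates.append(src)
    candidates.sort(key=lambda src: -summary[src]["hits"])  # noisiest first
    cap = policy["max_quarantine_per_run"]
    quarantine = candidates[:cap]
    withheld.extend((src, "rate limit") for src in candidates[cap:])
    return {"alert": sorted(alerts), "quarantine": quarantine, "withheld": withheld}


if __name__ == "__main__":
    result = triage(summarize(parse(SAMPLE_LOG)))
    for key in ("alert", "quarantine", "withheld"):
        print(f"{key:10s} {result[key]}")
```

On the constructed sample, 10.0.5.23 is the only host that gets a quarantine recommendation; 10.0.0.1 shows the same pattern but is withheld as a protected host, and the single connection from 10.0.7.8 raises nothing more than an alert. Each brake maps to one of fuzzybunny's objections: corroboration against misclassified traffic, the protected list against isolating something the network cannot do without, and the per-run cap against an attacker, or a misconfigured sensor, tripping the system into shutting the network down.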
  12. Legal implications of counter-attack? NOT! by Not_Wiggins · · Score: 2, Insightful

    To be perfectly honest, there's no legislation to go after the "Joe Average Infected Computer User" for spreading the original worm. What makes you think they'd be all set to jump on (supposed) "White Hats" with systems that only respond to attacks in an effort to stem them (technically "illegal" or not)?

    Before I had a webserver up-n-running doing useful stuff, I had Code Red Vigilante running on port 80; it felt good knowing that machines that had tried to infect me were being warned that they were infected... you know, trying to be a good netizen and enlighten my fellow surfer.

    Of course, I was able to do that because I could look through the Java code I was installing and determine exactly what that code was doing (ie, not fall victim to a socially engineered attack where I mistakenly INSTALL someone's worm code on my computer!)

    No... the real question won't be how this all gets sorted out legally; we'll figure out how to use technology to stop this crap before any law gets passed to "protect me."

    The real question will be how do we protect the average person in the interim without making them easily exploitable targets for malicious anti-worm code that is, in essence, a socially-engineered worm attack in its own right.

    --
    Diplomacy is the art of saying, "Nice doggie!" until you can find a rock.
  13. Re:Reminds me of what AOL did by back_pages · · Score: 2, Insightful

    I'm not sure a license to use the internet is the right solution, but there IS a huge issue of accountability these days.

    I'm all for privacy and anonymity, but when 1 anonymous person has the potential to introduce a virus that can bring down a corporation's network (or neighborhood's broadband access) through sheer negligence, I very strongly start to question the limits of that privacy.

    Of course, a fantastic solution to the problem would be software that doesn't have 59,000 exploits and so many features designed to "Help You Out" that actually "Screw You Sideways"; with that, we probably wouldn't be having this discussion. I can't wait for the days when operating systems are bundled 1.) for clueless home users, 2.) for clueful home users, and 3.) for geeks/programmers/sysadmins/et cetera. Then Grandma, 13 year old file sharers, and non-technical corporate workers can be given plastic flatware for software rather than chainsaws and electric knives.

    Anyway, something should be done. 5 years ago I would have been vehemently against any type of internet license but these days I'm beginning to think that the solution will be that or an operating system that functions under the assumption that the end user will have no idea if his computer is hacked, hijacked, trojaned, or back doored.

  14. Re:Honeypot by mbklein · · Score: 2, Insightful

    When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

    So as long as I get my prescription filled, you'll let me out of quarantine? Great! I don't actually have to take my antibiotics, as long as they're nearby.

  15. Re:Honeypot by VertigoAce · · Score: 2, Insightful

    I assume that they can get themselves quarantined again if they continue to disrupt the network. And I'd imagine that your account would be flagged so that an administrator would know it's been taken off more than once.