Slashdot Mirror


Using Honeypots to Fight Worms

scubacuda writes "Laurent Oudout, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"

13 of 229 comments

  1. Clean infected hosts? by DrEldarion · · Score: 3, Interesting

    Launching counter attacks to clean infected hosts? I see how this could be useful for internal networks where you actually have permission to clean machines, but it had better be restricted to that network, otherwise this could cause some major legal problems...

  2. Even better by Anemomenous+Cowherd · · Score: 2, Interesting

    What about a P2P honeypot network? I'd think that would greatly increase the overall effectiveness.

  3. Reminds me of what AOL did by DaneelGiskard · · Score: 5, Interesting

    Personally I don't like the "launching counter-attacks to clean infected hosts". It reminds me of what AOL did.

    Still what can one do against users who do not care if they have a worm or not? Should we invent a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

    Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

    Oh well, babbled enough, back to work ;)

  4. Re:Counter attacks don't work by IncarnadineConor · · Score: 5, Interesting

    That was proactive, the solution described here is reactive. Rather than using network resources searching for infected computers, it would only respond to infected computers that attempt to infect it. Seems somewhat reasonable to me.

  5. Re:Counter attacks don't work by gorfie · · Score: 5, Interesting

    There's a difference between Welchia and this concept though. Welchia *SEEKS OUT* infected hosts, which is why it was so damaging. The honeypot would only attempt to fix machines that are already infected, it wouldn't probe and spread like Welchia.

    However, as another poster said, it's a lawsuit waiting to happen. Even if the project were technically successful, some schmoe out there would try to abuse it somehow.

  6. Re:idiocy by Afty0r · · Score: 3, Interesting

    On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.


    I understand where you're coming from, but let's take an analogy: in any other walk of life, if you are attacked you are allowed to take reasonable actions to defend yourself.

    If someone comes at you and other people in the street with a knife, you are allowed to wrestle the knife from him. Things such as punching him, pinning him or even breaking his arm might be viewed as perfectly reasonable by a judge - in order to prevent harm.

    In the same vein, we're talking about disarming the offensive person (host) without causing any collateral damage... So why might this not be considered legal by an enlightened society?

  7. fascinating article.. by herrvinny · · Score: 3, Interesting

    This honeypot can either be a "sacrificial lamb" (a normal host without the very latest updates applied on, sacrificed in expectation of an attack), or just a simulation of services.

    If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out? I think it would be better to have a small network of 6-8 computers (wouldn't have to be much, just get a rack off Ebay and a few of those mini-itx components, load em in, don't need a fan, case, etc) and have each computer at varying levels of patches. One computer is patched every day, one patched every two weeks, etc. There isn't enough time to customize a computer to be infected by the worm; by the time you hear about it, the worm has already infested millions of computers.

    They also should look more into that counterstrike idea. Seriously, if you attack my computer, even if you didn't know about the virus, then I have the right to self defense. I'll gladly install some of that counterstrike software when I set up a honeypot. You're PO'ed because I attacked your computer? You attacked me first. I'm only exploiting the same vulnerability the worm did. If you were a SMART web citizen, you would have gotten a firewall to protect yourself from the worm in the first place.

  8. Re:Nice try (with fixed link) by Tom · · Score: 2, Interesting

    How to 0wn the Internet in your Spare Time is a pretty good approach to this as well.

    I've read that one, and it is referenced in my paper. :)

    However, the author makes a good start in terms of preventing that initial spread.

    Chapter 4.5.1 of my paper shows how to circumvent that questionable protection.

    But there are several schools of thought related to detecting anomalous traffic and, for example, shutting it off at source, or automatically rate limiting it.

    That is the correct approach. Until worms earn polymorph capabilities, of course. Unless you are ready to risk a fairly large false positives quota.
    Remember, most of the recent worms spread as web-traffic.

    having to prepare a presentation on, you guessed it, worm spread in corporate networks

    You might want to check out chapter 8.2 of my paper. There I show how to wipe out a corporate LAN in under 60 seconds.

    Yes, I am serious.

    --
    Assorted stuff I do sometimes: Lemuria.org

  9. Honeypot by Anonymous Coward · · Score: 5, Interesting

    I work for a large UK ISP and we have had honeypots in use since the blaster outbreak - they work well.

    If a user is infected and randomly attacks IPs within our network, they eventually hit one of the honeypots. The honeypots flag their account and when they next reconnected they are sent to a 'walled garden' - a dummy DNS RADIUS community where they can only get one webpage, that advises them that they have a virus and provides a download section for removal tools. When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

    There's no legal issues involved with us - we are a residential ISP and stuff like this is covered in T&Cs.
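
    The walled-garden flow this poster describes, as an added example that is not the ISP's code: honeypot hits are resolved to dial-up accounts through RADIUS session records, and the walled garden's apache log is used to release an account once every listed removal tool has been downloaded. The tool paths, account names, addresses and timestamps are all constructed for the example.

```python
import re
from datetime import datetime
# Constructed example, not the ISP's code.  Timestamps use the apache log format.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3}) ')
REQUIRED = {"/tools/blaster_fix.exe", "/tools/rpc_patch.exe"}  # assumed removal-tool paths

def ts(s):  # "01/Jan/2004:08:00:00 +0000" -> timezone-aware datetime
    return datetime.strptime(s, "%d/%b/%Y:%H:%M:%S %z")

# RADIUS accounting records (constructed): account, IP, session start, session stop.
SESSIONS = [
    ("user-a", "10.0.0.5", ts("01/Jan/2004:08:00:00 +0000"), ts("01/Jan/2004:09:00:00 +0000")),
    ("user-b", "10.0.0.9", ts("01/Jan/2004:08:00:00 +0000"), ts("01/Jan/2004:12:00:00 +0000")),
    ("user-a", "10.0.0.7", ts("01/Jan/2004:09:30:00 +0000"), ts("01/Jan/2004:11:00:00 +0000")),
]

def account_for(ip, when):  # RADIUS trace: which account held this IP at that moment?
    for acct, sip, start, stop in SESSIONS:
        if sip == ip and start <= when <= stop:
            return acct
    return None

def flag_from_honeypot(hits, walled):  # each honeypot hit (ip, time) walls the owning account
    for ip, when in hits:
        acct = account_for(ip, ts(when))
        if acct is not None:
            walled.setdefault(acct, set())  # value = removal tools fetched so far
    return walled

def release_from_apache(log_text, walled):  # credit HTTP 200 downloads; release when all fetched
    released = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(4) != "200":
            continue
        acct = account_for(m.group(1), ts(m.group(2)))
        if acct in walled and m.group(3) in REQUIRED:
            walled[acct].add(m.group(3))
            if walled[acct] >= REQUIRED:
                released.append(acct)
                del walled[acct]
    return released

# Constructed sample: user-a hit the honeypot, reconnected as 10.0.0.7 and fetched both
# tools; user-b also hit it but has fetched only one, so it stays walled.
HITS = [("10.0.0.5", "01/Jan/2004:08:30:00 +0000"), ("10.0.0.9", "01/Jan/2004:08:45:00 +0000")]
APACHE_LOG = """\
10.0.0.7 - - [01/Jan/2004:10:00:00 +0000] "GET /tools/blaster_fix.exe HTTP/1.1" 200 12345
10.0.0.7 - - [01/Jan/2004:10:01:00 +0000] "GET /tools/rpc_patch.exe HTTP/1.1" 200 54321
10.0.0.9 - - [01/Jan/2004:10:02:00 +0000] "GET /tools/blaster_fix.exe HTTP/1.1" 200 12345"""
```

    Because the account is resolved from the IP at the time of each event rather than from the IP alone, a user who reconnects with a fresh address is still matched to the right account.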

  10. Yeah... by inertia187 · · Score: 2, Interesting

    I wrote about that too. Mine is implemented using a simple Servlet.

    --
    A programmer is a machine for converting coffee into code.

  11. Re:Counter attacks don't work by Tim+C · · Score: 2, Interesting

    Seems somewhat reasonable to me.

    Unfortunately, what is reasonable and what is legal are not always the same thing. Anyone considering embarking on such a project would be very well advised to consult with a lawyer before getting too far into it.

  12. Nice try indeed - an internet immune system! :-) by Juggler · · Score: 2, Interesting

    Actually, that's only assuming that you have a relatively passive system.

    If you actively update the "defense boxes" with all the latest exploits and then configure it to use its full arsenal to take down any attacking hosts (e.g. by making all exploits simply turn off networking on the target machine), then you'll have a very high success rate indeed. Then only worms exploiting previously unknown holes on otherwise fully patched machines will be able to run unchecked. This raises the bar for worm writers by an order of magnitude... or two.

    Note that I'm suggesting that the "counter attack" would be simply disable networking on the infected host. This is easier to get right than any sort of complex cleanup, thus lowering the odds that you'll break the infected machine. Also, a machine which keeps dropping off the network will eventually get attended to by a technician, who will hopefully disinfect and patch it properly.

    This would also have the beneficial side-effect that worm authors would be forced to close the holes they exploit in order for their worms to live. This would suddenly mean that worms and viruses would be competing against each other instead of coexisting peacefully.

    Frankly I hope someone writes such a thing and a government body or group of white hats simply deploys it. Or both. Then the internet will finally have an immune system.

  13. Re:Counter attacks don't work by t0ny · · Score: 2, Interesting

    It seems perfectly obvious (to me, anyway) that eventually we will reach a point where all this will have to be done by machines; in that light, this is a step in the right direction.

    When you have hackers using automated systems, remote controlled computers, etc, to do their hacking for them, we will eventually reach a point where we, too, will need to use automation to fight them.

    This is the exact same pattern you see in every other area where automation is now being used: nuclear power, jet aircraft, etc. Of course, just as with those fields, people should still be required to know how to do the job manually, but the automation will be an eventual happening in networking. I'm surprised it's taking as long as it has.

    --

    Manipulate the moderator system! Mod someone as "overrated" today.