Slashdot Mirror


Using Honeypots to Fight Worms

scubacuda writes "Laurent Oudout, an active member of the French Honeynet Project (part of the Honeynet Alliance), has written a paper evaluating the usefulness of using honeypots in fighting Internet worms. (Imagine a well-constructed honeypot framework capturing a worm, redirecting worm traffic to fake services, and launching counter attacks to clean infected hosts!)"

20 of 229 comments

  1. Honeypot for lawyers by rot26 · · Score: 4, Insightful

    Sounds like a lawsuit waiting to happen, unfortunately.

    --
    To ensure perfect aim, shoot first and call whatever you hit the target
    1. Re:Honeypot for lawyers by zasos · · Score: 3, Informative

      never mind... RTFA :) here's what it says in the article: Honeypots are computer elements helping to delude aggressors. On a production network, evil hackers will attack some kind of fake system, losing time in doing so and giving information about themselves and their methods [ref 4]. When a honeypot is a dedicated host uniquely used to delude aggressors, it is supposed to play no role linked to systems in production. This implies that every request directed to the honeypot is suspect. While honeypots are often thought to be used for passive analysis, they can also play an interactive role to deal with worms. Two kinds of honeypots are often used: high interaction: a kind of real host is usually almost sacrificed (called a "sacrificial lamb") on a network while waiting for any aggressor. Low interaction: services and/or hosts are simulated (for example, Honeyd by Niels Provos).

      --
      Just because I don't care, it doesn't mean I don't understand. Homer J. Simpson
    2. Re:Honeypot for lawyers by SirLantos · · Score: 3, Informative

      A honeypot is a server that is intentionally left insecure to lure a cracker into trying to break into it.
      It is kind of like leaving your car doors unlocked in the middle of NYC and pointing a video camera at it to see who tries to steal it.

      --
      The flying hamster of DOOM rains coconuts on your pitiful city.
  2. Counter attacks don't work by bobbabemagnet · · Score: 4, Insightful

    We are all well aware of Welchia and the fact that it caused nearly as much nuisance as Blaster. Let us learn from this and never again release a worm for good purposes.

    1. Re:Counter attacks don't work by IncarnadineConor · · Score: 5, Interesting

      That was proactive, the solution described here is reactive. Rather than using network resources searching for infected computers, it would only respond to infected computers that attempt to infect it. Seems somewhat reasonable to me.

    2. Re:Counter attacks don't work by gorfie · · Score: 5, Interesting

      There's a difference between Welchia and this concept though. Welchia *SEEKS OUT* infected hosts, which is why it was so damaging. The honeypot would only attempt to fix machines that are already infected, it wouldn't probe and spread like Welchia.

      However, as another poster said, it's a lawsuit waiting to happen. Even if the project were technically successful, some schmoe out there would try to abuse it somehow.

  3. Worms too?! by MeanE · · Score: 4, Funny

    And here I thought they only caught bears named Poo.

  4. Clean infected hosts? by DrEldarion · · Score: 3, Interesting

    Launching counter attacks to clean infected hosts? I see how this could be useful for internal networks where you actually have permission to clean machines, but it had better be restricted to that network, otherwise this could cause some major legal problems...

  5. Reminds me of what AOL did by DaneelGiskard · · Score: 5, Interesting

    Personally I don't like the "launching counter-attacks to clean infected hosts". It reminds me of what AOL did.

    Still what can one do against users who do not care if they have a worm or not? Should we invent a driving-license thing for the internet, with fines for disregarding the rules? But then we would have the "internet must stay free"-activists on it again :-/

    Personally I'd vote for some sort of internet driving license, without having thought much about it. But it feels like the right thing.

    Oh well, babbled enough, back to work ;)

  6. idiocy by RMH101 · · Score: 5, Insightful

    so you have loads of honeypots out there waiting for worms to exploit them, then you redirect these to "fake services". Whoop-de-hoop.
    I don't think worm writers are going to care very much. If they're spammers, then some more of their spam will go in the bin - but it's not costing them, so who cares?

    On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

    1. Re:idiocy by Afty0r · · Score: 3, Interesting

      On top of this you are definitely on crack if you think that "launching counter attacks to clean infected hosts!" is a) a good idea or b) legal.

      I understand where you're coming from, but let's take an analogy: in any other walk of life, if you are attacked you are allowed to take reasonable actions to defend yourself.

      If someone comes at you and other people in the street with a knife, you are allowed to wrestle the knife from him. Things such as punching him, pinning him or even breaking his arm might be viewed as perfectly reasonable by a judge - in order to prevent harm.

      In the same vein, we're talking about disarming the offensive person (host) without causing any collateral damage... So why might this not be considered legal by an enlightened society?

  7. Smokey the Bear says... by Anonymous Coward · · Score: 3, Funny

    When using your honeypot at the campgrounds, always practice safety.
    Surround your honeypot with rocks to keep the fire from spreading. Be sure when
    you're done with your honeypot to put it out with a bucket of water and make
    sure it has stopped smoking before you leave the area.

    Remember what Smokey the Bear says. Only you can prevent your honeypot from starting a forest fire.

  8. Bad Idea by Mortanius · · Score: 4, Insightful

    ...launching counter attacks to clean infected hosts!

    They're just that, 'attacks.' Unauthorized access to users' machines with the intent of installing software without the users' knowledge (even with, it makes no difference.)

    It's a nice idea in spirit, the Community (I hate that term) working to automatically protect those who can't help themselves (sounds rather elitist, doesn't it). But in the end, it's no better than your average hacker / skript kiddie futzing around with your machines.

  9. legal way to have internet connection shutoff by Dark+Fire · · Score: 5, Insightful

    Welchia proved that good intentions can be disastrous. Even well-intentioned actions could damage someone's livelihood or equipment and open up the vigilante to criminal/civil penalties. A better approach would be a quick legal remedy that would permit one party to obtain a court order ordering the ISP of another party to cut off their internet access until they complied with the remedy (fixing the issue). The ISP is given 10 business days to notify the customer of the court order. An ISP could then try and verify the claim and file a response themselves if they find the claim unsubstantiated, or they could pass on the claim to the customer who would then be responsible for replying. If the customer or ISP replied without properly addressing the claim or fixing the issue, they would be liable for criminal penalties and fines under the law. Wow, this whole idea ended up sounding kind of draconian which is not at all what I was going for. Any thoughts?

  10. Know your enemy by Twillerror · · Score: 3, Insightful

    Half the time we don't know our network is infected until it is too late, or someone complains the internet is slow.

    Just having a honeypot that can alarm us to what boxes are infected is a big plus. We can take it from there.

    Somehow taking the computer off the network would be a bonus as well. I wish our firewall had this functionality.

  11. Nice try (with fixed link) by Tom · · Score: 5, Insightful

    It is a nice attempt at active worm defense.

    Unfortunately for him, I have just published a paper that shows that and how future worms will be much too fast for his - or anyone else's - manual defense methods.

    In short, I've demonstrated that by the time he's starting to analyze the worm, it has already infected 90%+ of the vulnerable machines.

    As soon as worm writers acquire some coding skills (most of the past worms were pathetic), all defenses that require manual actions will be too slow.

    Sorry.

    --
    Assorted stuff I do sometimes: Lemuria.org

  12. Yes, imagine that.. by kcm · · Score: 5, Informative

    wait, here it is.

  13. fascinating article.. by herrvinny · · Score: 3, Interesting

    This honeypot can either be a "sacrificial lamb" (a normal host without the very latest updates applied on, sacrificed in expectation of an attack), or just a simulation of services.

    If a host had the latest patches applied, wouldn't it be immune from attack? Didn't MS release the patch for the RPC exploit months before the virus came out? I think it would be better to have a small network of 6-8 computers (wouldn't have to be much, just get a rack off eBay and a few of those mini-itx components, load 'em in, don't need a fan, case, etc) and have each computer at varying levels of patches. One computer is patched every day, one patched every two weeks, etc. There isn't enough time to customize a computer to be infected by the worm; by the time you hear about it, the worm has already infested millions of computers.

    They also should look more into that counterstrike idea. Seriously, if you attack my computer, even if you didn't know about the virus, then I have the right to self defense. I'll gladly install some of that counterstrike software when I set up a honeypot. You're PO'ed because I attacked your computer? You attacked me first. I'm only exploiting the same vulnerability the worm did. If you were a SMART web citizen, you would have gotten a firewall to protect yourself from the worm in the first place.

  14. Honeypot by Anonymous Coward · · Score: 5, Interesting

    I work for a large UK ISP and we have had honeypots in use since the blaster outbreak - they work well.

    If a user is infected and randomly attacks IPs within our network, they eventually hit one of the honeypots. The honeypots flag their account and when they next reconnect they are sent to a 'walled garden' - a dummy DNS RADIUS community where they can only get one webpage, that advises them that they have a virus and provides a download section for removal tools. When they have downloaded all necessary patches, they are automatically removed from the walled garden (using apache logs and RADIUS trace IPs to link the download with their account) and allowed back on the network.

    There's no legal issues involved with us - we are a residential ISP and stuff like this is covered in T&Cs.
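The flag-quarantine-release flow the ISP poster describes (honeypot hit, RADIUS session lookup, walled garden, release once the removal tools have been fetched), as an added example that is not part of the post; the log formats, the RADIUS session table and the required-download list are constructed assumptions, and a real deployment would read them from the sensor and RADIUS accounting feeds.

```python
import re

# Constructed sample data (not from the post): honeypot connection log, RADIUS-style
# session table (client IP -> account) and the walled-garden web server's Apache log.
HONEYPOT_LOG = """\
2004-03-10T10:01:12 honeypot-3 TCP 10.20.0.77:3211 -> 10.20.9.9:135
2004-03-10T10:01:13 honeypot-3 TCP 10.20.0.77:3212 -> 10.20.9.9:445
2004-03-10T10:04:41 honeypot-1 TCP 10.20.4.5:51002 -> 10.20.9.1:135
"""
RADIUS_SESSIONS = {"10.20.0.77": "user-alice", "10.20.4.5": "user-bob"}
GARDEN_LOG = """\
10.20.0.77 - - [10/Mar/2004:10:16:40 +0000] "GET /tools/removal.exe HTTP/1.1" 200 90112
10.20.4.5 - - [10/Mar/2004:10:18:05 +0000] "GET /tools/removal.exe HTTP/1.1" 404 210
10.20.0.77 - - [10/Mar/2004:10:20:11 +0000] "GET /tools/rpc-patch.exe HTTP/1.1" 200 2301
"""
# Downloads that must all complete (HTTP 200) before an account leaves the garden.
REQUIRED_DOWNLOADS = {"/tools/removal.exe", "/tools/rpc-patch.exe"}
HONEYPOT_RE = re.compile(r"^\S+ (\S+) TCP (\d+\.\d+\.\d+\.\d+):\d+ -> \S+:(\d+)$")
APACHE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) \S+" (\d{3}) \d+$')

def flag_accounts(honeypot_log, sessions):
    """Every hit on a honeypot is suspect: map source IP -> account and record the hit."""
    flagged = {}
    for line in honeypot_log.splitlines():
        m = HONEYPOT_RE.match(line)
        if not m:
            continue  # ignore malformed lines rather than guessing
        sensor, src_ip, dst_port = m.groups()
        account = sessions.get(src_ip)
        if account:
            flagged.setdefault(account, set()).add((sensor, int(dst_port)))
    return flagged

def completed_downloads(garden_log, sessions):
    """Successful fetches from the walled-garden server, keyed by account."""
    done = {}
    for line in garden_log.splitlines():
        m = APACHE_RE.match(line)
        if not m or m.group(3) != "200":
            continue  # a 404 or a partial fetch does not count as remediation
        account = sessions.get(m.group(1))
        if account:
            done.setdefault(account, set()).add(m.group(2))
    return done

def walled_garden_state(honeypot_log, garden_log, sessions, required):
    """Flagged accounts still quarantined versus those that finished remediation."""
    flagged = flag_accounts(honeypot_log, sessions)
    done = completed_downloads(garden_log, sessions)
    released = {a for a in flagged if required <= done.get(a, set())}
    return {"quarantined": sorted(set(flagged) - released), "released": sorted(released)}
```

The RADIUS mapping is the weak link in practice: if the session table is stale (the dynamic IP has been reassigned) the wrong account is flagged, so the lookup should be keyed on the session active at the hit's timestamp, not just the IP.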

  15. Good article by lamj · · Score: 4, Informative

    Overall a very good article. The article could have touched upon the ability for honeypots to help create IDS signatures. At the current technology level, IDSes are mostly still signature based, and early detection with honeypots to help with creating IDS signatures is very important.

    For active countermeasures (or attacks), this has to be done VERY carefully. Remember Max Vision? It's good to fix your own machines, and make sure you only attack and fix yours. Access to unauthorized machines is almost always illegal. If one of your boxes got hacked, the incident response team should get involved and do their investigation; auto-patching without investigation can be a risky thing because you just don't know the extent of the problem. When you fix it, the hacker could have a backdoor installed on your box.