
Status Report: November 2005 -- April 2006


DEPLOYMENTS

Current honeynets deployed

Currently we have two honeynets, running in different address spaces.

Both honeynets share the same topology, consisting of:

  • An administrative network of three machines: one operating as a transparent bridge, running pf and capturing all traffic entering and leaving the honeynet; one capturing all traffic inside the honeynet; and one dedicated to forensics.

  • The honeynet itself, composed of several machines running different operating systems and services. The following i386 systems were deployed in our honeynets in the past months:

    • 1 OpenBSD 3.4
    • 1 OpenBSD 3.8
    • 4 Linux Red Hat 7.2
    • 3 Linux Fedora Core 3
    • 2 Windows 2000 Server/Windows 2000 Advanced Server (en)
    • 1 Windows 2000 Pro (pt-BR)
    • 1 Windows XP Professional (en)
    • 1 Windows XP Professional (pt-BR)

Current Status of the Brazilian Honeypots Alliance -- Distributed Honeypots Project

The Honeynet.BR team has been deeply involved in the maintenance and expansion of the Brazilian Honeypots Alliance -- a network of distributed low-interaction honeypots (Honeyd) deployed in academic, commercial, governmental and military institutions.

The objective of this project is to increase the capacity of incident detection, event correlation and trend analysis in the Brazilian Internet space.

Since last November, three new institutions have joined the alliance (UPF, Embratel and PoP-PR). The project currently has 34 partner institutions, and 5 more are in the final phase of deployment.

Improvements needed in the technology

  • Sguil is a Network Security Monitoring (NSM) tool that relies on Snort for its alerts. It lets analysts identify and respond to incidents quickly because its GUI makes the network context of an alert easy to see.

    In our tests we found that Sguil lacks better ways to analyze the collected data. This matters because analysts need to gather information about the network traffic in real time.

FINDINGS

Number and type of systems compromised

Three machines were compromised:

  • 1 Windows 2000 Server SP4 (en)
    • Compromised through a flaw in the RPC Endpoint Mapper
  • 2 Linux Red Hat 7.2
    • Compromised through a buffer overflow in OpenSSL

Trends seen in the past months

In the past few months we have seen an increase in the number of brute-force attacks against SSH servers and an increase in bot activity. The rate of scans looking for vulnerable mod_ssl installations is unchanged.
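
Trend statements like the one above come from counting what the sensors see per port over time. The following Python script is an added example written for this report, not code from the Honeynet.BR team or the Alliance's statistics generator (which the page does not show). It takes flow records in a flat constructed format, buckets them into fixed windows of any length (so the same code produces the 24-hour tables and shorter-period ones), and ranks ports by distinct source addresses rather than raw flow count. The sample data is constructed and includes one source hammering port 22, the SSH brute-force pattern noted above; ranking by sources keeps that single host from dominating the table. The record format, the window alignment to the Unix epoch and all addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, one per connection attempt seen by a honeypot (not sensor data
# from the Alliance): "timestamp source destination protocol destination-port", times in UTC.
SAMPLE_FLOWS = """\
2006-04-10T00:05:12 198.51.100.7  192.0.2.10 tcp 22
2006-04-10T00:05:13 198.51.100.7  192.0.2.10 tcp 22
2006-04-10T00:05:14 198.51.100.7  192.0.2.10 tcp 22
2006-04-10T00:41:00 203.0.113.5   192.0.2.11 tcp 445
2006-04-10T01:02:30 203.0.113.9   192.0.2.12 tcp 445
2006-04-10T01:07:45 198.51.100.7  192.0.2.11 tcp 22
2006-04-10T03:20:00 203.0.113.5   192.0.2.10 udp 1434
2006-04-10T03:59:59 203.0.113.77  192.0.2.13 tcp 443
"""

EPOCH = datetime(1970, 1, 1)   # windows are aligned to the Unix epoch (an assumption)


def parse_flows(text):
    """Parse the flat format above into (time, src, dst, proto, dport) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto, int(dport)))
    return flows


def aggregate(flows, window_minutes):
    """Bucket flows into fixed windows; per window and (proto, port) keep the flow count and
    the set of distinct sources. Outer keys are the ISO-8601 window start times."""
    window = timedelta(minutes=window_minutes)
    stats = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "sources": set()}))
    for ts, src, _dst, proto, dport in flows:
        start = EPOCH + ((ts - EPOCH) // window) * window   # floor to the window boundary
        cell = stats[start.isoformat()][(proto, dport)]
        cell["flows"] += 1
        cell["sources"].add(src)
    return stats


def top_ports(table, n):
    """Rank one window's (proto, port) cells by distinct sources, then by flows.
    Ranking by sources stops a single noisy brute-forcer from dominating the table."""
    rows = [(key, cell["flows"], len(cell["sources"])) for key, cell in table.items()]
    rows.sort(key=lambda r: (-r[2], -r[1], r[0]))
    return rows[:n]


def report(text, window_minutes, n=5):
    """Return the ranked per-window tables as printable lines."""
    lines = []
    for start, table in sorted(aggregate(parse_flows(text), window_minutes).items()):
        lines.append(f"window {start} ({window_minutes} min)")
        for (proto, port), flows, sources in top_ports(table, n):
            lines.append(f"  {port}/{proto}: {flows} flows from {sources} distinct sources")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FLOWS, 24 * 60)))   # the current 24-hour style table
    print("\n".join(report(SAMPLE_FLOWS, 60)))        # the same data in hourly windows
```

On the sample, the 24-hour table puts 445/tcp (two sources, two flows) ahead of 22/tcp (one source, four flows); a table ranked by flows alone would invert that and overstate the SSH activity.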

MISC ACTIVITIES

Presenting at conferences

English

  • Distributed Honeypot Deployment in Brazil, Klaus Steding-Jessen, Annual DoD Honeynet Workshop, March 2006, Pasco, WA, United States.
    [PDF presentation]

Portuguese

  • Brazilian Honeypots Consortium (Consórcio Brasileiro de Honeypots), Antonio Montes, Seminar on Technology, Information and Knowledge, 3rd Army Area Telematics Center (Terceiro Centro de Telemática de Área do Exército), April 2006, São Paulo, SP, Brazil.

Tools under development (to be released soon)

  • Improvements in the public statistics. The current public statistics are generated from flows of malicious activity over a 24-hour period. We are working on new public statistics over shorter periods, with more detail on the ports hit and the trends observed.

  • Honeypot deployment automation. The deployment scripts have been modified to automate more of the honeynet deployment, and we added features that also automate the creation of system images.

  • A Honeyd listener that emulates the SOCKS 4/5 protocols, to be used as a spamtrap.
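
As an added illustration of what such a listener does (example code written for this report, not the Honeynet.BR team's tool, which has not been released): a Python script in the shape Honeyd expects of a service script, reading the connection from stdin and writing to stdout. It completes the SOCKS4/4a or SOCKS5 handshake, grants any CONNECT without ever opening an outbound socket, and then plays the SMTP server the client wanted to reach, accepting the envelope and message body and acknowledging delivery while relaying nothing. The SMTP banner, the log format and the two client transcripts at the bottom are constructed; the only protocol facts relied on are the SOCKS4 and RFC 1928 wire formats and Honeyd's stdin/stdout convention for service scripts.

```python
import io
import socket
import struct
import sys

def _read_cstring(rfile):
    """Read bytes up to a NUL terminator; raise on EOF so a truncated request is not misparsed."""
    out = bytearray()
    while not out.endswith(b"\x00"):
        ch = rfile.read(1)
        if not ch:
            raise EOFError("client closed the connection mid-request")
        out += ch
    return bytes(out[:-1])

def read_socks_request(rfile, wfile):
    """SOCKS4/4a or SOCKS5 handshake on a byte stream: grant the CONNECT (opening no outbound
    socket) and return what the client asked for, or None if the bytes are not SOCKS."""
    ver = rfile.read(1)
    if ver == b"\x04":                                   # VN CD DSTPORT(2) DSTIP(4) USERID NUL
        cmd, port, rawip = struct.unpack("!BH4s", rfile.read(7))
        userid = _read_cstring(rfile).decode("latin-1")
        host = socket.inet_ntoa(rawip)
        if rawip[:3] == b"\x00\x00\x00" and rawip[3] != 0:    # SOCKS4a: hostname follows userid
            host = _read_cstring(rfile).decode("latin-1")
        wfile.write(b"\x00\x5a" + struct.pack("!H4s", port, rawip))  # CD=0x5A: request granted
        req = {"version": 4, "cmd": cmd, "host": host, "port": port, "userid": userid}
    elif ver == b"\x05":                                 # VER NMETHODS METHODS... (RFC 1928)
        rfile.read(rfile.read(1)[0])                     # skip the offered auth methods
        wfile.write(b"\x05\x00")                         # choose "no authentication required"
        wfile.flush()
        cmd, _rsv, atyp = rfile.read(4)[1:]              # VER CMD RSV ATYP, then DST.ADDR DST.PORT
        if atyp == 1:                                    # IPv4
            host = socket.inet_ntoa(rfile.read(4))
        elif atyp == 3:                                  # length-prefixed domain name
            host = rfile.read(rfile.read(1)[0]).decode("latin-1")
        else:                                            # IPv6 or garbage: refuse cleanly
            wfile.write(b"\x05\x08\x00\x01" + b"\x00" * 6)   # REP=8: address type not supported
            wfile.flush()
            return None
        port = struct.unpack("!H", rfile.read(2))[0]
        wfile.write(b"\x05\x00\x00\x01" + b"\x00" * 6)   # REP=0: succeeded, BND.ADDR 0.0.0.0:0
        req = {"version": 5, "cmd": cmd, "host": host, "port": port}
    else:
        return None
    wfile.flush()
    return req

def fake_smtp(rfile, wfile):
    """Play the mail server the client asked for: accept everything, deliver nothing."""
    env = {"mail_from": None, "rcpt_to": [], "body": b""}
    wfile.write(b"220 mail.example.net ESMTP\r\n")     # constructed banner
    in_data = False
    while True:
        wfile.flush()
        line = rfile.readline()
        if not line:
            break
        if in_data:                                      # message body until the lone "."
            if line.rstrip(b"\r\n") == b".":
                in_data = False
                wfile.write(b"250 OK: queued\r\n")       # the lie that makes this a trap
            else:
                env["body"] += line
            continue
        verb, reply = line[:4].upper(), b"250 OK\r\n"
        addr = line.partition(b":")[2].strip().decode("latin-1")
        if verb == b"MAIL":
            env["mail_from"] = addr
        elif verb == b"RCPT":
            env["rcpt_to"].append(addr)
        elif verb == b"DATA":
            in_data, reply = True, b"354 End data with <CR><LF>.<CR><LF>\r\n"
        elif verb == b"QUIT":
            reply = b"221 Bye\r\n"
        wfile.write(reply)
        if verb == b"QUIT":
            break
    wfile.flush()
    return env

def handle(rfile, wfile):
    req = read_socks_request(rfile, wfile)               # one connection: SOCKS, then the trap
    return req, (fake_smtp(rfile, wfile) if req and req["cmd"] == 1 else None)

def run_sample(client_bytes):
    """Drive handle() over an in-memory client transcript: (request, envelope, bytes sent back)."""
    rfile, wfile = io.BytesIO(client_bytes), io.BytesIO()
    return (*handle(rfile, wfile), wfile.getvalue())

# Constructed client transcripts (not captured traffic): a SOCKS5 CONNECT to mx.example.org:25
# followed by a spam run, and a SOCKS4 CONNECT to 192.0.2.1:25 with userid "spam".
SAMPLE_SOCKS5 = (b"\x05\x01\x00\x05\x01\x00\x03\x0emx.example.org\x00\x19EHLO spammer\r\nMAIL FROM:"
                 b"<a@example.com>\r\nRCPT TO:<b@example.org>\r\nDATA\r\nSubject: hi\r\n\r\nbuy now\r\n.\r\nQUIT\r\n")
SAMPLE_SOCKS4 = b"\x04\x01\x00\x19\xc0\x00\x02\x01spam\x00QUIT\r\n"

if __name__ == "__main__":        # Honeyd gives a service script the connection on stdin/stdout
    req, env = handle(sys.stdin.buffer, sys.stdout.buffer)
    print("socks:", req, "envelope:", env, file=sys.stderr)   # log to stderr; stdout is the wire
```

In a Honeyd template this would be bound to the proxy port with an `add ... tcp port 1080 "..."` line (the script name and port are assumptions). Two points matter in practice: the script must never open the destination the client asked for, or the honeypot becomes the open relay it pretends to be, and a production version needs read timeouts, since abandoned half-open handshakes otherwise tie up a process each.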

Other

  • Data usage in Incident Handling
    The data collected by these honeypots is being used by CERT.br to notify the administrators of networks involved in malicious activity.

LESSONS LEARNED

Most of the activity we observe is carried out continuously by automated bots and worms.

FUTURE GOALS

In the coming months we intend to focus on the following tasks:

  • Improve the statistics of the Brazilian Honeypots Alliance -- Distributed Honeypots Project;
  • Continuously expand the network of distributed honeypots, gathering new partners and covering a larger portion of the Brazilian Internet address space;
  • Work on the correlation between the data gathered in the honeynet and in the network of distributed honeypots.
Honeynet.BR Project
$Id: 2006.html,v 1.2 2008/01/28 20:27:41 jessen Exp $