Georgia Tech Honeynet Report
(March 15, 2006 -- March 18, 2007)

1.0 DEPLOYMENTS

1.1 Current technologies deployed. Describe anything that you have deployed that is collecting information, including honeynets, client honeypots, honeyd, mwcollect, or anything else honeypot related.

We have expanded our operations and are currently running three honeynets (each with different technologies) and experimenting with a fourth technology. We are still running our wonderful GEN II Honeynet with high-interaction honeypots and nepenthes sensors. We've also started a Global Distributed Honeynet node. Through relationships with the distributed-honeynets guys, William McCammon and Albert Gonzalez, I've started a node on their network. Lastly, we are trying to start a dynamic honeyfarm using a "live" version of the Honeymole technology. Our honeyfarm resembles Xuxian Jiang's Collapsar project.

We still haven't figured out how to use Sebek correctly, so we use trojaned binaries, which seems to work pretty well. We still use our own custom-made reporting program, similar to honeysnap, that we call HoneyReports. We still use the Flow Analysis Database for trend analysis and informational queries.

Our main goal this year was to ease the maintenance of the honeynet (so I can do my thesis work) and to expand our IP visibility through the use of distributed honeynet technologies. Sometime during the winter we had to move our honeynet, and it was down for over a month, our longest outage (by many orders of magnitude) since our honeynet started 5 years ago.

1.2 Activity timeline: Highlight attacks, compromises, and interesting information collected.

The records for reconstructing the timeline are offline at the time of this report. Please tune in later.

2.0 FINDINGS

2.1 Highlight any unique findings, attacks, tools, or methods.

Nothing terribly exciting that we can recall.

2.2 Any trends seen in the past six months.

HTTP

Massive Mambo scan a few weeks back.

SMB

We had an on-campus attack last year, and this year OIT opened the firewall to the honeynet, allowing all the background traffic to come through.

SSH

Stayin' strong, all day long.

1337

We're looking into this, but there are some interesting scans on this port.

2.3 What are you using for data analysis? What is working well, and what is missing, what data analysis functionality would you like to see developed?

We are using our own custom tools for data analysis: HoneyReport, TrojanSSH, Flowtag. Please see Section 4 for more details on our custom tools.

3.0 LESSONS LEARNED

3.1 What new positive things can you share with the community, so they can replicate your success?

We are continuing our work on visualization techniques to aid in honeynet maintenance, attack response, and data trend analysis. To this work we have added an emphasis on post-attack forensics, and we are developing tools that extend the functionality of existing forensic toolkits by providing more information about the events that have transpired on a honeypot.

3.2 What new mistakes can you share with the community, so they don't make the same mistakes?

  1. Documentation: Current documentation of our honeynet is stale; even our webpage is egregiously out of date. We need to develop standard procedures and protocols that are actually executed.
  2. Transition: As our honeynet is deployed and maintained by graduate students, there exists a problem with transition in our environment. When one graduate student ceases to act as the primary administrator of the honeynet, the next graduate student to take on the responsibility should be acclimated to the honeynet environment and community. We are in the process of developing guidelines that should be followed when the honeynet enters this period of transition. These are necessary to ensure the continued existence of our honeynet.
  3. Visibility: Our honeynet has occupied the same IP range for some time. This leads us to believe that there is a good chance of our honeynet having been fingerprinted. In an effort to gain more interesting attacks, we have started participating in GDH and the Distributed Honeynets project, and we are using Honeymole. Also of interest is the LawnShark project, which is described further in Section 4.

3.3 Are there any research ideas you would like to see developed?

More HoneyClient technologies and data analysis techniques.

4.0 NEW TOOLS

4.1 What new tools or technology are you working on?

Current tools for forensic analysis require many hours to understand novel attacks, causing reports to be terse and untimely. We apply visual filtering and tagging of flows in a novel way to address the current limitations of post-attack analysis, reporting, and sharing. We discuss the benefits of visual filtering and tagging of network flows and introduce FlowTag as our prototype tool for Honeynet researchers. We argue that online collaborative analysis benefits security researchers by organizing attacks, enabling collaboration on analysis, forming attack databases for trend analysis, and promoting new security research areas. Lastly, we show three attacks on the Georgia Tech Honeynet and describe the analysis process using FlowTag.
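An added illustration of the tag-based flow organization that the FlowTag idea is built around (example code, not FlowTag's own; the flow record format, the sample flows and the rule set are constructed assumptions, and the tags echo the SSH, HTTP-scan and port-1337 trends noted in Section 2.2):

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int
    tags: set = field(default_factory=set)

# Constructed sample flow records (not captured data): src sport dst dport proto bytes
SAMPLE_FLOWS = """\
10.0.0.5 40211 192.0.2.10 22 tcp 51200
10.0.0.5 40212 192.0.2.10 22 tcp 48000
198.51.100.7 33000 192.0.2.11 80 tcp 1200
198.51.100.7 33001 192.0.2.12 80 tcp 1190
203.0.113.9 51000 192.0.2.10 1337 tcp 60
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        if line.strip():  # one whitespace-separated record per line
            s, sp, d, dp, pr, b = line.split()
            flows.append(Flow(s, int(sp), d, int(dp), pr, int(b)))
    return flows

# Tag rules: the filters an analyst applies and then names (assumed rule set).
RULES = {
    "ssh": lambda f: f.dport == 22,
    "http-scan": lambda f: f.dport == 80 and f.nbytes < 2000,  # short, scan-like HTTP
    "port-1337": lambda f: f.dport == 1337,
}

def tag_flows(flows, rules=RULES):
    # A flow may carry several tags; the tags are what analysts later share.
    for f in flows:
        f.tags.update(name for name, pred in rules.items() if pred(f))
    return flows

def index_by_tag(flows):
    # Tag -> flows: the index a collaborative attack database is queried by.
    idx = defaultdict(list)
    for f in flows:
        for t in f.tags:
            idx[t].append(f)
    return dict(idx)
```

Querying the index by tag is what lets several analysts group flows into one attack record and compare the same tags across reporting periods.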

Honeymole allows a computer to act as a front, doing nothing but forwarding traffic back and forth between the honeynet and the attacker. This is done by using an encrypted tunnel to encapsulate Ethernet, much like the distributed-honeynets project. Chris Lee, of the Georgia Tech Honeynet, originated the idea of placing Honeymole onto a live CD, so that participants would only need to insert the CD during off-usage hours and traffic would be forwarded to the honeynet. Specifically, for each mole, a virtual machine (honeypot) would be allocated at the honeynet Honeymole server to actually participate in any inbound connections to the mole (because the mole forwards the traffic over the VPN to the honeypot). This system allows rapid deployment into many IP spaces, highly flexible allocation of vulnerable virtual machines, and centralized data collection and control.

The second project builds upon a previously proposed project, Live Honeymole, to capture attacks happening on and within the Georgia Tech LAWN IP space. The monitors will receive a LAWN IP and will use a special login provided by OIT (so they can track the nodes, and the nodes won't expire once I graduate or change my password), and they will redirect any traffic directed toward their IP to the honeynet using the Honeymole client. Note that they will not be in promiscuous mode and will not see other people's traffic. Since they forward all traffic to the honeynet, the sensors cannot be accessed or remotely compromised. Since the LAWN is already considered outside the departmental IP space, we believe that no special mitigation mechanisms, beyond our normal rate limiting, are required to reduce the risk to the network.

5.0 PAPERS AND PRESENTATIONS

5.1 Are you working on any papers to be published, such as KYE or academic papers?

None that we can talk about right now.

5.2 Are you looking for any data or people to help with your papers?

We would be happy to discuss ideas for possible publications.

5.3 Where did you publish/present honeypot-related material?

Christopher P. Lee presented "HoneyNet Technologies" at NoVA Sec in March.

Published Paper:
C. P. Lee and J. A. Copeland. Flowtag: a collaborative attack-analysis, reporting, and sharing tool for security researchers. In Proceedings of the 3rd International Workshop on Visualization for Computer Security (Alexandria, Virginia, USA, November 3, 2006). VizSEC '06. ACM Press, New York, NY, 103-108. DOI: http://doi.acm.org/10.1145/1179576.1179597

Accepted Paper:
K. Fairbanks, C. P. Lee, Y. Xia, H. Owen III. TimeKeeper: A Metadata Archiving Method for Honeypot Forensics. Proceedings of the 2007 IEEE Workshop on Information Assurance. United States Military Academy, West Point, NY, 20-22 June 2007.

6.0 ORGANIZATIONAL

6.1 Changes in the structure of your organization.

Kevin Fairbanks will be transitioning to act as the lead of the Georgia Tech HoneyNet, while Christopher Lee will be transitioning to a lesser role. Currently Christopher Lee is the primary honeynet administrator and Kevin Fairbanks is the assistant honeynet administrator; both are responsible for daily maintenance, status reports (including this one), communicating with other alliance members, recruiting researchers, and sharing results. Julian Grizzard has graduated.

7.0 GOALS

  1. Automate Drive imaging
  2. Develop HoneyNet transition protocols
  3. Develop HoneyNet documentation protocols
  4. Further explore forensic tool development
  5. Deploy LawnShark Technology
  6. Deploy Live HoneyMole Technology

7.1 Which of your goals did you meet for the last six months?

None.

7.2 Which of your goals did you not meet for the last six months?

7.3 Goals for the next six months

  1. Better documentation practices
  2. Rapid archiving and deployment of high-interaction honeypot images
  3. Live Honeymole with SSL Redirection
  4. Getting Chris closer to graduation