26.8.05

New Fields of Application for Honeynets


Finally, my diploma thesis is ready. You can find a preliminary version at www.mmweg.rwth-aachen.de/~thorsten.holz/diploma.pdf, the final version for screen-reading will be finished after my vacation.

An excerpt of the thesis:

"In this thesis we report on the experiences we have collected since the start of the deployment of the honeynet. In addition, we describe several new fields of application for honeynets in order to learn more about security threats in communication networks.

The contributions of this thesis are manifold. Firstly, it serves as the documentation of the activities of the German Honeynet Project. The German Honeynet Project is a voluntary association of researchers and it was founded in June 2004. It is affiliated with the Laboratory for Dependable Distributed Systems and aims at giving honeynet research a solid scientific foundation. Secondly, we introduce a scheme to classify "bots" (a special kind of malware) that is based on the data we have collected with the help of honeypots. We will illustrate the scheme with the help of several examples. Moreover, we show several ways in which attackers actually use bots for spying purposes.

Thirdly, we introduce a general root-cause methodology to prevent "Distributed Denial-of-Service" (DDoS) attacks that uses honeynets. A DDoS attack is an attack on a computer system or network that causes a loss of service to users. Our methodology is one of the first preventive techniques that aim at DDoS attack avoidance, i.e., ensuring that DDoS attacks are stopped before they are even launched. We present an effective approach to DDoS prevention that neither implies a resource arms race nor needs any additional infrastructure.

As a further contribution, we present some preliminary results of a world-wide distributed honeynet. We show how we can identify several attack patterns with the help of this network by means of several examples. In addition, we demonstrate a novel application for honeynets as an early-warning system. It is based on the observation that a honeynet can be used as a kind of burglar alarm system within a communication network. Besides illustrating our ideas, we also present concrete results that we have obtained during a case study. Furthermore, we introduce a new application for honeypots to learn more about attacks against client programs, e.g., attackers that use malicious web sites to exploit web browsers. Preliminary results by other people show that this approach is promising. Finally, we identify some limitations of current honeypots and show how an advanced attacker can try to identify the existence of a honeypot and how a malicious program can detect the presence of a debugger. This is one of the first papers that deals with attacks against honeypots, and we hope that it helps to further evolve the idea of honeypots and to develop improved honeypots."
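The "burglar alarm" idea in the excerpt rests on one property: the honeynet's address range hosts no production service, so no legitimate internal host has a reason to talk to it, and any contact is by construction suspicious. The following is an added example (written for this page, not code from the thesis or the German Honeynet Project) that turns that observation into a detector over a small, constructed flow log. The honeynet prefix 10.0.9.0/24, the flow tuples and the host addresses are all assumptions made up for the illustration; the logic generalizes to any unused prefix and to any flow or firewall log that yields (source, destination, port) triples.

```python
import ipaddress
from collections import defaultdict

# Assumed for this example: the /24 below is dark (handed to the honeynet),
# so nothing legitimate should ever connect into it.
HONEYNET = [ipaddress.ip_network("10.0.9.0/24")]

# Constructed flow log (not real data): timestamp, source, destination, dst port.
FLOWS = [
    ("2005-08-26T10:00:01", "10.0.1.15", "10.0.2.40", 80),   # normal web traffic
    ("2005-08-26T10:00:03", "10.0.1.15", "10.0.2.41", 25),   # normal mail traffic
    ("2005-08-26T10:02:10", "10.0.1.77", "10.0.9.3", 445),   # sweep walks into honeynet
    ("2005-08-26T10:02:10", "10.0.1.77", "10.0.9.4", 445),
    ("2005-08-26T10:02:11", "10.0.1.77", "10.0.9.5", 445),
    ("2005-08-26T10:02:11", "10.0.1.77", "10.0.2.40", 445),  # same sweep hits a real host
    ("2005-08-26T10:05:00", "10.0.1.15", "10.0.9.9", 80),    # single stray connection
]


def in_honeynet(addr, honeynet=HONEYNET):
    """True if the address falls inside one of the honeynet prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in honeynet)


def find_alarms(flows, honeynet=HONEYNET, min_hits=2):
    """Burglar-alarm detector: group honeynet contacts by source host.

    Returns {src: {"targets": [...], "ports": [...]}} for every source that
    touched at least min_hits distinct (honeynet address, port) pairs.
    min_hits=1 is the strict reading of the thesis (any contact is an alarm);
    the default of 2 suppresses a lone mistyped address or misconfiguration
    while still catching a scanning worm or bot, which touches many addresses.
    """
    hits = defaultdict(set)
    for _ts, src, dst, port in flows:
        if in_honeynet(dst, honeynet):
            hits[src].add((dst, port))

    alarms = {}
    for src, pairs in hits.items():
        if len(pairs) >= min_hits:
            alarms[src] = {
                "targets": sorted({d for d, _ in pairs}, key=ipaddress.ip_address),
                "ports": sorted({p for _, p in pairs}),
            }
    return alarms


if __name__ == "__main__":
    for src, info in find_alarms(FLOWS).items():
        print(f"ALARM {src}: {len(info['targets'])} honeynet hosts, ports {info['ports']}")
```

With the constructed log, 10.0.1.77 is reported (three honeynet hosts on port 445, the signature of a sweep) while 10.0.1.15's single stray connection is below the default threshold; lowering min_hits to 1 reports it as well. Note that the alarm fires on the internal scanner, not on the external source of the infection, which is exactly what makes the honeynet useful as an early-warning system inside the network: the first infected machine announces itself the moment it starts looking for neighbours.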