### Spanish Honeynet Project ###
Status report for October 2005 - March 2006

1.0 DEPLOYMENTS
=================

1.1 Current technologies deployed. Describe anything that you have deployed
that is collecting information, including honeynets, client honeypots,
honeyd, mwcollect, or anything else honeypot related.

We have not deployed any new honeynet during this period. We have, however,
made changes to the currently deployed honeypots: we have modified the SSH
server so that it logs the user names and passwords used in brute force
attempts, in order to analyse that data (the standard server logs record the
user names, but not the passwords tried).

1.2 Activity timeline: Highlight attacks, compromises, and interesting
information collected.

Our current honeynet is in the process of being migrated, as we are looking
for a better location. Therefore, we have not collected much data of interest
for this period.

2.0 FINDINGS
=============

2.1 Highlight any unique findings, attacks, tools, or methods.

We have not seen any unique attacks against the honeypots.

2.2 Any trends seen in the past six months.

During the last six months we have noticed a spectacular increase in SSH
brute force attacks. They have grown from 20 connection attempts per day
(median) in 2005 (when we deployed the Linux honeypot) to 398 connection
attempts per day in the last period (October 2005 to May 2006). This year
alone, the median of daily connection attempts has been 537. The maximum
number of connection attempts in a single day was 14.075 (from a single
host!). This is by far more activity than that seen on the other server ports
of the honeynet. Although port 80 sees an increase in activity (from 10
median daily connections to 53 this last quarter), as does port 25 (SMTP,
from 4 median daily connections in 2005 to 16 this quarter), they are far
from the SSH connection numbers. Surprisingly, we do not see any increase in
activity in the DNS service: we have only seen 30 probes since the Linux DNS
server was installed.
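The long-term medians quoted in this section, together with the day-level changes that section 2.3 below says the custom scripts miss (a burst from a single host, or a SYN to a port not seen before, like the 1158/tcp peaks noted further down), as an added example; this is not a script from the Spanish Honeynet Project. It runs on constructed (day, source, port) records rather than real Honeywall logs, and the thresholds (spike_factor, host_share, min_total) are assumptions.

```python
from collections import Counter, defaultdict
from statistics import median

def build_sample():
    """Constructed (day, source, dport) records, not real honeynet data:
    seven quiet days, then a day with a single-host SSH burst and a SYN
    to a port never seen before."""
    recs = []
    for d in range(1, 8):
        recs += [(f"2006-03-0{d}", f"192.0.2.{i}", 22) for i in range(5)]
        recs.append((f"2006-03-0{d}", "198.51.100.1", 80))
    recs += [("2006-03-08", "203.0.113.7", 22)] * 200
    recs.append(("2006-03-08", "203.0.113.9", 1158))
    return recs

def find_anomalies(recs, spike_factor=5, host_share=0.8, min_total=20):
    """Return (baseline, findings). baseline maps port -> median daily
    connection count over the period (the long-trend figure the report
    quotes). findings lists (day, port, kind, detail) for days that stand
    out from it: 'spike' (total > spike_factor x median), 'single-host'
    (one source sent >= host_share of >= min_total attempts) and
    'new-port' (first day a port is seen, after the first day of data).
    The thresholds are assumed values, not the project's."""
    per_day = defaultdict(Counter)            # (day, port) -> Counter(src)
    for day, src, port in recs:
        per_day[(day, port)][src] += 1
    days = sorted({d for d, _ in per_day})
    ports = {p for _, p in per_day}
    baseline = {p: median([sum(per_day.get((d, p), {}).values())  # no new keys
                           for d in days]) for p in ports}
    first_seen = {p: min(d for d, q in per_day if q == p) for p in ports}
    findings = []
    for (day, port), srcs in sorted(per_day.items()):
        total = sum(srcs.values())
        top_src, top_n = srcs.most_common(1)[0]
        if total > spike_factor * max(baseline[port], 1):
            findings.append((day, port, "spike", total))
        if total >= min_total and top_n / total >= host_share:
            findings.append((day, port, "single-host", top_src))
        if first_seen[port] == day and day != days[0]:
            findings.append((day, port, "new-port", total))
    return baseline, findings

if __name__ == "__main__":
    base, found = find_anomalies(build_sample())
    for port, med in sorted(base.items()):
        print(f"port {port}: median {med:g} attempts/day")
    for f in found:
        print("ALERT", *f)
```

On the constructed data the median for port 22 stays at 5 attempts/day even though the burst day carries 200, which is exactly why a median-only trend report hides that day.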
We will try to get our DNS service registered with a valid domain to see
whether the increased exposure makes it the target of more attacks.

Apart from that, we have registered a high number of SYN packets to ports
1158/tcp and (in several peaks) 4489/tcp. The first port is not associated
with any known service, and the second one is used by the well-known Radmin,
a tiny remote administration tool.

2.3 What are you using for data analysis? What is working well, and what is
missing, what data analysis functionality would you like to see developed?

We still do very basic data analysis with the tools we have at our disposal
(the old Honeywall). Until we migrate to the new Honeywall version we do not
know whether the new tools will be good enough, but we hope they are. We have
written some custom scripts for long-term trend analysis, but this way of
looking at the data misses the (sometimes relevant) new activity, which gets
lost in the noise of ongoing activity.

3.0 LESSONS LEARNED
===================

3.1 What new positive things can you share with the community, so they can
replicate your success?

We have found networking and word of mouth to be a good way to get the
project known and to attract people and (hopefully) material resources. The
time we are investing in making the project and the Alliance known is time we
think is very well spent, even if it is deducted from the time spent working
on the honeypots we have deployed.

3.2 What new mistakes can you share with the community, so they don't make
the same mistakes?

Our main mistake has been to depend on a single hosting provider and not to
have a backup provider to move the honeynet deployment to. We are now trying
to solve this issue. It is also now evident that the group can only do so
much without external funding.
We are currently investing time in order to get funding, either from the
Spanish Public Administration (through funded R&D projects that our companies
would carry out) or from IT security companies that might wish to sponsor the
project. Since the people working on the project do not work full time on
honeypot technologies, R&D on our side is not possible unless it is backed by
our companies.

3.3 Are there any research ideas you would like to see developed?

Trend analysis of Honeywall data is really something we would like to see
work on. We would also like to start R&D in the area of wireless honeypot
technology, but we still need stable agreements with the places (companies or
universities) where the honeypots would be installed. Even though we are
thinking of Wi-Fi honeypots, we believe that research in that area could also
be useful for deploying other wireless honeypots (such as Bluetooth).
Deployment of honeypot technologies over IPv6 infrastructures is also going
to be considered as a new R&D area, in order to discover new threats and
identify implementation issues particular to that kind of networking
technology.

4.0 NEW TOOLS
=======================

4.1 What new tools or technology are you working on?

Raul Siles (member of the team) is taking responsibility for leading the
development of the Sebek Linux versions (2.4 and 2.6). He is currently working
on fixing the bugs still open in Bugzilla as well as on implementing new
features. We are trying to get his work funded through an R&D project (see
below).

Javier Fernandez-Sanguino has been working on the OSSIM security information
management system, trying to see whether it would apply to honeypot technology
deployments. Even though it might be useful to set up distributed honeypots,
it does not look mature enough for that task, although some of the
technologies it integrates (RRDtool with anomaly detection) might be of
interest.
He has also done some work on the regression tests of Honeyd (released in
version 1.5), which Niels fleshed out based on the work done at the 2005
Alliance Get Together. He still has to produce proper patches for Niels,
however.

4.2 Would you like to integrate this with any other tools, or are you looking
for help or collaboration with others in testing or developing the tool?

We are trying to work with the worldwide Honeynet testing team in order to
test new Sebek versions extensively prior to their release.

5.0 PAPERS AND PRESENTATIONS
============================

5.1 Are you working on any papers to be published, such as KYE or academic
papers?

One of the team members has developed a complete SANS Stay Sharp course about
GenIII Honeynet deployment. Up to now two sessions have already been run, one
in Madrid, Spain (February 2006) and one in Orlando, USA (March 2006). We
expect many more sessions in the near future.

We have published a two-part article on SecurityFocus about the latest Sebek
version and its integration with GenIII Honeynets:

http://www.securityfocus.com/infocus/1855
http://www.securityfocus.com/infocus/1858

During this period we have also tried to promote GenIII Honeynet technologies
extensively. Specifically, we gave presentations at:

- "I Mesa Redonda Interprofesional sobre Gestión y Seguridad TIC", which took
  place at ESNE (Escuela Superior de Negocios) in Madrid on the 18th of
  January 2006, presenting "Nuevas Tecnologías de Seguridad para 2006:
  Honeynets de 3ª generación" ("New Security Technologies for 2006: Third
  Generation Honeynets").
  http://www.esne.es/eventos.php?id=16&opc=programa&Lang=es

- The lectures of the "GALENSI" (GESTION, AUDITORIA, NORMATIVAS Y
  LEGISLACION EN SEGURIDAD INFORMATICA) subject, part of the university
  degree in Computing offered by EUI-UPM in Madrid for the 2005-2006 academic
  year, presenting "AMENAZAS Y MECANISMOS DE SEGURIDAD EN EL 2006: HONEYNETS
  DE TERCERA GENERACION" ("Risks and security mechanisms in 2006: Third
  generation honeynets"). March 14, 2006.
  http://www.lpsi.eui.upm.es/GANLESI/2005_2006/gconferencia_rsp.htm

A "Botnet Malware Analysis" course was given at the joint FIRST Technical
Colloquium and 17th TF-CSIRT meeting on January 25th, 2006 by Carlos Fragoso
(SHP member) in collaboration with Francisco Monserrat (IRIS-CERT). It mainly
described a behavioural and code-based analysis approach using common
open-source tools. It was a case-based approach using a real-world specimen
obtained from mwcollect/nepenthes probes on the Spanish national research
network.

5.2 Are you looking for any data or people to help with your papers?

We are looking for more useful data in order to start working on our KYE
Spammers paper. We do not have enough data to draw sufficient conclusions on
the use of e-mail addresses as honeytokens.

5.3 Where did you publish/present honeypot-related material?

Described in item 5.1.

6.0 ORGANIZATIONAL
==================

6.1 Changes in the structure of your organization.

The structure of the organization has not changed during the last period. We
do envisage changes in the future, since there are some inactive members in
the group that will need to be substituted or removed.

6.2 Your feedback on Alliance activities.

We have provided feedback on discussions in the Alliance mailing list.

6.3 Any suggestions for improving the Alliance?

Not currently.

7.0 GOALS
=========

7.1 Which of your goals did you meet for the last six months?

- Keep using the parmapatas.net mailing address (in forums, mailing lists,
  surveys, spam unsubscription links, phishing scams...) and study how they
  are being used. Try to obtain data that would be statistically useful.
- Start off again the coordination of the translations of the HIS
  SourceForge project: we have contacted the translators and restarted the
  review process of the currently published papers, although the group is
  not yet working at full speed.

Unfortunately, we have not met any of the other goals included in our last
report.
Nevertheless, we have been involved in other activities related to honeynet
technologies, as described above.

7.2 Which of your goals did you not meet for the last six months?

- Get more active members in the project.
- Relocate the honeynet to a new location, as the ISP no longer provides
  sufficient support.
- Deploy the new Honeywall version (roo) and connect with the Kanga server,
  if available.
- Write a KYE paper on spammers.
- Review the code in the CVS of roo and study its adaptation to Debian or
  other Linux distributions.
- Coordinate a conference in Spain for those people in the IT community and
  universities working on honeypot technology.

7.3 Goals for the next six months

We intend to achieve as many as we can of the goals included in point 7.2. We
are already in active conversations with a new ISP in order to fulfil the
second goal (relocate the honeynet).

One of the main topics for the next (or future) periods is wireless
honeypots. We have made some advances in this area, although they are still
in an early (alpha) definition phase. We hope that the R&D proposal we have
submitted (see below) will get us funding for developing that topic.

We would like to deploy small distributed virtual GenIII Honeynets, with the
future goal of integrating them all using the new (upcoming) Kanga
functionality.

8.0 MISC ACTIVITIES
====================

8.1 Anything else not covered you would like to share.

During this period the local project mailing list had a bit more activity
than in previous periods. It seems some other research groups are starting to
install GenIII Honeynets in Spain due to the promotion performed by our team.

We have also written two different proposals to increase the work within the
group:

- A proposal to the Spanish Ministry of Industry in order to get funding for
  R&D and deployment of honeynet technologies. This proposal amounts to
  (approx.) 800k EUR and involves some of the companies the members of the
  group work for.
  If this proposal goes forward it will be a big boost to the activities of
  the group.
- A proposal to Eurociber, an ISP company that manages the biggest Internet
  Exchange Point in Spain (Espanix, which interconnects the commercial ISP
  providers and routes 70 Gbps). If the proposal goes forward we will be able
  to establish a malware collector at that neutral point.
- An alternative proposal to CESCA, a supercomputing centre which manages a
  regional research network and the CATalunya Neutral Internet eXchange,
  could be made in order to establish activities similar to those described
  in Eurociber's proposal.