-
March 1st, 2004, 04:37 PM
#1
Member
Fascinating Honeypot Result
Hey all - I've begun to examine the data I've captured from my recent honeypot experiments, and have come across something I'd like to show you.
In my final honeypot, I had the following machine exposed to the internet:
-Windows XP (clean install, no patches or service packs)
-DSL connection
-Uptime: Approx 10hrs 15min
-No shares with null passwords
-No firewalls
-No server services running
I was mimicing a home PC with no/little security considerations. This was the third of three deployments (I cycled the DSL between each to ensure a different IP address was assigned to each host). Data capture was done with gateway logs, for incoming and outgoing connection addresses, Etheral for packet dump, and Snort IDS for alert logging.
The W32.gaobot worm eventually brought the PC down when if forced a reboot via the famous RPC exploit, but that's not the interesting part.
18 minutes into the deployment the honeypot starts getting pounded with SYN packets from a single address. This continues for 2 hours and 19 minutes, and effectively kills any and all other communication with the outside world.
Take a look at this chart showing the spike in sustained traffic.
Thereafter, the traffic returned to the expected NetBIOS scans, etc., leading up to the W32.gaobot compromise. This makes me think of a possible strategic scenario:
1) automated scan finds a vulnerable host.
2) DOS launched against host to disallow any others from compromising it until decision can be made.
3) decision is made to compromise host, DOS is stopped, host is compromised.
As I noted, I've changed IP addresses (and operating systems/footprints) between each honeypot, so I don't believe someone would know it's another honeypot and DOS it out of spite.
What's your opinion? I've not seen signatures of DOS attacks in the past, but the scenario above makes some sense to me.. Here's the dump of a single packet from the questionable traffic:
0000 00 08 e3 b9 45 02 00 04 61 a7 b0 a2 88 64 11 00 ....E... a....d..
0010 0f 05 00 2a 00 21 45 00 00 28 31 6f 00 00 80 06 ...*.!E. .(1o....
0020 12 59 44 a2 af d8 8d 9e 74 ef 50 62 13 78 00 00 .YD..... t.Pb.x..
0030 00 00 84 36 26 32 50 14 00 00 aa 85 00 00 ...6&2P. ......
l00p
BTW - I believe the source address of these packets is forged. I saw only DOS traffic from that particular host, and that host sent only DOS traffic.
-
March 1st, 2004, 04:42 PM
#2
That is very interesting. Good post!
-
March 1st, 2004, 04:46 PM
#3
InfiniteLoop,
Interesting project, and yes that approach could well be taken by an attacker. There have been a couple of studies like this conducted and it is amazing the amount of malicous traffic that hits these servers. This is one of the problems when you first implement an IDS on a large corp network, if you put a sensor outside the firewall you see huge volumes of traffic, takes a while to tweak the IDS.
Are you seeing the SYN packets against any particular ports? or across the full range?
Quis custodiet ipsos custodes
-
March 1st, 2004, 05:39 PM
#4
Thats silly tho...
OOOH a open box! Its MINE I say! MINE MINE MINE!
Daffy duck syndrome.
I just find that amazing someone would DoS it so no one else can hack it... lol
guess if you want to zombie it, you gotta "claim" it... sheesh
Remember -
The ark was built by amatures...
The Titanic was built by professionals.
-
March 1st, 2004, 06:14 PM
#5
if you consider that whoever owns it can put an smtp server on it and sell it to spamers its not so silly when you consider how many are in compitition for them...but it is still just a guess.
very interesting InfiniteL00p
do you plan to let it get compromised to see exectly what they will do?
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
March 1st, 2004, 06:21 PM
#6
That is true... I can see some of these spammers paying to use a box thats not blacklisted or ordb... good point
Remember -
The ark was built by amatures...
The Titanic was built by professionals.
-
March 1st, 2004, 06:27 PM
#7
Member
The SYN packets are only coming against TCP 4984-4987, in a seemingly random order (doesn't start and cycle one way). Perhaps this could mean there were more than one hosts sending the packets? (well, that's a shot in the dark assumption to make)
I could see someone DOS a host to grab a machine.. the larger your BOT network, the more powerful your DDoS atacks would be - or as Tedob1 said it would be a great use for a spammer.
I failed to mention, but there only traffic that actually broke through (and only twice in that two hours) were single ping ECHO requests from a particular host (Snort tagged them as being from the CyberKit suite). From a recon perspective, this could the actual attacker checking to see if the machine is still online, as a DOS attack with forged SYN packets would send my honeypot's responses into space... I'm going to check into this more this evening.
l00p
-
March 2nd, 2004, 04:47 PM
#8
Junior Member
Good post InfiniteL00p. Interesting to see how fast a computer can become infected or taken advantage of.
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
|