A Virtual Distributed Honeynet at KFUPM: A Case Study

1. Mohammed Sqalli*, Raed AlShaikh**, Ezzat Ahmed* * Department of Computer Science and Engineering King Fahd University of Petroleum and Minerals Dhahran, Saudi Arabia ** ECC Network Operations Department EXPEC Computer Center (ECC) Saudi Aramco Dhahran 31311, Saudi Arabia A Virtual Distributed Honeynet at KFUPM: A Case Study Aim Introduction • Build a high-interaction honeynet environment at KFUPM’s two main campuses: • The students’ living dorms. • The Computer Engineering College campus • Most enthusiastic and computer-literate intruders are found in the Computer Science and Engineering College. • The aim of our experiment is to explore: • The type of attacks the campuses are exposed to. (DoS, port scanning, …etc). • The most common tools for these attacks. (rsh, ssh, parallel ping, …etc) • The most common source(s) and destination(s) for these attacks. • The feasibility of the design and tools used. • High-interaction honeypots were used: • Collect as much information as possible. • A honeynet is a network set up with intentional vulnerabilities to invite attack, so that an attacker's activities and methods can be studied. • Two commonly used Implementations were tested: • The Honeywall CDROM • KFSensor • VMWare virtualization was used since it offers several advantages as opposed to the use of physical machines: • VMs can be modified more easily than physical machines (software layer). • An administrator can start, stop or clone a VM very easily which is especially important in the case of security. Experimental Results In terms of severity, around 65% of the traffic was considered medium risk, while the remaining 35% was considered low. The high percentage of the medium-level category was due to the fact that the system classifies BitTorrents file sharing, which makes around 70% of the total traffic, as medium risk. This percentage is of no surprise since BitTorrent accounts for an astounding 40-55% of all the traffic on the Internet, and it is expected to be high in the students’ living campuses. Further Enhancements Developed a wrapper that checks these logs, and informs the system administrator for any successful intrusion incident. The script sends emails containing these matched logs. Moreover, we detected a vulnerability attack on the Internet Information Service (IIS) that was installed on the Windows-based honeypots. This vulnerability has the signature KFAGC165421, and indicates that IIS contains a flaw that allows an attacker to cause IIS to return the source code for a script file instead of processing the script. This vulnerability attack traffic was generated by one of the systems in the students’ living campus. Conclusion and Future Work Our experience shows that Honeywall CDROM proved to be a solid tool that is capable of capturing great deal of information and assisting in analyzing traffic on the distributed honeypots. The honeynet designer, nevertheless, needs to consider few issues related to scalability and resource utilization. Out future work includes expanding our honeynet network to include other colleges and campuses in the university and have wider honeynet coverage. This will also require increasing our logging disk space to allow for more logging time, longer logging intervals and thus broader analysis.