Tomas Sochor

Study of Internet Threats and Attack Methods Using Honeypots and Honeynets

The number of threats from the Internet has been growing in the recent period and every user or administrator should protect against them. For choosing the most suitable protection the detailed information about threats are required. Honeypots and honeynets are effective tools for obtaining details about current and recent threats. The article gives an introduction into honeypots and honeynets and shows some interesting results from initial 3-months period of the implementation of a small honeynet made of 3 Dionaea and one Kippo low-interaction honeypots. Basic conclusions regarding the amount of currently actively spread malware and their type are formulated.

Greylisting method analysis in real SMTP server environment – Case-study

Greylisting is a method for protection against unsolicited electronic mail messages (SPAM) based on the combination of white lists and temporary deferring of incoming messages from new sources. The idea is quite simple and the method proved to be surprisingly efficient but there are some issues to be concerned with. One of the most important issues is possible efficiency decay through a long-term period. Therefore the investigation of the efficiency of the method throughout longer period was done Also various other factors of the greylisting method application were studied and are discussed.

Attractiveness Study of Honeypots and Honeynets in Internet Threat Detection

New threats from the Internet emerging every day need to be analyzed in order to prepare ways of protection against them. Various honeypots combined into honeynets are the most efficient tool how to lure, detect and analyze threats from the Internet. The paper presents recent results in honeynet made of Dionaea (emulating Windows services), Kippo (emulating Linux services) and Glastopf (emulating website services) honeypots. The most important result consists in the fact that the differentiation among honeypots according to their IP address is relatively rough (usually two categories, i.e. academic and commercial networks, are usually distinguished, but the type of services in commercial sites is taken into account, too). Comparisons of results to other similar honeynets confirms the validity of the paper main conclusions.

Anonymization of Web Client Traffic Efficiency Study

Anonymization in the sense of hiding the originator of the web request could be sometimes useful and it can be done using various commercial and public domain tools. The adverse aspect of anonymization is that the anonymized traffic is significantly slower than normal one. The study focused to describe the slowing down and to quantify its rate is presented in this article. The best known free anonymization tools were involved in the study, namely TOR, JAP and I2P. The set of files was formed and their download transmission speed was measured with and without use of anonymization. Also the set of webpages was formed where both latency and transmission speed were measured. All the measurements were done at the application layer. The final comparison showed that the TOR remains to be the best tool for anonymization despite the fact that JAP excelled in latency. The price paid for anonymization also remains to be quite high because it was confirmed that at least 90% transmission speed decrease is inseparable from using free anonymization tools.

Definition of Attack in the Context of Low-Level Interaction Server Honeypots

Honeypots play an important role in network security, since they obtain information about attackers, their targets, methods, and tools. This paper offers a discussion about the definition of attack. The main matter of discuss is when an activity is considered to be an attack. Paper only focuses on low-level interaction server honeypots and outlines the definition of attack from the perspective of windows service emulation and Linux SSH services emulation.

Analysis of attackers against windows emulating honeypots in various types of networks and regions

The paper is devoted to an analysis of a one-year-long period of operation of a honeynet composed of 6 Dionaea honeypots emulating Windows services. The analysis focused on the frequency of attacks according to the location of individual honeypots (sensors) as well as to the geographical location of attackers. From the statistical processing of the results, it was demonstrated that the most frequently attacking malware was well-known Conficker worm. Moreover, attacking OS were studied with the conclusion that Windows is the most frequent OS. Regarding the geographical location of the attackers, several non-western countries and autonomous systems were indicated as being the most frequent origin of the attacks.

Improving efficiency of e-mail communication via SPAM elimination using blacklisting

Despite suggestions that the global ratio of unsolicited e-mail messages (SPAM) has been decreasing recently, the SPAM ratio values measured in individual SMTP servers have not confirmed this trend. Blacklisting can eliminate a part of SPAM even before their delivery. A multilevel anti-SPAM mechanism is described and the behavior and efficiency of blacklisting using DNSBL is analyzed. Drawbacks of DNSBL blacklisting and the potential of their elimination are discussed, too. The efficiency of DNSBL application in a specific mail server and its comparison to the efficiency of other SPAM blocking techniques is also presented.

Greylisting — long term analysis of anti-SPAM effect

Greylisting is a popular method for protection against SPAM messages since 2003. It often complements other methods (usually search-based ones). This article describes results of the analysis of the efficiency of greylisting performed by Postgrey throughout long period (over 2 years). Also other aspects of greylisting like the real delay in greylisted message delivery are analyzed and results are presented in the article.

Behavioral Analysis of Bot Activity in Infected Systems Using Honeypots

New Internet threats emerge on daily basis and honeypots have become widely used for capturing them in order to investigate their activities. The paper focuses on a detailed analysis of the behavior of various attacks agains 7 Linux–based honeypots. The attacks were analyzed according to the threat type, session duration, AS, country and RIR of the attack origin. Clusters of similar objects were formed accordingly and certain typical attack patterns for potential detection automation as well as some aspects of threat dissemination were identified.

High-Interaction Linux Honeypot Architecture in Recent Perspective

High-interaction honeypots providing virtually an unlimited set of OS services to attackers are necessary to capture the most sophisticated human-made attacks for further analysis. Unfortunately, this field is not covered by recent publications. The paper analyses existing approaches and available open source solutions that can be used to form high-interaction honeypots first. Then the most prospective approach is chosen and best applicable tools are composed. The setup is tested eventually and its usefulness is proven.