Development of an IPv6 Honeypot



Similar documents
DNS Amplification Attacks as a DDoS Tool and Mitigation Techniques

SpamPots Project: Using Honeypots to Measure the Abuse of End-User Machines to Send Spam

honeytarg Chapter Activities

Phishing and Banking Trojan Cases Affecting Brazil

Preventing your Network from Being Abused by Spammers

CERT.br: Mission and Services

LACNIC 25 CSIRTs Meeting Havana, Cuba May 4 th, 2016

Cybersecurity and Incident Response Initiatives: Brazil and Americas

The Importance of a Multistakeholder Approach to Cybersecurity Effectiveness

Incident Response and Early Warning Initiatives in Brazil

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Getting started with IPv6 on Linux

DirectAccess in Windows 7 and Windows Server 2008 R2. Aydin Aslaner Senior Support Escalation Engineer Microsoft MEA Networking Team

The Brazilian Internet Steering Committee CGI.br Internet Governance Model in Brazil

Securing the Transition Mechanisms

Configuring Security for SMTP Traffic

IPv6, Perspective from small to medium ISP

IPv6 Trace Analysis using Wireshark Nalini Elkins, CEO Inside Products, Inc.

Firewalls und IPv6 worauf Sie achten müssen!

CALNET 3 Category 7 Network Based Management Security. Table of Contents

IPv4 and IPv6 Integration. Formation IPv6 Workshop Location, Date

APNIC IPv6 Deployment

Secure64. Use cases for DNS64/NAT64

With a little bit of IPv6 magic: Windows 7 DirectAccess

Chapter 11 Cloud Application Development

Securing IP Networks with Implementation of IPv6

ICSA Labs Network Protection Devices Test Specification Version 1.3

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

About Botnet, and the influence that Botnet gives to broadband ISP

CMPT 471 Networking II

Challenges in NetFlow based Event Logging

Updates to Understanding IPv6

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

IPv6-only hosts in a dual stack environnment

464XLAT in mobile networks

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Telepresence in an IPv6 World. Simplify the Transition

ITL BULLETIN FOR JANUARY 2011

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

It should be noted that the installer will delete any existing partitions on your disk in order to install the software required to use BLËSK.

1. Introduction to DirectAccess. 2. Technical Introduction. 3. Technical Details within Demo. 4. Summary

Operational Problems in IPv6: Fallback and DNS issues

Industry Automation White Paper Januar 2013 IPv6 in automation technology

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

IPv6-Only. Now? Sites. Deutscher IPv6 Kongress June 6/7, 2013 Fr ankfur t /Ger many. Holger.Zuleger@hznet.de

Campus IPv6 connection Campus IPv6 deployment

THE ADOPTION OF IPv6 *

Planning the transition to IPv6

The Leading Security Suites

TR-296 IPv6 Transition Mechanisms Test Plan

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Fraud and Phishing Scam Response Arrangements in Brazil

F-Secure Internet Gatekeeper Virtual Appliance

Solution Brief FortiMail for Service Providers. Nathalie Rivat

Network Security. Protective and Dependable. 52 Network Security. UTM Content Security Gateway CS-2000

Interconnecting IPv6 Domains Using Tunnels

Contents. vii. Preface. P ART I THE HONEYNET 1 Chapter 1 The Beginning 3. Chapter 2 Honeypots 17. xix

IPv6 Support in the DNS. Workshop Name Workshop Location, Date

Deployment Guide A10 Networks/Infoblox Joint DNS64 and NAT64 Solution

Software changes for Website and Application IPv6 Readiness

IPv6 Deployment Strategies

Computer and Network Security Exercise no. 4

IPv6 Transition Work in the IETF

Copyright

When Reputation is Not Enough: Barracuda Spam & Virus Firewall Predictive Sender Profiling

Matt Ryanczak Network Operations Manager

Lesson 13: DNS Security. Javier Osuna GMV Head of Security and Process Consulting Division

SESA Securing with Cisco Security Appliance Parts 1 and 2

CS 558 Internet Systems and Technologies

APPLICATION PROGRAMMING INTERFACE

IPv6 Network Security.

When Reputation is Not Enough: Barracuda Spam Firewall Predictive Sender Profiling. White Paper

Use Domain Name System and IP Version 6

Transcription:

Development of an IPv6 Honeypot Klaus Steding-Jessen jessen@cert.br CERT.br Computer Emergency Response Team Brazil NIC.br Network Information Center Brazil CGI.br Brazilian Internet Steering Committee 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 1/16

About CERT.br Created in 1997 as the national focal point to handle computer security incident reports and activities related to networks connected to the Internet in Brazil. International Partnerships http://www.cert.br/mission.html 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 2/16

Our Parent Organization: CGI.br Among the diverse responsibilities of The Brazilian Internet Steering Committee CGI.br, the main attributions are: to propose policies and procedures related to the regulation of the Internet activities to recommend standards for technical and operational procedures to establish strategic directives related to the use and development of Internet in Brazil to promote studies and technical standards for the network and services security in the country to coordinate the allocation of Internet addresses (IPs) and the registration of domain names using <.br> to collect, organize and disseminate information on Internet services, including indicators and statistics 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 3/16

CGI.br/NIC.br Structure 01- Ministry of Science and Technology 02- Ministry of Communications 03- Presidential Cabinet 04- Ministry of Defense 05- Ministry of Development, Industry and Foreign Trade 06- Ministry of Planning, Budget and Management 07- National Telecommunications Agency 08- National Council of Scientific and Technological Development 09- National Forum of Estate Science and Technology Secretaries 10- Internet Expert 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 4/16 11- Internet Service Providers 12- Telecom Infrastructure Providers 13- Hardware and Software Industries 14- General Business Sector Users 15- Non-governamental Entity 16- Non-governamental Entity 17- Non-governamental Entity 18- Non-governamental Entity 19- Academia 20- Academia 21- Academia

Agenda Introduction Motivation for a Honeypot The Project Results Conclusion 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 5/16

Introduction (1) IPv6 standardized in 1998 (RFC 2460) not widely adopted yet (< 1% of today s traffic) Some improvements over IPv4: larger address space: 32 to 128 bits no more v4 space by the end of 2010... streamlined protocol header autoconfiguration network layer security (IPSec) QoS capabilties mobility 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 6/16

Introduction (2) Some of the attacks against v4 networks are the same: attacks against applications Denial of Service attacks malware New problems: transition methods autoconfiguration lack of: best practices policies training tools 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 7/16

Motivation for a Honeypot Force us to study IPv6 Better understand the current level of attacks in IPv6 networks scanning, probes, etc malware on v4 hosts using tunnels? harvesting of email addresses spam 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 8/16

The Project (1) Cooperation beetwen CERT.br and CEPTRO.br two /48 IPv6 blocks a /48 block is usually given to enterprises a /48 = 2 16 /64 = 65536 /64 blocks or 1208925819614629174706176 IP addresses one domain under.br hosted at v4/v6 reacheable DNS servers just AAAA records 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 9/16

The Project (2) one IPv6 server reachable via IPv6 only receiving traffic from those two /48 IPv6 blocks logging all traffic and generating alerts hosting an web server fake content dinamically generated email addresses on each page and inside files hosting an mailserver server MX for this domain configured to receive email to every address on our domain 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 10/16

The Project (3) one IPv4 server reachable via IPv4 only hosting an web server on a different domain activelly being harvested by spammers receiveing spam on a daily basis with references to the IPv6 server emails links 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 11/16

The Project (4) IPv6 Internet IPv4 Internet DNS Server: Dual Stack (IPv6/IPv4) Returns only AAAA records. IPv6 Honeypot: IPv6 only; Two /48 networks. IPv4 Honeypot: IPv4 only; Have links and e mails addresses from the IPv6 domain in the webpages. 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 12/16

Results (1) Since deployment (end of march, 2009) we have observed very little activity: 1 IP using a native IPv6 address DNS query from a.edu server no DNS service running at our end misconfiguation? probe? 3 IPs using 6to4 2002::/16 space, reserved for 6to4 deployments (RFC3056) HTTP activity, following a link Windows machines from.no,.pt,.ir 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 13/16

Results (2) 1 IP using a IPv4 to IPv6 gateway HTTP activity Linux machine using the SixXS-IPv6Gate http://ipv4gate.sixxs.net/ 1 IP using Teredo 2001:0000::/32) space, reserved for Teredo HTTP activity, following a link from wikipedia 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 14/16

Conclusions overall IPv6 acitivity is still very low malicious or not transition methods like 6to4 and Teredo being used popular search engines do not work with IPv6-only sites 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 15/16

References CERT.br http://www.cert.br/ CEPTRO.br http://www.ceptro.br/ IPv6.br http://www.ipv6.br/ This presentation will be available (soon) at: http://www.cert.br/docs/presentations/ 2009 CSIRTs with National Responsibility Meeting - Kyoto, Japan - July, 2009 p. 16/16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information