View
 

Distributed Open Proxy Honeypots

This version was saved 14 years, 10 months ago View current version     Page history
Saved by Ryan Barnett
on February 11, 2010 at 6:24:52 am
 

Quick Links

Homepage


 

 

Project Overview

From a counter-intelligence perspective, standard honeypot/honeynet technologies have not bared much fruit in the way of web attack data. Web-based honeypots have not been as successful as OS level or other honeypot applications (such as SMTP) due to the lack of their perceived value. Deploying an attractive honeypot web site is a complicated, time-consuming task. Other than a Script Kiddie probing for an easy defacement or an indiscriminant worm, you just won't get much traffic.

So the question is - How can we increase our traffic, and thus, our chances of obtaining valuable web attack reconnaissance?

 

This project will use one of the web attacker's most trusted tools against them - the Open Proxy server. Instead of being the target of the attacks, we opt to be used as a conduit of the attack data in order to gather our intelligence. By deploying multiple, specially configured open proxy server (or proxypot), we aim to take a birds-eye look at the types of malicious traffic that traverse these systems. The honeypot systems will conduct real-time analysis on the HTTP traffic to categorize the requests into threat classifications outlined by the Web Security Threat Classification and report all logging data to a centralized location.

 

Project Status

Phase III has begun.  We started deploying sensors on July 27th.

 

Project Leader

If you would like to be involved with the project, please contact the project leader - Ryan Barnett (rcbarnettgmail.com).

 

Project Contributors

 

Robert Auger Michael Menefee Bill Pennington William Salusky Nick Malecky Kurt Grutzmacher Matt Nelson
Daniel Cuthbert Mike Schiffman Chris Luhman Mike Klingler Andrew Lamb Anton Chuvakin Jasper Wonnick
Pete LeMay Raffael Marty Aaron Weaver Dan Azzariti Amachai Shulman Jeremiah Grossman Rafael Dreher
Rodrigo Montoro Ralph Thomas Michael Renzmann Mike Eynon Michele Orru' Ivan Ristic Spiros Antonatos
Thorsten Holz Trey Ford Peter Guerra Laura Mather Craig Valli Erwin Geirnaert Albert Gonzalez
Sandeep D. Andre Protas Sebastien Gioria Time McGuire Travis Schack Sutapa Dey Sebastien Garcia
Mark Angel Bogdan Calin Roman Medina-Heigl Hernandez Fabio Sam Stover Stan Scalsky Garth Somerville
Prince Kholi Apurv Singh Mark Ryan del Moral Talabis Tomasz Sawiak Mike Shinn Michael Miller Scott Scheferman
Laurent Oudot Bjoern Weiland Brian Rectanus Michael Condon Billly Rios Robert Hansen  

 

Project Sponsors

The central log host and development of the VMware honeypot images were provided by Breach Security Labs.

Frequently Asked Questions (FAQ)

To find out more information about the project - please see the FAQ

 

How to Participate

There are two ways to participate:

 

  1. Deploy a honeypot sensor

You can participate by deploying the WASC Open Proxy Honyepot sensor on your own network. WASC has created a VMware image of the standard sensor. This image includes all of the software to quickly get your sensor up and running with little configuration on the end user's part. You must contact the project leader via email in order to participate. You will then recieve the link location to download the VMware image.  You will need to have the free version of VMware player or Server.  If you would like to deploy a honeypot sensor, include the following details in your email to the project leader:

 

  • Sensor Point of Contact (POC) name
  • Source IP address that the logs will be coming from
  • Geographic location (Country, State, Locality)
  • Network Block Owner

 

The Project Leader will send back an email with instructions for downloading the VMware honeypot image data and the OS root credentials. The VMware host is configured with dhcp, so after you login, verify that the host has successfully obtained an IP address. The Project Leader will also provide you with the ModSecurity log agent credentials you will need to authenticate when sending your log data. ModSecurity uses a C program called mlogc located in the /usr/local/apache/conf/ directory. This program will take the data generated by the ModSecurity concurrent audit log and uses HTTP PUT requests to upload the individual audit_log files to the central console host. Each WASC honeypot sensor will have a unique username/password combination. The file that you will need to update is /opt/wasc-honeypot/etc/mlogc.conf.  The final step is to start up the apache web server - /etc/init.d/wasc-honeypot-ctl.sh start. You should then review the log files to ensure that they everything is working properly.

 

  1. Data analysis

Even if you do not deploy a honeypot sensor, we need help with data analysis for the capture traffic.  We will provide access to the ModSecurity Management Appliance (MMA) web interface to all project participants.  The MMA has built in searching and reporting functions that may be used for batch analysis.  We will provide all project participants with a reporting procedure so that we have a consistent process for vetting data prior to releasing to the public.

 

Current Threat Reports

Weekly Stat Reports

July 27, 2009 - August 3, 2009

August 3, 2009 - August 10, 2009

August 10, 2009 - August 17, 2009

 

Events of Interest

XSS in User-Agent Header

Identifying Request Anomalies

Distributed Brute Force Attacks Against Yahoo

Apache Tomcat Admin Probes

 

Previous Threat Reports

The WASC Distributed Open Proxy Honeypot team will be releasing periodic threat reports of significant activity and trends.

 

Phase I

Web Security Threat Report, Volume 1: January - April 2007

 

Phase II: Web Security Threat Report, Volume 2: November 2007

 

 

Web Security Threat Report, Volume 2: November 2007 - Video at WASC/OWASP AppSec Conf (Presented by Ryan Barnett)

 

Comments (0)

You don't have permission to comment on this page.