honeyTARG Chapter Status Report For 2013

ORGANIZATION

Current chapter members and their activities:

  • Cristine Hoepers, D.Sc., Chapter Lead
  • Klaus Steding-Jessen, D.Sc., Development of Data Capture and Collection Tools
  • Marcelo H. P. C. Chaves, M.Sc., Development of Data Collection and Visualization Tools
  • Dorgival Olavo Guedes Neto, PhD, Spam Data Mining Research
  • Wagner Meira Jr., PhD, Spam Data Mining Research

DEPLOYMENTS

One honeeebox sensor, sending data to hpfeeds.

Distributed Honeypots Project (since 2003)

http://honeytarg.cert.br/honeypots/

Objective: increase the capacity of incident detection, event
correlation and trend analysis in the Brazilian Internet space.

Honeypots deployed: 55 honeypots, deployed in partnership with 43
Brazilian organizations, including the energy sector, government,
telecommunications, ISPs and universities. In 2013, 9 organizations
joined the Project, 5 of them from the energy sector.

Tools: OpenBSD systems running honeyd, several honeyd listeners, plus
some code developed in-house.

Results: the analysis of the collected data is made available to the
public as flow and trend-analysis graphics at:
http://honeytarg.cert.br/honeypots/stats/

SpamPots Project (since 2006)

http://honeytarg.cert.br/spampots/

Objective: gather data related to the abuse of the Internet
infrastructure by spammers.

Honeypots deployed: 14 honeypots, deployed in 11 countries, mostly in
partnership with local CERTs. In 2013 we started a spam data analysis
research partnership with the University of Alabama at Birmingham,
which is hosting one honeypot, and a partnership with the Shadowserver
Foundation, which is hosting 2 honeypots, one in the US and another in
Norway.

Tools: OpenBSD systems running code developed in-house. In 2013 we
concentrated on developing better data visualization for the partners'
private area.

RESEARCH AND DEVELOPMENT

Details of the data analysis research are in the next section,
published as articles, papers and a master's thesis.

We are cooperating in the SpamPots Project with David Watson, from the
UK Chapter, and with Shadowserver. They are mirroring all collected
data and using it to identify the spammers' origins and to improve
their blacklists. David Watson is also porting the code to Linux and
working on a large-scale deployment for Shadowserver.

We are donating data to National CERTs, some of them with Honeynet
Chapters, so they can act on the collected attack data to stop the
attacks and identify infected machines.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

Master's Thesis

Defended on March 06, 2013 by Pedro Las Casas. Advisor: Dr. Dorgival
Olavo Guedes Neto.

Title: An Analysis of Spam Traffic Collected Around the World (original
title in Portuguese: Análise do Tráfego de Spam Coletado ao Redor do Mundo)
Abstract: Several efforts have been pursued to create a comprehensive view of
spam traffic. However, observations at isolated points of the Internet
are always limited by factors of spatial locality. This dissertation
aims to add a dimension to this analysis by contrasting samples of
spam traffic collected simultaneously at different points.
Furthermore, this study aims to evaluate the time factor in the spam
traffic, and the impacts caused by it.
Our analyses indicate that factors such as location and connectivity
have a significant impact on the observed traffic, but certain features,
such as profiles of messages sent by different protocols, source
addresses and test patterns from spammers, repeat themselves around the
world. We also identified that the spam traffic varies considerably
over time, with different patterns at different times.

PDF: http://www.bibliotecadigital.ufmg.br/dspace/bitstream/handle/1843/ESBF-97CMDW/pedrohenriquelascasas.pdf?sequence=1
URI for complete details: http://hdl.handle.net/1843/ESBF-97CMDW

Academic Paper

Title: Análise do tráfego de spam coletado ao redor do mundo (English: An
Analysis of Spam Traffic Collected Around the World)
Authors: Pedro Henrique B. Las-Casas, Dorgival Guedes, Wagner Meira
Jr, Cristine Hoepers, Klaus Steding-Jessen, Marcelo H. P. C. Chaves,
Osvaldo Fonseca, Elverton Fazzion, Rubens E. A. Moreira.
Conference: XXXI Simpósio Brasileiro de Redes de Computadores e Sistemas
Distribuídos (SBRC 2013, the 31st Brazilian Symposium on Computer
Networks and Distributed Systems), 2013, Brasília.

PDF: http://sbrc2013.unb.br/files/anais/trilha-principal/artigos/artigo-57.pdf

Magazine Article

Title: Anatomy of SIP Attacks
Authors: João Marcelo Ceron, Klaus Steding-Jessen, and Cristine Hoepers
Magazine: USENIX ;login:
Article Section: SECURITY
Abstract: In the past few years we have seen a steady increase in the popularity
of VoIP (Voice over IP) services. Scans for SIP (Session Initiation
Protocol) servers have been reported for many years, and to gather
more details about these activities we emulated SIP servers in a
network of 50 low-interaction honeypots, and collected data about
these attacks for 358 days. What will follow is a description of our
observations and advice on how to prevent these attacks from being
successful.

PDF: https://www.usenix.org/system/files/login/articles/login1212_ceron.pdf

Symposium Presentation

Title: Anatomia de Ataques a Servidores SIP (English: Anatomy of Attacks on SIP Servers)
Symposium: 1º Colóquio Técnico CTIR Gov de 2013, May 2013, Brasília, DF

PDF: http://www.cert.br/docs/palestras/certbr-ctir2013-1.pdf

Use of our data by the security community

To help the security community identify infected or compromised
computers and act promptly, we:

  • provide data feeds to National CERTs about attacks coming from
    their respective constituencies;
  • provide public statistics about attack trends;
  • provide some data feeds to organizations such as Shadowserver, Arbor
    ATLAS and Team Cymru, so that they can be used by a broader community
    to detect infected/compromised systems.

FINDINGS

We continue to see that the most attacked services are those that
allow brute-force attacks, with SSH and SIP still the most targeted
ones.

Regarding abuse of the Internet infrastructure to send spam, we
continue to see the abuse of SOCKS proxies, a behavior that hasn't
changed since we started the project in 2006.

GOALS

2013: we reached our goal to focus more on data analysis and
visualization of attacks and trends. Our staff got trained in data
visualization, and we concluded the work for the SpamPots Partners'
website data visualization.

2014: revamp our project's websites, and start the implementation of
new visualization techniques for the public data on both of them.