
    Developing Robust VoIP Router Honeypots Using Device Fingerprints

    As the telegram was replaced by telephony, so too are Voice over IP (VoIP) systems replacing conventional switched-wire telephone devices; these systems rely on Internet connectivity for the transmission of voice conversations. This paper is an outline of ongoing preliminary research into malfeasant VoIP activity on the Internet. Thirty years ago, PABX systems were compromised by hackers wanting to make long-distance calls at some other entity's expense. This activity faded as telephony became cheaper and PABX systems had countermeasures installed to overcome attacks. Now the world has moved on to the provision of telephony via broadband-enabled Voice over Internet Protocol (VoIP), and this service is being provided as a replacement for conventional fixed-wire telephony by major telecommunication providers worldwide. Due to increasing bandwidth, it is possible for systems to support multiple voice connections simultaneously. The networked nature of the Internet allows attackers of these VoIP systems to enumerate, and potentially attack and compromise, a wide range of vulnerable systems.

    An Analysis of Malfeasant Activity Directed at a VoIP Honeypot

    This paper analyses data collected over a nine-month period in a simple VoIP honeypot based on a simple design initially put forward by Usken (2009). The honeypot collected 2083 events of malfeasant activity directed towards commonly used VoIP ports. These events resulted in a range of activity being recorded, from simple enumeration to advanced probing and attempts to compromise the victim honeypot. The analysis involved traditional statistics from packet analysis, using customised scripts for extraction of data, and graphical analysis using i2 Analyst Workstation. The analysis has uncovered an escalation of network activity directed towards the honeypot over the nine-month period. Initial geographical IP resolutions also show the majority of traffic emanating from the Chinese IP space. There is strong evidence to suggest that a botnet or worm-like malcode is being directed at, or developed for, VoIP routers.

    Using decoys to block SPIT in the IMS

    Includes bibliographical references (leaves 106-111).
    In recent years, studies have shown that 80-85% of e-mails sent were spam. Another form of spam that has just surfaced is VoIP (Voice over Internet Telephony) spam. Currently, VoIP has seen an increasing number of users due to the cheap rates. With the introduction of the IMS (IP Multimedia Subsystem), the number of VoIP users is expected to increase dramatically. This is a cause for concern, as the tools and methods that have been used for blocking e-mail spam may not be suitable for real-time voice calls. In addition, VoIP phones will have URI-type addresses, so the same methods that were used to generate automated e-mail spam messages can be employed for unsolicited voice calls. Spammers will always be present to take advantage of and adapt to trends in communication technology. Therefore, it is important that the IMS have structures in place to alleviate the problems of spam. Recent solutions proposed to block SPIT (Spam over Internet Telephony) have the following shortcomings: restricting the users to trusted senders, causing delays in voice call set-up, reducing the efficiency of the system by increasing the burden on proxies which have to do some form of Bayesian or statistical filtering, and requiring dramatic changes in the protocols being used. The proposed decoying system for the IMS fits well with the existing protocol structure, and customers are oblivious to its operation.

    Characterising attacks targeting low-cost routers: a MikroTik case study (Extended)

    Attacks targeting network infrastructure devices pose a threat to the security of the internet. An attack targeting such devices can affect an entire autonomous system. In recent years, malware such as VPNFilter, Navidade, and SonarDNS has been used to compromise low-cost routers and commit all sorts of cybercrimes, from DDoS attacks to ransomware deployments. Routers of the type concerned are used both to provide last-mile access for home users and to manage interdomain routing (BGP). MikroTik is a particular brand of low-cost router. In our previous research, we found more than 4 million MikroTik routers available on the internet. We have shown that these devices are also popular in Internet Exchange infrastructures. Despite their popularity, these devices are known to have numerous vulnerabilities. In this paper, we extend our previous analysis by presenting a long-term investigation of MikroTik-targeted attacks. Using a highly interactive honeypot that we developed, we collected more than 44 million packets over 120 days from sensors deployed in Australia, Brazil, China, India, the Netherlands, and the United States. The incoming traffic was classified on the basis of Common Vulnerabilities and Exposures to detect attacks targeting MikroTik devices. That enabled us to identify a wide range of activities on the system, such as cryptocurrency mining, DNS server redirection, and more than 3,000 successfully established tunnels used for eavesdropping. Although this research focuses on MikroTik devices, both the methodology and the publicly available scripts can be easily applied to any other type of network device.

    On Modeling and Mitigating a New Breed of DoS Attacks

    Denial of Service (DoS) attacks pose serious threats to the Internet, exerting a tremendous impact on our daily lives, which are heavily dependent on the good health of the Internet. This dissertation aims to achieve two objectives: 1) to model new possibilities of low rate DoS attacks; 2) to develop effective mitigation mechanisms to counter the threat from low rate DoS attacks. A new stealthy DDoS attack model, referred to as the quiet attack, is proposed in this dissertation. The attack traffic consists of TCP traffic only. Widely used botnets in today's various attacks and newly introduced network feedback control are an integral part of the quiet attack model. The quiet attack shows that short-lived TCP flows used as attack flows can be intentionally misused. This dissertation proposes another attack model, referred to as the perfect storm, which uses a combination of UDP and TCP. Better CAPTCHAs are highlighted as the current defense against botnets to mitigate the quiet attack and the perfect storm. A novel time domain technique is proposed that relies on the time difference between subsequent packets of each flow to detect the periodicity of the low rate DoS attack flow. An attacker can easily use different IP address spoofing techniques or botnets to launch a low rate DoS attack and fool the detection system. To mitigate such a threat, this dissertation proposes a second detection algorithm that detects a sudden increase in the traffic load of all the expired flows within a short period. In a network free of low rate DoS attacks, it is shown that the traffic load of all the expired flows is less than certain thresholds, which are derived from real Internet traffic analysis. A novel filtering scheme is proposed to drop the low rate DoS attack packets. The simulation results confirm attack mitigation using the proposed technique. Future research directions are briefly discussed.

    SIEM Optimization using Honeypots

    Nowadays, Security Information and Event Management (SIEM) systems are an integral part of an organization's security infrastructure. Although SIEM systems are a powerful mechanism, they can only be as effective as the information that feeds them is valuable. Given that increasing the performance of a SIEM is limited to increasing the number of security devices that send their logs to it and optimizing the correlation engine, the only way to truly enhance its performance is to feed it with information external to the organization. We propose the use of high-interaction honeypots to create local intelligence and to correlate it with events generated in the environment of a real organization. Using extensive logging, we are able to recognize abnormal behavior generated by previously unidentified threats on various security devices in the organization's network.
    Nowadays, Security Information and Event Management (SIEM) systems are an integral part of an organization's security infrastructure. Although SIEM is a powerful mechanism, it can only be as effective as the information fed into it is valuable. Given that a SIEM's optimization is limited to increasing the number of security devices reporting to it and fine-tuning the correlation engine, the only way to truly enhance its performance is the use of external intelligence. We propose the use of high-interaction honeypots to create domestic intelligence and correlate it with events produced in a real organization's environment. By using extensive logging we are able to identify abnormal behavior produced by previously ignored threats in multiple devices in the organization's network.

    Enabling an Anatomic View to Investigate Honeypot Systems: A Survey

    A honeypot is a type of security facility deliberately created to be probed, attacked, and compromised. It is often used for protecting production systems by detecting and deflecting unauthorized accesses. It is also useful for investigating the behavior of attackers, and in particular, unknown attacks. For the past 17 years plenty of effort has been invested in the research and development of honeypot techniques, and they have evolved to be an increasingly powerful means of defending against the creations of the blackhat community. In this paper, by studying a wide set of honeypots, the two essential elements of honeypots, the decoy and the captor, are captured and presented, together with two abstract organizational forms, independent and cooperative, in which these two elements can be integrated. A novel decoy and captor (D-C) based taxonomy is proposed for the purpose of studying and classifying the various honeypot techniques. An extensive set of independent and cooperative honeypot projects and research that cover these techniques is surveyed under the taxonomy framework. Furthermore, two subsets of features from the taxonomy are identified which can greatly influence honeypot performance. These two subsets of features are applied separately to a number of typical independent and cooperative honeypots in order to validate the taxonomy and predict honeypot development trends.

    Campus Communications Systems: Converging Technologies

    This book is a rewrite of Campus Telecommunications Systems: Managing Change, a book that was written by ACUTA in 1995. In the past decade, our industry has experienced a thousand-fold increase in data rates as we migrated from 10 megabit links (10 million bits per second) to 10 gigabit links (10 billion bits per second); we have seen the National Telecommunications Policy completely revamped; we have seen the combination of voice, data, and video onto one network; and we have seen many of our service providers merge into larger corporations able to offer more diverse services. When this book was last written, ACUTA meant telecommunications, convergence was a mathematical term, triple play was a baseball term, and terms such as iPod, DoS, and QoS did not exist. This book is designed to be a communications primer to be used by new entrants into the field of communications in higher education and by veteran communications professionals who want additional information in areas other than their field of expertise. There are reference books and text books available on every topic discussed in this book if a more in-depth explanation is desired. Individual chapters were authored by communications professionals from various member campuses. This allowed the authors to share their years of experience (more years than many of us would care to admit to) with the community at large.
    Foreword: Walt Magnussen, Ph.D.
    Preface: Ron Kovac, Ph.D.
    1 The Technology Landscape: Historical Overview, Walt Magnussen, Ph.D.
    2 Emerging Trends and Technologies, Joanne Kossuth
    3 Network Security, Beth Chancellor
    4 Security and Disaster Planning and Management, Marjorie Windelberg, Ph.D.
    5 Student Services in a University Setting, Walt Magnussen, Ph.D.
    6 Administrative Services, David E. O'Neill
    7 The Business Side of Information Technology, George Denbow
    8 The Role of Consultants, David C. Metz
    Glossary: Michelle Narcavag

    VoIP Honeypot Architecture

    http://www.comsoc.org (international audience)
    Voice over IP (VoIP), or telephony services over the Internet, announces a new revolution in the telecommunication world through its management simplicity and cost reduction. VoIP security extends the existing risk range of IP protocols and infrastructures and introduces new attacks as well. Threat identification and standardization, secure signaling and media architectures, as well as intrusion detection and prevention mechanisms are currently under debate in the research community. We propose in this article a SIP (Session Initiation Protocol) specific honeypot. We describe its design and implementation. We detail the inference mechanism which classifies the received messages. We show how the model investigates a received call and raises an appropriate conclusion.