Wednesday, November 26, 2008
Since vpnc is already up
I might as well take advantage and try to capture some of the stuff that's already oozing out of my grey matter. My partner and I talked about the project at length, and at the beginning, another classmate gave some suggestions. We came to the conclusion that NAT is not needed at all in the configuration that my partner is working towards because there will be a one-to-one ratio of IP addresses to virtual machines. If that changes, we need...something. Maybe NAT, maybe something else.
My partner defined 'dynamic instantiation' for the time being as basically turning a VM on and off. We also all agreed that there has to be some mechanism to capture state. Our classmate pointed out that the controller needs to know which VMs it needs to be acting on and when, and neither iptables nor Click as they are have the ability to pass on that type of information. So I was looking at netlink sockets, but now I'm looking at libipq, which I'm thinking is even better. It basically routes a packet from kernel space to user space. You can then make a decision on the packet and send it back to kernel space. I'm thinking I can make some additional network devices and have initial traffic routed to the devices associated with my libipq stuff, a type of first packet reader, then accepted packets are routed to whatever we use to route traffic, click or iptables or whatever.
I'm also looking at malware collection. That looks like it won't be so hard. There's information out there on how to save binaries in MySQL databases. Oh, and my classmate talked about VM introspection type stuff. He mentioned RegMon, FileMon and some other utility. They're for Windows, which we haven't really been using, but we will eventually, and I hadn't even thought about registry data. My partner's idea about mounting a vmdk file is something that I've actually been able to test on my laptop, unlike most VMware stuff. It didn't take long to perform a diff on the two mounted filesystems--I was working on a script to automate that process.
I'm sure that I've forgotten something, but oh well.
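Here is an added sketch, not code from the original post, of the diff-the-two-mounted-filesystems script mentioned above: it hashes every file under a clean baseline mount and a post-attack mount and reports what was added, removed or modified (new binaries being the malware-collection candidates). The two trees are constructed in a temp directory to stand in for mounted vmdk images; the function names are my own.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each regular file (relative path) under root to its SHA-256.
    Symlinks are recorded by target, not followed, so a link planted in the
    image cannot steer the hasher outside the mounted filesystem."""
    digests = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                digests[rel] = "symlink->" + os.readlink(full)
                continue
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests

def diff_trees(clean_root, dirty_root):
    """Return (added, removed, modified) paths between the clean baseline
    mount and the mount taken after the honeypot was attacked."""
    clean, dirty = snapshot(clean_root), snapshot(dirty_root)
    added = sorted(set(dirty) - set(clean))
    removed = sorted(set(clean) - set(dirty))
    modified = sorted(p for p in set(clean) & set(dirty) if clean[p] != dirty[p])
    return added, removed, modified

def build_demo_trees():
    """Constructed sample trees standing in for the two mounted vmdk images."""
    base = tempfile.mkdtemp(prefix="honeydiff-")
    trees = {
        "clean": {"etc/passwd": b"root:x:0:0\n", "bin/ls": b"ELF-ls"},
        "dirty": {"etc/passwd": b"root:x:0:0\nbd:x:0:0\n", "bin/ls": b"ELF-ls",
                  "tmp/.x/bot": b"ELF-bot"},  # added binary: a collection candidate
    }
    for label, files in trees.items():
        for rel, data in files.items():
            path = os.path.join(base, label, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as f:
                f.write(data)
    return os.path.join(base, "clean"), os.path.join(base, "dirty")

def demo():
    return diff_trees(*build_demo_trees())
```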
Friday, November 21, 2008
Midday head clearing
So far it's been a productive day, except for the fact that I haven't done anything school related. I got up and ran two miles. I was able to get the Thanksgiving cards out with the help of my spouse. I submitted my application for a passport. We had a meeting with the pastor to try to get some help on what to do with our teenage daughter. We had lunch.
So...what to do on the project? My partner and I had a talk last night which was much needed. I'd come up with this great idea for a funky version of dynamic NAT, but he didn't see why we would need such a thing. I realized that was because his vision for the honeyfarm is such that at endstate there is no practical limit on the number of honeypots that could be instantiated at one time. In my idea you have a pool of internal honeypot addresses, organized as a queue, and the next available honeypot gets its internal address mapped to whatever external address that's coming in. If the queue is empty, then you have to drop the traffic. In his world, dropping traffic would never happen. A developing question is whether his idea can be done with iptables. The question I'm thinking of is whether iptables are smart enough to assign the incoming connection to the *next available* internal IP. I know you can assign ranges, so that would only make sense, but I dunno.
I think we also agreed that regardless of whether NAT is needed or not, it is something that isn't essential to the basic structure we're working on now. So what I'm supposed to be focusing on is some type of collection mechanism, namely automating the process of getting malware from a high-interaction honeypot (though it wouldn't be a bad idea to take the info from the low-interaction honeypots too, just so everything is in the same place), and putting it in some type of database or something. I think that VM introspection and MySQL are the things I need to look at. So I guess I better get to it.
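An added model, not from the original post, of the queue-based dynamic NAT idea above, written as the kind of userspace "first packet reader" decision described in the later libipq entry: the first packet from a new source claims the next free internal honeypot, a known source keeps its mapping, and an empty pool means DROP. Class and method names are mine; the kernel hand-off (libipq, Click or iptables) is left out and only the verdict logic is shown.

```python
from collections import deque

class HoneypotNat:
    """Constructed model: a FIFO pool of internal honeypot addresses handed
    out to new external sources. Not an iptables, Click or libipq API."""

    def __init__(self, internal_pool):
        self.free = deque(internal_pool)   # next available honeypot at the front
        self.table = {}                    # external src -> internal honeypot

    def first_packet(self, src_ip):
        """Verdict for the first packet of a flow, as a userspace reader would
        return it before the packet goes back to the kernel.
        Returns (verdict, internal_ip)."""
        if src_ip in self.table:           # existing mapping: keep the same honeypot
            return ("ACCEPT", self.table[src_ip])
        if not self.free:                  # pool exhausted: drop, per the entry above
            return ("DROP", None)
        honeypot = self.free.popleft()
        self.table[src_ip] = honeypot
        return ("ACCEPT", honeypot)

    def release(self, src_ip):
        """When a flow ends, return its honeypot to the *back* of the queue so it
        is reused last, leaving time to snapshot the VM before it is reset."""
        honeypot = self.table.pop(src_ip)
        self.free.append(honeypot)
        return honeypot

def demo():
    """Constructed traffic: four sources against a two-address pool."""
    nat = HoneypotNat(["10.0.0.11", "10.0.0.12"])
    log = []
    for src in ["198.51.100.7", "203.0.113.9", "198.51.100.7", "192.0.2.44"]:
        log.append((src,) + nat.first_packet(src))
    nat.release("203.0.113.9")             # second attacker's flow ends
    log.append(("192.0.2.44",) + nat.first_packet("192.0.2.44"))
    return log
```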
Monday, November 10, 2008
I am happy
I have not accomplished anything thesis specific today, but nevertheless I am happy. Last night my project partner and I submitted our project status update. We didn't have any real data until my partner got fed up with Nepenthes and installed Amun. I am glad he did, because before the day was over he collected a significant amount of malware. I am going to try Amun too, even though my ISP blocks problem ports, who knows? I also want to run tcpdump on my target machine to see what ports attackers are scanning.
While I was working on the report, Fedora crashed on me twice. I decided that I'd had enough and installed Kubuntu. To my relief, it really does "just work." I had none of the problems I had with Fedora trying to get audio and wireless to work. To my dismay, however, I learned that the data DVD backups I made with k3b left out some significant data. While all the hidden folders in my home directory got copied, none of the files in these folders got copied. I checked my previous backup, and it's the same thing. So I'm wondering if this is a bug in k3b or whether I just screwed up. The only thing I really was upset about was the Thingamablog database. I just installed Thingamablog today, which is running *very* slow for some reason, and when I was trying to figure out what to do I realized the database did get copied after all, because it wasn't in the .thinga folder, it was under documents/html/thingamablog. So that's why I am happy. I figured the only way out of this would have been to copy all the html files and then sift through them for content and put the data back into Thingamablog. I wouldn't have had to start from the beginning though, since my Windows backup had the database on it.
Friday, November 07, 2008
I finally
sent an update to my committee. Since I'm feeling particularly lazy, I'm going to paste it here and count that as a blog entry.
***
To my advisory committee:
I figured that now was as good a time as any to give an update on my thesis. For many weeks I have planned to give an update, and later decided against it because I didn't feel like I had accomplished anything significant. I now realize that if I continue at this rate, I could go all the way to defense without having communicated with you.
Since a significant amount of time has passed since I spoke with most of you, there actually are very significant things to report.
During the summer my goal was to write an intrusion prevention module. I later decided against this for several reasons, with one of the more significant ones being that I was not sure that I could actually accomplish this task.
I am taking one course this fall, a special topics course (CPSC 689-609) taught by Dr. Guofei Gu on Network Security. The first topics in the class were botnets and honeypots, which I've also been interested in. Based on this, I decided to change the project. My goal is to create a small honeynet similar to ones I've read about in certain academic papers, and then compare the results to my own. My expectation is that the vulnerabilities that were used to attract attackers two years ago will be less effective today. The next step would be to modify/improve the techniques in order to make them more effective in attracting current botnets. I am also submitting a variation of the project to the 689 class.
While on the surface this is a simpler project, getting it off the ground has been challenging. The principal obstacle is gaining access to a network to place the honeynet in. My current ISP blocks the ports that cause security risks, leaving my honeypots untouched. I also need multiple IP addresses.
Commercially, the service that would meet my requirements would require me to purchase business connections, and sign contracts that would cost around $1000 for six months of service. I saw this as a last ditch effort.
Dr. Gu talked to Mr. Willis Marti, and he agreed to allocate IP space for use with this and subsequent projects, contingent upon us showing how we plan to mitigate the risk of attack within the campus network. Dr. Gu has also allocated me a single server, and from reading on CSnet I understand that it is possible to bring in personal equipment. Unfortunately, I am not sure when the IP space will be available, so in the meantime I am trying to be as productive as possible, continuing my research and trying to create a sound architecture.
My goal from here on out is to provide an update to you at the end of each week. I appreciate any and all feedback.
Respectfully,
John Syers
Wednesday, October 29, 2008
Let's see. Yesterday I talked to the network head and he agreed to give me the address space I need for the project. I sent him my configuration file so that he could be sure that I wouldn't be attacking the network.
Today I figured out how to do some very basic things in Click. What I'm trying to figure out now is how to do something like NAT with Click. I've been having a lot more trouble trying to just print out basic stuff than I thought I would. Most of my problem is trying to do things the way I think they should work rather than the way the examples show.
Also shot off an email to my advisor asking for some additional hardware resources.
Thursday, October 23, 2008
I'm embracing reality
Normally I get depressed when it's time to blog because I feel like I haven't accomplished anything, or haven't accomplished enough. But I hadn't realized that even though I daily fail to meet my own expectations, I do accomplish things, and they do add up over time.
What I just finished doing was getting the USB ethernet adapter I bought to work. I was just looking into what to do with my new multi-homed host. I'd been thinking 'router', but then, what do I want it to route? I guess I'm thinking about it more closely now. I'd lost sight of what this thing is for--the project. And for the project, what I need is a honeywall. My understanding of a honeywall is that it's a reverse firewall--it only lets certain traffic out.
Now for just everyday use...well, I guess I really don't need it for everyday use, do I? I need to take the time and figure out what I want the home network to look like, what services I'm going to run, and what network appliances I need to run them.
I talked to Verizon and Suddenlink about the addresses I need. Suddenlink charges around $90 for service with 5 IP addresses, with $15 for each IP over that. Verizon charges $80 for 1 IP address, and each block of 5 IP addresses costs $20. For some reason I'd forgotten that Suddenlink charged per IP for over 5 until just now, so I was thinking Suddenlink was the way to go. And they still are, if I want to stick with 5 IPs. But I was thinking to start with 5, and eventually work my way up to 15. With Suddenlink that would cost me $150 extra, while with Verizon it would cost $40 extra. Darn it. I'd better call them back and ask about fees. Verizon charges a $99 setup fee and $99 for the modem, so that has to factor in too.
....
Just got off the phone with Suddenlink. The fees depend on the contract. If I go with a 1-year contract, installation and modem are $170. With the two-year, installation is $60 and the modem is 'free.' With a three-year contract, installation is $10.
Wednesday, October 22, 2008
I hate myself
for having so little to report here. Last night I was thinking about the possibility of using dynamic IP addresses. This morning I added wireless to the list of possibilities, especially since most of the ISPs in town seem to be WISPs. I contacted Cybercom *again*, this time by email, and looked at a few alternatives. However, some internet searching revealed that most people have some antenna setup on top of their house to get the WISP signals, whereas if I went with Cybercom I wouldn't have to deal with that.
And...that's about it. I'm working on my mini-review now--and it seems I've been doing that for hours. Or rather, I should have been working on it...
Sunday, October 19, 2008
As for the rest...
...what can I say. I set up my reminder, and I still failed to post like I should have last week. Sometimes I felt like I didn't have anything significant to post, even when sometimes that's the point. Hopefully I'll do better this week.
I heard you
God got a hold of me at church today. I don't remember why, but I think somebody was praying and it made me think about a verse that I'd read in Acts earlier in the week. I began to search for the verse to read the complete thing. I had a hard time finding it and almost gave up, but didn't. The verse was Acts 12:2, where the Holy Spirit tells the believers to separate Paul and Barnabas for His work. I was wondering how you get to the point where you can sense God speaking something like this. As I read again, I saw in verse 1 and 2 that there were a small group of men that were 'ministering unto the Lord.' This included fasting. Then, during the next prayer, somebody quoted a passage of scripture. I don't know exactly where it was--I think it was Avery reading--but the passage definitely mentioned fasting (though I just did a bible search and couldn't find it). Anyway, then when the Pastor started preaching, he talked about moving forward with God by stopping. The passage was Nehemiah 9, and he talked about how the people came to God with fasting. So I got it. If I want to hear from God, I need to be fasting.
Thursday, October 09, 2008
Insignificant?
It doesn't seem like I accomplished much today. We turned in our proposal for CPSC 689, but some of the conversation that went on with the project proposal was enlightening. The professor is saying that hardware is available but not IP addresses. He did not give any definite timetable and mentioned me using equipment at the other institution. This tells me that I need to work on my own setup for the thesis. I'm thinking that I may look at the local ISP for bandwidth before I talk to the phone provider. This also further cements my thinking that there may be a bigger difference between the project and the thesis than I originally thought, but now I find that I don't really have a problem with that.