Project 7 - Network Sinkhole

Primary mentor: Shaun Vlassis (AU)
Student: Adam

Project Overview:
Mitigating botnets, both in the wild and on internal networks, by sinkholing malicious domains has steadily increased in frequency over the past several years: pointing the domains that bots resolve at infrastructure the defenders control protects users and denies bot herders the ability to perform criminal acts through victim machines. Conficker and Mariposa are two recent examples of sinkholes being used to take control of a botnet away from the bot herder.

While there are a number of private groups focused on the mitigation and tracking of botnets in the wild, each with its own tool set for these tasks, network and security owners/admins have had no opportunity to leverage such technology, because the existing groups all rely on custom set-ups.

By the end of this year's GSoC this project will provide the first open source network sinkhole application capable of emulating the HTTP, FTP, DNS and IRC protocols, with the level of emulation for each domain/protocol completely configurable, as well as the level of logging to be performed.

This will allow the operator to decide, case by case, how much information to gather versus the network/processing overhead that increased logging brings.
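To make concrete what "configurable emulation and logging per domain" means for the DNS case, here is an added example written for this page; it is not HoneySink's code and not the author's. It is a minimal DNS sinkhole responder in Python: it parses a bot's query, looks the name up in a per-domain policy (the SINKHOLE_POLICY dict, the 10.0.0.1 sinkhole address and the "minimal"/"full" log levels are assumptions made for illustration), records the client at the configured logging level, and answers sunk names with the sinkhole address while returning NXDOMAIN for everything else so the sinkhole never resolves arbitrary names on a client's behalf.

```python
import socket
import struct
import time

# Constructed sinkhole policy. The format is a hypothetical stand-in for a
# per-domain config, not HoneySink's own: each sunk domain gets the address
# to answer with and a logging level ("minimal" records client, name and type;
# "full" additionally keeps the raw query bytes for later analysis).
SINKHOLE_POLICY = {
    "c2.example.com.": {"answer": "10.0.0.1", "log": "full"},
    "update.example.net.": {"answer": "10.0.0.1", "log": "minimal"},
}
# Names we do not sink are still logged (minimally) but answered NXDOMAIN.
DEFAULT_POLICY = {"answer": None, "log": "minimal"}

LOG = []  # in-memory stand-in for the MySQL / flat-file / syslog back ends


def parse_question(packet):
    """Parse a single-question DNS query; return (txid, qname, qtype, qclass, end)."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", packet[:12])
    if flags & 0x8000:
        raise ValueError("not a query (QR bit set)")
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    # Normalise to a lower-case, dot-terminated name for the policy lookup.
    return txid, ".".join(labels).lower() + ".", qtype, qclass, pos + 4


def build_response(packet, client, now=None):
    """Log the query from `client` and answer it according to SINKHOLE_POLICY."""
    txid, qname, qtype, qclass, qend = parse_question(packet)
    policy = SINKHOLE_POLICY.get(qname, DEFAULT_POLICY)
    entry = {"ts": time.time() if now is None else now, "client": client,
             "qname": qname, "qtype": qtype}
    if policy["log"] == "full":
        entry["raw"] = packet.hex()
    LOG.append(entry)

    question = packet[12:qend]  # echo the question section unchanged
    if policy["answer"] is None:
        # QR=1 RD=1 RA=1 RCODE=3 (NXDOMAIN): not a name we sink.
        return struct.pack("!6H", txid, 0x8183, 1, 0, 0, 0) + question
    if qclass != 1 or qtype not in (1, 255):
        # Sunk name but not an A/ANY query: NOERROR with no answer (NODATA).
        return struct.pack("!6H", txid, 0x8580, 1, 0, 0, 0) + question
    # QR=1 AA=1 RD=1 RA=1 RCODE=0, one answer: an A record for the sinkhole.
    header = struct.pack("!6H", txid, 0x8580, 1, 1, 0, 0)
    # 0xC00C is a compression pointer to the name at offset 12; the TTL is kept
    # short so clients re-resolve promptly once the sinkhole is retired.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4) + socket.inet_aton(policy["answer"])
    return header + question + rr


def build_query(txid, name, qtype=1):
    """Construct the query a bot would send (constructed test input)."""
    out = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00" + struct.pack("!HH", qtype, 1)


def summarize(response):
    """Decode the response fields an operator (or a test) cares about."""
    txid, flags, _qd, ancount = struct.unpack("!4H", response[:8])
    addr = socket.inet_ntoa(response[-4:]) if ancount else None
    return {"txid": txid, "rcode": flags & 0xF, "answer": addr}


def serve(bind_addr="0.0.0.0", port=53):
    """Blocking UDP loop: how the DNS emulation would run inside a sinkhole."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, port))
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(build_response(data, peer[0]), peer)
        except ValueError:
            pass  # malformed query: drop it rather than crash the sinkhole


if __name__ == "__main__":
    q = build_query(0x1234, "C2.Example.COM")
    print(summarize(build_response(q, "192.0.2.7")), LOG[-1])
```

Running the module answers one constructed query and prints the response summary together with the log entry it produced; `serve()` is the same logic bound to UDP/53 for real traffic. The NXDOMAIN default matters in practice: a sinkhole that resolves every name it is asked becomes an open resolver for the very hosts it is trying to contain.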

HoneySink can be downloaded from here: http://redmine.honeynet.org/projects/sinkhole

Project Plan:
24. May - 13. June:
- overall scoping of the solution.
- configuration framework design/coding.
14. June - 04. July:
- dns emulation/logging framework
05. July - 15. July:
- IRC emulation/logging
16. July - 30. July:
- HTTP/FTP emulation/logging
31. July - 07. August:
- troubleshooting/testing.
- bug fixes
08. August - 22. August:
- documentation

Updates:

Week 1, May 23-30 2010

Last week was spent getting most of the core done, including the autotools build system.
I am also looking into p0f support, so it can gather information on connecting clients such as operating system and version.
Next week starts the logging support and the actual protocol emulations.

Week 2, May 31-Jun 6

The logging system is done with MySQL support; currently working on normal flat-file and possibly syslog logging.
p0f works.
IRC protocol emulation is done

Week 3, Jun 7 - 13

Logging system should be all done.
HTTP protocol emulation is mostly done.

Week 4, Jun 14-20

All of the core systems are done now.
HTTP protocol emulation is finished.
FTP is mostly done.

Week 5, Jun 20-27

FTP is done.

Week 6, Jun 28-Jul 4

DNS support has been started.

Week 7, Jul 5-11

DNS finished, ready for Alpha release.

Week 8, Jul 12-18

Alpha release released!

Week 9, Jul 31-Aug 6

Added mqueue logging support.