honeyTARG Chapter Status Report For 2011/2012

ORGANIZATION

Current chapter members and their activities:

  • Cristine Hoepers, PhD, Chapter Lead
  • Klaus Steding-Jessen, PhD, Development of Data Capture and Collection Tools
  • Marcelo H. P. C. Chaves, MsC, Development of Data Collection and Visualization Tools
  • Dorgival Olavo Guedes Neto, PhD, Spam Data Mining Research
  • Wagner Meira Jr., PhD, Spam Data Mining Research

Changes in the structure of your chapter:

The Chapter was created in September 2011, although most of its members have worked with honeypots since 2001 and were part of another chapter in the past.

DEPLOYMENTS

RESEARCH AND DEVELOPMENT

In the Distributed Honeypots Project we developed some tools to emulate the SIP protocol. Regarding data analysis, instead of focusing on the scanning/reconnaissance aspects, we focused only on the characteristics of the INVITE messages. Together with a CERT.br staff member we worked on the analysis of all call attempts. The analysis of data collected between September 2011 and September 2012 will be published next December in the Usenix ;login: Magazine.

In the SpamPots Project we finished the restructuring of our data capture and collection infrastructures. This also led the graduate students working on spam analysis to change some data analysis systems to accommodate bigger data volumes. Also, we have deployed two new sensors in cooperation with the UK Chapter.

FINDINGS

The two most attacked services in our network of 50 honeypots are SSH and SIP.

Regarding abuse of the Internet infrastructure to send spam, we continuously see the abuse of SOCKS proxies, a behavior that hasn't changed since we started the project in 2006.

PAPERS, PRESENTATIONS AND COMMUNITY ENGAGEMENTS

Presentations:

Use of Honeypots for Network Monitoring and Situational Awareness
Buenos Aires 2012 FIRST Technical Colloquium, August 2012, Buenos Aires, Argentina

honeyTARG Chapter Activities
2012 Honeynet Project Security Workshop, March 2012, SF Bay Area, US

Article accepted for publication:

Anatomy of SIP Attacks
João Ceron, Klaus Steding-Jessen, Cristine Hoepers
To be published at the December 2012 Usenix ;login: Magazine

Use of our data by the security community:

  • data feeds provided to National CERTs about attacks coming from their respective constituencies;
  • public statistics provided about attack trends;
  • some data feeds provided to organizations such as ShadowServer, Arbor Atlas and Team Cymru, so that they can be used by a broader community to detect infected/compromised systems.

GOALS

Past year: review our infrastructure and organize our Projects in our new Chapter.

Next year: focus more on data analysis and visualization of attacks and trends.
