Individual Lab - Distributed Honeypot

Overview

In this lab, you will implement a distributed honeypot. A good amount of the work has already been completed for you, but you will be required to write a userspace application that will read from a kernel module and record the statistics, and have those statistics sent to a central server. We've given you four folders; agg, hp-user, hp-mod, and pkt_gen. The code you need to implement will go in hp-user.

This is a distributed honeypot, which means that you will be expected to run a packet generator that sends packets against a set of predefined IPs that will be running the kernel module. The first thing you'll want to do is make the packet generator and kernel module. The packet generator can be found in the folder called pkt_gen, and the kernel module can be found in hp-mod. There is a config file in pkt_gen, called gen.config, which contains a line-separated list of IPs to send packets to. During testing, you'll need to edit these lines to be the IPs that you want the packet generator to send packets to.

The honeypot works as follows:

• The packet generator sends packets to the kernel module on a host
• The kernel module stores this as a struct hp_pkt (defined in hp_ioctl.h) to be read later
• The honeypi_read program will read this kernel module to get struct hp_pkt in userspace
• The program will process the read hp_pkt
• Occasionally, the program will send these statistics to the aggregation server (agg_server.py)

You'll need to focus on the last three bullet points. In particular, honeypi_read needs to open the device file for the kernel module, call read on it, and process the data.

All of your code will go in honeypi_read. Read through the comments first to figure out what everything should be doing, and only start implementing once you're sure that you have a pretty good grasp of how the honeypot works.

We have written a kernel module that captures incoming packets and extracts certain information from them, notably the source and destination ports, the source and destination IP addresses, the protocol, packet's djb2 hash, and and an updated number of dropped packets. You can see the structure of a packet summary in hp-ioctl.h.

You will be storing the following statistics:

• The number of packets recieved from certain spammer addresses
• The number of packets sent to certain vulnerable ports
• The number of packets with one of the known "evil" hashes, marking them as dangerous
• The number of packets that have been dropped by the kernel
• The number of packets received by protocol
• The total number of packets recieved
• The total number of bytes received
• The average data rate

In addition to data packets, your honeypot will occassionally recieve command packets, telling it to update its internal data structures in the specified manner. The description of each command is as follows:

• HONEYPOT_ADD_SPAMMER: start tracking the specified spammer address
• HONEYPOT_DEL_SPAMMER: stop tracking the specified spammer address
• HONEYPOT_ADD_VULNERABLE: start tracking the specified vulnerable port
• HONEYPOT_DEL_VULNERABLE: stop tracking the specified vulnerable port
• HONEYPOT_ADD_EVIL: start tracking the specified evil hash
• HONEYPOT_DEL_EVIL: stop tracking the specified evil hash
• HONEYPOT_PRINT: print the current statistics stored and send them to the aggregator

You can figure out whether a packet is a command packet or a data packet by checking whether the cmd field of the hp_pkt is zero. Command packets have their own struct also defined in hp-ioctl.h. honeypi_read can determine what server to send its statistics to via the honeypi.config file in hp-user. Keep in mind that honeypi_read always keeps track of the protocol of each packet, and will never delete that information.

The packet generator only sends command packets to a single host, but those command packets should be broadcasted over the network to all other machines running honeypi_read. You can do this by changing the command packet type to have _BE at the end (i.e. HONEYPOT_ADD_SPAMMER_BE) before broadcasting the packet.

agg_server.py expects the following:

• You must send "CLEAR_STATISTICS\n" when honeypi_read is first started to tell the aggregator that it shouldn't used any cached statistics from this host.
• You must send one of "Spammers:\n", "Protocols:\n", "Evil:\n", or "Ports:\n" before sending information about the applicable statistic.
• Each line after one of the above will be followed by "key:count\n", where key is the key for the statistic (so, the source IP, port, protocol, etc), and count is the number of times your program has seen that key.

What to submit

Submit your well-commented honeypi_read.c, net.c file and your honeypi_read binary.

Overview of source files

All of the source files for the kernel module and packet generator are available in the course directory in the CSUG Lab. The top level directory contains the source code and a Makefile for compiling it. You should copy the files to your own directory to work on them:

 $ cp -r /courses/cs3410/lab_honeypot ~/lab_honeypot
 $ cd ~/lab4

If you will be using the VM instead of CSUG then follow the instructions here.

The hp-mod subdirectory contains the kernel module, and a Makefile for compiling it. An example honeypi_read program is in hp-user. It includes the code that reads from the kernel module (but nothing else)

The most relevant files for you are:

• hp_ioctl.h Contains the structs and constants associated with the command packets.
• hp-user/net.c You write this file. It should contain all of your implementation that pertains to the network.
• hp-user/honeypi_read.c This compiles into a executable. When this is correct is should send all the statistics about the packets the kernel module has received

Compiling the Code

cd to the skeleton code directory

$ make

On a different machine (or window)

cd agg && ./agg_server.py

On yet another machine/window

cd pkt_gen && ./pkt_gen [mpbs]

Where mpbs is the desired megabits per second you want to send to each host. Don't forget to edit gen.config!

To install the kernel module :

cd hp-mod

sudo insmod honeypi.ko

ifconfig eth0 promisc

Note that eth0 might need to be swapped with whatever your main network interface is called. You can list your network interfaces by typing `ifconfig -a`, and whatever interface has your main network IP is the one you want to swap out eth0 for.

You need to find out what the major number of the module is, this can be done by running

cat /proc/devices

and finding the entry for honeypi

Once you have the major number. Run:

mknod /dev/honeypi c "major number"

This creates the device file that you'll open in honeypi_read.

To run the local honeypot:

cd hp-user

sudo ./honeypi_read

Help

There are many resources available to help you with Linux network programming.

• Beej's Network Programming Guide