honeypots can also be categorized based on the level of involvement allowed between the intruder and the system. These categories are: low-interaction, medium-interaction and high-interaction. What you want to do with your honeypot will determine the level of interaction that is right for you.

2.2.1. Low-interaction Honeypots
A low-interaction honeypot simulates only services that cannot be exploited to gain total access to the honeypot [5]. On a low-interaction honeypot, there is no operating system for the attacker to interact with [2] (pp. 19). They can be compared to passive IDS since they do not modify network traffic in any way, and do not interact with the attacker. Although this minimizes the risk associated with honeypots, it also makes low-interaction honeypots very limited. However, they can still be used to analyze spammers and can also be used as active countermeasures against worms [5]. Low-interaction honeypots are easy to deploy and maintain. An example of a commercial low-interaction honeypot is honeyd. Honeyd is a licensed daemon that is able to simulate large network structures on a single network host [3, 13]. Honeyd works by imitating computers on the unused IP addresses of a network, and provides the attacker with only a façade to attack. Another example of a low-interaction honeypot is Specter, which is developed and sold by NetSec. Specter has functionality like an enterprise version of BOF and only affects the application layer.

2.2.2. Medium-interaction Honeypots
Medium-interaction honeypots are slightly more sophisticated than low-interaction honeypots, but less sophisticated than high-interaction honeypots [8]. Like low-interaction honeypots they do not have an operating system installed, but the simulated services are technically more complicated. Although the probability of the attacker finding a security vulnerability increases, it is still unlikely that the system will be compromised [2] (pp. 20). Medium-interaction honeypots provide the attacker with a better illusion of an operating system since there is more for the attacker to interact with. More complex attacks can therefore be logged and analyzed. Some examples of medium-interaction honeypots include mwcollect, nepenthes and honeytrap. Mwcollect and nepenthes can be used to collect autonomously spreading malware. These daemons can log automated attacks, and extract information on how to obtain the malware binaries so that they can automatically download the malware. Honeytrap dynamically creates port listeners based on TCP connection attempts extracted from a network interface stream, which allows the handling of some unknown attacks.

2.2.3. High-interaction Honeypots
These are the most advanced honeypots. They are the most complex and time-consuming to design, and involve the highest amount of risk because they involve an actual operating system [2] (pp. 20 – 21). The goal of a high-interaction honeypot is to provide the attacker with a real operating system to interact with, where nothing is simulated or restricted [8]. The possibilities for collecting large amounts of information are therefore greater with this type of honeypot, as all actions can be logged and analyzed. Because the attacker has more resources at his disposal, a high-interaction honeypot should be constantly monitored to ensure that it does not become a danger or a security hole [2]. A honeynet is an example of a high-interaction honeypot, and it is typically used for research purposes.

2.3. Free and commercial honeypot solutions

2.3.1. Nepenthes Honeypot
Nepenthes Honeypot is developed by SPARSA for its ongoing viral research project. It is freely available for download and use as a VM from http://www.sparsa.org/node/23

2.3.1.1. Features
Nepenthes Ampullaria acts like a honeypot to feign vulnerability to, and download, viruses/worms/intrusions into hexdumps which can be reversed. A collection of 30,000 attacks is growing each day the nepenthes computer is online, gathering data to submit to anti-virus companies about what is in the wild. Currently SPARSA operates a centralized Nepenthes server out of their office in RIT's CIMS building. A Virtual Machine running Nepenthes is available there for download and use by the public. VMware Player, VMware Server, or VMware Workstation is needed in order to run these Virtual Machines. VMware Player and VMware Server are free to all. RIT also has a site license for VMware Workstation you may inquire about. The Virtual Machines are to be used either on their own unprotected box serving VMware images, or placed on the DMZ of a firewalled environment. This gives the best opportunity to catch attacks and exploits in the wild. It is SPARSA's goal to set up a centralized submission and analysis cluster with help from folks like you. All VMs submit to the SPARSA server where results will be analyzed and submitted to major AV companies and the Norman Sandbox. A copy is also kept for the local user to tinker with. Using this tactic the Security Practices and Research Student Association hopes to analyze viruses and malware in the wild by allowing everyone to participate in collection and analysis. Future versions will pare down the known malware on the VM clients so that submission to the server is only of unknown malware.

2.3.2. BackOfficer Friendly
A free win32-based honeypot solution by NFR Security (a separate Unix port is available but has restricted functionality). It is able to emulate single services such as telnet, ftp and smtp, and to log connection attempts in a rudimentary way.

2.3.3. Deception Toolkit (DTK)
A free and programmable solution intended to make it appear to attackers as if the system running DTK has a large number of widely known vulnerabilities (http://www.all.net/dtk/dtk.html).

2.3.4. HOACD
This is a ready-to-run honeyd+OpenBSD+arpd on a bootable CD (http://www.honeynet.org.br/tools).

2.3.5. Honeyd
In Honeyd, they expect adversaries to interact with honeypots only at the network level. Instead of simulating
30 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 8, August 2010
3. System Architecture
Here the traffic enters the network through the Linux firewall. All of the traffic then goes through the honeywall. From there, the honeywall redirects the traffic from each section to each honeywall. This is done since there can be a tremendous number of connections arriving at the web server. Some of these may be attacks and some may be normal ones. The redirected traffic which reaches the honeywall is examined separately, and for connections found to be malicious the source IP address is sent to the firewall, by which the rules stored in the firewall can be updated. The outer firewall is initially set up on a Red Hat Linux machine, and its iptables rules are updated via network messages. Some groups of honeypots were created inside a single machine using virtualisation techniques. Software such as Sun VirtualBox and VMware was used for this purpose so that it was not required to buy a large number of high-end systems for implementing this setup, and thereby cost was reduced to a great extent.

4. Implementation

[Figure 6 (labels recovered from the diagram): Internet; Honeywall; Honeypot, No Restrictions; Honeypot, Connections Limited, Packet Scrubbed]
Figure 6. Communication Architecture

[Figure 7 (labels recovered from the diagram): IPTABLES FIREWALL with INPUT, FORWARD and OUTPUT chains]
Figure 7. Implemented Routing of packets

We are using two types of attack detection techniques: one is threshold-based classification and the other is protocol-based classification. The first mainly monitors the traffic and checks whether it exceeds the defined threshold for a particular source IP address. The occurrence of each source IP in a flow is determined, and the total number of unique destinations and unique ports accessed by that IP is determined. The ratio of the number of destination IPs to the number of destination ports is then computed (the IP/Port ratio). This IP/Port ratio is compared with the threshold value, and if the value is far greater than or far less than the threshold value then the source IP is tagged as suspicious. The same process is then repeated over multiple time intervals, and if the same source IP shows similar behaviour it is confirmed as a suspicious IP. The IP address is then added to iptables on the Linux firewall so that further communication from the same IP address is blocked.

In the second module, the monitored traffic is classified based on protocol. Some features have been implemented with the help of honeyd. Here the whole traffic is classified based on protocol and logged for further analysis. Using the dynamically generated signatures, the snort database is updated on a real-time basis.

5. Findings
By implementing this system, we could implement a cost-effective intrusion detection and prevention system. Since the signatures for the snort database are updated on a real-time basis, it also works as a prevention system. Since these VMware virtual machines run on a single piece of hardware, we were able to set up different honeypots with different interaction levels, so that some are good at capturing network attacks and others can be used for preventing the spread of worms in the network.

6. Conclusions and Future Outlook
In this paper we have provided a brief overview of what honeynets are and how they are useful in NIDS and NIPS. We have discussed the different types of honeypots, the honeywall, and how to combine and set up a honeynet. We also looked at factors that should be considered when implementing a honeypot. Here we have used it along with a firewall and an IPS module which updates the rules in the firewall. VMware software, which serves the purpose of a virtual machine, is used so that there is no need to buy machines with a large server configuration. Even a single machine's resources can be shared by many hosts which are used for making honeypots, thereby bringing cost effectiveness.

We are planning to use the honeypots or honeynet for vulnerability analysis in a network to find out both host-based and network-based vulnerabilities. These honeynets could also be used to detect the spread of a worm in a network and prevent it from spreading to the entire network by creating and updating the signatures automatically.

References
[1] I. Mokube, M. Adams, "White paper: Honeypots: Concepts, Approaches, and Challenges," ACMSE 2007, March 23-24, 2007, Winston-Salem, North Carolina, USA.
[2] R. Baumann, C. Plattner, "White Paper: Honeypots," Swiss Federal Institute of Technology, Zurich, 2002.
[3] K. Gubbels, "Hands in the Honeypot," GIAC Security Essentials Certification (GSEC), 2002.
[4] Karthik S, Samudrala B, Yang AT, "Design of Network Security Projects Using Honeypots," Journal of
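The threshold-based classification of Section 4 (IP/Port ratio per source IP, re-checked over several time intervals, then a block rule for the Linux firewall), as an added example that is not code from the paper; the flow records, the threshold of 1.0 and the "far from threshold" factor of 3.0 are constructed assumptions.

```python
"""Threshold-based source-IP classification as described in Section 4 (added example)."""
from collections import defaultdict

# Constructed sample flow records: (interval, src_ip, dst_ip, dst_port)
FLOWS = [
    # interval 0: 10.0.0.5 reaches many hosts on one port (scan-like ratio)
    (0, "10.0.0.5", "192.168.1.10", 445), (0, "10.0.0.5", "192.168.1.11", 445),
    (0, "10.0.0.5", "192.168.1.12", 445), (0, "10.0.0.5", "192.168.1.13", 445),
    (0, "10.0.0.5", "192.168.1.14", 445), (0, "10.0.0.5", "192.168.1.15", 445),
    # interval 0: 10.0.0.9 talks to one web server on two ports (benign ratio)
    (0, "10.0.0.9", "192.168.1.80", 80), (0, "10.0.0.9", "192.168.1.80", 443),
    # interval 1: the same pattern repeats for 10.0.0.5; 10.0.0.9 stays benign
    (1, "10.0.0.5", "192.168.1.20", 445), (1, "10.0.0.5", "192.168.1.21", 445),
    (1, "10.0.0.5", "192.168.1.22", 445), (1, "10.0.0.5", "192.168.1.23", 445),
    (1, "10.0.0.5", "192.168.1.24", 445), (1, "10.0.0.5", "192.168.1.25", 445),
    (1, "10.0.0.9", "192.168.1.80", 80),
]

def ip_port_ratios(flows, interval):
    """Per source IP: unique destination IPs / unique destination ports in one interval."""
    dsts, ports = defaultdict(set), defaultdict(set)
    for t, src, dst, port in flows:
        if t == interval:
            dsts[src].add(dst)
            ports[src].add(port)
    return {src: len(dsts[src]) / len(ports[src]) for src in dsts}

def suspicious_in_interval(flows, interval, threshold, factor):
    """Tag a source when its ratio is far above or far below the threshold (factor is an assumption)."""
    return {src for src, r in ip_port_ratios(flows, interval).items()
            if r > threshold * factor or r < threshold / factor}

def confirm_suspicious(flows, intervals, threshold=1.0, factor=3.0):
    """Confirm only sources tagged in every observed interval (repeated behaviour)."""
    tagged = [suspicious_in_interval(flows, t, threshold, factor) for t in intervals]
    return set.intersection(*tagged) if tagged else set()

def block_rules(ips):
    """Firewall rules the architecture pushes to the Linux firewall (returned as text, not executed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(ips)]

if __name__ == "__main__":
    confirmed = confirm_suspicious(FLOWS, intervals=[0, 1])
    print(confirmed)                       # {'10.0.0.5'}
    print("\n".join(block_rules(confirmed)))
```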
Authors Profile