(IJCNS) International Journal of Computer and Network Security, 27

Vol. 2, No. 8, August 2010

Low Budget Honeynet Creation and Implementation

for Nids and Nips
Aathira K. S1, Hiran V. Nath2, Thulasi N. Kutty3, Gireesh Kumar T4
1
TIFAC CORE in Cyber Security Centre,
Amrita Vishwa Vidyapeetham, Coimbatore, India
aathiramanikutty@gmail.com
2
TIFAC CORE in Cyber Security Centre,
Amrita Vishwa Vidyapeetham, Coimbatore, India
hiranvnath@gmail.com
3
TIFAC CORE in Cyber Security Centre,
Amrita Vishwa Vidyapeetham, Coimbatore, India
thulasi.nk@gmail.com
4
TIFAC CORE in Cyber Security Centre,
Amrita Vishwa Vidyapeetham, Coimbatore, India
gireeshkumart@gmail.com

set up for the purpose of monitoring and logging activities

Abstract: This paper describes Honeynet, a system for
automated generation of attack signatures for network intrusion
detection and prevention systems. A honeypot is a security
resource whose value lies in being probed, attacked or
compromised. We examine different kinds of honeypots,
honeypot concepts, and approaches to their implementation.
Our system applies pattern detection techniques and protocol
based classification on the traffic captured on a honeypot
system. Softwares like Sun virtual box-VMware were used for
this purpose so that it was not required to buy large number of
high end systems for implementing this setup and thereby cost
was reduced in a great extend. While running Honeynet on a
WAN environment, the system successfully created precise
traffic signatures and updates the firewall that otherwise would
have required the skills and time of a security officer.
Keywords: IDS, IPS, Honeypot, Honeynet, Snort.
1. Introduction
A honeypot is tough to define because it is a new and
changing technology, and it can be involved in different
aspects of security such as prevention, detection, and
information gathering. It is unique in that it is more general
technology, not a solution, and does not solve a specific
security problem. Instead, a honeypot is a highly flexible
tool with applications in such areas as network forensics,
vulnerability analysis and intrusion detection. A honeypot is
a security resource, whose value lies in being probed,
attacked, or compromised. Currently, the creation of NIDS
signatures is a tedious manual process that requires detailed
knowledge of the traffic characteristics of any phenomenon
that is supposed to be detected by a new signature.
Simplistic signatures tend to generate large numbers of false
positives; overly specific ones cause false negatives. To
address these issues, we present Honeynet, a system that
generates signatures for malicious network traffic
automatically. Our system applies pattern detection
techniques and protocol based classification on the traffic
captured on honeypots. Honeypots are computer resources
of entities that probe, attack or compromise them.
Honeypots are closely monitored network decoys serving
several purposes. They can distract attackers from more
valuable machines on a network; they can provide early
warning about new attack and exploitation trends; and they
allow in-depth examination of adversaries during and after
exploitation of a honeypot. Honeypots are a technology
whose value depends on the "bad guys" interacting with it.
All honeypots work on the same concept: nobody should be
using or interacting with them, therefore any transactions or
interactions with a honeypot are, by definition,
unauthorized. “Honeynet” is a term that is frequently used
where honeypots are concerned. A honeynet is simply a
network that contains many honeypots and the traffic to
each honeypots is controlled using honeywall. More
precisely, it is a high-interaction honeypot that is designed
to capture extensive information on threats and provides real
systems, applications, and services for attackers to interact
with.
Redhat Linux machine is used for routing packets between
honeypots and actual servers. It is really expensive to buy an
actual router. A firewall had been built to filter packets in
the gateway using Linux machine so that its rules could be
updated and its not required to buy more number of
firewalls. VMware software which serves the purpose of
virtual machine is used so that there is no need to buy large
server configuration machines. Even a single machine
resource can be shared by many hosts which are used for
making honeypots.
This paper is organized as follows: In Section 2 we examine
different types of honeypots and honeywall. In Section 3 we
provide an overview of the system architecture. Section 4
presents implementation part. Section 5 shows our findings.
We then conclude and provide our opinion on the future of
honeypots in section 6.
28
Figure 1. Honeypot Setup using Virtualization
2. Types of Honeypots
Honeypots can be classified based on their purpose
(production, research) and level of interaction (low,
medium, and high). We examine each type in more detail
below.
2.1. Purpose of Honeypots
2.1.1. Research Honeypot
A research honeypot is designed to gain information about
the blackhat community and does not add any direct value to
an organization [4]. They are used to gather intelligence on
the general threats organizations may face, allowing the
organization to better protect against those threats. Its
primary function is to study the way in which the attackers
progress and establish their lines of attack, it helps
understand their motives, behavior and organization
Research honeypots are complex to both deploy and
maintain and capture extensive amounts of data. They can
be very time extensive. Very little is contributed by a
research honeypot to the direct security of an organization,
although the lessons learned from one can be applied to
improve attack prevention, detection, or response. They are
typically used by organizations such as universities,
governments, the military or large corporations interested in
learning more about threats research. Research honeypots
add tremendous value to research by providing a platform to
study cyberthreats. Attackers can be watched in action and
recorded step by step as they attack and compromise the
system. This intelligence gathering is one of the most
unique and exciting characteristics of honeypots [7]. It is
also a beneficial tool in aiding in the development of
analysis and forensic skills. Sometimes they can even be
instrumental in discovering new worms.
Figure 2. Honeypots in a production environment
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 8, August 2010
2.1.2. Production Honeypot
A production honeypot is what most people think of when
discussing honeypots. A production honeypot is one used
within an organization’s environment to protect the
organization and help mitigate risk [4]. It has value because
it provides immediate security to a site’s production
resources. Since they require less functionality then a
research honeypot, they are typically easier to build and
deploy. Although they identify attack patterns, they give less
information about the attackers than research honeypots.
You may learn from which system attackers are coming
from and what exploits are being launched, but may be not
who they are, how they are organized, or what tools they are
using. Production honeypots tend to mirror the production
network of the company (or specific services), inviting
attackers to interact with them in order to expose current
vulnerabilities of the network. Uncovering these
vulnerabilities and alerting administrators of attacks can
provide early warning of attacks and help reduce the risk of
intrusion [3]. The data provided by the honeypot can be used
to build better defenses and counter measures against future
threats.
It should be pointed out that as a prevention mechanism,
production honeypots have minimal value. Best practices
should be implemented involving the use of Firewalls,
IDS’s, and the locking down and patching of systems. The
most common attacks are done using scripts and automated
tools. Honeypots may not work well against these since
these attacks focus on many targets of opportunity, not a
single system. Their main benefit is in the area of detection.
Due to its simplicity it addresses the challenges of IDS’s –
there are minimal false positives and false negatives. There
are several situations where an IDS may not issue an alert:
the attack is too recent for your vendor, the rule matching it
caused too many false positives or it’s seeing too much
traffic and is dropping packets. False Positives occur when
an untuned IDS alerts way too much on normal network
traffic. These alerts soon get ignored or the rules triggering
them are modified, but then real attacks may be missed. In
addition, there is a serious problem with the volume of data
to analyze with IDS’s. They can’t cope with the network
traffic on a large system. Honeypots address these
challenges because since honeypots have no production
activity, all the traffic sent to a honeypot is almost certainly
unauthorized – meaning no false positives, false negatives
or large data sets to analyze. Also, once an attack has been
detected the machine can be pulled offline and thorough
forensics performed something that is often difficult if not
impossible with a production system. In general,
commercial organizations derive the most direct benefit
from production honeypots. These categorizations of
honeypots are simply a guideline to identify their purpose,
the distinction is not absolute. Sometimes the same
honeypot may be either a production or research honeypot.
It is not as much how it is built but how it is used [6].
2.2. Level of Interaction
In addition to being either production or research honeypots,
 (IJCNS) International Journal of Computer and Network Security, 29
honeypots can also be categorized based on the level of
involvement allowed between the intruder and the system.
These categories are: low-interaction, medium-interaction
and high interaction. What you want to do with your
honeypot will determine the level of interaction that is right
for you.
2.2.1. Low-interaction Honeypots
A low-interaction honeypot simulates only services that
cannot be exploited to gain total access to the honeypot [5].
On a lowinteraction honeypot, there is no operating system
for the attacker to interact with [2] (pp. 19). They can be
compared to passive IDS since they do not modify network
traffic in any way, and do not interact with the attacker.
Although this minimizes the risk associated with honeypots,
it also makes low interaction honeypots very limited.
However, they can still be used to analyze spammers and
can also be uses as active countermeasures against worms
[5]. Low-interaction honeypots are easy to deploy and
maintain. An example of a commercial low-interaction
honeypot is honeyd. Honeyd is a licensed daemon that is
able to simulate large network structures on a single
network host [3, 13]. Honeyd works by imitating computers
on the unused IP address of a network, and provides the
attacker with only a façade to attack. Another example of a
low-interaction honeypot is Specter, which is developed and
sold by NetSec. Specter has functionality like an enterprise
version of BOF and only affects the application layer.
2.2.2. Medium-Interaction Honeypots
Medium-interaction honeypots are slightly more
sophisticated than low interaction honeypots, but less
sophisticated than high interaction honeypots [8]. Like low-
interaction honeypots they do not have an operating system
installed, but the simulated services are more complicated
technically. Although the probability that the attacker
finding a security vulnerability increases, it is still unlikely
that the system will be compromised [2] (pp. 20). Medium-
interaction honeypots provide the attacker with a better
illusion of an operating system since there is more for the
attacker to interact with. More complex attacks can
therefore be logged and analyzed. Some examples of
medium-interaction honeypots include mwcollect, nepenthes
and honeytrap. Mwcollect and nepenthes can be used to
collect autonomously spreading malware. These daemons
can log automated attacks, and extract information on how
to obtain the malware binaries so that they can automatically
download the malware. Honeytrap dynamically creates port
listeners based on TCP connection attempts extracted from a
network interface stream, which allows the handling of
some unknown attacks.
2.2.3. High-interaction honeypots
These are the most advanced honeypots. They are the most
complex and time-consuming to design, and involve the
highest amount of risk because they involve an actual
operating system [2] (pp. 20 – 21). The goal of a high-
interaction honeypot is to provide the attacker with a real
operating system to interact with, where nothing is
simulated or restricted [8]. The possibilities for collecting
large amounts of information are therefore greater with this
Vol. 2, No. 8, August 2010
type of honeypot, as all actions can be logged and analyzed.
Because the attacker has more resources at his disposal, a
high interaction honeypot should be constantly monitored to
ensure that it does not become a danger or a security hole
[2]. A honeynet is an example of a high-interaction
honeypot, and it is typically used for research purposes.
2.3. Free and commercial honeypot solutions
2.3.1 Nepenthes Honeypot
Nepenthes Honeypot is developed by SPARSA's for its
ongoing viral research project. It is freely available for
download and use as VM from
http://www.sparsa.org/node/23
2.3.1.1. Features
Nepenthes Ampullaria acts like a honeypot to feign
vulnerability to, and download viruses / worms /Intrusions
into hexdumps which can be reversed. A collection of
30,000 attacks is growing each day the nepenthes computer
is online, gathering data to submit to anti-virus companies
about what is in the wild. Currently SPARSA operates a
centralized Nepenthes server out of their office in RIT's
CIMS building. A Virtual Machine running Nepenthes is
available here for download and use by public. We need
VMware Player, VMware Server, or VMware workstation in
order to run these Virtual Machines. VMware Player and
VMware Server are free to all. RIT also has a site license for
VMware workstation you may inquire about. The Virtual
Machines are to be used either on their own unprotected box
serving VMware images, or placed on the DMZ of a
firewalled environment. This gives the best opportunity to
catch attack and exploits in the wild. It is SPARSA's goal to
set up a centralized submission and analysis cluster with
help from folks like you. All VMs submit to the SPARSA
server where results will be analyzed and submitted to major
AV companies and the Norman Sandbox. A copy is also
kept for the local user to tinker with. Using this tactic the
Security Practices and Research Student Association hopes
to analyze viruses and malware in the wild by allowing
everyone to participate in collection and analysis. Future
versions will pare down the known malware on the vm-
clients so submission to the server is only unknown
malware.
2.3.2. BackOfficer Friendly:
A free win32 based honeypot solution by NFR Security (a
separate Unix port is available but has restricted
functionality). It is able to emulate single services such as
telnet, ftp, smtp and to rudimentary
log connection attempts.
2.3.3. Deception toolkit (DTK):
A free and programmable solution intending to make it
appear to attackers as if the system running DTK has a large
number of widely known vulnerabilities
(http://www.all.net/dtk/dtk.html).
2.3.4. HOACD:
This is a ready-to-run honeyd+OpenBSD+arpd on a
bootable CD (http://www.honeynet.org.br/tools)
2.3.5. Honeyd
In Honeyd, They expect adversaries to interact with
honeypots only at the network level. Instead of simulating
30
every aspect of an operating system, they decided to
simulate only its network stack. The main drawback of this
approach is that an adversary never gains access to a
complete system even if he compromises a simulated
service. On the other hand, we are still able to capture
connection and compromise attempts. For that reason,
Honeyd is a low-interaction virtual honeypot that simulates
TCP and UDP services. Honeyd must be able to handle
virtual honeypots on multiple IP addresses simultaneously.
This allows us to populate the network with a number of
virtual honeypots that can simulate different operating
systems and services. Furthermore, Honeyd must be able to
simulate different network topologies.
Figure 3. Honeyd receives traffic for its virtual honeypots
via a router or Proxy ARP. For each honeypot, Honeyd can
simulate the network stack behavior of a different operating
system.
2.3.5.1. Architecture
When the Honeyd daemon receives a packet for one of the
virtual honeypots, it is processed by a central packet
dispatcher. The dispatcher checks the length of the IP
packet and verifies its checksum. The daemon knows only
three protocols: ICMP, TCP and UDP Packets for other
protocols are discarded.
Figure 4. Overview of Honeyd’s architecture.
Incoming packets are dispatched to the
correct protocol handler. For TCP and UDP, the
configuredservices receive new data and send responses if
necessary.All outgoing packets are modified by the
personality engine to mimic the behavior of the configured
(IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 8, August 2010
network stack.
2.3.6. HYW – Honeyweb
An in-depth simulation of an IIS 6.0 webserver that enables
you to use your web content (perfect choice for capturing
worms).
2.3.7. Mantrap / Decoy Server (commercial)
Symantec Decoy Server sensors deliver holistic detection
and response as well as provide detailed information
through its system of data collection modules.
2.3.8. Specter
SPECTER offers common Internet services such as SMTP,
FTP, POP3, HTTP and TELNET. They appear to be normal
to the attackers but are in fact traps for them to mess around
and leave traces without even knowing they are connected to
a decoy system. It does none of the things it appears to but
instead logs everything and notifies the appropriate people.
2.4. Installing your own honeypot
Depending on the type of technology used there are different
things to consider when installing and deploying a
honeypot.
2.4.1. Low-interaction honeypot:
Make sure an attacker can’t access the underlying operating
system (especially when using plugins). If possible make use
of the honeypot’s features to emulate a more realistic
environment (e.g. traffic shaping).Make sure to use the
latest versions available.
2.4.2. Medium-interaction honeypot:
Make sure an attacker can’t escape the jailed environment.
Be aware of SUID or SGID files.
2.4.3. High-interaction honeypot:
Use advanced network techniques to control the honeypot
(e.g. firewalls, intrusion detection systems) and make sure it
can’t be used to harm third parties (e.g. legal issues of an
open relay). If possible, poison the honeypot. Use software
that actually has vulnerabilities or your honeypot might
never be exploited successfully. Use tripwire or AIDE to get
a snapshot of the system.
2.5. Virtual Honeywall
It's implemented in a virtual machine which has 3 network
cards. One is for the connection to the firewall, the second
to the internal network and the third is for remote
management of the honeywall itself.
2.6. Honeynet
A honeynet is made by networking these honeypots
(explained above) and the traffic to each honeypots will be
controlled with help of honeywall.
3. System Architecture
Figure 5. Small Model of our Architecture

Here the traffic will be entering the Network through the
Linux firewall. Then all the traffic will be going through the
honeywall. From there, honeywall will redirect the traffic
from each section to each honeywall. This is done since
there can be tremendous connections which comes to the
web server. Some of these may be an attack and some may
be normal ones. Here the redirected traffic which reaches
the honeywall will be examined separately and those found
to be malicious would be spotted, their source IP address is
send to the firewall by which the rules stored in the firewall
can be updated. The outer firewall will be initially setup in a
Redhat Linux machine, by updating its IPTables via
network messages. Some groups of Honeypots were created
inside a single machine using virtualisation techniques.
Softwares like Sun virtual box-VMWare were used for this
purpose so that it was not required to buy large number of
high end systems for implementing this setup and thereby
cost was reduced in a great extend.
4. Implementation
NoRestrictions
Internet
Honeywall
Connections Limited Packet Scrubbed
Figure 6. Communication Architecture
FORWARD
CHAIN
INPUT OUTPUT
CHAIN CHAIN
IPTABLES FIREWALL
Figure 7. Implemented Routing of packets
We are using two types of attack detection techniques – one
is Threshold based classification and another one is protocol
based classification. The first one mainly monitors the
traffic and if the traffic exceeds the defined threshold for a
particular Source IP address. The occurrence of each source
IP in a flow is determined and the total number of unique
destinations and unique ports accessed by the IP is
determined. The ratio of the number of destination IPs to the
number of destination ports is determined (IP/Port ratio).
This IP/Port ratio is compared with the threshold value and
if the value is far greater than or far less than the threshold
(IJCNS) International Journal of Computer and Network Security, 31
Vol. 2, No. 8, August 2010
value then the source IP is tagged as a suspicious. The same
process above is then done in multiple time intervals and if
the same source IP shows a similar behaviour, it will be
confirmed as a suspicious IP. The IP address would be
updated in the iptables in the Linux firewall so that further
communication from the same IP Address would be blocked.
In the second module, the monitored traffic is classified
based on protocol. Some features have been done with help
of honeyd. Here the whole traffic would be classified based
on protocols and will be logged for further analysis. Here
using the dynamically generated signatures, the snort
database is updated in a real-time basis.
5. Findings
By implementing this system, we could implement a cost
effective Intrusion detection and prevention system. Here,
since the signatures for snort database is updated in a real
time basis, it would also work as a prevention system. Since
these VMware’s are running on a single hardware, we were
able to setup different honeypots with different interaction.
So that some would be good in capturing network attacks
and some others could be used for preventing the spread of
worms in the network.
Honeypot
6. Conclusions and Future Outlook
In this paper we have provided a brief overview of what
honeynet are, and they are useful in NIDS and NIPS. We
have discussed the different types of honeypots, honeywall
Honeypot
and how to combine and set up a honeynet. We also looked
at factors that should be considered when implementing a
honeypot. Here we have used it along with a firewall and an
IPS module which updates the rules in firewall. VMware
software which serves the purpose of virtual machine is used
so that there is no need to buy large server configuration
machines. Even a single machine resource can be shared by
many hosts which are used for making honeypots thereby
bringing out cost effectiveness.
We are planning to use the honeypots or honeynet for
vulnerability analysis in a network to find out both host
based vulnerability and network based vulnerability. Also
these honeynets could be used to find out the spread of
worm in a network and prevent it from spreading to the
entire network by creating and updating the signature
automatically.
References
[1] I. Mokube, M. Adams. “White paper: Honeypots:
Concepts, Approaches, and Challenges,” ACMSE 2007,
March 23-24, 2007,Winston-Salem, North Carolina,
USA
[2] R. Baumann, C. Plattner, “White Paper: Honeypots,
Swiss,” Federal Institute of Technology, Zurich, 2002.
[3] K. Gubbels “Hands in the Honeypot,” GIAC Security
Essentials Certification (GSEC), 2002.
[4] Karthik S, Samudrala B, Yang AT. “Design of Network
Security Projects Using Honeypots,” Journal of
32 (IJCNS) International Journal of Computer and Network Security,
Vol. 2, No. 8, August 2010

Computing Sciences in Colleges, 20(4), pp. 282-293.

2005
[5] N. Provos, “Honeypot Background, ”
http://www.honeyd.org/background.php.
[6] L. Spitzner, “Honeypots: Tracking Hackers,” Addison-
Wesley Pearson Education, Boston, MA, 2002.
[7] L. Spitzner, “The Value of Honeypots, Part One:
Definitions and Values of Honeypots,” Security Focus,
2001.
[8] Jr, Sutton, R.E. DTEC 6873 “Section 01: How to Build
and Use a Honeypot.”.

Authors Profile

Aathira K S received B.Tech in

Computer Science and Engineering from
Kerala University. Currently pursuing
M.Tech. in Cyber Security from Amrita
School of Engineering Coimbatore. Her
research interests are Intrusion Detection
and Prevention Systems, Malware
detection.

Hiran V Nath received B.Tech in

Information Technology from Kerala
University. During 2007-2009, he worked in
VSSC/ISRO, Govt of India, on contract
basis through Hi-Rel Fabs, Trivandrum.
Currently pursuing M.Tech. in Cyber
Security from Amrita School of Engineering
Coimbatore. His research interests are
Intrusion Detection and Prevention Systems,
Malware detection.

Thulasi N. Kutty received B.Tech in

Computer Science and Engineering from
Kerala University. Currently pursuing
M.Tech. in Cyber Security from Amrita
School of Engineering Coimbatore. Her
research interests are Intrusion Detection
and Prevention Systems, Malware
detection.

Gireesh Kumar T received B.Tech degree

in Mechanical Engineering from
N.S.S.college, Palghat,Kerala in 1998 .He
attained his MTech degree in Computer and
Information Science from Cochin University
of Science and Technology, Cochin, Kerala
in 2002. He is currently pursuing PhD.in
Artificial Intelligence at Anna University,
Chennai. He was Senior Lecturer with
Department of Computer Science and
Engineering at VLB Janakiammal College of Engineering,
Coimbatore, Tamilnadu from 2004 to 2008.He is now an Assistant
Professor (Sr.Grade) with Centre for Cyber at Amrita Vishwa
Vidyapeetham, Ettimadai, Tamilnadu. His research interests are in
the field of artificial Intelligence, Machine. Learning and
Algorithms. He has about 20 publications to his credit.