HONEYPOTS Pres
1. Introduction
1.1 Background
1.2 Relation to Information Security
1.3 Honeypot Basics
We have to make sure that the likelihood of any individual intelligence probe encountering a real vulnerability is low. Increasing the total size of the space to be searched by the attacker, and making the vulnerabilities small within that space, can achieve this.

The time needed to defeat a deception should be as high as possible, which requires that the deceptions are realistic and that defeating one deception does not reveal any additional paths.

There are several ways to set up a honeypot. It can be placed in front of a firewall, in the DMZ, or behind a firewall. It is best to deploy the honeypot closer to the server, as it is more tempting for the attacker.

Another way to deploy a honeypot would be to place it in between servers, but this method is not very effective. It would only prove useful mostly against sweep scans.
2.4 Sample Honeynet Deployment
We will now try to deploy a sample honeynet. For this we will use a Linux box, a daemon called Honeyd, and Arpd.

Honeyd is a daemon that works under UNIX systems and creates virtual hosts on the network. Virtual networks require less hardware and thus cost much less. A single host can maintain up to 65535 virtual hosts. All hosts can be individually configured so that the requested services show as running.

We will also use Arpd, which is a daemon that listens to ARP requests and answers for IP addresses that are unallocated. Using Arpd in conjunction with Honeyd, it is possible to populate the unallocated address space in a production network with virtual honeypots.

After installing both daemons on a valid Linux machine (IP 155.246.23.69), we run Arpd to force unused IPs to resolve to the MAC address of the machine the daemon is on.
Using the configuration file for Honeyd, three virtual machines are created (237, 238 and 239), which appear to run different operating systems: they were configured as AmigaOS, DEC OpenVMS and MS NT 4.0 respectively. (Machines are referred to by their last octets.) After setup, fingerprinting and scans were run from an MS Windows 2000 operating system.

Sample Configuration File Used For Honeyd

[root@twister Honeyd]# more config
# Amiga Box
create amigabox
set amigabox personality "AmigaOS Miami 3.0"
add amigabox tcp port 80 "sh scripts/web.sh"
add amigabox tcp port 23 proxy 155.246.23.238:23
set amigabox default tcp action reset
bind 155.246.23.237 amigabox
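As an added example (not code from the presentation or from the Honeyd project), the following parser reads the subset of Honeyd directives used in the configuration above and derives what a scanner fingerprinting each bound IP should observe: the advertised OS personality, the ports that answer, which of them are proxied elsewhere, and how unlisted ports respond. It also lists proxy targets that are not bound to a template in the same file, since those relay attacker traffic to a host the configuration does not describe. The SAMPLE_CONFIG string is constructed from the amigabox template shown above.

```python
import shlex
# Constructed input in the Honeyd syntax shown on the page (the amigabox template only).
SAMPLE_CONFIG = """\
# Amiga Box
create amigabox
set amigabox personality "AmigaOS Miami 3.0"
add amigabox tcp port 80 "sh scripts/web.sh"
add amigabox tcp port 23 proxy 155.246.23.238:23
set amigabox default tcp action reset
bind 155.246.23.237 amigabox
"""

def parse_honeyd(text):
    """Parse create/set/add/bind directives into templates and IP bindings."""
    templates, bindings = {}, {}
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)  # quoted script commands stay one token
        if not tok:
            continue
        if tok[0] == "create":
            templates[tok[1]] = {"personality": None, "default_tcp": None, "ports": {}}
        elif tok[0] == "set" and tok[2] == "personality":
            templates[tok[1]]["personality"] = tok[3]
        elif tok[0] == "set" and tok[2:5] == ["default", "tcp", "action"]:
            templates[tok[1]]["default_tcp"] = tok[5]
        elif tok[0] == "add" and tok[2:4] == ["tcp", "port"]:
            kind, detail = ("proxy", tok[6]) if tok[5] == "proxy" else ("script", tok[5])
            templates[tok[1]]["ports"][int(tok[4])] = (kind, detail)
        elif tok[0] == "bind":
            bindings[tok[1]] = tok[2]
        else:
            raise ValueError(f"unsupported directive: {raw!r}")
    return templates, bindings

def scan_view(text):
    """Per bound IP: OS personality, answering ports, proxied ports, default action."""
    templates, bindings = parse_honeyd(text)
    view = {}
    for ip, name in bindings.items():
        t = templates[name]
        view[ip] = {"os": t["personality"], "open": sorted(t["ports"]),
                    "proxied_to": {p: d for p, (k, d) in t["ports"].items() if k == "proxy"},
                    "other_ports": t["default_tcp"]}
    return view

def unbound_proxy_targets(text):
    """Proxy target IPs that no template in this file is bound to: review before deploying."""
    templates, bindings = parse_honeyd(text)
    return sorted({d.rsplit(":", 1)[0] for t in templates.values()
                   for k, d in t["ports"].values() if k == "proxy"} - set(bindings))
```

Running scan_view on the sample shows 155.246.23.237 presenting as "AmigaOS Miami 3.0" with ports 23 and 80 answering, port 23 relayed to 155.246.23.238:23, and every other TCP port replying with a reset.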
Figure 1: Scan results for 155.246.23.237
Figure 2: Scan results for 155.246.23.238
Figure 3
3. Conclusion and Future Work
It can be seen that honeypots that are configured correctly can increase our chances of securing our production servers, as well as of gathering information about the black hat community.

Once again, the deceptive network, whether virtual or not, should try to reflect a real network in all aspects.

Building extensive virtual honeynets is not as easy as it seems, and requires extensive planning and deployment.

Since all traffic through the honeypot is considered suspicious, activity should be logged and reviewed.

Legal concerns should also be addressed. Information obtained through honeypots might or might not be usable in court, depending on other laws. This is why honeypots and honeynets should not be advertised. The legal perspective of the issue should be discussed and clarified.