OUTLINE

1. Introduction

1.1 Background
1.2 Relation to Information Security
1.3 Honeypot Basics

Deception Techniques, Methods, 2. Deceptive Networks, Honeypots and Honeynets

Honeypots, Honeynets and Usage 2.1 Honeypot/Deception Objectives
2.2 Honeypot/Deception Design Goals
2.3 Honeypot/Deception Deployment
CMPT 495 2.4 Sample Honeypot Deployment

Ilker Tanli 3. Conclusion and Future Work

Turgut Kolcalar

PART I 1.1 Background

Deception is an important tool and technique for

success when efficiently used in all kinds of
Introduction warfare.
It is the art of making the enemy believe in what
we want to believe.
1.1 Background
Deception can be seen used even by animals
1.2 Relation to Information Security like octopus that change colors to look like a
1.3 Honeypot Basics rock when scared.
It wasn’t until early 1990s when deception was
thought to be used in IT for defensive purposes.
 1.1 Background
Example of these types of defense are:
Noise Injection
False Information Feeding
Spread Spectrums Traps
Steganography
1.2 Relation to Information Security
Deception has several other advantages:
It increases the attackers workload because the
attacker cannot tell which of the attack attempts
work and which fail.
It exhausts attacker resources, increases the
sophistication for an attack.
1.2 Relation to Information Security
Honeynets are networks consisting of
honeypots. Honeypots are eventually
monitored resources of which its value lies
in being attacked, compromised or probed,
that rely on deception heavily.
In any kind of warfare, having the most
information about the enemy or attacker
increases the chance of being successful.
This tends to give the defender an early
warning of new attacks.
1.3 Honeypot Basics
There are two types of honeypots,
research and production. Research
honeypots require a lot of work, but in
return keystrokes, tools, conversations,
and methods can be learned.
On the other hand production honeypots
are more similar to IDS’s where they
identify hostile activity, generate alerts and
capture minimum amount of data.
 PART II
2. Deceptive Networks, Honeypots and Honeynets
2.1 Honeypot/Deception Objectives
2.2 Honeypot/Deception Design Goals
2.3 Honeypot/Deception Deployment
2.4 Sample Honeypot Deployment
2.2 Honeypot/Deception Design
Goals
We have to make sure that the likelihood of any
individual intelligence probe encountering a real
vulnerability low. Increasing the total size of the
space to be searched by the attacker, and
making the vulnerabilities small in that space
can do this.
Time to defeat a deception should be as high as
possible, which requires the deceptions are
realistic and defeating a deception does not
reveal any additional paths.
2.1 Honeypot/Deception Objectives
Honeypots collect little data of high value.
All traffic that leaves and enters the
honeypot is suspect by nature and should
be analyzed.
The honeypot systems should appear as
generic as possible.
One detail that needs to be looked into is
to make sure that the attacker should not
be able to use the honeypot as a lunch
point for further attacks.
2.3 Honeypot/Deception Deployment
There are several ways to set up a
honeypot. It can be set in front of a
firewall, in the DMZ or behind a firewall.
It is best to deploy the honeypot closer to
the server, as it is more tempting for the
attacker.
Another way to deploy a honeypot would
be to place it in between servers, but this
method is not very effective. It would only
prove use mostly against sweep scans.
 2.4 Sample Honeynet Deployment
We will now try to deploy a sample honeynet.
For this we will use a Linux box, a daemon
called Honeyd, and Arpd.
Honeyd is a daemon that works under UNIX
systems that creates virtual hosts on the
network.
Virtual networks require less hardware and thus
cost much less. A single host can maintain up to
65535 hosts.
All hosts can be individually configured for
requested services to show as running.
2.4 Sample Honeynet Deployment
Using the configuration file for Honeyd
three virtual machines are created
(237,238 and 239), of which seem to have
different operating systems of which were
configured as AmigaOS, DEC OpenVMS
and MS NT 4.0 respectively. (Machines
are referred with their last octets.)
After set up, fingerprinting and scans were
run from a MS Windows 2000 operating
system.
2.4 Sample Honeynet Deployment
We will also use Arpd, which is a daemon that
listens to ARP requests and answers for IP
addresses that are unallocated.
Using Arpd in conjunction with Honeyd, it is
possible to populate the unallocated address
space in a production network with virtual
honeypots.
After installing both daemons on a valid Linux
machine (IP 155.246.23.69), we run Arpd to
force unused IP’s to resolve to the MAC that the
daemon is on.
Sample Honeyd Configuration File
Sample Configureation File Used For Honeyd
[root@twister Honeyd]# more config
# Amiga Box
create amigabox
set amigabox personality "AmigaOS Miami 3.0"
add amigabox tcp port 80 "sh scripts/web.sh"
add amigabox tcp port 23 proxy155.246.23.238:23
set amigabox default tcp action reset
bind 155.246.23.237 amigabox
Scan Results for 155.246.23.237 Scan Results for 155.246.23.238

Figure 1 Figure 2

Scan Results for 155.246.23.239 PART III

3. Conclusion and Future Work

Figure 3
 3. Conclusion and Future Work
It can be seen that honeypots that are
configured correctly can increase our chances to
secure our production servers, as well as
maintain information about the black hat
community.
Once again, the deceptive network whether
virtual or not should try to reflect a real network
in all aspects.
Building extensive virtual honeynets are not as
easy as they seem, and require extensive
planning and deployment.
3. Conclusion and Future Work
Since all traffic through the honeypot is
considered suspicious, activity should be logged
and viewed.
Legal concerns should also be addressed.
Information obtained through honeypots might or
might not be able to be used in court, due to
other laws.
This is why honeypots and honeynets should not
be advertised. Legal perspective of the issue
should be discussed and clarified.