
Honey Pots Seminar Report'11

INTRODUCTION

A honey pot is an Internet-attached server that acts as a decoy, luring in potential attackers
in order to study their activities and observe how they break into a system. Honey pots are
designed to mimic systems that an intruder would like to break into, while limiting the
intruder's access to the rest of the network. If a honey pot is successful, the intruder has no
idea that he is being tricked and monitored. Most honey pots are installed inside firewalls so
that they can be better controlled, though it is possible to install them outside a firewall.
A firewall in front of a honey pot works in the opposite way to a normal firewall: instead of
restricting what comes into a system from the Internet, the honey pot firewall allows all
traffic in from the Internet and restricts what the system sends back out. By luring an
attacker into a system, a honey pot serves several purposes:

- The administrator can watch the attacker exploit the vulnerabilities of the system,
  thereby learning where the system has weaknesses that need to be redesigned.
- The attacker can be caught and stopped while trying to obtain root access to the
  system.
- By studying the activities of attackers, designers can build systems that are more
  resistant to future attacks.

Over the last few years, network-based intrusions have increased sharply with the popularity
of scripted or automated attack tools. This increase in intrusions has rekindled interest in
honey pot systems, which can be used to trap and decode the attack methods used by the black
hat community.

School Of Information Science And technology 1



DEFINITION OF HONEY POTS

Honey pots are an exciting technology with enormous potential for the security community.
The first step to understanding honey pots is defining what a honey pot is. Unlike firewalls
or Intrusion Detection Systems, honey pots do not solve a specific problem. Instead, they are
a highly flexible tool that comes in many shapes and sizes. It is also this flexibility that
can make them challenging to define and understand. A honey pot can be defined as:

    A honey pot is an information system resource whose value lies in
    unauthorized or illicit use of that resource.

This is a general definition covering all the different forms of honey pots. This report
discusses different examples of honey pots and their value to security. All of them fall
under the definition above: their value lies in the bad guys interacting with them.
Conceptually, almost all honey pots work the same way. They are a resource that has no
authorized activity and no production value. In theory a honey pot should see no traffic at
all, because it has no legitimate activity. This means any interaction with a honey pot is
most likely unauthorized or malicious: any connection attempt to a honey pot is most likely a
probe, attack, or compromise. Honey pots are a highly flexible security tool with different
applications. They do not fix a single problem; instead they have multiple uses, such as
prevention, detection, or information gathering. All honey pots share the same concept: a
security resource that should not have any production or authorized activity. In other words,
deploying honey pots in a network should not affect critical network services and
applications. A honey pot is a security resource whose value lies in being probed, attacked,
or compromised.


There are two general types of honey pots: production and research.

Production honey pots are easy to use, capture only limited information, and are used
primarily by companies or corporations. Research honey pots are complex to deploy and
maintain, capture extensive information, and are used primarily by research, military, or
government organizations.

One example of a honey pot is a system that simulates one or more network services on ports
you designate on your computer. An attacker assumes you are running vulnerable services that
can be used to break into the machine. This kind of honey pot can log access attempts to
those ports, including the attacker's keystrokes, which can give you advance warning of a
more concerted attack.

Types of honey pots

Honey pots come in many shapes and sizes. To help us better understand honey pots and
all the different types, we break them down into two general categories:

1. Low-interaction honey pots
2. High-interaction honey pots


Low-interaction honey pots

These categories help us understand what type of honey pot we are dealing with, and its
strengths and weaknesses. Interaction defines the level of activity a honey pot allows an
attacker. Low-interaction honey pots have limited interaction; they normally work by
emulating services and operating systems. Attacker activity is limited to the level of
emulation provided by the honey pot. These honey pots tend to be easier to deploy and
maintain, with minimal risk. Usually deployment involves installing software, selecting the
operating systems and services we want to emulate and monitor, and letting the honey pot go
from there. This plug-and-play approach makes deploying them very easy for most
organizations. The emulated services also mitigate risk by containing the attacker's
activity: the attacker never has access to a real operating system from which to attack or
harm others. The main disadvantages of low-interaction honey pots are that they log only
limited information and are designed to capture known activity. The emulated services can
only do so much. It is also easier for an attacker to detect a low-interaction honey pot: no
matter how good the emulation is, a skilled attacker can eventually detect its presence, for
example by issuing a command the emulation does not implement and getting an unrealistic
reply. Examples of low-interaction honey pots include Specter, Honeyd, and KFSensor.

Honeyd: Low-interaction honey pot

Honeyd is a low-interaction honey pot. Developed by Niels Provos, Honeyd is Open Source
and designed to run primarily on UNIX systems (though it has been ported to Windows).
Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection
attempt to an unused IP, it intercepts the connection and then interacts with the attacker,
pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP
or TCP port.


In addition, you can configure emulated services to monitor specific ports, such as an
emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated
service, not only does the honey pot detect and log the activity, but it captures all of the
attacker's interaction with the emulated service. In the case of the emulated FTP server, we
can potentially capture the attacker's login and password, the commands they issue, and
perhaps even learn what they are looking for or their identity. It all depends on the level of
emulation by the honey pot. Most emulated services work the same way. They expect a
specific type of behavior, and then are programmed to react in a predetermined way. If
attack A does this, then react this way. If attack B does this, then respond this way. The
limitation is if the attacker does something that the emulation does not expect, then it does
not know how to respond. Most low-interaction honey pots, including Honeyd, simply
generate an error message.
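
The scripted behaviour described above is easy to see in code. The following is an added example written for this report, not Honeyd's own code or one of its service scripts: a small FTP emulator that answers the handful of commands it knows, logs the credentials and file names the attacker supplies, and returns a canned 500 error for anything outside its script. The banner text, the peer address and the session lines are assumptions constructed for illustration.

```python
# Added example (not Honeyd's code): a scripted FTP responder in the
# low-interaction style. It answers the commands it knows, logs what the
# client sends (credentials and the files it asks for), and returns a
# canned error for anything the emulation does not expect.

BANNER = "220 ftp.example.net FTP server ready."  # assumed banner text


class EmulatedFtp:
    """Scripted FTP responder for one client session (low-interaction)."""

    def __init__(self, peer):
        self.peer = peer          # attacker address, recorded with the log
        self.user = None
        self.logged_in = False
        self.events = []          # (kind, detail) tuples: the honey pot's log

    def log(self, kind, detail):
        self.events.append((kind, detail))

    def handle(self, line):
        """Return the server reply for one client command line."""
        self.log("cmd", line)
        parts = line.strip().split(" ", 1)
        verb = parts[0].upper()
        arg = parts[1] if len(parts) > 1 else ""

        if verb == "USER":
            self.user = arg
            return "331 Password required for %s." % arg
        if verb == "PASS":
            if self.user is None:
                return "503 Login with USER first."
            # Record the credential pair, then let the attacker "in":
            # nothing real is behind this, so the only thing we give
            # away is the chance to see what they go looking for.
            self.log("credentials", (self.user, arg))
            self.logged_in = True
            return "230 User %s logged in." % self.user
        if verb == "QUIT":
            return "221 Goodbye."
        if not self.logged_in:
            return "530 Please login with USER and PASS."
        if verb == "SYST":
            return "215 UNIX Type: L8"
        if verb == "PWD":
            return '257 "/" is current directory.'
        if verb in ("CWD", "RETR", "STOR", "LIST", "NLST", "DELE"):
            # The file names the attacker asks for are the valuable part.
            self.log("target", (verb, arg))
            return "550 %s: No such file or directory." % (arg or ".")
        # Outside the script: the emulation does not know what to do,
        # so, like most low-interaction honey pots, it returns an error.
        self.log("unexpected", line)
        return "500 '%s': command not understood." % parts[0]


def run_session(peer, lines):
    """Feed a list of client lines through the emulator.

    Returns (transcript, events); transcript is a list of ("S"|"C", text)
    pairs in wire order, events is the honey pot's log for the session."""
    svc = EmulatedFtp(peer)
    transcript = [("S", BANNER)]
    for line in lines:
        transcript.append(("C", line))
        reply = svc.handle(line)
        transcript.append(("S", reply))
        if reply.startswith("221"):
            break
    return transcript, svc.events


if __name__ == "__main__":
    # Constructed session standing in for an attacker's interaction.
    session = ["USER anonymous", "PASS probe@", "SYST",
               "RETR /etc/passwd", "SITE EXEC id", "QUIT"]
    transcript, events = run_session("203.0.113.9", session)
    for who, text in transcript:
        print(who, text)
    for kind, detail in events:
        print("LOG", kind, detail)
```

Run it to see the transcript. Note that the attacker gets the same 500 reply for SITE EXEC as for any typo; that uniform, scripted response is exactly the tell a skilled attacker uses to fingerprint a low-interaction honey pot.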

High-interaction honey pots

High-interaction honey pots are different; they are usually complex solutions, as they
involve real operating systems and applications. Nothing is emulated; we give attackers the
real thing. If you want a Linux honey pot running an FTP server, you build a real Linux
system running a real FTP server. The advantages of such a solution are twofold. First, you
can capture extensive amounts of information. Second, high-interaction honey pots make no
assumptions about how an attacker will behave. Instead, they provide an open environment
that captures all activity. This allows high-interaction solutions to learn behavior we would
not expect. An excellent example of this is how a Honeynet). However, this also increases
the risk of the honey pot, as attackers can use the real operating system to attack
non-honey pot systems. As a result, additional technologies have to be implemented that
prevent the attacker from harming other, non-honey pot systems. In general, high-interaction
honey pots can do everything low-interaction honey pots can do and much more. However, they
can be more complex to deploy and maintain. Examples of high-interaction honey pots include
Honeynets.


Honeynets: High-interaction honey pot

Honeynets are a prime example of high-interaction honey pots. Honeynets are not a product;
they are not a software solution that you install on a computer. Instead, Honeynets are an
architecture, an entire network of computers designed to be attacked. The idea is to have an
architecture that creates a highly controlled network, one where all activity is controlled
and captured. Within this network we place our intended victims, real computers running
real applications. The bad guys find, attack, and break into these systems on their own
initiative. When they do, they do not realize they are within a Honeynet. All of their
activity, from encrypted SSH sessions to emails and file uploads, is captured without their
knowledge. This is done by inserting kernel modules on the victim systems that capture the
attacker's actions at the point where they are still in plaintext. At the same time, the
Honeynet controls the attacker's activity using a Honeywall gateway. This gateway allows
inbound traffic to the victim systems, but controls the outbound traffic using intrusion
prevention technologies (for example, capping the number of outbound connections a victim
may open and dropping known attack packets). This gives the attacker the flexibility to
interact with the victim systems, but prevents the attacker from harming other, non-Honeynet
computers. An example of such a deployment can be seen in Figure 1.


Figure 1: How Honeynets are connected to the main server


Value of Honey pots


Now that we have an understanding of the two general categories of honey pots, we can focus
on their value, specifically how we can use them. Once again we have two general categories:
honey pots can be used for production purposes or for research. When used for production
purposes, honey pots are protecting an organization. This includes preventing, detecting, or
helping organizations respond to an attack. When used for research purposes, honey pots are
being used to collect information. This information has different value to different
organizations. Some may want to study trends in attacker activity, while others are
interested in early warning and prediction, or law enforcement. In general, low-interaction
honey pots are often used for production purposes, while high-interaction honey pots are
used for research purposes. However, either type of honey pot can be used for either purpose.
When used for production purposes, honey pots can protect organizations in one of three
ways: prevention, detection, and response. We will take a more in-depth look at how a honey
pot can work in all three.

Now that we have discussed the different types of honey pots and their value, let's discuss
some examples. The more a honey pot can do, and the more an attacker can do to a honey pot,
the more information can be derived from it. By the same token, the more an attacker can do
to the honey pot, the more potential damage an attacker can do. For example, a
low-interaction honey pot would be one that is easy to install and simply emulates a few
services. Attackers can merely scan, and potentially connect to, several ports. Here the
information is limited (mainly who connected to which ports, and when), but there is little
that the attacker can exploit. At the other extreme are high-interaction honey pots. These
are actual systems. We can learn far more, as there is an actual operating system for the
attacker to compromise and interact with; however there is also a far greater level of risk,
because the attacker has an actual operating system to work with. Neither solution is a
better honey pot. It all depends on what you are attempting to achieve. Remember, honey pots
are not a solution. Instead, they are a tool. Their value depends on what your goal is, from
early warning and detection to research. Based on level of interaction, let's compare some
possible honey pot solutions.

For this report we will discuss three more honey pots: Specter, homemade honey pots, and
Mantrap (Honeyd and Honeynets were covered above). There are a variety of other possible
honey pots; however this selection covers a range of options. This paper is not meant to be a
comprehensive review of these products; I only highlight some of their features. Instead, I
hope to cover the different types of honey pots, how they work, and demonstrate the value
they add and the risks involved. If you wish to learn more about the capabilities of these
solutions, I highly recommend you try them out on your own in a controlled lab environment.

Specter
Specter is a commercial 'low interaction' production honey pot. It can emulate a far greater
range of services and functionality than a simple port listener. In addition, it can emulate
not only services but a variety of operating systems. It is easy to implement and low risk.
Specter works by installing on a Windows system. The risk is reduced because there is no real
operating system for the attacker to interact with. For example, Specter can emulate a web
server or telnet server of the operating system of our choice. When an attacker connects, he
is presented with an HTTP header or login banner.


The attacker can then attempt to retrieve web pages or log in to the system. This activity is
captured and recorded by Specter; however there is little else the attacker can do. There is
no real application for the attacker to interact with, just some limited, emulated
functionality. Specter's value lies in detection. It can quickly and easily determine who is
looking for what. As a honey pot, it reduces both false positives and false negatives,
simplifying the detection process. Specter also supports a variety of alerting and logging
mechanisms. One of the unique features of Specter is that it also allows for information
gathering, the automated ability to gather more information about the attacker. Some of
this information gathering is relatively passive, such as DNS lookups. However, some of it
is active, such as port scanning the attacker. While this intelligence functionality may be
of value, many times you do not want the attacker to know he is being watched, and scanning
a third party's machine may itself be unwelcome or unlawful. Be careful when implementing
any active, automated responses to the attacker.

Homemade Honey pots

Another common honey pot is homemade. These honey pots tend to be low interaction. Their
purpose is usually to capture specific activity, such as worms or scanning activity. They can
be used as production or research honey pots, depending on their purpose. Once again, there
is not much for the attacker to interact with, but the risk is reduced because there is less
damage the attacker can do. One common example is creating a service that listens on port 80
(HTTP) and captures all traffic to and from the port. This is commonly done to capture worm
attacks. One such implementation would be using netcat, as follows:
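
As an added example (not the netcat command from the original report, and not any product's code), the following Python listener does the same job as a netcat capture on port 80 but also records who connected, when, and what they sent, and flags a few request strings associated with old HTTP worms. It binds to a port of the OS's choosing on 127.0.0.1 so that it can be exercised locally; a deployment would bind port 80 on an otherwise unused address. The addresses, the probe request and the worm hints are constructed for illustration.

```python
# Added example (not from the report): a homemade low-interaction honey
# pot in the spirit of the netcat-on-port-80 trick. It listens on a TCP
# port, records whatever the client sends (and who sent it), returns a
# harmless empty HTTP reply, and never interprets or executes anything.
import datetime
import socket
import threading

# Request substrings associated with old HTTP worms (Code Red probed
# /default.ida; Nimda looked for cmd.exe / root.exe via traversal).
# Treat this as an illustration, not a detection signature set.
WORM_HINTS = (b"/default.ida", b"cmd.exe", b"root.exe", b"..%c1%1c..")


def record_from(data, addr):
    """Build one log record for a captured request."""
    first_line = data.split(b"\r\n", 1)[0].decode("latin-1", "replace")
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "src": addr[0],
        "sport": addr[1],
        "bytes": len(data),
        "request_line": first_line,
        "suspicious": any(h in data for h in WORM_HINTS),
        "raw": data,                # everything, kept for later analysis
    }


def handle_client(conn, addr, records, max_bytes=4096, timeout=2.0):
    """Read up to max_bytes (or until end of HTTP headers), log, reply."""
    conn.settimeout(timeout)
    data = b""
    try:
        while len(data) < max_bytes:
            chunk = conn.recv(1024)
            if not chunk:
                break
            data += chunk
            if b"\r\n\r\n" in data:   # end of request headers
                break
    except socket.timeout:
        pass                       # keep whatever arrived before the timeout
    records.append(record_from(data, addr))
    try:
        conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n")
    except OSError:
        pass
    finally:
        conn.close()


def start_honeypot(host="127.0.0.1", port=0, records=None):
    """Start the listener in a background thread.

    Returns (server_socket, bound_port, records); close the socket to
    stop. port=0 lets the OS pick a free port, handy for local testing;
    a real deployment would bind the service port (e.g. 80)."""
    records = [] if records is None else records
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, addr = srv.accept()
            except OSError:        # server socket closed: shut down
                return
            threading.Thread(target=handle_client,
                             args=(conn, addr, records), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1], records


def probe(port, payload, host="127.0.0.1"):
    """Stand-in for a scanner or worm: send payload, return the reply."""
    with socket.create_connection((host, port), timeout=5) as c:
        c.sendall(payload)
        return c.recv(1024)


if __name__ == "__main__":
    srv, port, records = start_honeypot()
    # Constructed request resembling a Code Red probe.
    probe(port, b"GET /default.ida?XXXXXXXX HTTP/1.0\r\nHost: x\r\n\r\n")
    srv.close()
    for r in records:
        print(r["time"], r["src"], r["request_line"],
              "suspicious=%s" % r["suspicious"])
```

The listener never parses the request beyond splitting off the first line, so there is nothing for the attacker to exploit; the whole session is stored as bytes. If you run it on a real interface, cap the number of stored records or rotate them to a file so a flood cannot exhaust memory.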


Homemade honey pots can be modified to do (and emulate) much more, requiring a higher level
of involvement and incurring a higher level of risk. For example, FreeBSD has a jail facility
that allows an administrator to create a controlled environment within the operating system.
The attacker can then interact with this controlled environment. The value here is that the
more the attacker can do, the more can potentially be learned. However, care must be taken:
the more functionality the attacker can interact with, the more can go wrong, and the honey
pot itself may be compromised and turned against others.

Mantrap
Mantrap is a commercial honey pot. Instead of emulating services, Mantrap creates up to four
sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems
separated from a master operating system. This makes the honey pot far more flexible, as it
can do much more. The attacker has a full operating system to interact with, and a variety of
applications to attack. All of this activity is captured and recorded. Not only can we detect
port scans and telnet logins, but we can capture rootkits, application-level attacks, IRC
chat sessions, and a variety of other threats. However, just as far more can be learned, so
can more go wrong. Once compromised, the attacker can use that fully functional operating
system to attack others. Care must be taken to mitigate this risk. As such, I would
categorize this as a mid-to-high level of interaction. These honey pots can be used either as
a production honey pot (for both detection and reaction) or as a research honey pot to learn
more about threats. There are limitations to this solution. The biggest one is that you are
limited to what the vendor supplies you. Currently, Mantrap exists only on the Solaris
operating system.


How honey pots work

Following Lance Spitzner's definition, the security value of a honey pot lies in three
areas:

1. Prevention
2. Detection
3. Reaction

PREVENTION
Honey pots add little value to prevention; they will not help keep the bad guys out. What
keeps the bad guys out are best practices, such as disabling unneeded or insecure services
and using strong authentication mechanisms. It is best practices and procedures such as
these that keep the bad guys out. A honey pot, a system meant to be compromised, will not. In
fact, if incorrectly implemented, a honey pot may make it easier for an attacker to get in.
Some individuals have discussed the value of deception as a method to deter attackers. The
concept is to have attackers spend time and resources attacking honey pots instead of
production systems. The attacker is deceived into attacking the honey pot, protecting
production resources from attack. While this may prevent some attacks on production systems,
most organizations are much better off spending their limited time and resources on securing
their systems rather than on deception. Deception may contribute to prevention, but an
organization will most likely get greater prevention by putting the same time and effort
into security best practices. Also, deception fails against two of the most common attacks
today: automated toolkits and worms. More and more attacks are automated. These automated
tools will probe, attack, and exploit anything they can find vulnerable. Yes, these tools
will attack a honey pot, but they will just as quickly attack every other system in our
organization.


If we have a coffee pot with an IP stack, it will be attacked. Deception will not prevent these
attacks, as there is no consciously acting individual to deceive. Organizations are better off
focusing their resources on security best practices.

DETECTION
While honey pots add little value to prevention, detection is another matter: for many
organizations it is extremely difficult to detect attacks. Often organizations are so
overwhelmed with production activity, such as gigabytes of system logging, that it can be
extremely difficult to detect when a system is attacked, or even when it is successfully
compromised. Intrusion Detection Systems (IDS) are one solution designed for detecting
attacks. However, IDS administrators can be overwhelmed with false positives. False
positives are alerts that were generated when the sensor recognized the configured signature
of an "attack" that was in reality just valid traffic. The problem is that system
administrators may receive so many alerts a day that they cannot respond to all of them.
They also often become conditioned to ignore these false positive alerts as they come in day
after day, much like the story of "the boy who cried wolf". The very IDS sensors that they
depend on to alert them to attacks can become ineffective unless these false positives are
reduced. This does not mean that honey pots never have false positives, only that they have
dramatically fewer than most IDS implementations. Another risk is false negatives, when an
IDS fails to detect a real attack. Many IDS systems, whether they are signature based,
protocol verification, etc., can potentially miss new or unknown attacks. It is likely that a
new attack will go undetected by current IDS methodologies. Also, new IDS evasion methods are
constantly being developed and distributed.


Honey pots address false negatives because they are not easily evaded or defeated by new
exploits. In fact, one of their primary benefits is that they can most likely detect when a
compromise occurs via a new or unknown attack by virtue of system activity, not signatures.
Administrators also do not have to worry about updating a signature database or patching
anomaly detection engines. Honey pots happily capture any attacks thrown their way. As
discussed earlier, though, this only works if the honey pot itself is attacked. Honey pots
can simplify the detection process. Since honey pots have no production activity, all
connections to and from the honey pot are suspect by nature. By definition, any time a
connection is made to your honey pot, it is most likely an unauthorized probe, scan, or
attack. Any time the honey pot initiates a connection, this most likely means the system was
successfully compromised (the few outbound connections a honey pot legitimately needs, such
as DNS, should be known in advance and excluded). This helps reduce both false positives and
false negatives, greatly simplifying the detection process. By no means should honey pots
replace your IDS or be your sole method of detection. However, they can be a powerful tool to
complement your detection capabilities.
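
The detection rule just described, together with the Honeywall-style outbound control from the Honeynet section, reduces to a few lines of triage logic. Below is an added example (not code from the report or from the Honeynet Project) that classifies a constructed connection log against a set of honey pot addresses: inbound flows to a honey pot are probes, flows the honey pot initiates are treated as a compromise, and once a honey pot exceeds a per-window outbound connection limit further flows are marked for blocking. The addresses, the allowed resolver and the log lines are all constructed.

```python
# Added example (not from the report): triage of a connection log
# against a list of honey pot addresses. A honey pot has no production
# role, so inbound connections to it are probes and connections it
# initiates are treated as a sign of compromise. The same loop applies
# a Honeywall-style data-control rule: more than `outbound_limit`
# outbound connections from one honey pot within `window` get blocked.
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOTS = {"192.0.2.10", "192.0.2.11"}   # constructed honey pot addresses

# Outbound flows a honey pot legitimately needs (assumed resolver here);
# anything else it starts is suspect. Keep this list as short as possible.
ALLOWED_OUTBOUND = {("192.0.2.1", 53)}


def parse_line(line):
    """Parse '2011-03-04T10:15:02 TCP 203.0.113.7:51234 -> 192.0.2.10:22'."""
    ts, proto, src, _arrow, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "proto": proto,
            "src": sip, "sport": int(sport), "dst": dip, "dport": int(dport)}


def classify(flow, honeypots=HONEYPOTS):
    src_hp = flow["src"] in honeypots
    dst_hp = flow["dst"] in honeypots
    if dst_hp and not src_hp:
        return "probe"            # someone touched a decoy
    if src_hp and not dst_hp:
        if (flow["dst"], flow["dport"]) in ALLOWED_OUTBOUND:
            return "ignore"       # expected housekeeping traffic
        return "compromise"       # the decoy is initiating connections
    if src_hp and dst_hp:
        return "lateral"          # one decoy attacking another
    return "ignore"               # production traffic, not our concern


def triage(lines, honeypots=HONEYPOTS, outbound_limit=5,
           window=timedelta(hours=1)):
    """Return (alerts, summary).

    alerts: list of (timestamp, kind, action, flow) for non-ignored flows,
    where action is 'alert' or 'block'. summary counts kinds and blocks."""
    alerts = []
    summary = defaultdict(int)
    recent_outbound = defaultdict(list)     # honey pot -> outbound timestamps
    for line in lines:
        flow = parse_line(line)
        kind = classify(flow, honeypots)
        summary[kind] += 1
        if kind == "ignore":
            continue
        action = "alert"
        if kind in ("compromise", "lateral"):
            times = recent_outbound[flow["src"]]
            times.append(flow["ts"])
            # sliding window: drop outbound connections older than `window`
            times[:] = [t for t in times if flow["ts"] - t <= window]
            if len(times) > outbound_limit:
                action = "block"        # data control kicks in
                summary["blocked"] += 1
        alerts.append((flow["ts"], kind, action, flow))
    return alerts, dict(summary)


SAMPLE_LOG = [   # constructed log lines
    "2011-03-04T10:15:02 TCP 203.0.113.7:51234 -> 192.0.2.10:22",
    "2011-03-04T10:15:03 TCP 203.0.113.7:51235 -> 192.0.2.10:80",
    "2011-03-04T10:16:10 TCP 198.51.100.20:40001 -> 192.0.2.50:443",  # production
    "2011-03-04T10:20:00 UDP 192.0.2.10:5353 -> 192.0.2.1:53",        # allowed DNS
    "2011-03-04T10:21:00 TCP 203.0.113.7:51240 -> 192.0.2.11:445",
] + ["2011-03-04T10:3%d:00 TCP 192.0.2.10:4%04d -> 203.0.113.%d:6667"
     % (i, i, 100 + i) for i in range(7)]          # decoy joining IRC servers

if __name__ == "__main__":
    alerts, summary = triage(SAMPLE_LOG)
    for ts, kind, action, flow in alerts:
        print(ts.isoformat(), kind.upper(), action,
              flow["src"], "->", flow["dst"], flow["dport"])
    print(summary)
```

The allow-list of legitimate outbound flows is the part to get right: forget DNS or NTP and the honey pot pages you every hour; allow too much and a compromised honey pot has a free channel out. The limit itself is a trade-off between letting the attacker fetch his toolkit (which we want to capture) and letting him scan the Internet from our address.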

REACTION
Though not commonly considered, honey pots also add value to reaction. Often when a system
within an organization is compromised, so much production activity has occurred after the
fact that the data has become polluted. Incident response teams cannot determine what
happened when users and system activity have polluted the collected data. For example, I
have often come onto sites to assist in incident response, only to discover that hundreds of
users had continued to use the compromised system. Evidence is far more difficult to gather
in such an environment. The second challenge many organizations face after an incident is
that compromised systems frequently cannot be taken off-line. The production services they
offer cannot be eliminated. As such, incident response teams cannot conduct a proper or full
forensic analysis.


Honey pots can add value by reducing or eliminating both problems. They offer a system with
reduced data pollution, and an expendable system that can be taken off-line. For example,
let's say an organization had three web servers, all of which were compromised by an
attacker. However, management has only allowed us to go in and clean up specific holes. As
such, we can never learn in detail what failed, what damage was done, whether the attacker
still has internal access, and whether we were truly successful in the cleanup. However, if
one of those three systems was a honey pot, we would now have a system we could take off-line
and subject to a full forensic analysis. Based on that analysis, we could learn not only how
the bad guy got in, but what he did once he was in there. These lessons could then be applied
to the remaining web servers, allowing us to better identify and recover from the attack.

RESEARCH
As discussed at the beginning, there are two categories of honey pots: production and
research. We have already discussed how production honey pots can add value to an
organization. We will now discuss how research honey pots add value. One of the greatest
challenges the security community faces is lack of information on the enemy. Questions like
who is the threat, why do they attack, how do they attack, what are their tools, and possibly
when will they attack? It is questions like these that the security community often cannot
answer. For centuries military organizations have focused on information gathering to
understand and protect against an enemy. To defend against a threat, you first have to know
about it. However, in the information security world we have little such information. Honey
pots add value in research by giving us a platform to study the threat. What better way to
learn about the bad guys than to watch them in action, recording step by step as they attack
and compromise a system. Of even more value is watching what they do after they compromise a
system, such as communicating with other black hats or uploading a new toolkit. This research
potential is one of the most unique characteristics of honey pots. Also, research honey pots
are excellent tools for capturing automated attacks, such as auto-rooters or worms. Since
these attacks target entire network blocks, research honey pots can quickly capture them for
analysis.

ADVANTAGES OF HONEYPOTS
Honey pots have a number of advantages as a security tool; used alongside IDS and firewalls,
they strengthen an organization's overall security arrangement. Some of the most important
are:

- Small data sets of high value: Honey pots collect small amounts of information. Instead of
  logging a gigabyte of data a day, they may log only a megabyte. Instead of generating
  10,000 alerts a day, they may generate only 10. Remember, honey pots only capture bad
  activity; any interaction with a honey pot is most likely unauthorized or malicious. As
  such, honey pots reduce 'noise' by collecting only small data sets, but information of high
  value, as it comes only from the bad guys. This makes it much easier (and cheaper) to
  analyze the data a honey pot collects and derive value from it.
- New tools and tactics: Honey pots are designed to capture anything thrown at them,
  including tools or tactics never seen before.
- Minimal resources: Honey pots require minimal resources, since they only capture bad
  activity. This means an old Pentium computer with 128 MB of RAM can easily handle an entire
  class B network sitting off an OC-12 link.
- Encryption or IPv6: Unlike most security technologies (such as IDS), honey pots work fine
  in encrypted or IPv6 environments, because they observe the attacker's activity at the
  endpoint rather than on the wire. It does not matter what the bad guys throw at a honey
  pot; the honey pot will detect and capture it.
- Information: Honey pots can collect in-depth information that few, if any, other
  technologies can match.
- Simplicity: Finally, honey pots are conceptually very simple. There are no fancy
  algorithms to develop, state tables to maintain, or signatures to update. The simpler a
  technology, the less likely there will be mistakes or misconfigurations.

DISADVANTAGES OF HONEY POTS

Like any technology, honey pots also have their weaknesses. It is because of this that they
do not replace any current technology, but work with existing technologies.

- Limited view: Honey pots can only track and capture activity that directly interacts with
  them. Honey pots will not capture attacks against other systems, unless the attacker or
  threat interacts with the honey pots as well.
- Risk: All security technologies have risk. Firewalls have the risk of being penetrated,
  encryption has the risk of being broken, IDS sensors have the risk of failing to detect
  attacks. Honey pots are no different; they have risk too. Specifically, honey pots have the
  risk of being taken over by the bad guy and used to harm other systems. This risk varies
  between honey pots. Depending on the type, a honey pot can have no more risk than an IDS
  sensor, while some honey pots have a great deal of risk.


DIFFERENCES BETWEEN HIGH AND LOW INTERACTION HONEY POTS

Honeyd, for example, is straightforward to deploy on a Linux computer. Low-interaction honey
pots have the advantage of being easier to deploy and carrying little risk, as they contain
the activity of the attacker. Once you have had an opportunity to work with low-interaction
solutions, you can take the skills and understanding you have developed and work with
high-interaction solutions. To help you better understand honey pots, below is a chart
summarizing what we just covered.

Low-interaction:
- Solution emulates operating systems and services.
- Easy to install and deploy. Usually requires simply installing and configuring software
  on a computer.
- Minimal risk, as the emulated services control what attackers can and cannot do.
- Captures limited amounts of information, mainly transactional data and some limited
  interaction.

High-interaction:
- No emulation; real operating systems and services are provided.
- Can capture far more information, including new tools, communications, or attacker
  keystrokes.
- Can be complex to install or deploy (commercial versions tend to be much simpler).
- Increased risk, as attackers are provided real operating systems to interact with.


Finally, no paper on honey pots would be complete without a discussion of legal issues.
There are many misconceptions about the legal issues of honey pots. Rather than cover the
legal issues only briefly in this paper, I will be releasing a new paper at the end of May
2003 dedicated to the legal issues of honey pot technologies.

What are the legal issues of honey pots?

As a new technology, people often ask what the legal issues of honey pots are. While honey
pots are not specifically addressed in federal statutes or regulation, the following issues
can be seen as a starting point. For specific information, refer to the paper Honeypots: Are
They Illegal?

- Liability: You can potentially be held liable if your honey pot is used to attack or harm
  other systems or organizations. This risk is greatest with high-interaction honey pots.
- Privacy: Honey pots can capture extensive amounts of information about attackers, such as
  IRC chats or emails, which can potentially violate privacy. This could violate the privacy
  of the attacker or, more likely, of the people he is communicating with. Once again, this
  risk lies primarily with high-interaction honey pots.
- Entrapment: For some odd reason, many people are concerned with the issue of entrapment.
  Entrapment is a legal defense used to avoid a conviction; you cannot be charged with
  entrapment. Most legal experts believe that entrapment is not an issue for honey pots.


CONCLUSION

The purpose of this seminar report is to define what honey pots are and their value to the
security community. We identified two different types of honey pots, low-interaction and
high-interaction. Interaction defines how much activity a honey pot allows an attacker.
These solutions have value for either production or research purposes. Honey pots can be
used for production purposes by preventing, detecting, or responding to attacks. They can
also be used for research, gathering information on threats so we can better understand and
defend against them. If you are interested in learning more about honey pots, you may want
to consider the book, the first and only book dedicated to honey pot technologies.


References

http://www.tracking-hackers.com/papers/honeypots.html
http://www.securityfocus.com/infocus/1757
http://www.securitywizardry.com/honeypots.html
http://en.wikipedia.org/wiki/Honeypot
http://www.honeynet.org/papers/honeynet/
