
DEPARTMENT OF COMPUTER ENGINEERING

CMPE 220 – System Software Design


(Fall 2007)

Special Topic Report


On
Honeypots

Submitted by

ISHLEEN KOUR SUDAN (2350)


PALAK PANDYA (5902)

Submitted to

Prof. Weider Yu
Table of Contents
0 Abstract...................................................................................................................... 1
1 Background................................................................................................................ 2
1.1 Definition........................................................................................................... 2
1.2 History of Honeypots ....................................................................................... 3
1.3 Classification of Honeypots ............................................................................ 4
1.3.1 Based on deployment .............................................................................. 4
1.3.2 Based on level of interaction................................................................. 4
1.3.3 Physical and Virtual Honeypots ............................................................. 5
1.4 Uses of Honeypots............................................................................................ 6
2 Honeypots.................................................................................................................. 7
2.1 Honeyd ............................................................................................................... 7
2.1.1 Configuring Honeyd: ................................................................................ 8
2.1.2 Honeyd Architecture................................................................................ 9
2.2 Honeynet ......................................................................................................... 11
2.2.1 Honeynet Architecture.......................................................................... 12
2.2.2 Key Requirements .................................................................................. 13
3 Advanced Honeypots ............................................................................................. 15
3.1 Honey Farm ..................................................................................................... 15
3.1.1 Values of Honey Farm ........................................................................... 15
3.1.2 Honey Farm Architecture ..................................................................... 16
3.2 Honeytoken ..................................................................................................... 17
3.2.1 Values of Honeytoken............................................................................ 17
3.2.2 Working of Honeytoken......................................................................... 17
4 Issues with Honeypots ........................................................................................... 19
4.1 Identifying honeypots.................................................................................... 19
4.2 Exploiting honeypots ..................................................................................... 19
4.3 Nature of attack ............................................................................................. 20
5 Current challenges to Honeypots ........................................................................ 21
5.1 Network Issues ................................................................................................ 21
5.2 System Issues .................................................................................................. 22
6 Suggestion for future Honeypots......................................................................... 23
6.1 From Misunderstanding to Acceptance ...................................................... 23
6.2 Suggestions...................................................................................................... 23
6.2.1 Making Easy to Use................................................................................. 23
6.2.2 Integrating with Technologies ............................................................. 23
6.2.3 Studying Advanced Attackers............................................................... 24
6.2.4 Protecting against Honeypot Hunter .................................................. 24
6.2.5 Deploying in Distributed Environment ............................................... 24
7 Schedule .................................................................................................................. 25
8 Lesson Learned ....................................................................................................... 26
9 References............................................................................................................... 27
List of Figures

Figure 1 History of Honeypots ...................................................................................... 3


Figure 2 Honeyd Architecture -1.................................................................................. 7
Figure 3 Honeyd Architecture -2.................................................................................. 9
Figure 4 Architecture of Honeynet ............................................................................ 12
Figure 5 Data Control without any restriction......................................................... 13
Figure 6 Data Control with the Honeywall ............................................................... 14
Figure 7 Concept of redirecting attackers to the Honey Farm............................. 16
Figure 8 Schedule.......................................................................................................... 25
Honeypots Ishleen Kour Sudan/Palak Pandya

0 Abstract

Computer technology and inter-networking have been evolving at a fast pace.
Threats and vulnerabilities have been mounting in network systems across the
Internet. The threats include spam, viruses, phishing and other malicious
activities. With the growth of the black-hat community, an efficient and
robust system to thwart unsolicited intrusion has become a necessity.
Intrusion detection and prevention systems (IDS and IPS) help to manage and
prevent these threats in this ever-changing environment. "Intrusion detection
is the art of detecting inappropriate, incorrect, or anomalous activity" [1].
There are two basic kinds of system: host-based, which inspects activity on a
single host, and network-based, which inspects traffic on the network. There
are many approaches to intrusion detection, but the most common are
statistical anomaly detection and pattern (signature) matching. These systems
are used to identify and stop intruders; the weaknesses they reveal can then
be corrected across the whole computing environment to remove similar
problems. Honeypots are a very effective complementary technology for
intrusion detection.

This vast topic has been the subject of entire books; here we have collected
the most important information. We discuss the most important concepts and
issues related to honeypots. This report discusses honeypots as an intrusion
detection system, the different types of honeypots, their working and
deployment, issues and challenges for honeypots, and some suggestions for
future use. It also provides references for further reading.


1 Background
1.1 Definition

According to Lance Spitzner, founder of the Honeynet Project, "a honeypot is a
security resource whose value lies in being probed, attacked, or compromised"
[7]. A honeypot can be viewed as an Internet-attached server that acts as a
decoy, luring in potential attackers. It helps to study attackers' activities
and to observe how they break into a system. It is designed to simulate
systems that attract an intruder to break in, while preventing him from
gaining access to the entire network. If a honeypot is successful, the
intruder will be unaware that he is being tricked and monitored.

By luring an attacker into a system, honeypots serve the following purposes:

• The system administrator can observe an attacker's activities and see
which vulnerabilities of the system are exploited. This helps to learn
where the system has weaknesses and how it can be redesigned.
• The attacker can be stopped or caught when he tries to gain root on the
system.
• By studying the nature of the black-hat community, designers can build
more secure systems that are more resistant to future attacks.

1.2 History of Honeypots

The word "honeypot" originally came from an espionage technique used during
the Cold War, based on sexual entrapment: the term described the use of a
female agent to entrap a male official of the other side in order to gain
information [11].

Honeypots were a relatively undocumented and misunderstood technology, so on
19 November 2001 SecurityFocus Inc. started the Honeypots mailing list. It
was hoped that this forum would help create a better understanding of
honeypots and their real value to network security.

Year        Development

1990/1991   First public works documenting honeypot concepts: Clifford Stoll's
            The Cuckoo's Egg and Bill Cheswick's "An Evening With Berferd" [4].

1997        Version 0.1 of Fred Cohen's Deception Toolkit was released, one of
            the first honeypot solutions available to the security community [4].

1998        Development began on CyberCop Sting, one of the first commercial
            honeypots sold to the public. CyberCop Sting introduced the concept
            of multiple virtual systems bound to a single honeypot [4].

1998        Marty Roesch and GTE Internetworking began development on a
            honeypot solution that eventually became NetFacade. This work also
            began the concept of Snort [4].

1998        Back Officer Friendly was released: a free, simple-to-use
            Windows-based honeypot that introduced many people to honeypot
            concepts [4].

1999        Formation of the Honeynet Project and publication of the "Know Your
            Enemy" series of papers [4]. This work helped increase awareness
            and validate the value of honeypots and honeypot technologies [4].

2000/2001   Use of honeypots to capture and study worm activity. More
            organizations adopted honeypots both for detecting attacks and for
            researching new threats [4].

2002        A honeypot was used to detect and capture in the wild a new and
            unknown attack, specifically the Solaris dtspcd exploit [4].

Figure 1 History of Honeypots

1.3 Classification of Honeypots

Honeypots can be classified based on their deployment and on their level of
interaction.

1.3.1 Based on deployment

Based on deployment, honeypots are classified into production honeypots and
research honeypots.

1.3.1.1 Production Honeypots

As the name suggests, production honeypots are placed inside the production
network, alongside the other production servers, by an organization to
improve its overall state of security. Production honeypots yield less
information about attacks and attackers than research honeypots do. The main
goal of a production honeypot is to help mitigate risk in an organization [7].

1.3.1.2 Research Honeypots

Research honeypots are run by volunteers from research, government or
military organizations, and by non-profit research organizations and
educational institutions [7]. They collect information about the nature and
tactics of attackers. They concentrate on researching the threats
organizations face rather than on directly protecting against those threats;
the knowledge gained is then used to build better protection. Research
honeypots are more complex to deploy and maintain [5].

1.3.2 Based on level of interaction

Interaction is the level of activity that a honeypot permits an attacker.
Level of interaction provides a scale on which to measure and compare the
strengths and weaknesses of the various types. The more a honeypot can do and
the more an attacker can do to it, the more information can be derived from
it [4]. In the same way, the more an attacker can do to the honeypot, the
more potential damage he can do [4]. On this basis, honeypots are classified
as follows.

1.3.2.1 Low-interaction Honeypots

Low-interaction honeypots, as the name suggests, offer limited interaction.
They emulate operating systems and services, so the attacker's activity is
restricted by the level of emulation. An emulated FTP service listening on
port 21 that mimics the FTP login and a variety of FTP commands is a typical
low-interaction honeypot [19].
Examples: Specter, Honeyd and KFSensor
Features:
• Simplicity: They are easy to install and deploy. Deployment is close to
plug-and-play: install the software, then select the operating systems and
services to emulate and monitor.
• Less risky: Because the attacker only ever interacts with emulated
services, the risk is minimal. Risk is mitigated by controlling the
attacker's activity; the attacker never gets access to a real operating
system from which to attack or harm others.
• Captures limited information: This is the main disadvantage. Because they
emulate only known behaviour, they can be designed to capture only known
activity, mainly transactional data (who connected when, to which port, with
which commands).
• Easy detection: No matter how good the emulation, a skilled attacker can
identify it [19]; any command or edge case the emulation does not implement
gives it away.
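The emulated FTP service described above, as an added example written for this report (it is not code from Specter, Honeyd or KFSensor): it answers the login dialogue and a few commands, logs every credential pair, and refuses every login. The banner text, the canned replies and the listening port 2121 are assumptions chosen for illustration.

```python
"""Added example: a minimal low-interaction FTP honeypot.

Emulates only the FTP login dialogue (USER/PASS) and a handful of commands,
logs every command and credential pair, and never grants a login. Written
for this report; not code from any of the products named in the text. The
banner and the replies are constructed to resemble a common FTP daemon, and
the default port 2121 avoids needing root for port 21.
"""
import logging
import socketserver

LOG = logging.getLogger("ftp-honeypot")
BANNER = "220 (vsFTPd 2.0.5)"   # constructed banner; pick one that fits your network


class FtpEmulator:
    """Protocol state machine for one client: just enough to look like FTP."""

    def __init__(self, peer):
        self.peer = peer          # attacker address, for the log
        self.user = None          # last USER seen, paired with the next PASS
        self.transcript = []      # (command, reply) pairs kept for analysis

    def handle(self, line):
        """Return the reply for one command line (CRLF may still be present)."""
        cmd = line.strip()
        verb, _, arg = cmd.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            reply = "331 Please specify the password."
        elif verb == "PASS":
            # The credential pair is the transactional data a low-interaction
            # honeypot is built to capture; every login attempt is refused.
            LOG.info("%s login attempt user=%r pass=%r", self.peer, self.user, arg)
            reply = "530 Login incorrect."
        elif verb == "SYST":
            reply = "215 UNIX Type: L8"
        elif verb == "QUIT":
            reply = "221 Goodbye."
        elif verb in ("LIST", "RETR", "STOR", "CWD", "PWD", "PASV", "PORT", "TYPE"):
            reply = "530 Please login with USER and PASS."
        else:
            # Anything unimplemented falls through here. This is exactly the
            # "easy detection" weakness: a skilled attacker probes for such gaps.
            reply = "500 Unknown command."
        self.transcript.append((cmd, reply))
        return reply


class FtpHandler(socketserver.StreamRequestHandler):
    """One thread per attacker; the emulator above does the talking."""
    timeout = 60   # idle attackers are dropped so they cannot tie up the honeypot

    def handle(self):
        emu = FtpEmulator(self.client_address[0])
        self.wfile.write((BANNER + "\r\n").encode("ascii"))
        while True:
            raw = self.rfile.readline(512)   # cap line length: no parser surprises
            if not raw:
                break
            reply = emu.handle(raw.decode("latin-1"))
            self.wfile.write((reply + "\r\n").encode("ascii"))
            if reply.startswith("221"):
                break
        LOG.info("%s session ended after %d commands", emu.peer, len(emu.transcript))


def serve(host="0.0.0.0", port=2121):
    """Run the honeypot until interrupted."""
    with socketserver.ThreadingTCPServer((host, port), FtpHandler) as srv:
        srv.daemon_threads = True
        LOG.info("FTP honeypot listening on %s:%d", host, port)
        srv.serve_forever()


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    serve()
```

Run it and connect with any FTP client; the transcript list holds the transactional data the text refers to. Every command outside the handler's small table returns 500, which is the kind of gap a honeypot hunter looks for.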

1.3.2.2 High-interaction Honeypots

High-interaction honeypots are complex solutions that allow a high level of
interaction. They are not emulations; instead, they involve real operating
systems and applications. A Linux honeypot running an FTP server is a
high-interaction honeypot: it is a real Linux system running a real FTP
server [19].
Examples: Symantec Decoy Server and honeynets.
Features:
• Captures an extensive amount of information: By giving attackers a real
system to interact with, the full extent of attack behaviour can be studied.
New tools (e.g. rootkits), communications (such as IRC sessions) and
keystrokes can all be captured and analyzed.
• No assumptions made: They provide an open environment that captures all
kinds of activity, without any assumption about how an attacker will
interact. This allows unexpected behaviour to be learned.
• Increased risk: The risk is higher because the attacker can use a real
operating system to attack non-honeypot systems.
• Complex: They are more complex to deploy, and maintenance is also an
issue [19].

1.3.3 Physical and Virtual Honeypots

1.3.3.1 Physical Honeypot

A physical honeypot is a real machine on the network with its own IP address.
Physical honeypots are high-interaction honeypots, so the system can be
completely compromised. They are expensive to install and maintain, and it is
impractical to deploy a physical honeypot for each IP address.

1.3.3.2 Virtual Honeypots

In contrast to a physical honeypot, which is typically a hardware device, a
virtual honeypot uses software to emulate a network host. It is simulated by
another machine, which responds to network traffic sent to the virtual
honeypot's address [6].

1.4 Uses of Honeypots

1.4.1 Intrusion Detection and Prevention:

As mentioned earlier, honeypots can serve as intrusion detection and
prevention systems. The purpose of a honeypot is to catch intruders by
observing their activities and their interaction with the honeypot, to
understand the vulnerabilities of the organization's networks, and to take
measures to improve security.

1.4.2 Attack Analysis

Honeypots can be used to observe an adversary's attack behaviour and to
develop tools to guard against it in future.

1.4.3 Decoys:
All the unused address space on a network is populated with honeypots. This
makes an attacker waste time attacking honeypots, which slows down and annoys
a human attacker and also slows the spread of worms.

1.4.4 Tarpits:
These are used to slow down the attacker. One example is the LaBrea tarpit.
Here an attacker is allowed to open a TCP connection, after which the window
size is reduced to zero. The attacker can then neither send data nor close
the connection cleanly, and the stalled connection gradually uses up
resources on the attacker's system. Another example is an open mail relay: a
honeypot offers an anonymous mail relay to attract spammers, and the relay
responds very slowly to SMTP commands, forcing spammers to waste time
interacting with the honeypot. The honeypot may pretend to forward the mail
but actually drops it.

1.4.5 Burglar Alarms:

When a honeypot is compromised, the network administrator knows that an
attack is happening on the network: the honeypot acts like a burglar alarm.
Detailed information on the attack can be obtained from the logs the honeypot
keeps. Since any traffic to a honeypot is suspect, abnormal activity seen at
the honeypots can also give early warning of a larger attack.

1.4.6 Automatic Signature Generation:

An example is Honeycomb, which runs as a plug-in for Honeyd. It detects
patterns in the logged traffic and creates Snort signatures from them. It
works well with no human input and is much faster than manual signature
generation.
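As an added illustration of the Honeycomb approach (written for this report; it is not Honeycomb's code), the following Python finds the longest common substring of several payloads captured on one honeypot port and turns it into a Snort rule. The three HTTP requests are constructed sample payloads, and the sid and message text are assumptions.

```python
"""Added example: Honeycomb-style signature generation from honeypot traffic.

Honeycomb builds Snort signatures by finding the longest common substring
(LCS) of payloads seen in connections to the same honeypot port. This is a
simplified re-implementation of that idea written for this report, not
Honeycomb's own code. The payloads below are constructed sample requests.
"""

# Constructed: three requests to a honeypot web port sharing an exploit string.
SAMPLE_PAYLOADS = [
    b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: 10.0.0.3\r\n\r\n",
    b"GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.1\r\nHost: 10.0.0.7\r\n\r\n",
    b"GET /cgi-bin/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0\r\nHost: 10.0.0.3\r\n\r\n",
]


def longest_common_substring(a, b):
    """Classic dynamic-programming LCS over bytes: O(len(a)*len(b)) time and
    O(len(b)) memory, which is fine for honeypot-sized payloads."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def common_substring(payloads):
    """Fold LCS across all payloads: the result is a substring of every one."""
    acc = payloads[0]
    for p in payloads[1:]:
        acc = longest_common_substring(acc, p)
        if not acc:
            break
    return acc


def snort_content(pattern):
    """Render bytes as a Snort content string: printable ASCII literally,
    everything else (and Snort's own special characters) as |hex| escapes."""
    out, hexrun = [], []

    def flush():
        if hexrun:
            out.append("|" + " ".join(hexrun) + "|")
            hexrun.clear()

    for byte in pattern:
        if 0x20 <= byte < 0x7F and chr(byte) not in '|";\\':
            flush()
            out.append(chr(byte))
        else:
            hexrun.append(f"{byte:02X}")
    flush()
    return "".join(out)


def generate_rule(payloads, dst_port, sid, min_len=8):
    """Return a Snort rule for the shared pattern, or None if the pattern is
    too short to be worth a rule (short patterns also match benign traffic)."""
    pattern = common_substring(payloads)
    if len(pattern) < min_len:
        return None
    return (
        f'alert tcp $EXTERNAL_NET any -> $HOME_NET {dst_port} '
        f'(msg:"Honeycomb-style auto signature, port {dst_port}"; '
        f'flow:to_server,established; '
        f'content:"{snort_content(pattern)}"; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    print(generate_rule(SAMPLE_PAYLOADS, 80, 1000001))
```

The min_len guard is the practitioner's caveat: a common substring of a few bytes (a protocol keyword, a CRLF) would fire on legitimate traffic, so Honeycomb-style generators discard short patterns rather than ship them.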


2 Honeypots
2.1 Honeyd
Honeyd is a low-interaction honeypot in which an attacker interacts with a
simulated machine. It runs on a single machine that simulates a group of
virtual machines and the physical network between them [13]. Of the things
that could be simulated (the operating system, its services and its network
stack), Honeyd simulates only the network stack of each machine; services are
emulated by external scripts.
The figure below shows the architecture of Honeyd.

Figure 2 Honeyd Architecture -1

A single real machine can simulate a whole network of honeypots. In figure 2
only the router and the Honeyd machine (10.0.0.2) are real computers [13].
The central machine intercepts the network traffic intended for the IP
addresses of the configured honeypots and simulates their responses. Honeyd
receives traffic for its virtual honeypots via a router or via Proxy ARP [9].
Honeyd can simulate the network stack behaviour of different operating
systems [9].

Honeyd can be described as follows:

• It is a small daemon that creates virtual hosts on a network [6].
• The hosts can be configured to run arbitrary services, and their
personality can be adapted so that they appear to be running certain
operating systems [6].
• Honeyd enables a single host to claim multiple addresses (up to 65536
have been tested) on a LAN for network simulation [9].
• Honeyd improves security by providing mechanisms for threat detection and
assessment [9].
• It also deters adversaries by hiding real systems in the middle of
virtual systems [6].
• It is possible to ping the virtual machines, or to traceroute to them
[9].
• Any type of service on a virtual machine can be simulated according to a
simple configuration file [6].
• Instead of simulating a service, it is also possible to proxy it to
another machine [9].

2.1.1 Configuring Honeyd:

Honeyd is designed to reply to all packets whose destination IP address
belongs to one of the simulated honeypots. For Honeyd to receive the right
packets, the network needs to be configured appropriately. Some ways to
accomplish this are:

• Network tunneling: The network address space is tunneled to the Honeyd
host [9], using the Generic Routing Encapsulation (GRE) tunneling protocol.

• Adding routes: Let the IP addresses of the virtual honeypots, denoted
v1...vn, lie within the local network range. If A is the IP address of the
router and B the IP address of the Honeyd host, routes for v1...vn are
configured in A's routing table with B as the next hop. Router A then
forwards packets for the virtual honeypots directly to the Honeyd host B.

• Proxy ARP: If no route has been configured, the router ARPs to determine
the MAC address of the virtual honeypot [9]. Since there is no physical
machine, the request gets no response, and the router drops the packet after
a few retries. To solve this, the Honeyd host is configured to reply to ARP
requests for vi with its own MAC address. This is called Proxy ARP and lets
the router send packets for vi to B's MAC address.

2.1.2 Honeyd Architecture

Honeyd is a low-interaction virtual honeypot that simulates TCP and UDP
services and also responds correctly to ICMP packets [9]. The architecture
consists of the following components:

• Configuration database
• Central packet dispatcher
• Protocol handler
• Personality engine
• Optional routing component

Figure 3 Honeyd Architecture -2

• Configuration database:
A database mapping each virtual honeypot's IP address to its configuration
(template). It uses a default template if no specific configuration is
available.

• Central Packet Dispatcher:
Packets received by the Honeyd daemon for one of the virtual honeypots are
processed by the central packet dispatcher [9]. The dispatcher checks the
length of the IP packet and verifies its checksum [9]. The daemon knows only
three protocols, ICMP, TCP and UDP; packets for other protocols are
discarded. The dispatcher queries the configuration database for a honeypot
configuration that corresponds to the destination IP address, using a default
one if none matches.

• Protocol Handler:
The dispatcher calls the protocol-specific handler with the received packet
and the corresponding honeypot configuration [9].

• ICMP Handler:
It supports ICMP ECHO requests; the daemon answers with an ICMP ECHO reply
packet.

• TCP and UDP Handlers:

For TCP and UDP, the daemon can establish connections to arbitrary services,
which are external programs that receive data on stdin and send their output
to stdout. When a packet is received, the daemon checks whether it is part of
an established connection [9]; in that case any new data is passed to the
already running service program. If the packet is a connection request, a new
process is created to run the appropriate service [9]. Honeyd contains a
simplified TCP state machine: the three-way handshake for connection
establishment and connection teardown via FIN or RST are fully supported [9].
A UDP packet to a closed port is correctly answered with an ICMP port
unreachable message, which allows tools like traceroute to work correctly.
Instead of establishing a connection with a service program, the daemon also
supports dynamic redirection of the service [9]. This allows a connection
request for a web server on a virtual honeypot to be forwarded to a real web
server [9]. It is also possible to redirect connections back to the adversary
himself; for example, a redirected SSH connection might cause an adversary to
attempt to compromise his own SSH server.

• Personality Engine:
Before any packet is sent to the network, it is processed by the personality
engine [9]. It adjusts the packet's content so that it appears to originate
from the network stack of the configured operating system [9]. Adversaries
commonly run fingerprinting tools such as Nmap or Xprobe to gather
information about a target system [16], so it is important that honeypots do
not stand out when fingerprinted [9]. To make them appear real to a probe,
Honeyd simulates the network stack behaviour of a given operating system
[16]; this is called the personality of the virtual honeypot. Different
personalities can be assigned to different virtual honeypots [9]. The
personality engine makes a honeypot's network stack behave as specified by
the personality by modifying the protocol headers of every outgoing packet so
that they match the characteristics of the configured operating system [9].
The daemon uses the Nmap fingerprint database for TCP and UDP and the Xprobe
database for ICMP as references.

• Routing:
Honeyd also supports virtual routing topologies. Proxy ARP cannot be used in
this case; instead the router must be configured to delegate a network range
to the Honeyd host, and this range can then be split into sub-networks. The
virtual routing topology is a rooted tree, the root being the point at which
packets enter the virtual routing topology [9]. Each non-terminal node of the
tree represents a router and each edge a link with latency and packet loss as
attributes [9]. Each terminal node corresponds to a network. When the daemon
receives a packet, it traverses the tree starting at the root until it finds
a node that contains the destination IP address of the packet [9]. The packet
loss and latency of all edges on the path are accumulated and determine
whether the packet is dropped and for how long its delivery is delayed [16].
The daemon also decrements the time to live (TTL) of the packet for each
traversed router. If the TTL reaches zero, the daemon sends an ICMP time
exceeded message with the source IP address of the router at which the TTL
reached zero [9].
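Putting the configuration, service, proxy and routing features described in 2.1.1 and 2.1.2 together, here is an added example Honeyd configuration file written for this report (it is not taken from the Honeyd distribution). The 10.0.0.0/16 address space, the script paths, the real web server at 10.0.0.10 and the personality strings are assumptions; personality names must match entries in the nmap.prints file shipped with the installed Honeyd version.

```conf
# Catch-all template: addresses with no specific binding stay silent.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A Windows-looking host. The personality engine shapes every outgoing
# packet to match the Nmap fingerprint named here.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
set windows uptime 1728650
add windows tcp port 80 "sh scripts/web.sh"     # emulated service on stdin/stdout
add windows tcp port 139 open                   # accept connections, run nothing
add windows tcp port 445 open

# A Linux-looking host. SSH is proxied back to the attacker's own machine
# ($ipsrc); HTTP is forwarded to an assumed real web server.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
add linux tcp port 22 proxy $ipsrc:22
add linux tcp port 80 proxy 10.0.0.10:80
add linux tcp port 25 "sh scripts/smtp.sh"

bind 10.0.0.3 windows
bind 10.0.0.4 linux

# Virtual routing topology: packets enter at 10.0.0.1, which links the
# 10.0.0.0/24 segment directly and reaches 10.1.0.0/24 through router
# 10.1.0.1 over a link with the latency and loss given below.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/24 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24
bind 10.1.0.5 linux
```

With this file the daemon is started as honeyd -d -f honeyd.conf -p nmap.prints -x xprobe2.conf -i eth0 10.0.0.0/16, and traffic reaches it either because the upstream router has a route for the delegated 10.0.0.0/16 range pointing at the Honeyd host, or, for the directly attached 10.0.0.0/24 segment only, because arpd answers ARP for those addresses (Proxy ARP). A traceroute to 10.1.0.5 then shows 10.0.0.1 and 10.1.0.1 as hops, which is the TTL handling described above.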

2.2 Honeynet

A honeynet is a high-interaction honeypot that provides real systems,
applications and services for attackers to interact with [8]. It is specially
designed to capture extensive information on threats, both external and
internal to an organization [8]. A honeynet is a network containing one or
more honeypots. The honeynet has no production activity of its own and
provides no authorized services; only malicious and unauthorized interaction
with it is of value. With other security technologies one needs to sift
through gigabytes of data or thousands of alerts; since a honeynet is nothing
more than a network of honeypots, all captured activity can be assumed to be
unauthorized or malicious [8].

A honeynet is an architecture that constructs a highly controlled network,
within which one can control and monitor all activity [8]. In some ways a
honeynet is like a fishbowl: one creates an environment that is totally
transparent. This particular fishbowl, however, contains Linux DNS servers,
HP printers and Juniper routers [8]. Just as a fish interacts with the
elements of a fishbowl, intruders interact with the honeypots [8].

A crucial advantage of honeynets is their ability to gather extensive
information. With this architecture one can set up any type of system or
application to lure attackers into using it, and so gather detailed data.

Honeynets also have some drawbacks. First, they are more difficult to set up.
Second, they are expensive both to set up and to maintain. They can put other
machines connected to them in danger. Moreover, they need continuous
monitoring, which makes them time-intensive.

2.2.1 Honeynet Architecture

As explained earlier, a honeynet is nothing more than an architecture. The
key component of this architecture is the honeywall. The honeywall is a
gateway device that separates the honeypots from the rest of the world; any
traffic going to or from the honeypots must pass through it [8]. The
honeywall is traditionally a layer-2 bridging device [8], the point being
that a bridge is invisible to anyone interacting with the honeypots [8].

Figure 4 Architecture of Honeynet



Figure 4 shows the architecture of a honeynet. It contains three honeypot
systems, three production systems and a router, connected through a
honeywall. In practice one can add many more systems, but for basic
understanding only three are shown. The honeywall has three interfaces.
Interfaces eth0 and eth1 (indicated with red lines) separate the honeypots
from the rest of the world; they are bridged interfaces and have no IP stack.
The third interface, eth2, has an IP stack and allows remote administration;
it is optional. This architecture provides a highly controlled network in
which one can control and monitor all activity.

2.2.2 Key Requirements

There are some key requirements that a honeywall must implement: Data
Control, Data Capture, Data Analysis and Data Collection. Of these, Data
Control is essential and always has the highest priority, as its role is to
mitigate risk [8].

2.2.2.1 Data Control

Data control is how malicious activity is contained within the honeynet
without the attacker's knowledge; its purpose is to mitigate risk. It must
be ensured that once an attacker is inside the honeynet, he cannot
accidentally or purposely damage non-honeynet systems. At the same time the
system has to allow the attacker some degree of freedom, since that is what
reveals the attacker's characteristics. The most important thing is the
balance between how much freedom to offer and how much restriction to place.
Data control should fail closed: if any mechanism fails, the honeynet
architecture should block all outbound activity rather than allow it, thus
minimizing risk [8]. Honeypots with no restrictions and honeypots behind a
honeywall are illustrated in Figure 5 and Figure 6.

Figure 5 Data Control without any restriction (honeypots connected to the
Internet with no restrictions on outbound traffic)


Figure 6 Data Control with the Honeywall (honeypots behind a honeywall:
outbound connections limited, packets scrubbed)
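The connection limiting shown in Figure 6, as an added example written for this report (it is not the Honeynet Project's honeywall code): inbound attacks pass untouched, each honeypot gets a fixed allowance of new outbound connections per protocol within a sliding window, and every case the limiter cannot evaluate is a DROP, which is the fail-closed behaviour the text calls for. The honeypot addresses, the per-hour limits and the event log are constructed assumptions; packet scrubbing is not shown.

```python
"""Added example: Honeywall-style outbound connection limiting.

A honeywall lets inbound attacks through but caps how many new outbound
connections each honeypot may start per protocol within a time window, and
fails closed. Written for this report rather than taken from the Honeynet
Project's honeywall; the honeypot addresses, limits and sample events are
constructed assumptions.
"""
import collections

HONEYPOTS = {"10.0.0.3", "10.0.0.4"}                               # assumed honeypots
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}   # assumed, per hour


class OutboundLimiter:
    """Sliding-window counter of new outbound connections per honeypot and protocol."""

    def __init__(self, honeypots, limits=DEFAULT_LIMITS, window=3600):
        self.honeypots = set(honeypots)
        self.limits = dict(limits)
        self.window = window            # seconds
        self._starts = collections.defaultdict(collections.deque)  # (hp, proto) -> times
        self._last_ts = None

    def decide(self, ts, src, dst, proto):
        """Return "ALLOW" or "DROP" for a new connection seen at time ts (seconds)."""
        if self._last_ts is not None and ts < self._last_ts:
            return "DROP"               # clock went backwards: window bookkeeping unsafe
        self._last_ts = ts
        if src not in self.honeypots:
            return "ALLOW"              # inbound (attacker -> honeypot): always let it in
        if dst in self.honeypots:
            return "ALLOW"              # traffic staying inside the honeynet
        proto = proto.lower() if proto else "other"
        if proto not in self.limits:
            proto = "other"
        limit = self.limits.get(proto)
        if limit is None:
            return "DROP"               # no policy for this protocol: fail closed
        starts = self._starts[(src, proto)]
        while starts and ts - starts[0] >= self.window:
            starts.popleft()            # forget connections older than the window
        if len(starts) >= limit:
            return "DROP"               # honeypot has used up its allowance
        starts.append(ts)
        return "ALLOW"


# Constructed event log: (time, src, dst, proto). 203.0.113.9 is the attacker.
SAMPLE_EVENTS = [
    (0, "203.0.113.9", "10.0.0.3", "tcp"),     # attacker connects to honeypot
    (10, "10.0.0.3", "198.51.100.1", "tcp"),   # compromised honeypot dials out
    (11, "10.0.0.3", "198.51.100.2", "tcp"),
    (12, "10.0.0.3", "198.51.100.3", "tcp"),
    (13, "10.0.0.3", "198.51.100.4", "tcp"),   # fourth: over a 3-per-window limit
    (14, "10.0.0.3", "10.0.0.4", "tcp"),       # honeypot to honeypot
    (15, "10.0.0.3", "198.51.100.5", "gre"),   # unknown protocol counts as "other"
]


def replay(events, limiter):
    """Run the limiter over an event list and return the decisions in order."""
    return [limiter.decide(ts, src, dst, proto) for ts, src, dst, proto in events]


if __name__ == "__main__":
    lim = OutboundLimiter(HONEYPOTS, {"tcp": 3, "udp": 2, "icmp": 5, "other": 1}, window=60)
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS, lim)):
        print(verdict, event)
```

The limit is the balance the text describes: a few outbound connections let the attacker fetch his toolkit and reveal his methods, while the cap stops the honeypot being used as a launch point against third parties.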

2.2.2.2 Data Capture

As the name suggests, data capture is the monitoring of all of the attacker's
activity within the honeynet without the attacker knowing it [8]. The
captured data is used to investigate the tools, tactics and motives of
intruders. It is important to capture in layers: the more layers of
information are captured, at both the network and the host level, the more
easily the attacker's behaviour can be studied. One more challenge for data
capture is that a large portion of attacker activity happens over encrypted
channels such as IPsec, SSH and SSL, so the capture mechanism must take
encryption into account [8].

Moreover, the captured data must not be stored on the honeypots themselves,
because if the attacker finds it he can easily modify or delete it. There is
also the possibility that attackers identify the data capture mechanism, in
which case the black-hat community could develop methods to bypass or disable
it [8].

2.2.2.3 Data Analysis

Data analysis is the ability to turn the captured data into information, and
that is the whole purpose of a honeynet. A honeynet is useless if the
captured data cannot be translated into information.

2.2.2.4 Data Collection

The function of data collection is to gather data from multiple honeynets
into a single source. It applies only to organizations that have multiple
honeynets in a distributed environment [8]. Such organizations have honeynets
that are logically or physically distributed around the world [8], and they
have to collect all of the captured data and store it in a central location
[8]. Combining the captured data greatly increases the value of the
honeynets.


3 Advanced Honeypots
3.1 Honey Farm

A Honey Farm extends the honeypot idea with the concept of farming. Instead of
installing large numbers of honeypots, or a honeypot on every network, a Honey
Farm deploys the honeypots in a single, consolidated location [12]. This single
network of honeypots becomes your honeypot farm, a dedicated security resource
[12]. Attackers are forwarded to the farm regardless of which network they are
on or probing. The honey farm is a very new concept with tremendous potential
[12]. It is one of the best methods for large deployments of distributed
honeypots, especially high-interaction honeypots such as Honeynets [12].

3.1.1 Values of Honey Farm

The potential advantages of a Honey Farm are enormous. With this approach,
deploying honeypots becomes straightforward. The Honey Farm can become part of
any SOC (Security Operations Center), where the manpower and resources to build
such a solution are already dedicated [12]. Once redirectors are placed on a
network, they redirect all attackers and unauthorized activity to the
centralized honeypot farm, while SOC personnel monitor and analyze all of the
captured data [12].

A Honey Farm also makes high-interaction honeypots easier to run. Instead of
maintaining multiple Honeynets distributed around the world, the organization
has only one physical Honeynet to maintain [12]. That saves a great deal of
maintenance cost and time, and it greatly increases the effectiveness of
high-interaction honeypots such as Honeynets.

The concept of honeypot farms is exceptionally powerful; however, few
off-the-shelf solutions exist and it is really challenging to implement.
Several Honey Farm solutions are still under active development and some have
already been released [12]. One of the simplest commercial solutions that
implements a Honey Farm is NetBait, whose farms are called ServerFarms. Within
these farms one can set up any desired systems. Redirectors capture an
attacker's activity and redirect it to pre-determined systems within the
ServerFarm. An attacker probes or attacks a specific IP and continues to
interact with that same IP; during the redirection the attacker does not
realize which system he is really working on. NetBait maintains the farm for
the organization; all the organization has to do is deploy redirectors on its
networks, which direct all unauthorized activity to NetBait's farms. The Honey
Farm thus works as a service rather than a tool, so organizations do not need
to maintain honeypots or analyze their data, and they do not have to worry
about liability or risk. They gain the power and advantages of honeypots
without the resource or risk issues [12].

3.1.2 Honey Farm Architecture

The core of a Honey Farm is the deployment of redirectors. A redirector acts as
a proxy or 'worm hole' [10]: it transports an attacker's probes to a honeypot
within the Honey Farm without the attacker ever knowing it [12]. The attacker
believes they are interacting with a victim on the local network, when in
reality they have been transported to the Honeypot Farm [12]. Figure 7 shows
the concept of redirecting attackers to the Honey Farm.

Figure 7 Concept of redirecting attackers to the Honey Farm
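The redirector in Figure 7 is, at its simplest, a transparent TCP proxy that also keeps a record of the session. The following is an added example for this report, not code from NetBait or any other honey-farm product: a Redirector listens on a decoy address in the protected network, forwards each connection to a honeypot in the farm, and logs the attacker's address together with the decoy address the attacker believed was the victim. The fake FTP honeypot standing in for the farm, the banner text and all addresses and ports are assumptions for the demo; everything runs on loopback.

```python
"""A honey-farm redirector ('worm hole') as a TCP proxy.

Added example for this report; it is not code from NetBait or any other
honey-farm product.  The redirector listens on an address in the protected
network, hands every connection to a honeypot in the farm, and records who
connected and which decoy address they believed they were attacking.  The
fake FTP honeypot, addresses and ports are assumptions for the demo; a real
farm would run full honeypots behind the redirector.
"""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class Redirector:
    """Accepts attacker connections on a local decoy address and proxies them
    transparently to farm_addr, logging each session."""

    def __init__(self, farm_addr, listen_addr=("127.0.0.1", 0)):
        self.farm_addr = farm_addr
        self.sessions = []  # one dict per redirected connection
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind(listen_addr)
        self._srv.listen(8)
        self.decoy_addr = self._srv.getsockname()
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, peer = self._srv.accept()
            except OSError:  # listener closed
                return
            threading.Thread(target=self._handle, args=(client, peer), daemon=True).start()

    def _handle(self, client, peer):
        farm = socket.create_connection(self.farm_addr, timeout=10)
        client.settimeout(10)
        # The attacker only ever sees decoy_addr; the farm sees the redirector.
        self.sessions.append({"attacker": peer, "decoy": self.decoy_addr, "farm": self.farm_addr})
        back = threading.Thread(target=_pipe, args=(farm, client), daemon=True)
        back.start()
        _pipe(client, farm)
        back.join()
        client.close()
        farm.close()

    def close(self):
        self._srv.close()


def start_fake_farm_honeypot():
    """Minimal stand-in for a farm honeypot: greets like an FTP server,
    records the first command it receives and rejects it.  Returns the
    listening socket and the list the commands are recorded into."""
    received = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def handle(conn):
        with conn:
            conn.sendall(b"220 ftp.example.internal FTP server ready\r\n")
            received.append(conn.recv(4096))
            conn.sendall(b"530 Login incorrect.\r\n")

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, received


def demo():
    """Play the attacker: connect to the decoy, read the banner, send a login
    attempt and read the reply.  Returns what the attacker saw plus both logs."""
    farm_srv, farm_log = start_fake_farm_honeypot()
    redirector = Redirector(farm_srv.getsockname())
    attacker = socket.create_connection(redirector.decoy_addr, timeout=10)
    banner = attacker.recv(4096)
    attacker.sendall(b"USER root\r\n")
    reply = attacker.recv(4096)
    attacker.close()
    redirector.close()
    farm_srv.close()
    return banner, reply, redirector.sessions, farm_log


if __name__ == "__main__":
    banner, reply, sessions, farm_log = demo()
    print("attacker saw:", banner + reply)
    print("redirector log:", sessions)
    print("farm honeypot received:", farm_log)
```

The attacker talks to the decoy address and receives the farm honeypot's banner and rejection as if they came from a local machine; the redirector's session log is what lets the SOC tie a farm session back to the network and address that was actually probed, which is lost once the connection lands in the farm.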

3.2 Honeytoken

A honeypot does not have to be a computer or a resource the black-hat community
can interact with directly. A honeytoken is a honeypot that is not a computer:
it is simply a digital entity such as a credit card number, an Excel
spreadsheet, a PowerPoint presentation, a database entry or even a bogus login
[10]. Honeytokens come in many shapes and sizes, but they all share the same
basic concept: a digital or information-system resource whose value lies in
unauthorized use of that resource [17]. Just as a honeypot computer has no
authorized value, a honeytoken has no authorized use [17].

3.2.1 Values of Honeytoken

Like traditional honeypots, honeytokens do not solve any single problem on
their own, and they do not prevent attacks. Their strength is as a very
efficient and flexible tool with multiple security applications: they detect
and identify who is a threat, and what that threat is after. Because they are
so simple, honeytokens are widely used. They are particularly suited to the
insider threat, where the attacker already knows the internal environment and
has legitimate access to files, information and records, including the ones in
which the honeytokens are planted. As with any technology, their real value
emerges when they are combined with other solutions. In many cases a honeytoken
on its own does not prove unauthorized activity [10]; it simply flags
suspicious behaviour, and other tools are required to confirm malicious intent.

For example, an employee may access a honeytoken that is a Microsoft Word file
posing as company X's research and development plans. If the employee attempts
to copy and transfer the file, company X has identified a problem. Once company
X has identified this activity, it can use other measures to establish the
individual's intent.

3.2.2 Working of Honeytoken

As discussed above, a honeytoken works just like a honeypot; the only
difference is that it is a piece of data, and nobody should interact with it.
Any interaction with a honeytoken therefore represents unauthorized or
malicious activity [10]. Honeytokens are extremely flexible: what is used as a
honeytoken, and how, is limited only by the imagination of the user. A model
example of how a honeytoken works is the "John F. Kennedy" medical records
case [17]. Under HIPAA, hospitals are required to enforce patient privacy, so
only certain authorized people such as doctors and nurses may access patient
data. A hospital that fails to protect patient data faces not only civil
liability but possibly criminal liability as well. A very simple solution was
found: a bogus medical record named "John F. Kennedy" was generated and loaded
into the database. Because there is no real patient with that name, the record
has no real value, and the hospital gains two advantages. First, if an employee
browses for interesting patient data, the record will definitely stand out;
second, if an employee attempts to access this record, the hospital very
probably has an employee violating patient privacy.

Nowadays there have been numerous incidents in which large databases holding
millions of SSNs or credit card numbers were compromised. Honeytokens can help
here by embedding a bogus number in the database: if anyone accesses or uses
that bogus number, the system has a security violation.

For example, the credit card number 960329790458425 could be embedded in a
database, file server or some other repository. The number is unique enough
that there will be minimal, if any, false positives [10]. An IDS signature,
for example in Snort, can then be used to detect when the honeytoken crosses
the network. Such a simple signature could look as follows [10] (the rule is
written in Snort's full header form with source and destination ports; the
sid, which current Snort versions require on every rule, is an arbitrary
local value):

    alert ip any any -> any any (msg:"Honeytoken Access - Unauthorized Activity"; content:"960329790458425"; sid:1000001; rev:1;)

Honeytokens excel as a detection mechanism: they can be used not only to detect
an attacker but potentially to identify who that attacker is and what they are
after [10]. Suppose company I is worried about internal employees trying to
find company secrets, for example a senior manager's correspondence.
Honeytokens can be used to identify who they are [10]. To track such
unauthorized activity, company I can create a bogus e-mail, the honeytoken, and
plant it in the manager's mailbox. The e-mail could look like this:

    To: Chief Financial Director
    From: Security help desk
    Subject: Access to financial database

    Sir,
    The security team has updated your account to the company's financial records. Your new login and
    password to the system are as below.
    If you need any help or assistance, do not hesitate to contact us.
    https://finance.sjsucompany.com
    login: calI0 password: H0n3y_t0k3n

    Security Help Desk

A honeytoken needs no fancy algorithms, no signatures to update and no rules to
configure. There is no technology to deploy, no vendor to contact and no
licence to renew. In general one simply generates fake documents: a unique
PowerPoint file, an image or a bogus record. Compared with other security
technologies it is the simplest and most cost-effective solution. Its one real
dependency is on whatever watches for the token, such as the IDS signature
above or log monitoring, because the token itself cannot raise an alert.
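The three honeytokens above (the bogus card number, the "John F. Kennedy" patient record and the bogus login from the planted e-mail) only pay off if something watches for them. The following is an added example for this report, not code from it: it plants the tokens in a table, scans constructed log lines from a database audit log, sshd and a file-server export log for any whole-word appearance of a token, and builds the Snort rule for the card number in its full header form. The log formats, the source names and the sid value are assumptions for the demo. It also includes a Luhn check, which the report does not discuss, to show a practical point about choosing card-shaped tokens.

```python
"""Planting and detecting honeytokens.

Added example for this report, not code from it.  It covers the three
honeytokens discussed above (the bogus card number, the 'John F. Kennedy'
patient record and the bogus login from the planted e-mail) and scans
constructed log lines for any use of them.  The log formats and the Snort
sid value are assumptions for the demo.
"""
import re

# What was planted, and where.  Any appearance of these values in traffic,
# query logs or authentication logs is by definition unauthorized.
HONEYTOKENS = {
    "960329790458425": "bogus card number planted in the billing database",
    "John F. Kennedy": "bogus patient record planted in the medical database",
    "calI0": "bogus login planted in the CFO's mailbox",
}


def luhn_valid(number):
    """Luhn check used by payment cards.  Useful when choosing a card-shaped
    token: a number that fails the check is obviously not a real card."""
    digits = [int(d) for d in number if d.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def snort_rule(token, sid, msg="Honeytoken Access - Unauthorized Activity"):
    """Build a Snort rule that alerts when the token crosses the wire in
    clear text (the sid is arbitrary but required)."""
    return 'alert ip any any -> any any (msg:"%s"; content:"%s"; sid:%d; rev:1;)' % (msg, token, sid)


def scan_logs(lines, tokens=HONEYTOKENS):
    """Return one alert per (line, token) hit.  Tokens are matched as whole
    words so that a longer number merely containing the token does not fire."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        for token, meaning in tokens.items():
            pattern = r"(?<!\w)" + re.escape(token) + r"(?!\w)"
            if re.search(pattern, line):
                alerts.append({"line": lineno, "token": token,
                               "meaning": meaning, "evidence": line.strip()})
    return alerts


# Constructed log lines from three sources: a database audit log, sshd and
# a file-server export log.  Only lines 2, 3 and 4 touch a honeytoken.
SAMPLE_LOGS = [
    "2007-10-12T09:14:02 db-audit user=jsmith query=\"SELECT * FROM patients WHERE name='Maria Lopez'\"",
    "2007-10-12T09:15:40 db-audit user=jsmith query=\"SELECT * FROM patients WHERE name='John F. Kennedy'\"",
    "2007-10-12T11:02:13 sshd[4021]: Failed password for invalid user calI0 from 10.1.4.77 port 51022",
    "2007-10-12T13:20:55 fileserver export user=rpatel file=cards.csv row=960329790458425",
    "2007-10-12T13:21:01 fileserver export user=rpatel file=cards.csv row=4111111111111111",
]

if __name__ == "__main__":
    print(snort_rule("960329790458425", sid=1000001))
    for alert in scan_logs(SAMPLE_LOGS):
        print("line %(line)d: %(token)r -> %(meaning)s\n    %(evidence)s" % alert)
```

Each hit names the user, source and time from the log line, which is exactly the "who and what are they after" that the text describes. One caveat on the card-number token: the report's sample number fails the Luhn check, so a thief who validates stolen numbers before using them would discard it without ever triggering the signature. If the token is meant to survive that kind of filtering, pick a number that passes the check but belongs to no real account.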


4 Issues with Honeypots

Honeypots offer tremendous potential to the security community and accomplish
what they are intended for. Like any other new technology, though, they face
challenges that must be overcome before honeypots become a stronger
technology. The problems can be categorized under three headings.

4.1 Identifying honeypots


All types of honeypots share a common trait: their value diminishes once they
are detected [18]. Detection tells the attacker which systems to avoid or, even
worse, lets them feed false and spurious information to the honeypot. Many
tools and techniques are already being devised to detect honeypots; one example
is Honeypot Hunter, used by the spamming industry to identify honeypots [18],
and there are other tools for detecting virtual honeypots. The implication is
that, given the necessary skills and tools, an adversary can eventually detect
any kind of honeypot.
The problem can be addressed in two steps. The first is to determine how
detection affects the value of the honeypot and how long it needs to remain
undetected. A honeypot employed as a burglar alarm to detect unauthorized
access does not lose its value on detection, since it has already done its job
by alerting on the threat. For other honeypots, such as honeynets employed to
gather information, the situation is different, because detection compromises
the ability to collect accurate data; here the honeypot needs to work for days
at a time before it is detected.
The second step is to customize the honeypot by changing its behaviour or
appearance so that it does not look like every other honeypot on the network,
and so that it defeats tools such as Nmap that remotely fingerprint the
idiosyncrasies of each IP stack. Advanced users can modify the source code to
alter the way packets are created. The chances of detection are minimized if
the honeypot behaves and reacts in a way the attacker does not expect.

4.2 Exploiting honeypots

For every honeypot released, it must be assumed that it has both known and
unknown vulnerabilities, and steps should be taken to protect it against
unknown attacks.
For low-interaction honeypots the risk is low, because the attacker can only
interact with emulated services and has limited ability to exploit a real
application or operating system to gain access [18]. Even so, it should be
assumed that the attacker can break out of the controlled emulated service,
and steps should be taken to secure the host [18]. For example, for Win32
honeypots such as KFSensor, build a secure base OS with the latest patches and
install a host-based firewall that blocks inbound connections to every port
other than those served by the honeypot. On UNIX, chroot() improves
containment of an attacked process, and jail() restricts what a process can
see. Low-level kernel hardening such as Systrace, grsecurity or SELinux should
be used to protect low-interaction honeypots against known and unknown attacks
[18].
High-interaction honeypots run a greater risk, because they offer real
operating systems and applications to interact with. Since attackers can gain
privileged control of such honeypots, external data control measures such as
an IPS and bandwidth limiting must be applied. The problem can be dealt with
in two ways: first, by implementing several layers of control so that there is
no single point of failure, and second, by human intervention and monitoring,
so that any anomalous activity is contained by a person and appropriate steps
are taken.

4.3 Nature of attack

One of the greatest challenges with honeypots is deploying them properly so
that they detect, identify and capture the activity of the specific kind of
threat the organization faces, whether internal or external. Traditionally,
honeypot deployment has not been threat-specific: honeypots are common systems
placed outside the network, where they easily capture highly active attacks of
opportunity. Unfortunately, there are more advanced attackers who target an
organization's critical systems or employees and steal its confidential
information. For honeypots to capture such threats, they need to be customized
for the individual threat and deployed at the proper location and time [18].
For example, to catch external threats a high-value target such as a CVS
honeypot should be deployed on the external network rather than a plain Red
Hat 7.3 honeypot. For internal threats, a honeypot that looks interesting, such
as a database, should be deployed and tuned to the specific threat from a
specific individual.


5 Current challenges to Honeypots

Engineers deploy honeypots to mislead attackers and improve network security,
and in response black hats devise ways to defeat these tools. Attackers behave
in some typical ways when trying to identify and defeat honeypots, as the
following practical issues relating to both networks and systems illustrate.

5.1 Network Issues

A tarpit, as discussed earlier, is a computer entity designed to respond slowly
to incoming requests on purpose, with the goal of trapping the attacker so
that the unauthorized use of (fake) services is logged and slowed down.
Tarpits can operate at layer 7, for example to fight spammers by responding
slowly to SMTP commands, and at layer 4, where the incoming client's socket is
held open while no data is allowed to be received. The LaBrea tarpit works at
the TCP/IP stack level and is used to slow down worms on the Internet.

From the attacker's point of view, the latency of a layer 7 tarpit after
multiple attempts hints that he is dealing with a fake system. For a layer 4
tarpit, the TCP window size is reduced to zero and yet the tarpit keeps
acknowledging incoming packets [14]; this signature is enough to alert a
vigilant attacker.

LaBrea can also answer ARP requests sent for non-existent computers, since it
can be configured to simulate unused IP addresses. If the attacker is on the
same network segment as LaBrea, fingerprinting can be done at layer 2, because
it always answers with the same unique MAC address, 0:0:f:ff:ff:ff, and the
attacker can detect the honeypot easily.

VMware, virtual machine software that allows multiple instances of different
operating systems to run on a single piece of hardware, is popular with
honeypot operators because it makes deployment easy [14]. But a look at the
MAC addresses (VMware has its own vendor prefixes) shows that a system is
running on top of VMware, which makes the attacker suspicious that it is a
honeypot.

5.2 System Issues

UML, User-Mode Linux, is a way of running a Linux system (the guest OS) inside
another Linux system (the host OS), and it can be used as a honeypot [15]. By
default, UML executes in Tracing Thread mode, in which one main thread uses
ptrace() on every process spawned in the guest OS. On the host OS this tracing
can be seen with the ps command.

So by default UML is not designed to be hidden. In addition, network device 0
uses TUN/TAP, which is not common on real systems and gives the attacker a
clue that this is a honeynet system. Another issue is that UML does not use a
real hard disk; it uses a fake IDE device called ubd, which is easy to spot and
so reveals UML. UML can also be identified from a process's address space: on
the host the top of the address space is 0xc0000000, while on UML it is
0xbefff000, and the space between the two is the mapping of the UML kernel,
which implies that any process can access and/or change the UML kernel.
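The give-aways in sections 5.1 and 5.2 are all checkable mechanically, from either side of the fence: an attacker uses them to spot a honeypot, and an operator should run the same checks before going live. The following is an added example for this report, not code from it: it flags the LaBrea MAC address and VMware vendor prefixes in an ARP table, hosts that keep acknowledging with a zero TCP window, and the UML traces (a ubd root device, a tuntap-backed eth0 and a top of address space below 0xc0000000). All inputs are constructed; the line formats, the VMware OUI list and the kernel command-line form used to represent the TUN/TAP transport are assumptions for the demo.

```python
"""Checks for the honeypot give-aways described in sections 5.1 and 5.2.

Added example for this report, not code from it.  All inputs are constructed
text; the exact formats, the VMware OUI list and the UML kernel command-line
form are assumptions for the demo.
"""
import re

LABREA_MAC = "00:00:0f:ff:ff:ff"          # the fixed MAC LaBrea answers ARP with
VMWARE_OUIS = {"00:05:69", "00:0c:29", "00:1c:14", "00:50:56"}  # assumed list
HOST_STACK_TOP = 0xC0000000               # top of user address space on the host
UML_STACK_TOP = 0xBEFFF000                # what a process inside UML sees


def normalize_mac(mac):
    """'0:0:f:ff:ff:ff' -> '00:00:0f:ff:ff:ff'."""
    return ":".join(part.lower().zfill(2) for part in mac.split(":"))


def classify_mac(mac):
    mac = normalize_mac(mac)
    if mac == LABREA_MAC:
        return "labrea-tarpit"
    if mac[:8] in VMWARE_OUIS:
        return "vmware-guest"
    return "unremarkable"


def arp_table_findings(arp_lines):
    """Parse 'ip mac' lines and report hosts whose MAC gives them away."""
    findings = {}
    for line in arp_lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        verdict = classify_mac(parts[1])
        if verdict != "unremarkable":
            findings[parts[0]] = verdict
    return findings


def layer4_tarpit_suspects(packets, min_hits=3):
    """packets: dicts with src, flags, win.  A host that keeps ACKing with a
    zero window (instead of ever reopening it) behaves like a LaBrea-style
    layer-4 tarpit."""
    zero_acks = {}
    for p in packets:
        if p["win"] == 0 and "A" in p["flags"]:
            zero_acks[p["src"]] = zero_acks.get(p["src"], 0) + 1
    return sorted(src for src, n in zero_acks.items() if n >= min_hits)


def uml_indicators(proc_mounts, proc_cmdline, stack_top):
    """Indicators visible from inside a suspected UML guest."""
    hits = []
    if re.search(r"^/dev/ubd", proc_mounts, re.M):
        hits.append("root filesystem on a ubd device")
    if re.search(r"\beth0=tuntap\b", proc_cmdline):
        hits.append("eth0 backed by tuntap")
    if stack_top < HOST_STACK_TOP:
        hits.append("top of address space below 0xc0000000 (0x%x)" % stack_top)
    return hits


# --- constructed inputs ---
SAMPLE_ARP = [
    "192.0.2.10 0:0:f:ff:ff:ff",         # LaBrea answering for an unused address
    "192.0.2.20 00:0C:29:4a:9b:01",      # VMware virtual NIC
    "192.0.2.30 00:1a:a0:12:34:56",      # ordinary host
]
SAMPLE_PACKETS = (
    [{"src": "192.0.2.10", "flags": "A", "win": 0}] * 4          # tarpit: never reopens
    + [{"src": "192.0.2.30", "flags": "A", "win": 0},
       {"src": "192.0.2.30", "flags": "A", "win": 5840}]         # real host: momentary zero window
)
SAMPLE_UML_MOUNTS = "/dev/ubd0 / ext3 rw 0 0\nproc /proc proc rw 0 0\n"
SAMPLE_UML_CMDLINE = "ubd0=root_fs eth0=tuntap,,,192.168.0.254 mem=128M"
SAMPLE_HOST_MOUNTS = "/dev/hda1 / ext3 rw 0 0\nproc /proc proc rw 0 0\n"
SAMPLE_HOST_CMDLINE = "root=/dev/hda1 ro"

if __name__ == "__main__":
    print(arp_table_findings(SAMPLE_ARP))
    print(layer4_tarpit_suspects(SAMPLE_PACKETS))
    print(uml_indicators(SAMPLE_UML_MOUNTS, SAMPLE_UML_CMDLINE, UML_STACK_TOP))
    print(uml_indicators(SAMPLE_HOST_MOUNTS, SAMPLE_HOST_CMDLINE, HOST_STACK_TOP))
```

A real host may advertise a zero window briefly under load, which is why the tarpit check needs several zero-window ACKs from the same source rather than one; the MAC and UML checks, by contrast, are single-shot because the values are fixed by the software.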


6 Suggestion for future Honeypots

As discussed earlier, honeypot technology serves real security purposes, yet
it has been adopted slowly by the security community. The concept of honeypots
was first introduced in 1990, so the question is why it has taken so long for
them to become popular and to be recognized as a legitimate security solution.
Reasons, and suggestions, are addressed in this section.

6.1 From Misunderstanding to Acceptance

Many people and organizations have different understandings and definitions of
honeypots. As stated before, the technology was not properly documented, so
some believe it is a device to lure and deceive an attacker, while others
consider it a technology that detects an attacker. Honeypots are an
exceptionally flexible technology: they range from a simple Windows system
providing a few services to a full-fledged network of an organization.
Nowadays more and more people recognize the definition, value and uses of
honeypots, and because of that honeypots have a growing and exciting future
ahead.

6.2 Suggestions
6.2.1 Making Easy to Use
Honeypot technologies such as Honeynets or the Deception Toolkit (not discussed
in this report) are very hard to maintain; extensive knowledge of the
operating system is required to work with them. Making the technology
user-friendly would give administrators easier access to it. A graphical user
interface (GUI) is the usual way of making things user-friendly, and
straightforward GUIs would make honeypot technology simpler to use. That would
also help to reduce mistakes, and with them the risk.

6.2.2 Integrating with Technologies


Current honeypot technology works standalone: it collects information but does
not collaborate with other technologies. Combining it with other security
services such as IDS sensors or firewalls would make it more efficient. A
firewall blocks all suspicious activity; if the firewall were integrated with
honeypots, traffic the firewall would otherwise drop could be handed to the
honeypots, which can easily identify the characteristics of an attacker.
Integrating the two technologies serves both purposes: blocking an enormous
amount of activity as well as recognizing the attacker.

6.2.3 Studying Advanced Attackers
Research honeypots are generally installed on commonly used systems such as
Windows, Linux or Solaris, so they easily capture information about attackers
and reveal their nature. To obtain information about advanced attackers, the
goal of research honeypots must be set higher. High-value research honeypots
will help to protect e-commerce sites, confidential government information and
the military's strategies and secrets.

6.2.4 Protecting against Honeypot Hunter


Spammers constantly scan for open proxy relays, which they use to hide their
original IP address and remain unidentified. Whenever such a spammer arrives
at a honeypot, the honeypot collects important information about the spammer's
true identity and helps to unmask him. In response, an anti-honeypot
technology has appeared: Send-Safe's Honeypot Hunter (www.send-safe.com)
attempts to detect "safe" proxies for use with bulk-mailing tools. Future
honeypots should be robust enough to withstand these hunters, and should also
be able to detect Send-Safe's Honeypot Hunter itself.

6.2.5 Deploying in Distributed Environment


As discussed earlier, honeypots are a very efficient technology for capturing
valid information about attackers, and research honeypots can gather excellent
information about threats on the Internet. Because the Internet is a very
complex structure, the more research honeypots there are, the more valid
information is collected. The Honeynet Research Alliance demonstrates the
tremendous potential of honeypots in distributed environments [4]. It currently
has members located in India, Mexico and other places, and these distributed
honeypots gather information and record it in a central database. Because the
collected information comes from different sources, it has high significance.
In the same way, distributed honeypots can be established all over the world
and the collected information analyzed at a single point.


7 Schedule

Figure 8 shows the schedule for the development of this report. Tasks were
divided between the two of us and integrated later; however, we were both
involved in every topic of this report.

ID   Task                         Lead             Start      End        Days
1    Topic Selection              Ishleen, Palak   8/29/07    9/08/07    11
2    Honeypot Research            Ishleen, Palak   9/09/07    9/17/07    9
3    Background                   Ishleen, Palak   9/18/07    9/22/07    5
     3.1 Definition
     3.2 History
     3.3 Classification
     3.4 Uses
4    Honeyd                       Ishleen          9/23/07    10/03/07   11
     4.1 Configuring Honeyd
     4.2 Honeyd Architecture
5    Honeynet                     Palak            9/23/07    10/04/07   12
     5.1 Honeynet Architecture
     5.2 Key Requirements
6    Advanced Topic               Palak            10/05/07   10/14/07   10
     6.1 HoneyFarm
     6.2 HoneyToken
7    Current Problems & Issues    Ishleen          10/04/07   10/15/07   12
8    Suggestions for future       Ishleen, Palak   10/16/07   10/26/07   10
9    Lesson Learned               Ishleen, Palak   11/08/07   11/11/07   5

Figure 8 Schedule


8 Lesson Learned
After completing our research on honeypots, we have gained thorough knowledge
about this security technology. We now know about the concept, deployment,
implementation and mechanics of honeypots. Researching the different kinds of
honeypots on the market, how they are deployed and how they help in achieving
what they are designed for, has helped us envision how various security tools
and technologies (honeypots in particular) help combat the unwanted and
malicious activities doing the rounds in our networks. There are several
issues and risks posed to honeypots, though, which we have come to know
through our study. We have listed some of the challenges that have been
observed (by various workers) and the solutions to overcome them. Overall, it
was a good learning experience. With this basic and in-depth knowledge about
this security technology, we are now prepared (and inquisitive) to have
hands-on experience with honeypots.

To conclude, we would mention that co-operatively working on a research topic
of our choice has benefited both of us.


9 References

[1] www.honeypots.net/
[2] Honeypots FAQ 2004
[3] www.webopedia.com
[4] Honeypots: Tracking Hackers by Lance Spitzner
[5] www.wikipedia.com
[6] www.honeyd.org/background
[7] http://students.kennesaw.edu/~hmm5659/formal%20report.htm
[8] www.honeynet.org/papers/honeynet
[9] www.citi.umich.edu/techreports/reports/citi-tr-03-1.pdf
[10] www.securityfocus.com/infocus/1713
[11] http://honeynet.ca/
[12] www.securityfocus.com/infocus/1720
[13] www.cs.unc.edu/~jeffay/courses/nidsS05/slides/12-Honeypots.pdf
[14] www.securityfocus.com/infocus/1803
[15] www.securityfocus.com/infocus/1826#ref1
[16] www.usenix.org/publications/library/proceedings/sec04/tech/full_papers/provos/provos_html/index.html
[17] www.eurecom.fr/util/publidownload.fr.htm?id=1275
[18] www.securityfocus.com/infocus/1757
[19] www.spitzner.net/honeypots.html
