CmpE-220 Honeypots Final
Submitted by
Submitted to
Prof. Weider Yu
Table of Contents
0 Abstract ... 1
1 Background ... 2
1.1 Definition ... 2
1.2 History of Honeypots ... 3
1.3 Classification of Honeypots ... 4
1.3.1 Based on deployment ... 4
1.3.2 Based on level of interaction ... 4
1.3.3 Physical and Virtual Honeypots ... 5
1.4 Uses of Honeypots ... 6
2 Honeypots ... 7
2.1 Honeyd ... 7
2.1.1 Configuring Honeyd ... 8
2.1.2 Honeyd Architecture ... 9
2.2 Honeynet ... 11
2.2.1 Honeynet Architecture ... 12
2.2.2 Key Requirements ... 13
3 Advanced Honeypots ... 15
3.1 Honey Farm ... 15
3.1.1 Values of Honey Farm ... 15
3.1.2 Honey Farm Architecture ... 16
3.2 Honeytoken ... 17
3.2.1 Values of Honeytoken ... 17
3.2.2 Working of Honeytoken ... 17
4 Issues with Honeypots ... 19
4.1 Identifying honeypots ... 19
4.2 Exploiting honeypots ... 19
4.3 Nature of attack ... 20
5 Current challenges to Honeypots ... 21
5.1 Network Issues ... 21
5.2 System Issues ... 22
6 Suggestion for future Honeypots ... 23
6.1 From Misunderstanding to Acceptance ... 23
6.2 Suggestions ... 23
6.2.1 Making Easy to Use ... 23
6.2.2 Integrating with Technologies ... 23
6.2.3 Studying Advanced Attackers ... 24
6.2.4 Protecting against Honeypot Hunter ... 24
6.2.5 Deploying in Distributed Environment ... 24
7 Schedule ... 25
8 Lesson Learned ... 26
9 References ... 27
0 Abstract
This vast topic has been the subject of entire books; here, however, we have
collected the most important information. We discuss the most important
concepts and the issues related to honeypots. This report covers honeypots as
an intrusion detection system, the different types of honeypots, how they work
and how they are deployed, the issues and challenges facing honeypots, and
some suggestions for their future use. The report also provides references for
further reading.
-1-
Honeypots Ishleen Kour Sudan/Palak Pandya
1 Background
1.1 Definition
1.2 History of Honeypots
The word “honeypot” originally came from an espionage technique used during
the Cold War, based on sexual entrapment. The term “honeypot” described the
use of a female agent to entrap a male official of the other side in order to
gain information [11].
Year  Development
1997  Version 0.1 of Fred Cohen's Deception Toolkit was released, one of the
      first honeypot solutions available to the security community [4].
1999  Formation of the Honeynet Project and publication of the "Know Your
      Enemy" series of papers [4]. This work helped increase awareness and
      validate the value of honeypots and honeypot technologies [4].
2002  A honeypot is used to detect and capture in the wild a new and unknown
      attack, specifically the Solaris dtspcd exploit [4].
Figure 1 History of Honeypots
1.3 Classification of Honeypots
• Less risky: Because the attacker is confined to emulated services, the
risk is minimal. Risk is mitigated by controlling the attacker’s activity;
the attacker never gains access to a real operating system from which to
attack or harm others.
• Captures limited information: This is the main disadvantage. These
honeypots are designed to capture only known activity, mainly transactional
data, so the information they collect is limited.
• Easy detection: No matter how good the emulation is, skilled attackers can
easily identify their presence [19].
1.4 Uses of Honeypots
1.4.3 Decoys:
All the unused address space on a network is populated with honeypots. This
makes an attacker waste time attacking honeypots, which slows down and annoys
a human attacker and also slows down the spread of worms.
1.4.4 Tarpits:
These are used to slow down the attacker. One example is the LaBrea tarpit.
Here an attacker is allowed to open a TCP connection, and then the window size
is reduced to zero. The attacker can neither send data across the connection
nor close it, and over time the connection consumes resources on the
attacker's system. Another example is an open mail relay, where a honeypot
offers an anonymous mail relay to attract spammers. The relay is made to
respond very slowly to SMTP commands, forcing spammers to waste time
interacting with the honeypot. The honeypot may pretend to forward the mail
but actually drops it.
2 Honeypots
2.1 Honeyd
Honeyd is a low-interaction honeypot in which an attacker interacts with a
simulated machine. It runs on a single host that simulates a group of virtual
machines and the physical network between them [13]. Of the things that could
be simulated (operating system, services and network stack), only the network
stack of each machine is simulated.
The figure below shows the architecture of Honeyd.
A single real machine can simulate a whole network of honeypots. In Figure 2
only the router and the honeyd machine (10.0.0.2) are real computers [13]. A
central machine intercepts the network traffic intended for the IP addresses
of the configured honeypots and simulates their responses. Honeyd receives
traffic for its virtual honeypots via a router or
Proxy ARP [9]. Honeyd can simulate the network stack behavior of different
operating systems [9].
Honeyd is designed to reply to all packets whose destination IP address
belongs to one of the simulated honeypots. For Honeyd to receive the right
packets, the network must be configured properly. Some of the ways to
accomplish this are:
• Adding routes: The IP addresses of the virtual honeypots lie within the
local network range and are denoted v1...vn. If A is the IP address of the
router and B the IP address of the honeyd host, routes for the honeypots
v1...vn are added to the router's routing table. Router A then forwards the
packets for the virtual honeypots straight to the honeyd host B.
2.1.2 Honeyd Architecture
Honeyd consists of the following components:
• Configuration database
• Central packet dispatcher
• Protocol handlers
• Personality engine
• Optional routing component
• Configuration database:
The configuration database maintains the mapping between the virtual
honeypots and their IP addresses. A default template is used when no specific
configuration is available for an address.
• Central packet dispatcher:
Packets received by the Honeyd daemon for one of the virtual honeypots are
processed by the central packet dispatcher [9]. The dispatcher checks the
length of the IP packet and verifies its checksum [9]. Since the daemon knows
only three protocols (ICMP, TCP and UDP), packets for other protocols are
discarded. The dispatcher then queries the configuration database for the
honeypot configuration that corresponds to the destination IP address, using
the default one if none matches.
• Protocol handler:
The dispatcher calls the protocol-specific handler with the received packet
and the corresponding honeypot configuration [9].
• ICMP handler:
It handles ICMP ECHO request packets: the daemon answers with an ICMP ECHO
reply packet.
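The dispatcher, configuration database and ICMP handler described above, as an added example written for this report (it is a toy model, not Honeyd's own code). The template names, personality strings and the addresses 10.0.0.3, 10.0.0.9 and 10.0.0.100 are constructed; packets are built inline so the whole thing runs offline.

```python
# Added example (not Honeyd's code): a toy model of Honeyd's central packet
# dispatcher, configuration database and ICMP handler as described above.
import socket
import struct
from dataclasses import dataclass

PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17      # the only protocols the daemon knows
ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY = 8, 0


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words.
    Verifying a header that already carries its checksum yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass(frozen=True)
class Template:
    name: str          # e.g. "windows" or "default" (constructed names)
    personality: str   # OS personality label (constructed values below)


class ConfigDatabase:
    """Links virtual honeypot IPs to templates; unmatched IPs get the default."""
    def __init__(self, default: Template):
        self.default = default
        self.bindings = {}

    def bind(self, ip: str, template: Template) -> None:
        self.bindings[ip] = template

    def lookup(self, ip: str) -> Template:
        return self.bindings.get(ip, self.default)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum, followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", internet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_icmp(kind: int, ident: int, seq: int, data: bytes = b"") -> bytes:
    """ICMP echo request/reply: type, code, checksum, identifier, sequence, data."""
    body = struct.pack("!BBHHH", kind, 0, 0, ident, seq) + data
    return body[:2] + struct.pack("!H", internet_checksum(body)) + body[4:]


def icmp_handler(template: Template, src: str, dst: str, icmp: bytes):
    """ICMP ECHO requests are answered with an ECHO reply from the honeypot's IP."""
    if len(icmp) < 8 or icmp[0] != ICMP_ECHO_REQUEST:
        return ("drop", "unsupported icmp type")
    ident, seq = struct.unpack("!HH", icmp[4:8])
    reply = build_ipv4(dst, src, PROTO_ICMP, build_icmp(ICMP_ECHO_REPLY, ident, seq, icmp[8:]))
    return ("reply", template.name, reply)


def dispatch(db: ConfigDatabase, packet: bytes):
    """Central packet dispatcher: length and checksum checks, protocol filter,
    configuration lookup, then hand-off to the protocol-specific handler."""
    if len(packet) < 20:
        return ("drop", "truncated header")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len != len(packet):
        return ("drop", "bad length")
    if internet_checksum(packet[:ihl]) != 0:
        return ("drop", "bad checksum")
    proto = packet[9]
    if proto not in (PROTO_ICMP, PROTO_TCP, PROTO_UDP):
        return ("drop", "unknown protocol %d" % proto)
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    template = db.lookup(dst)                 # default template if the IP is unbound
    payload = packet[ihl:total_len]
    if proto == PROTO_ICMP:
        return icmp_handler(template, src, dst, payload)
    # TCP and UDP go to their own handlers, which this toy model does not reproduce.
    return ("handoff", "tcp" if proto == PROTO_TCP else "udp", template.name)


# Constructed sample: one bound honeypot plus the default template.
DB = ConfigDatabase(Template("default", "generic Linux"))
DB.bind("10.0.0.3", Template("windows", "generic Windows"))


def demo():
    """Ping the bound honeypot 10.0.0.3 from a constructed client 10.0.0.100."""
    ping = build_ipv4("10.0.0.100", "10.0.0.3", PROTO_ICMP,
                      build_icmp(ICMP_ECHO_REQUEST, 7, 1, b"hi"))
    return dispatch(DB, ping)


if __name__ == "__main__":
    print(demo())
```

Corrupting a single header byte or truncating the packet makes the dispatcher drop it before any lookup, and a protocol number outside ICMP/TCP/UDP is discarded as the text describes; an unbound destination still gets a reply, from the default template.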
• Personality engine:
Before any packet is sent to the network, it is processed by the personality
engine [9], which adjusts the packet’s content so that it appears to originate
from the network stack of the configured operating system [9]. Adversaries
commonly run fingerprinting tools to gather information about a target system
[16], so it is important that honeypots do not stand out when fingerprinted
[9]. To make them appear real to a probe, Honeyd simulates the network stack
behavior of a given operating system [16]; this is generally called the
personality of a virtual honeypot. Different personalities can be assigned to
different virtual honeypots [9]. The personality engine makes a honeypot’s
network stack behave as specified by the personality
by introducing changes into the protocol headers of every outgoing packet so
that they match the characteristics of the configured operating system [9].
The daemon uses Nmap's fingerprint database for TCP and UDP and Xprobe's for
ICMP as references.
• Routing:
Honeyd also supports virtual routing topologies. Proxy ARP cannot be used in
this case; instead the router must be configured to delegate a network range
to the honeyd host, and this range can then be split into sub-networks. The
virtual routing topology is implemented as a rooted tree, the root being the
point at which packets enter the virtual routing topology [9]. Each
non-terminal node of the tree represents a router and each edge a link that
carries latency and packet loss as attributes [9]. Each terminal node of the
tree corresponds to a network. When the daemon receives a packet, it
traverses the tree starting at the root until it finds a node that contains
the destination IP address of the packet [9]. The packet loss and latency of
all edges on the path are accumulated and determine whether the packet is
dropped and for how long its delivery is delayed [16]. The daemon also
decrements the time to live (TTL) of the packet for each traversed router. If
the TTL reaches zero, the daemon sends an ICMP time exceeded message with the
source IP address of the router that caused the TTL to reach zero [9].
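The tree traversal, accumulated latency and loss, per-router TTL decrement and ICMP time exceeded behaviour described above, as an added example written for this report (a toy model, not Honeyd's code). The topology (entry router 10.0.0.1, second router 10.1.0.1, the two networks and the link latencies and loss rates) is a constructed sample.

```python
# Added example (not Honeyd's code): a toy model of the virtual routing topology
# described above. Routers, networks and link attributes are constructed values.
import ipaddress
import random
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    """Non-terminal nodes (with links) are routers; terminal nodes are networks."""
    addr: str                      # router IP, or a CIDR prefix for a terminal network
    links: List[Tuple["Node", float, float]] = field(default_factory=list)

    def add_link(self, child: "Node", latency_ms: float, loss: float) -> "Node":
        """Attach child over an edge carrying latency (ms) and loss probability."""
        self.links.append((child, latency_ms, loss))
        return child

    def is_router(self) -> bool:
        return bool(self.links)


def find_path(node: Node, dst: str, lat: float = 0.0, loss: float = 0.0):
    """Depth-first walk from the root until a terminal network contains dst.
    Returns the hops as (node, edge_latency, edge_loss), or None if none matches."""
    if not node.is_router():
        hit = ipaddress.ip_address(dst) in ipaddress.ip_network(node.addr)
        return [(node, lat, loss)] if hit else None
    for child, edge_lat, edge_loss in node.links:
        rest = find_path(child, dst, edge_lat, edge_loss)
        if rest is not None:
            return [(node, lat, loss)] + rest
    return None


def route(root: Node, dst: str, ttl: int, rng=random.random):
    """Carry a packet through the topology.
    Accumulates latency and loss along the path, decrements TTL at every router,
    and returns ICMP time exceeded from the router where the TTL hits zero.
    Result: (outcome, delay_ms, detail); detail is the remaining TTL, the
    router address that sent time exceeded, or None."""
    path = find_path(root, dst)
    if path is None:
        return ("unreachable", 0.0, None)
    delay, survive = 0.0, 1.0
    for node, edge_lat, edge_loss in path:
        delay += edge_lat
        survive *= 1.0 - edge_loss
        if node.is_router():
            ttl -= 1
            if ttl == 0:
                return ("icmp_time_exceeded", delay, node.addr)
    if rng() > survive:                      # accumulated loss decides a drop
        return ("dropped", delay, None)
    return ("delivered", delay, ttl)


def build_topology() -> Node:
    """Constructed sample: entry router 10.0.0.1 serves 10.0.0.0/24 directly and
    reaches 10.1.0.0/16 through a second router over a slow, lossy link."""
    root = Node("10.0.0.1")
    root.add_link(Node("10.0.0.0/24"), latency_ms=1, loss=0.0)
    r2 = root.add_link(Node("10.1.0.1"), latency_ms=55, loss=0.1)
    r2.add_link(Node("10.1.0.0/16"), latency_ms=10, loss=0.0)
    return root


if __name__ == "__main__":
    topo = build_topology()
    print(route(topo, "10.1.3.4", 64))   # delivered, unless the random loss fires
    print(route(topo, "10.1.3.4", 2))    # time exceeded from 10.1.0.1
```

Passing `rng` as a parameter keeps the loss decision deterministic in tests; a packet that enters with TTL 1 is already expired at the entry router, which is exactly what a traceroute against the virtual topology would observe.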
2.2 Honeynet
As explained earlier, a honeynet is nothing more than an architecture. The key
element of this architecture is the honeywall, a gateway device that separates
the honeypots from the rest of the world. Any traffic going to or from the
honeypots must pass through the honeywall [8]. The honeywall is traditionally
a layer-2 bridging device, which means the device is hidden from anyone who
interacts with the honeypots [8].
Data control describes how malicious activity is contained within the
honeynet without the attacker’s knowledge; its purpose is to mitigate risk. It
must be ensured that once an attacker is inside the honeynet, he cannot
accidentally or purposely damage non-honeynet systems. At the same time the
system has to allow the attacker some degree of freedom, because that is what
lets us learn the attacker's characteristics. The most important point is the
balance between how much freedom to offer and how much restriction to impose.
Data control should operate in a fail-closed manner: if any mechanism fails,
the honeynet architecture should block all outbound activity rather than allow
it, thus minimizing risk [8]. Honeypots with no restrictions and honeypots
behind a honeywall are illustrated by Figure 5 and Figure 6.
[Figure 5: honeypots connected to the Internet with no restrictions]
[Figure 6: honeypots connected to the Internet through a honeywall]
Moreover, the captured data must not be stored on the local honeypots,
because if an attacker discovers it, it can easily be modified or deleted.
Another possibility is that attackers identify how the data capture mechanism
works; the black-hat community could then develop methods to bypass or disable
the mechanism [8].
3 Advanced Honeypots
3.1 Honey Farm
The potential advantages of the Honey Farm are enormous. With this
technology, deploying honeypots becomes extremely easy. A Honey Farm could be
built at any SOC (Security Operations Center) where the manpower and resources
have already been dedicated to such a solution [12]. Once redirectors are
physically placed on a network, they redirect all attackers and unauthorized
activity to the centralized honeypot farm, while SOC personnel monitor and
analyze all of the captured data [12].
The concept of honeypot farms is exceptionally powerful; however, few
off-the-shelf solutions exist and it is challenging to implement. Several
Honey Farm solutions are still under active development and some have already
been released [12]. One of the simplest commercial solutions that implements a
Honey Farm is NetBait, which calls them ServerFarms. Within these farms one can
set up any desired systems. NetBait's redirectors capture an attacker's
activity and redirect it to predetermined systems within the ServerFarm. When
an attacker probes or attacks a specific IP, he continues to interact with
that same IP; during the redirection, the attacker does not realize which
system he is really working on. NetBait maintains the farm for an
organization. All the organization has to do is deploy redirectors on its
networks, which ultimately direct all unauthorized activity to NetBait's
farms. The Honey Farm works as a service
rather than a tool, so organizations no longer need to maintain or analyze
the data from the honeypots. Additionally, they do not have to worry about
liability or risk. They gain the power and advantages of honeypots without the
resource or risk issues [12].
The central mechanism of the Honey Farm is the redirector. A redirector acts
as a proxy or 'worm hole' [10]: it transports an attacker's probes to a
honeypot within the Honey Farm without the attacker ever knowing it [12]. The
attacker thinks they are interacting with a victim on the local network, when
in reality they have been transported to the Honeypot Farm [12]. Figure 7
shows the concept of redirecting attackers to the Honey Farm.
3.2 Honeytoken
Sir,
The security team has updated your account to the company's financial records. Your new login and
password to the system are as below.
If you need any help or assistance, do not hesitate to contact us.
https://finance.sjsucompany.com
login: calI0 password: H0n3y_t0k3n
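The decoy account in the message above only has value if its use is noticed. The following detection logic, an added example written for this report (not code from the original), scans authentication log lines for the honeytoken account name and raises an alert on every use, successful or not, since no legitimate user was ever given that login. The log format, the timestamps and the addresses 10.1.2.3, 10.1.2.9 and 203.0.113.45 are constructed for the example; the host name finance.sjsucompany.com and the account calI0 are those from the message.

```python
# Added example (not part of the report): detection logic for the honeytoken
# credential above. Log format and the sample lines are constructed.
import re
from collections import Counter

HONEYTOKEN_USERS = {"calI0"}          # decoy account from the e-mail above

# Constructed sample auth log (not real data); the two calI0 lines are the hits.
SAMPLE_LOG = """\
2024-03-01T08:12:01Z finance.sjsucompany.com auth user=alice src=10.1.2.3 result=success
2024-03-01T08:13:44Z finance.sjsucompany.com auth user=bob src=10.1.2.9 result=failure
this line is garbage and is skipped by the parser
2024-03-01T09:02:17Z finance.sjsucompany.com auth user=calI0 src=203.0.113.45 result=failure
2024-03-01T09:02:18Z finance.sjsucompany.com auth user=calI0 src=203.0.113.45 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str):
    """Return the fields of a well-formed log line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_honeytoken_use(log_text: str, tokens=HONEYTOKEN_USERS):
    """Scan log text and return one alert per line that uses a decoy account.
    Failed attempts count too: even a failure proves the token has leaked."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["user"] in tokens:
            alerts.append({
                "time": rec["ts"], "host": rec["host"], "user": rec["user"],
                "src": rec["src"], "result": rec["result"],
                "severity": "high" if rec["result"] == "success" else "medium",
            })
    return alerts


def sources_by_count(alerts):
    """Aggregate alerts by source address: where the leaked token is used from."""
    return dict(Counter(a["src"] for a in alerts))


if __name__ == "__main__":
    hits = find_honeytoken_use(SAMPLE_LOG)
    for alert in hits:
        print(alert)
    print(sources_by_count(hits))
```

Because the token itself carries no production access, the only response the alert needs is investigation of the source and of how the message leaked; the same scan can be pointed at web-server or VPN logs wherever the decoy login could be tried.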
For every honeypot deployed it must be assumed that it has both known and
unknown vulnerabilities, and steps should be taken to protect against unknown
attacks.
For low-interaction honeypots the risk is low, as the attacker can only
interact with emulated services and has limited ability to exploit the real
applications and operating system to gain access [18]. But it should be
assumed that the attacker can bypass the controlled emulated service, and
steps should be taken to secure the application [18]. For example, for Win32
honeypots like KFSensor, a secure base OS with the latest patches can be built
and host-based firewalls installed that block inbound connections to ports
other than
those served by the honeypot. For UNIX, chroot() improves containment of
attacked processes and jail() restricts what processes can see. Low-level
kernel hardening such as Systrace, grsecurity and SELinux should be used to
protect low-interaction honeypots against known and unknown attacks [18].
High-interaction honeypots run a greater risk, as they offer real operating
systems and applications to interact with. Since attackers can gain privileged
control of the honeypots, external data control measures such as an IPS and
bandwidth limiting must be applied. The risk can be handled in two ways:
first, by implementing several layers of control to avoid a single point of
failure; second, by human intervention and monitoring. Any anomalous activity
should then be controlled by a human and appropriate steps taken.
From an attacker's point of view, with a layer-7 tarpit the latency of the
service after multiple attempts hints that he is dealing with a fake system.
With a layer-4 tarpit, the TCP window size is reduced to zero while the tarpit
continues to acknowledge incoming packets [14]. This signature is enough to
alert a vigilant attacker.
LaBrea can also answer ARP requests sent for non-existent computers, and it
can be configured to simulate unused IP addresses. If the attacker is on the
same network segment as LaBrea, fingerprinting can be done at layer 2, since
LaBrea always answers with the same MAC address, 0:0:f:ff:ff:ff. The attacker
can thus detect the honeypot easily.
5.2 System Issues
UML, User Mode Linux, is a way to run a Linux system as a guest inside another
Linux system (the host), and it can be used as a honeypot [15]. By default,
UML executes in Tracing Thread mode, where one main thread will ptrace() every
process spawned in the guest OS. On the host OS, this tracing can be seen with
the ps command.
Thus, by default UML is not designed to be hidden. Also, network device 0 uses
TUN/TAP, which is not common on real systems and thus gives the attacker a
clue that this is a honeynet system. Another issue is that UML does not use a
real hard disk; instead it uses a fake IDE device called ubd, which can easily
be seen, and so UML is detected. UML can also be found in the address space of
a process. On the host the topmost address is 0xc0000000, while on UML it is
0xbefff000; the space between the two is the mapping of the UML kernel, which
implies that any process can access and/or change the UML kernel.
6.2 Suggestions
6.2.1 Making Easy to Use
Honeypot technologies like Honeynets or the Deception Toolkit (not discussed
in this report) are very thorny to maintain. Extensive knowledge of the
operating system is required to work with this type of technology. Making the
technology user-friendly would give administrators easier access to it. A
graphical user interface (GUI) is the usual way to make things user-friendly,
and straightforward GUIs would make honeypot technology simpler to use. This
would also help to reduce mistakes and thereby reduce risk.
6.2.3 Studying Advanced Attackers
Research honeypots are generally installed on systems in real use. These
systems are usually Windows, Linux or Solaris, so an attacker can easily
gather information, and in this way research honeypots reveal the nature of
an attacker. To obtain information about advanced attackers, the goals of the
research honeypots must be set high. High-value research honeypots will help
to protect e-commerce sites, confidential government information and military
strategies and secrets.
7 Schedule
Figure 8 shows the schedule for the development of this report. Tasks were
distributed between the two of us and integrated later; however, we were both
involved in each and every topic of this report.
[Figure 8: Gantt-style schedule with columns ID, Task, Task Lead, Start, End
and Days, covering the weeks from 27 Aug to 12 Nov]
Figure 8 Schedule
8 Lesson Learned
After accomplishing our research on honeypots, we have gained a thorough
knowledge of this security technology. We now know about the concept,
deployment, implementation and mechanics of honeypots. Researching the
different kinds of honeypots on the market, how they are deployed and how
they help in achieving what they are designed for has helped us envision how
various security tools and technologies (honeypots in particular) help combat
the unwanted and malicious activities doing the rounds in our networks. There
are several issues and risks posed to honeypots, though, which we have come
to know through our study. We have listed some of the challenges that have
been observed (by various workers) and the solutions to overcome them.
Overall, it was a good learning experience. With this basic and in-depth
knowledge of this security technology, we are now prepared (and inquisitive)
to have hands-on experience with honeypots.
9 References
[1] www.honeypots.net/
[2] Honeypots FAQ 2004
[3] www.webopedia.com
[4] Honeypots: Tracking Hackers by Lance Spitzner
[5] www.wikipedia.com
[6] www.honeyd.org/background
[7] http://students.kennesaw.edu/~hmm5659/formal%20report.htm
[8] www.honeynet.org/papers/honeynet
[9] www.citi.umich.edu/techreports/reports/citi-tr-03-1.pdf
[10] www.securityfocus.com/infocus/1713
[11] http://honeynet.ca/
[12] www.securityfocus.com/infocus/1720
[13] www.cs.unc.edu/~jeffay/courses/nidsS05/slides/12-Honeypots.pdf
[14] www.securityfocus.com/infocus/1803
[15] www.securityfocus.com/infocus/1826#ref1
[16] www.usenix.org/publications/library/proceedings/sec04/tech/full_papers/provos/provos_html/index.html
[17] www.eurecom.fr/util/publidownload.fr.htm?id=1275
[18] www.securityfocus.com/infocus/1757
[19] www.spitzner.net/honeypots.html