Honeypot

Surya Pratap Rao

PROJECT OVERVIEW
Source: The HoneyNet Project
http://www.honeynet.org/
HONEYPOT OVERVIEW
A Honeypot has no functional value.
A Honeypot does not do anything
active. Its value lies in the knowledge
that any access to the Honeypot is
probably malicious.
In a perfectly safe network a Honeypot
should see no traffic at all.
DESCRIPTION
Honeypot as "a security resource who's value lies in
being probed, attacked or compromised". This
means that whatever we designate as a honeypot, it
is our expectation and goal to have the system
probed, attacked, and potentially exploited. Keep in
mind, honeypots are not a solution. They do not 'fix'
anything. Instead, honeypots are a tool. How you
use that tool is up to you and depends on what you
are attempting to achieve. A honeypot may be a
system that merely emulates other systems or
applications, creates a jailed environment, or may be
a standard built system. Regardless of how you build
and
For use
more info the honeypot, it's value lies in the fact that

it is attacked.
http://www.windowsecurity.com/whitepapers/honeypots/Honeypots_Definitions_and_Value_of
DESCRIPTION CONT.
L. Spitzner1 defines the term honeypot as follows:
A honeypot is a resource whose value is being in attacked or
compromised. This means, that honeypot is expected to get probed,
attacked and potentially exploited. Honeypots do not fix anything.
They provide us with additional, valuable
information.

In this paper, a slightly different definition is

proposed:
A honeypot is a resource which pretends to be a real target. A
honeypot is expected to be attacked or compromised. The main
goals are the distraction of an attacker and the gain of information
about an attack and the attacker.

White Paper: Honeypots

Reto Baumann, http://www.rbaumann.net
Christian Plattner, http://www.christianplattner.net
WHY HONEYPOTS
A great deal of the security profession and the
IT world depend on honeypots. Honeypots

Build anti-virus signatures.

Build SPAM signatures and filters.
ISPs identify compromised systems.
Assist law-enforcement to track criminals.
Hunt and shutdown botnets.
Malware collection and analysis.
WHAT ARE HONEYPOTS

Honeypots are real or emulated vulnerable

systems ready to be attacked.
Primary value of honeypots is to collect
information.
This information is used to better identify,
understand and protect against threats.
Honeypots add little direct value to
protecting your network.
TYPES OF HONEYPOT

Other
Proxies
Client
Honeypot initiates
Server and interacts with
servers.
Put the honeypot
on the Internet
and let the bad
guys come to you.
TYPES OF HONEYPOT
Production
Easy to use/deploy
Capture limited information
Mainly used by companies/corporations
Placed inside production network w/other servers
Usually low interaction

Research
Complex to maintain/deploy

Capture extensive information

Primarily used for research, military, or govt. orgs

EXAMPLES OF HONEYPOTS

Commercial Honeypots Low

SPECTER Interaction
KFSensor

ManTrap

Netbait

Open-Source Honeypots
BackOfficer

Friendly
Honeyd High
Interaction
Honeynets

Bigeye

HoneyWeb
VALUE OF HONEYPOTS
Honeypots have certain advantages and
disadvantages as security tools. It is the advantages
that help define the value of a honeypot. The
beauty of a honeypot's lies in its simplicity. It is a
device intended to be compromised, not to provide
production services. This means there is little or no
production traffic going to or from the device. Any
time a connection is sent to the honeypot, this is
most likely a probe, scan, or even attack. Any time a
connection is initiated from the honeypot, this most
likely means the honeypot was compromised.
LEVEL OF INVOLVEMENT

Honeypot is its level of involvement.

The level of involvement does measure
the degree an attacker can interact with
the operating system.
LOW-INVOLVEMENT HONEYPOT
A low-involvement honeypot typically only provides
certain fake services. In a basic form, these services
could be implemented by having a listener on a specific
port.
On a low-involvement honeypot there is no real
operating system that an attacker can operate on. This
will minimize the risk significantly because the
complexity of an operating system is eliminated. On the
other hand, this is also a disadvantage. It is not possible
to watch an attacker interacting with the operating
system, which could be really interesting. A low-
involvement honeypot is like a one-way connection. We
only listen, but we do not ask questions ourselves. The
role of this approach is very passive.
A low-involvement honeypot can be compared to an
passive IDS5, as both do not alter any traffic or interact
with the attacker or the traffic flow. They are used to
generate logs and alerts if incoming packets match
certain patterns.
MID-INVOLVEMENT HONEYPOT
A mid-involvement honeypot provides more
to interact with, but still does not provide a
real underlying operating system. The fake
daemons are more sophisticated and have
deeper knowledge about the specific
services they provide. The probability that
the attacker can find a security hole or a
vulnerability is getting bigger because the
complexity of the honeypot increases.
Through the higher level of interaction,
more complex attacks are possible and can
therefore be logged and analyzed. The
attacker gets a better illusion of a real
operating system. He has more possibilities
to interact and probe the system.
Developing a mid-involvement honeypot
is complex and time consuming. Special care
has to be taken for security checks as all
developed fake daemons need to be as
secure as possible. The knowledge for
HIGH-INVOLVEMENT HONEYPOT
A high-involvement honeypot has a real
underlying operating system. This leads to a
much higher risk as the complexity increases
rapidly. One goal of a hacker is to gain root and
to have access to a machine, which is
connected to the Internet 24/7. A high
involvement honeypot does offer such an
environment.
A high-involvement honeypot is very time
consuming. The system should be constantly
under surveillance. A honeypot which is not
under control is not of much help and can even
become a danger or security hole itself. It is
very important to limit a honeypots access to
the local intranet, as the honeypot can be used
by the blackhats as if it was a real compromised
system.
By providing a full operating system to the
attacker, he has the possibilities to upload and
install new files. This is where a high-
OVERVIEW
Each level of involvement has its advantages and disadvantages. Table 2
summarizes what has been seen so far. Choosing the lowest as possible level
of involvement should reduce the danger and risk as much as possible. The
required maintenance time should also be considered when choosing a
honeypot and its level of involvement.
ADVANTAGE

Honeypots collect small amounts of data, and almost

all of this data reveals real attacks or unauthorized
activities. Because honeypots collect only malicious
activities, they make it much easier for
administrators to analyze and react to the
information they collect.

Honeypots are simple; there are no advanced

algorithms to develop or rule bases to maintain.
DISADVANTAGE
Honeypots also have their disadvantages. This is why they do not
replace existing technologies. Instead, they work with and
complement the existing infrastructure. The two main
disadvantages of honeypots are as follows:

Honeypots only see activity that they interact with. They do not
see or capture any attacks directed against existing systems.

Any time another resource is added with an IP stack, there is a

risk. Different honeypots have
different levels of risk, so it is always an issue that needs to be
addressed.
SUMMARY
Honeypots are a cheap and simple way
to add protection to a network
Honeypots allow the study of attackers
methods of operation. And help
developing new ways for countering
them.
REFERENCES
Edward Amoroso. Intrusion Detection: An Introduction to Internet
Surveillance, Correlation, Trace Back, Traps and Responses.
Intrusion NetBooks, 1999.
Project Honeynet Members. Project Honeynet. Oct 2001.
http://project.honeynet.org.
Patrick Mueller and Greg Shipley. Dragon Claws its way to the top.
Network Computing, Aug 2001.
http://www.networkcomputing.com/1217/1217f2.html.
Stuart McClure, Joel Scambray, and George Kurtz. Hacking
Exposed 2nd Edition. Computing McGraw-Hill, second edition,
2000.
Stephen Northcutt. Network Intrusion Detection: An Analysis
Handbook. New Riders Publishing, 1999.
Lance Spitzner. Honeypots - Definitions and Value of Honeypots.
Oct 2001.
http://www.enteract.com/lspitz/honeypot.html.
THANK YOU