An Introduction To The Honeypots

Princy cc

Content

• Definition
• Three Architectures
• Applications
• Advantages and disadvantages
• Future Work

2
Definition

• Honeypot: a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems.

3
How it works

• Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity.

4
Type of Honeypot

• Purposes
  • Production / Research

• Characteristics
  • Low / High Interactivity

5
Low-Interaction vs. High-Interaction

                  Low-Interaction      High-Interaction
Installation      Easy                 More difficult
Maintenance       Easy                 Time consuming
Risk              Low                  High
Need Control      No                   Yes
Data gathering    Limited              Extensive
Interaction       Emulated services    Full control

6
Value of Honeypots

• Prevention
• Detection
• Response
• Research Purpose

7
Prevention

• Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system.

8
Detection

• Detection is critical; its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, we can quickly react to them, stopping or mitigating the damage they do.

9
Response

• Response can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations, detailed information on the attacker's activity is critical.

10
Three Architectures

• Honeyd
• Gen I Honeynet
• Gen II Honeynet

11
Honeyd Overview

Honeyd is a low-interaction virtual honeypot.

• Simulates arbitrary TCP/UDP services
  • IIS, Telnet, POP3, ...
• Supports multiple IP addresses
  • Test up to 65536 addresses simultaneously
• Supports ICMP
  • Virtual machines answer to ping and traceroute
• Supports subsystems

12
Honeyd Architecture

13
Honeyd Architecture

• Configuration database
  • Stores the personalities of the configured network stacks.
• Central packet dispatcher
  • Dispatches incoming packets to the correct protocol handler.
• Protocol handlers
• Personality engine
• Option routing component

14
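The dispatch path on this slide, together with the multiple-address support from the Honeyd Overview slide, as an added illustrative model in Python (not Honeyd's own source): a configuration database of templates, a binding of virtual IPs to templates, and a central dispatcher that routes each contact to a protocol handler or applies the template's default action. The template name, sample addresses, banner string and handler interface are constructed for the example.

```python
# Simplified model of the Honeyd dispatch path (constructed example, not
# Honeyd's source): any contact with a bound address is logged as suspect.
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

@dataclass
class Template:
    personality: str                 # OS fingerprint the personality engine imitates
    default_action: str = "reset"    # unconfigured ports: "reset", "block" or "open"
    services: Dict[Tuple[str, int], Callable[[bytes], bytes]] = field(default_factory=dict)

class Honeyd:
    def __init__(self) -> None:
        self.templates: Dict[str, Template] = {}   # configuration database
        self.bindings: Dict[str, str] = {}         # virtual IP -> template name
        self.log = []                              # (src, dst, proto, port) per contact

    def create(self, name: str, personality: str, default_action: str = "reset") -> None:
        self.templates[name] = Template(personality, default_action)

    def add(self, name: str, proto: str, port: int, handler) -> None:
        self.templates[name].services[(proto, port)] = handler

    def bind(self, ip: str, name: str) -> None:
        self.bindings[ip] = name                   # one template may serve many IPs

    def dispatch(self, src: str, dst: str, proto: str, port: int,
                 payload: bytes = b"") -> Optional[bytes]:
        """Central packet dispatcher: hand off to the service handler, or apply
        the template's default action for a port that is not configured."""
        name = self.bindings.get(dst)
        if name is None:
            return None                            # not a honeypot address: ignore
        self.log.append((src, dst, proto, port))   # a honeypot has no legitimate traffic
        template = self.templates[name]
        handler = template.services.get((proto, port))
        if handler is None:
            return template.default_action.encode()
        return handler(payload)

def iis_banner(payload: bytes) -> bytes:
    return b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n\r\n"   # constructed banner

def build_demo() -> Honeyd:
    hd = Honeyd()
    hd.create("windows", "Microsoft Windows NT 4.0 SP3")
    hd.add("windows", "tcp", 80, iis_banner)
    for host in range(10, 13):                     # bind three virtual IPs to one template
        hd.bind(f"10.0.0.{host}", "windows")
    return hd
```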
Gen I Honeynet

• Simple methodology, limited capability
• Highly effective at detecting automated attacks
• Uses a reverse firewall for data control
• Can be fingerprinted by a skilled hacker
• Runs at OSI Layer 3

15
Gen I Honeynet

16
Gen II Honeynet

• More complex to deploy and maintain
• Examines outbound data and makes a determination to block, pass, or modify it
• Runs at OSI Layer 2

17
Gen II Honeynet

18
Application

• Detecting and countering worms
• Spam prevention

19
How effective it is!

20
Advantages

• One can learn about incident response; setting up a system that intruders can break into will provide knowledge on detecting hacker break-ins and cleaning up after them.
• Knowledge of hacking techniques can protect the real system from similar attacks.
• The honeypot can be used as an early warning system; setting it up will alert administrators of any hostile intent long before the real system gets compromised.

21
Disadvantages

• Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploits.
• Honeypots must be maintained just like any other networking equipment and services.
• Requires just as many resources as a real system.
• Building a honeypot requires at least a whole system dedicated to it, and this may be an expensive resource.

22
Future Work

• Ease of use: In the future, honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home without difficulty.
• Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS, etc. As these technologies develop, honeypots will be used in closer integration with them.
• Specific purpose: Certain features, such as honeytokens, are already under development to target honeypots at a specific purpose only, e.g. catching only those attempting credit card fraud.

23