SEMINAR REPORT

ON
HONEY POT

SUBMITTED TO:
SUBMITTED BY:
Ms. Poonam Kshatriya Shubha Joshi
M.Tech (CS)
Sem II, 2007
2
 CONTENTS
S.NO. TOPICS PAGE NO
1. What are Honey-pots 3
2. Etymology 4
3. History of Honeypot 5
4. Classification of Honeypot 7
5. Level of Interaction 8
6. Difference between Low interaction & High Interaction 10
7. Physical vs Virtual Honeypot 11
8. Production vs Research Honeypot 12
9. Advantages of Honeypot 17
10. Disadvantages of Honeypot 18
11. Honeyd 19
12. Honeynets 20
13. Honeynet Architecture 21
14. Advantages of Honeynet 24
15. Disadvantages of Honeynet 25
16. Difference between Honeypot & Honeynet 26
17. Google Hack Honeypot 27
18. References 28

3
What is Honeypot

A honeypot is an information system resource whose value lies in

unauthorized or illicit use of that resource. They are closely monitored
network decoys serving several purposes: they can distract adversaries
from more valuable machines on a network, they can provide early
warning about new attack and exploitation trends and they allow in-depth
examination of adversaries during and after exploitation of a honeypot.
• Has no production value; anything going to/from a
honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
• Does not solve a specific problem. Instead, they are a
highly flexible tool with different applications to security
• A trap set to detect and deflect attempts at unauthorized
use of information systems.
• It consist of a computer, data or a network site that
appears to be part of a network but which is actually isolated &
protected.
• Whatever they capture is supposed to be malicious &
unauthorized.
An example of a honeypot is a system used to simulate one or more
network services that you designate on your computer's ports. An
attacker assumes you're running vulnerable services that can be used
to break into the machine. This kind of honeypot can be used to log
access attempts to those ports including the attacker's keystrokes. This
could give you advanced warning of a more concerted attack

4
Etymology

The term "honeypot" is often understood to refer to the English children's

character Winnie-the-Pooh, a stuffed bear who was lured into various
predicaments by his desire for pots of honey.
During the Cold War it was an espionage technique, which inspired spy
fiction. The term "honeypot" was used to describe the use of female to gain
secret information. In a common scenario, a pretty female Communist
agent would trick a male Western official into handing over secret
information.
An alternative explanation for the term is a reflection of the sarcastic term
for outhouses and other methods of collecting feces and other human
waste in places that lack indoor plumbing. Honey is a euphemism for such
waste, which is kept in a honeypot until it is picked up by a honey wagon
and taken to a disposal area. In this usage, attackers are the equivalent of
flies, drawn by the stench of sewage

5
History of Honeypot

The concept of the honeypot is not new. In fact as early as 1991, a number
of publications expounded on concepts that were to be foundations of
today’s honeypot development. Two publications in particular stood out:
 1990/1991 The Cuckoo’s Egg and Evening with Berferd

Clifford Stoll was an astrophysicist turned systems manager at

Lawrence Berkeley Lab. Due to a 75 percent accounting error was
able to track down a hacker that was using their computers as a
launching pad to hack hundreds of military, industrial, and
academic computers in search of secrets. His book “The Cuckoo's
Egg”, published in 1988, detailed his experiences through this 3
year incident where he observed the hacker and subsequently
gathered information that led to the hackers arrest.
The other publication that was of particular note during this period
was “An Evening with Berferd” by the well respected Internet
Security expert, Bill Cheswick. In the paper, Mr. Cheswick
describes how he and his colleagues set up their jail machine, also
known as roach motel2 in which they chronicled a hackers
movements and the bait and traps they used to lure and detect
him.
 1997 - Deception Toolkit

The Deception Toolkit is one of the original and landmark

Honeypots. It is generally a collection of PERL scripts designed
for UNIX systems that emulate a variety of known vulnerabilities.
The concept put forward by the DTK is “deceptive defense” which
now central in Honeypot concepts and implementations
 1998 - CyberCop Sting

CyberCop Sting is a component of the CyberCop intrusion

protection software family which runs on NT. Cybercop Sting has
also been referred to as a “decoy server” for it can simulate a
network containing several different types of network devices,
including Windows NT servers, Unix servers and routers. Each of
these decoys had the ability to track, record, and report intrusive
activity to network and security administrators. As with the DTK,
each of these decoys can run simulated services. However, as with
the problem with most simulated or low-interaction Honeypots, you
can only only simulate limited functionality with Cybercop sting

6
 such as telnet logins or SMTP banners thus limiting its ability to
deceive and to study hackers in the long term.
 1998 - NetFacade (and Snort)

As with Cybercop Sting, it creates a simulated network of hosts,

with simulated IP addresses, running seemingly vulnerable
services but in a much larger scale. NetFacade can simulate an
entire class C network up to 254 systems. It can also simulate 7
different operating systems with a variety of different services.
 1998 - BackOfficer Friendly

Back Officer Friendly runs in Windows and was free thus giving
more people access to Honeypot technology. Though It didn’t give
much functionality it was still a very useful piece of software which
demonstrated the concepts of the Honeypot to a lot of people that
who were not familiar to Honeypot concepts at that time.
 1999 - Formation of the Honeynet Project 9

A group of people led by Lance Spitzner decided to form the

Honeynet Project 9. The honeynet project is a non-profit group
dedicated to researching the blackhat community and to share
their work to others. Their primary tool for research is the
honeynet, an advanced form of Honeypot.
 2003- Some Honeypot Tools

In 2003, several important Honeypot tools were introduced through

these organizations such as Snort-Inline12, Sebek13, and
advanced virtual honeynets14.
 Snort- Inline augmented Snort to block and disable attacks
instead of just detecting them.
 Sebek provided a means to capture hacker activities in
Honeypots by logging their keystrokes.
 Virtual honeynets provided a means to deploy multiple
honeynets with just one computer.

7
 Classification of Honetpot

• By level of interaction

 High

 Low

• By Implementation

 Virtual

 Physical

• By purpose

 Production

 Research

8
 1). Level of Interaction
Interaction defines the level of activity a honeypot allows an attacker.
There are two categories of interaction “Low Level “ & “High Level
Interaction” which helps us understand what type of honeypot you are
dealing with, its strengths, and weaknesses.

Low Interaction: Low-interaction honeypots have limited interaction, they

normally work by emulating services and operating systems. Attacker
activity is limited to the level of emulation by the honeypot.
 Simulates some aspects of the system
 Easy to deploy, minimal risk
 Limited Information
Advantages
 Its simplicity.
 These honeypots tend to be easier to deploy and maintain, with
minimal risk.
 Usually they involve installing software, selecting the operating
systems and services you want to emulate and monitor, and letting
the honeypot go from there. This plug and play approach makes
deploying them very easy for most organizations.
 The emulated services mitigate risk by containing the attacker's
activity, the attacker never has access to an operating system to
attack or harm others.
Disadvantages
 They log only limited information and are designed to capture known
activity.
 It’s easier for an attacker to detect a low-interaction honeypot, no
matter how good the emulation is, skilled attacker can eventually
detect their presence.
Examples of low-interaction honeypots include Specter, Honeyd, and
KFSensor.

9
 High Interaction: High-interaction honeypots are different; they are
usually complex solutions as they involve real operating systems and
applications. Nothing is emulated; we give attackers the real thing. If you
want a Linux honeypot running an FTP server, you build a real Linux
system running a real FTP server.
 Simulates all aspects of the OS: real systems
 Can be compromised completely, higher risk
 More Information
 Honey-net

Advantages
 Extensive amounts of information can be captured. By
giving attackers real systems to interact with, you can learn the full
extent of their behavior, everything from new rootkits to international
IRC sessions.
 They make no assumptions on how an attacker will
behave. Instead, they provide an open environment that captures all
activity. This allows high-interaction solutions to learn behavior we
would not expect.

Disadvantages
 It increases the risk of the honeypot as attackers can
use these real operating system to attack non-honeypot systems.
As result, additional technologies have to be implement that prevent the
attacker from harming other non-honeypot systems

10
Difference between high level interaction and low level
interaction

Low-interaction
Solution emulates operating No emulation,
systems and services.
 Easy to install and deploy.
Usually requires simply
installing and configuring
software on a computer.
 Minimal risk, as the emulated
services control what
attackers can and cannot do.
 Captures limited amounts of
information, mainly trans-
actional data and some
limited interaction.
High-interaction
real operating
systems and services are provided.
 Can capture far more
information, including new
tools, communications, or
attacker keystrokes.
 Can be complex to install or
deploy (commercial versions
tend to be much simpler).
 Increased risk, as attackers
are provided real operating
systems to interact with

Low
Fake Daemon

Operating
system

Disk

High
Other local
resource

11
 2). Physical vs Virtual Honeypots

 A “Physical Honeypot” is a real machine on the network with

its own IP address.
• Real machines
• Own IP Addresses
• Often high-interactive
 A “Virtual Honeypot” is simulated by another machine that
responds to network traffic sent to the virtual honeypot
• Simulated by other machines that:
– Respond to the traffic sent to the honeypots
– May simulate a lot of (different) virtual honeypots at the
same time.
A software program that is designed to appear to be a real
functioning network but is actually a decoy built specifically to be
probed and attacked by malicious users. In contrast to a honeypot,
which is typically a hardware device that lures users into its trap, a
virtual honeypot uses software to emulate a network.
Physical honeypots are often high-interaction, so allowing the system to be
compromised completely, they are expensive to install and maintain. For
large address spaces, it is impractical or impossible to deploy a physical
honeypot for each IP address. In that case, we need to deploy virtual
honeypots.

12
3). Production vs Research honeypot
Production honeypots are systems that help mitigate risk in your
organization or environment. They provide specific value to securing your
systems and networks. Their job is to take care of the bad guys. How do
they accomplish this? To answer that question, we are going to break
down security into three categories and then review how honeypots can or
cannot add value to each one of them. The three categories are as:
Prevention:

In terms of security, prevention means keeping the bad guys out. If you
were to secure your house, prevention would be similar to placing deadbolt
locks on your doors, locking your windows, and perhaps installing a
chainlink fence around your yard. You are doing everything possible to
keep out the threat. The security community uses a variety of tools to
prevent unauthorized activity. Examples include firewalls that control what
traffic can enter or leave a network or authentication, such as strong
passwords, digital certificates, or two-factor authentication that requires
individuals or resources to properly identify themselves. Based on this
authentication, one can determine who is authorized to access resources.
Mechanisms such as encryption prevent attackers from reading or
accessing critical information, such as passwords or confidential
documents.
What role do honeypots play here? How do honeypots keep out the bad
guys?
Honeypots adds little value to prevention, since they do not deter the
enemy. In fact, if incorrectly implemented, a honeypot may introduce risk,
providing an attacker a window into an organization. The deception
concept is used to have attackers’ waste time and resources in attacking
honeypots, as opposed to attacking production systems. The deterrence
concept is that if attackers know there are honeypots in an organization,
they may be scared off as they do not want to be detected or they do not
want to waste their time or resources attacking the honeypots.
Both concepts are psychological weapons used to confuse a human
attacker but most attacks are usually performed by automated tools, such
as auto-rooters or worms so deception or deterrence will not be able to
prevent these attacks because there is no conscious individual to deter or
deceive.
Both concepts fail to prevent the most common of attacks: targets of
opportunity. The attacker use automated tools that hack into systems for
them. These attackers do not spend time analyzing the systems they

13
target. They merely take a shotgun approach, hitting as many computers
as possible and seeing what they get into.
However, the time and resources involved in deploying honeypots for
preventing attacks, especially prevention based on deception or
deterrence is time better spent on security best practices. As long as you
have vulnerable systems, you will be hacked. No honeypot can prevent
that.
Detection:

The second tier of security is detection, the act of detecting and alerting
unauthorized activity. If you were to secure your house, detection would be
the installation of burglar alarms and motion detectors. These alarms go off
when someone breaks in. In case the window was left open or the lock on
the front door was picked, we want to detect the burglar if they get into our
house. Within the world of information security, we have the same
challenge. Sooner or later, prevention will fail, and the attacker will get in.
There are a variety of reasons why this failure can happen: A firewall rule
base may be misconfigured, an employee uses an easy-to-guess
password, and a new vulnerability is discovered in an application. There
are numerous methods for penetrating an organization. Prevention can
only mitigate risk; it will never eliminate it.

Within the security community, Network Intrusion Detection Systems, are

designed to monitor networks and detect any malicious activity. However,
they do not keep out the bad guys, but they alert us if someone is trying to
get in and if they are successful.

How do honeypots help detect unauthorized or suspicious activity? While

honeypots add limited value to prevention, they add extensive value to
detection. For many organizations, detection is extremely difficult. Three
common challenges of detection are :

 False positives are when systems falsely alert suspicious or

malicious activity. What a system thought was an attack or exploit
attempt was actually valid production traffic.

 False negatives are the exact opposite: They are when an

organization fails to detect an attack.

 The third challenge is Data aggregation, centrally collecting all the

data used for detection and then corroborating that data into
valuable information.

14
A single false positive is not a problem. The problem occurs when these
false alerts happen hundreds or even thousands of times a day. System
administrators may receive so many alerts in one day that they cannot
respond to all of them and hence start ignoring these false positive alerts
as they come in day after day. Network Intrusion Detection Systems are
very familar with false positives. The only solution to false positives is to
modify the system to not alert about valid, production traffic. This is an
extremely time-consuming process, requiring highly skilled individuals who
understand network traffic, system logs, and application activity.
A false negative is when a system fails to detect a valid attack. The risk is
that a successful attack may occur, but the systems fail to detect and alert
to the activity. NIDS not only face the challenge of false positives but also
have problems with false negatives.
The third challenge to detection is data aggregation. Modern technology is
extremely effective at capturing extensive amounts of data. NIDS, system
logs, application logs—all of these resources are very good at capturing
and generating gigabytes of data. The challenge becomes how to
aggregate all this data so it has value in detecting and confirming an
attack.
Due to their simplicity, honeypots effectively address the three challenges
of detection: false positives, false negatives, and data aggregation. Most
honeypots have no production traffic, so there is little activity to generate
false positives.
Honeypots address false negatives because they are not easily defeated
by new exploits. In fact, one of their primary benefits is they can detect a
new attack by virtue of system activity, not signatures. It works on the
concept that anything sent its way is suspect.
The simplicity of honeypots also addresses the third issue: data
aggregation. Honeypots address this issue by creating very little data.
There is no valid production traffic to be logged, collected, or aggregated.
Honeypots generate only several megabytes of data a day, most of which
is of high value. This makes it extremely easy to diagnose useful
information from honeypots.
Response

Once we detect a successful attack, we need the ability to respond. When

securing our house, we want to be sure someone can protect us in case of
a break-in. Often house burglar alarms are wired to monitoring stations or
the local police department. When an alarm goes off, the proper authorities
are alerted and can quickly react, protecting your house. The same logic

15
applies to securing your organization. Honeypots add value to the
response aspect of security.
When an attacker breaks into a system, their actions leave evidence,
evidence that can be used to determine how the attacker got in, what they
did once they gained control of the system, and who were they. It is this
evidence that is critical to capture. Without it, organizations cannot
effectively respond to the incident.
Honeypots can help address these challenges to reaction capability.
Remember, a honeypot has no production activity, so this helps the
problem of data pollution. When a honeypot is compromised, the only real
activity on the system is the activity of the attacker, helping to maintain its
integrity. If we look at our train station analogy, imagine a crime at a train
station where there are no people or trains coming or going. Evidence
such as fingerprints or hair samples are far more likely to remain intact.
The same case is true for honeypots. Honeypots can also easily be taken
offline for further analysis. Since honeypots provide no production
services, organizations can easily take them down for analysis without
impacting business activity.

How do HPs work?

Prevent
Detect Attackers

Response
Monitor
Attack Data

HoneyPot A
No Connection
Gateway

16
Research Honeypots are complex to deploy and maintain, capture
extensive information and are used primarily by research, military or
government organization. They can be used for the following:
 To capture automated threats, such as worms or auto-rooters.
By quickly capturing these weapons and analyzing their malicious
payload, organizations can better react to and neutralize the threat.
 As an early warning mechanism, predicting when future
attacks will happen. This works by deploying multiple honeypots in
different locations and organizations. The data collected from these
research honeypots can then be used for statistical modeling,
predicting future attacks. Attacks can then be identified and stopped
before they happen.
 To capture unknown tools or techniques
 To better understand attackers' motives and organization. By
capturing their activity after they break into a system, such as
communications among each other, we can better understand who
our threat is and why they operate.
 To gain information on advanced blackhats

17
Advantages of Honeypot

Honeypots are a tremendously simply concept, which gives them some

very powerful strengths.

 Small data sets of high value: Honeypots collect small

amounts of information. Instead of logging a one GB of data a day,
they can log only one MB of data a day. Instead of generating
10,000 alerts a day, they can generate only 10 alerts a day.
Remember, honeypots only capture bad activity; any interaction with
a honeypot is most likely unauthorized or malicious activity. As such,
honeypots reduce 'noise' by collectin only small data sets, but
information of high value, as it is only the bad guys. This means its
much easier (and cheaper) to analyze the data a honeypot collects
and derive value from it.
 New tools and tactics: Honeypots are designed to capture
anything thrown at them, including tools or tactics never seen
before.
 Minimal resources: Honeypots require minimal resources,
they only capture bad activity. This means an old Pentium computer
with 128MB of RAM can easily handle an entire class B network
sitting off an OC-12 network.
 Encryption or IPv6: Unlike most security technologies (such
as IDS systems) honeypots work fine in encrypted or IPv6
environments. It does not matter what the bad guys throw at a
honeypot, the honeypot will detect and capture it.
 Information: Honeypots can collect in-depth information that
few, if any other technologies can match.
 Simplicty: Finally, honeypots are conceptually very simple.
There are no fancy algorithms to develop, state tables to maintain,
or signatures to update. The simpler a technology, the less likely
there will be mistakes or misconfigurations.

18
Disadvantages of Honeypot

Like any technology, honeypots also have their weaknesses. It is because

of this they do not replace any current technology, but work with existing
technologies.

 Limited view: Honeypots can only track and capture activity

that directly interacts with them. Honeypots will not capture attacks
against other systems, unless the attacker or threat interacts with
the honeypots also.
 Risk: All security technologies have risk. Firewalls have risk of
being penetrated, encryption has the risk of being broken, IDS
sensors have the risk of failing to detect attacks. Honeypots are no
different, they have risk also. Specifically, honeypots have the risk of
being taken over by the bad guy and being used to harm other
systems. These risk various for different honeypots. Depending on
the type of honeypot, it can have no more risk then an IDS sensor,
while some honeypots have a great deal of risk.

19
Honeyd
Honeyd is a low-interaction honeypot. Developed by Niels Provos, A virtual
honey pot application, which allows us to create thousands
of IP addresses with virtual machines and corresponding
network services. It is open source software released
under GNU General Public License.
• It is able to simulate big network on a single host.
• It provides simple functionality.
• It gives an attacker to façade to attack

How Honeyd Works

Honeyd works on the concept of monitoring unused IP space. Anytime it
sees a connection attempt to an
unused IP, it intercepts the
connection and then interacts with
the attacker, pretending to be the
victim. By default, Honeyd detects
and logs any connection to any UDP
or TCP port. In addition, you can
configure emulated services to
monitor specific ports, such as an
emulated FTP server monitoring TCP
port 21. When an attacker connects
to the emulated service, not only
does the honeypot detect and log the
activity, but it captures all of the
attacker's interaction with the
emulated service. In the case of the
emulated FTP server, we can
potentially capture the attacker's
login and password, the commands
they issue, and perhaps even learn
what they are looking for or their
identity. It all depends on the level of
emulation by the honeypot. Most emulated services work the same way.

20
 Know Your Enemy:
Honeynets
Honeynet
Tradationally information security has been primarily defensive. Firewalls,
Intrusion detection system, encryption; all of these mechanism are used
defensively to protect one’s resource. The strategy is to defend one’s
organization as best as possible, detect any failures in the defense, and
then react to those failures. The problem with this approach is it purely
defensive, the enemy has the initiative. Honeypots attempts to change
that. The primary purpose of honeypot is to gather information on threats.
This information has defferent value for different organization.
Eg.
• Academic research institution may use honeypot
to gather data for research, such as worm activity.
• Security organization may use honeypot to
capture and analyze malware for anti-virus.
• Government organization use them to learn more
about who is targetting them and why???
Honeynets are a prime example of high-interaction honeypot.
Honeynets are not a product; they are not a software solution that you
install on a computer. Instead, Honeyents are an architecture, an entire
network of computers designed to attacked. The idea is to have an
architecture that creates a highly controlled network, one where all activity
is controlled and captured. Within this network we place our intended
victims, real computers running real applications. The bad guys find,
attack, and break into these systems on their own initiative. When they do,
they do not realize they are within a Honeynet. All of their activity, from
encrypted sessions to emails and files uploads, are captured without them
knowing it. This is done by inserting kernel modules on the victim systems
that capture all of the attacker's actions. At the same time, the Honeynet
controls the attacker's activity. Honeynets do this using a Honeywall
gateway. This gateway allows inbound traffic to the victim systems, but
controls the outbound traffic using intrusion prevention technologies. This
gives the attacker the flexibility to interact with the victim systems, but
prevents the attacker from harming other non-Honeynet computers.

21
Honeynet Architecture

Honeynets are nothing more than an architecture. To succesfully deploy a

honeynet; the honeynet architecture should be correctly deployed. The key
to the honeynet architecture is what we call a “honeywall”. This is a
gateway device that seperates your honeypots from the rest of the world.
Any traffic going to or from the honeypots must go through the honeywall.
This gateway is traditionally a layer 2 bridging device, meaning the device
should be invisible to anyone interacting with the honeypots. Below we see
a diagram of this architecture. The Honeywall has 3 interfaces. The first 2

interfaces (eth0 and eth1) are what seperate our honeypots from
everything else, these are bridged interfaces that have no IP stack. The
3rd interface (eth2, which is optional) has an IP stack allowing for remote
administration.

There are several key requirements that a honeywall must implement;

Data Control, Data Capture, Data Analysis, Data Collection. Data
Control defines how activity is contained with the honeynet without an
attacker knowing it. Its purpose is to minimize risk. Data Capture is
capturing all of the attacker's activity without the attacker knowing it. Data

22
Analysis is the ability to analyze this data. Data Collection is the ability to
collect data from multiple honeynets to a single source. Of all these
requirements, Data Control is the more important. Data Control always
takes priority as its role is to mitigate risk. We describe each in more detail
below.

 Data Control is the containment of activity, it is what mitigates risk.

By risk, we mean there is always the potential of an attacker or
malicious code using a honeynet to attack or harm non-honeynet
systems, or abusing the honeynet in some un-expected way. We
want to make every effort possible to ensure that once an attacker is
within our honeynet or a system is compromised, they cannot
accidentally or purposefully harm other non-honeynet systems. The
challenge is implementing data control while minimizing the
attacker's or malcious's code chance of detecting it. This is more
challenging then it seems. First, we have to allow the attackers
some degree of freedom to act. The more activity we allow the
attackers to perform, the more we can potentially learn about them.
However, the more freedom you allow an attacker, the more risk
there is they will circumvent Data Control and harm other non-
honeynet systems. The balance of how much freedom to give the
attacker vs. how much you restrict their activity is a decision every
organization has to make themselves.

 Data Capture is the monitoring and logging of all of the

threat's activities within the honeynet. It is this captured data that is
then analyzed to learn the tools, tactics, and motives of attackers.
The challenge is to capture as much data as possible without the
threat detecting the process. As with Data Control, one of the
primary lessons learned for Data Capture has been the use of
layers. It is critical to use multiple mechanisms for capturing activity.
Not only does the combination of layers help piece together all of the
attacker's actions, but it prevents having a single point of failure. The
more layers of information that are captured, at both the network and
host level, the more that can be learned. To minimize the ability of
attackers to detect our capture mechanisms, there are two ways:
First, make as few modifications to the honeypots as possible. The
more modifications you make, the greater the chance of detection.
Second it is best that captured data not be stored locally on the
honeypots themselves. Not only could this data be detected by
attackers, but it could also be modified or deleted. As such, captured
data must be logged and stored on a seperate, secured system.

23
  Data Analysis is the third requirement. Remember, the entire
purpose of a honeynet is information. A honeynet is worthless if you
have no ability to convert the data it collect to information, you must
have some ability to analyze the data. Different organizations have
different needs, and as such will have different data analysis
requirements.

 Data Collection applies only to organizations that have

multiple honeynets in distributed environments. Most organizations
will have only one single honeynet, what we call a standalone
deployment. As such they do not need to worry about Data
Collection. However, organizations that have multiple honeynets
logically or physically distributed around the world have to collect all
of the captured data and store it in a central location. This way the
captured data can be combined, exponentially increasing its value.
The Data Collection requirement provides the secure means of
centrally collecting all of the captured information from distributed
honeynets.

Implementing all of these requirements is extremely difficult, complex, and

time consuming. In the past it took a great deal of time and effort to deploy
such an architecture. However, today the Honeynet Project has developed
a rapid and simple way for an organization to deploy such functionality, its
call the Honeywall CDROM. The purpose of this bootable CDROM is to
make it simple to rapidly build and deploy a honeywall, the critical
component to honeynet architecture. You simply install the Honeywall
CDROM into a computer with multiple NICs, and it automates the build
process of a honeywall, implementing all of the requirements we just
discussed above.

24
 Advantages of Honeynet

• High Data Value

 Small Data
• Low Resource Cost
 Weak or Retired system
• Simple Concept, Flexible Implementation
• Return on Investment
 Proof of Effectiveness
• Catch new attacks

25
Disadvantages of honeynet
• In reference to risk, there are four general areas we will cover;
 Harm: when a honey net is used to attack or or harm other,
non-honey net systems.
Eg. An attacker may break into a honeynet, and then launch
an outbound attack never seen before, successfully harming
or compromising its intended victim.
 Detection: Once the true identity of a honey net has been
identified, its value is dramatically reduced. Attacker can
ignore or bypass the honeynet, eliminating its capability for
capturing information.
 Disabling: Attackers may want to not only detect a honey
net's identity, but disable its Data Control or Data Capture
capabilities, potentially without the honeynet administrator
knowing that functionality has been disabled (feed the
honeypot with bogus activity, making administrator think that
data capture is still functioning and recording activity when it is
not.)
 Violation: Attackers may attempt criminal activity from your
compromised honey net without actually attacking anyone
outside your honey net
Eg. Attackers using a honeypot to upload then distribute illegal
material. Remember, this individual broke into your system on
their own initiative. If detected, this illegal activity would be
attributed to you by way of it being on your system. You may
then have to prove that it was in fact not you who was
responsible for this activity.

26
Difference between Honeypot & Honeynet

• Honeypots use known vulnerabilities to lure attack.

– Configure a single system with special software or system

emulations

– Want to find out actively who is attacking the system

• Honeynets are networks open to attack

– Often use default installations of system software

– Behind a firewall

– Rather they mess up the Honeynet than your production

system.

27
Google Hack Honeypot
GHH is the reaction to a new type of malicious web traffic: search engine hackers. GHH
is a “Google Hack” honeypot. It is designed to provide reconaissance against attackers
that use search engines as a hacking tool against your resources. GHH implements
honeypot theory to provide additional security to your web presence.
Google has developed a powerful tool. The search engine that Google has implemented
allows for searching on an immense amount of information. The Google index has
swelled past 8 billion pages [February 2005] and continues to grow daily. Mirroring the
growth of the Google index, the spread of web-based applications such as message
boards and remote administrative tools has resulted in an increase in the number of
misconfigured and vulnerable web apps available on the Internet.
These insecure tools, when combined with the power of a search engine and index
which Google provides, results in a convenient attack vector for malicious users. GHH is
a tool to combat this threat.
GHH emulates a vulnerable web
application by allowing itself to be
indexed by search engines. It's
hidden from casual page viewers,
but is found through the use of a
crawler or search engine. It does
this through the use of a
transparent link which isn't
detected by casual browsing but is
found when a search engine
crawler indexes a site. The
transparent link (when well crafted)
will reduce false positives and
avoid a fingerprint of the honeypot.
The honeypot connects to a
configuration file, and the
configuration file writes to a log file
which is chosen during
configuration. The log file contains
information about the host, including IP address, referral information, and user agent.

Using the information gathered in the log file, an administrator can learn more about
attackers doing reconnaissance against their site. An administrator can cross reference
logs and view a better picture of specific attackers.

GHH can be a minimum of 3 files, including the honeypot, the configuration file, and the
log. The transparent link is made into a pre-existing webpage. GHH is written in PHP
and is issued under the GNU Public License.

28
References:

 http://en.wikipedia.org/wiki/honeypot
 http://www.honeynet.org
 www.honeypots.net/
 www.honeynet.org/papers/index.html
 www.awprofessional.com/articles/article.asp
 www.spitzner.net/honeypots.html
 www.honeynet.org.papers/cdrom/roo/
 www.honeynet.ie.about.html

29