Seminar Report On

HONEYPOTS
(A tool to fight against the hackers)
By Bijay Kumar (Y2M007), S4 MCA
Department of Computer Science and Engineering
National Institute of Technology Calicut - 673601
February 2004


Certificate

This is to certify that this seminar report titled Honeypot is a bonafide record of the Seminar presented by Bijay Kumar (Y2M007), fourth semester MCA student.

National Institute of Technology Calicut

Coordinator                                   Professor and Head

Place:
Date:

Acknowledgement

I would like to put on records my sincere thanks to: Dr. V. K. Govindan, H.O.D., Computer Science and Engineering Department, Mrs. Priya Chandran and Miss. Nisha H., who helped me in preparing this seminar and gave me useful guidance. I would also like to thank all of my friends and well wishers who helped me a lot in the successful presentation of my seminar.

CONTENTS

1. Abstract
2. Definition of honeypots
3. Types of honeypots
   a. Low interaction honeypots
   b. High interaction honeypots
4. Value of honeypots
   a. Specter
   b. Homemade honeypots
   c. Mantrap
5. How honeypots work
   a. Prevention
   b. Detection
   c. Reaction
   d. Research
6. Advantages of honeypots
7. Disadvantages of honeypots
8. Differences
9. Conclusion
10. References

HONEYPOTS

Abstract

A honeypot is an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into, but limit the intruder from having access to an entire network. If a honeypot is successful, the intruder will have no idea that he is being tricked and monitored. Most honeypots are installed inside firewalls so that they can better be controlled, though it is possible to install them outside of firewalls. A firewall in a honeypot works in the opposite way that a normal firewall works: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.

By luring a hacker into a system, a honeypot serves several purposes:
• The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
• The hacker can be caught and stopped while trying to obtain root access to the system.
• By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

Over the last years, network-based intrusions have increased exponentially, due to the popularity of scripted or automated attack tools. This increase in intrusions has rekindled interest in honeypot systems, which can be used to trap and decode the attack methods used by the black hat community.

Definition of Honeypots

Honeypots are an exciting new technology with enormous potential for the security community. The first step to understanding honeypots is defining what a honeypot is. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. It is also this flexibility that can make them challenging to define and understand. Honeypots can be defined as follows: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. This is a general definition covering all the different forms of honeypots. All will fall under the definition we use above. Conceptually almost all honeypots work the same. They are a resource that has no authorized activity; they do not have any production value. Instead, their value lies in the bad guys interacting with them. Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. We will be discussing in this report different examples of honeypots and their value to security.

Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot is a security resource whose value lies in being probed, attacked, or compromised.

One example of a honeypot is a system used to simulate one or more network services that you designate on your computer's ports. An attacker assumes you're running vulnerable services that can be used to break into the machine. This kind of honeypot can be used to log access attempts to those ports, including the attacker's keystrokes. This could give you advanced warning of a more concerted attack.

Types of honeypots

Honeypots come in many shapes and sizes. There are two general types of honeypots: production and research. Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations. To help us better understand honeypots and all the different types, we break them down into two general categories:
1. Low-interaction honeypots
2. High-interaction honeypots

Low-interaction honeypots

These categories help us understand what type of honeypot we are dealing with, its strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an attacker. Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services we want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity; the attacker never has access to an operating system to attack or harm others. The main disadvantage with low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, it's easier for an attacker to detect a low-interaction honeypot; no matter how good the emulation is, a skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.

Honeyd: Low-interaction honeypot

Honeyd is a low-interaction honeypot. Developed by Niels Provos, Honeyd is Open Source and designed to run primarily on UNIX systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands

they issue, and perhaps even learn what they are looking for or their identity. Most emulated services work the same way. They expect a specific type of behavior, and then are programmed to react in a predetermined way. If attack A does this, then respond this way. If attack B does this, then react this way. The limitation is if the attacker does something that the emulation does not expect, then it does not know how to respond. Most low-interaction honeypots, including Honeyd, simply generate an error message. It all depends on the level of emulation by the honeypot.

High-interaction honeypots

High-interaction honeypots are different; they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, you can capture extensive amounts of information. The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect. An excellent example of this is how a Honeynet (…). However, this also increases the risk of the honeypot, as attackers can use this real operating system to attack non-honeypot systems. As a result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include honeynets.

Honeynets: High-interaction honeypot

Honeynets are a prime example of a high-interaction honeypot. Honeynets are not a product; they are not a software solution that you install on a computer. Instead, Honeynets are an architecture, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly
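The emulated FTP service discussed above (a fixed table of expected commands, capture of the login, password and every command, and a generic error for anything unexpected) can be demonstrated with a few lines of code. The following is an added example written for this report; it is not Honeyd's code, and the banner, port 2121 and the replies are constructed values. It also shows the limitation the text describes: a command outside the table gets nothing better than "500 Unknown command".

```python
"""Emulated FTP control channel in the style of a low-interaction honeypot.

Added example for this report; not Honeyd's code. The banner, the reply
strings and the listening port are constructed values.
"""
import datetime
import socketserver


class FtpEmulation:
    """State machine for one emulated FTP control session."""

    # Constructed banner; a deployment would copy the banner of a real server.
    BANNER = "220 FTP server ready.\r\n"

    def __init__(self, peer="unknown"):
        self.peer = peer
        self.user = None
        self.password = None
        self.log = []        # (timestamp, peer, raw command) for the operator
        self.closed = False

    def _record(self, line):
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.log.append((stamp, self.peer, line))

    def feed(self, line):
        """Take one command line from the client, return the reply to send."""
        line = line.rstrip("\r\n")
        self._record(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        # "If attack A does this, then respond this way": the expected cases.
        if verb == "USER":
            self.user = arg
            return "331 Please specify the password.\r\n"
        if verb == "PASS":
            self.password = arg
            # Accept any password so the session continues and more is captured.
            return "230 Login successful.\r\n"
        if verb == "SYST":
            return "215 UNIX Type: L8\r\n"
        if verb == "PWD":
            return '257 "/"\r\n'
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye.\r\n"
        # The limitation of emulation: anything outside the table gets a
        # generic error, which is also how a skilled attacker spots the decoy.
        return "500 Unknown command.\r\n"

    def credentials(self):
        return (self.user, self.password)

    def commands(self):
        return [cmd for _, _, cmd in self.log]


def run_session(lines, peer="203.0.113.7"):
    """Replay client lines through one emulation offline (no sockets).
    Returns the emulation (with its log) and the list of replies."""
    ftp = FtpEmulation(peer)
    replies = [ftp.feed(line) for line in lines]
    return ftp, replies


class _Handler(socketserver.StreamRequestHandler):
    """Thin TCP wrapper so the same emulation can sit on a real port."""

    def handle(self):
        ftp = FtpEmulation("%s:%d" % self.client_address)
        self.wfile.write(FtpEmulation.BANNER.encode())
        while not ftp.closed:
            raw = self.rfile.readline()
            if not raw:
                break
            self.wfile.write(ftp.feed(raw.decode(errors="replace")).encode())
        for entry in ftp.log:
            print("%s %s %r" % entry)


if __name__ == "__main__":
    # Listens on the loopback address only; connect an FTP client or telnet
    # to 127.0.0.1 port 2121 to see the canned replies.
    with socketserver.TCPServer(("127.0.0.1", 2121), _Handler) as server:
        server.serve_forever()
```

`run_session` replays a scripted client offline, which is how the emulation table can be tested without opening a port; the `_Handler` wrapper is the only part that touches the network, and it binds to the loopback address so nothing outside the machine can reach it.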

controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers. An example of such a deployment can be seen in Figure 1.

Figure 1: How honeynets are connected to the main server
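The Honeywall's data-control rule described above (inbound traffic to the victims passes, outbound traffic from a victim is limited) can be modelled as a small decision function. The following is an added example written for this report, not the Honeynet Project's code: the honeypot addresses, the quota of five outbound connections per hour and the flow records are constructed. A honeypot that starts initiating connections has most likely been compromised, so the first outbound attempt is alerted on and attempts beyond the quota are dropped.

```python
"""Honeywall-style outbound connection limiting (added example, not the
Honeynet Project's code). Honeypot addresses, the hourly quota and the
flow records below are constructed values."""
from collections import defaultdict

HONEYPOTS = {"10.0.0.5", "10.0.0.6"}   # constructed victim addresses
LIMIT_PER_HOUR = 5                     # constructed quota per honeypot


class OutboundLimiter:
    def __init__(self, honeypots=HONEYPOTS, limit_per_hour=LIMIT_PER_HOUR):
        self.honeypots = set(honeypots)
        self.limit = limit_per_hour
        self.counts = defaultdict(int)   # (honeypot, hour bucket) -> attempts
        self.alerts = []

    def decide(self, src, dst, dport, ts):
        """Return "allow" or "drop" for one connection attempt.
        ts is seconds since the epoch; the quota resets every hour."""
        if src not in self.honeypots:
            # Inbound to the victims, or traffic we do not police: let it pass.
            return "allow"
        key = (src, ts // 3600)
        self.counts[key] += 1
        n = self.counts[key]
        if n == 1:
            self.alerts.append("%s initiated its first outbound connection, to %s:%d"
                               % (src, dst, dport))
        if n > self.limit:
            self.alerts.append("%s over quota (%d/h); dropped outbound %s:%d"
                               % (src, self.limit, dst, dport))
            return "drop"
        return "allow"


def replay(records, limiter=None):
    """Run (ts, src, dst, dport) records through a limiter and return the
    decisions in order."""
    limiter = limiter or OutboundLimiter()
    return [limiter.decide(src, dst, dport, ts) for ts, src, dst, dport in records]


# Constructed flow records: an outsider connects to the honeypot twice, then
# the honeypot itself tries to reach out seven times within one hour, and
# once more in the following hour.
SAMPLE_FLOWS = [
    (1076382000, "203.0.113.7", "10.0.0.5", 22),
    (1076382030, "203.0.113.7", "10.0.0.5", 80),
] + [
    (1076382100 + i * 10, "10.0.0.5", "198.51.100.%d" % (20 + i), 6667)
    for i in range(7)
] + [
    (1076386000, "10.0.0.5", "198.51.100.99", 25),   # next hour: quota resets
]

if __name__ == "__main__":
    lim = OutboundLimiter()
    for rec, verdict in zip(SAMPLE_FLOWS, replay(SAMPLE_FLOWS, lim)):
        print(verdict, rec)
    for a in lim.alerts:
        print("ALERT:", a)
```

Counting per hour bucket rather than per session is what lets an attacker keep a little outbound connectivity (enough to download tools, which is what the Honeynet wants to observe) while bounding the damage the compromised system can do to third parties.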

Value of Honeypots

Now that we have an understanding of the two general categories of honeypots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories: honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways: prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.

Now that we have discussed the different types of honeypots and their value, let's discuss some examples. The more a honeypot can do and the more an attacker can do to a honeypot, the more information can be derived from it. However, by the same token, the more an attacker can do to the honeypot, the more potential damage an attacker can do. For example, a low interaction honeypot would be one that is easy to install and simply emulates a few services. Attackers can merely scan, and potentially connect to several ports. Here the information is limited (mainly who connected to what ports when), however there is little that the attacker can exploit. On the other extreme would be high interaction honeypots. These would be actual systems. We can learn far more, as there is an actual operating system for the attacker to compromise and interact with; however there is also a far greater level of risk, as the attacker has an actual operating system to work with. Neither solution is a better honeypot. It all depends on what you are attempting to achieve. Remember,

honeypots are not a solution. Instead, they are a tool. Their value depends on what your goal is, from early warning and detection to research. Based on 'level of interaction', let's compare some possible honeypot solutions. For this report we will discuss three more honeypots. We will cover Specter, homemade honeypots, Honeyd, Mantrap, and Honeynets. There are a variety of other possible honeypots, however this selection covers a range of options. This paper is not meant to be a comprehensive review of these products. I only highlight some of their features. Instead, I hope to cover the different types of honeypots, how they work, and demonstrate the value they add and the risks involved. If you wish to learn more about the capabilities of these solutions, I highly recommend you try them out on your own in a controlled lab environment.

Specter

Specter is a commercial product 'low interaction' production honeypot. It is easy to implement and low risk. Specter works by installing on a Windows system. It can emulate a far greater range of services and functionality. In addition, not only can it emulate services, but it can emulate a variety of operating systems. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a webserver or telnet server of the operating system of our choice. When an attacker connects, it is then prompted with an http header or login banner. The attacker can then attempt to gather web pages or login to the system. This activity is captured and recorded by Specter, however there is little else the attacker can do. There is no real application for the attacker to interact with, instead just some limited, emulated functionality. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms. One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker. Some of this information

gathering is relatively passive, such as DNS lookups. However, some of this research is active, such as port scanning the attacker. While this intelligence functionality may be of value, many times you do not want the attacker to know he is being watched. Be careful when implementing any active, automated responses to the attacker.

Homemade Honeypots

Another common honeypot is homemade. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as Worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with, however the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (http), capturing all traffic to and from the port. This is commonly done to capture Worm attacks. One such implementation would be using netcat, as follows:

Homemade honeypots can be modified to do (and emulate) much more, requiring a higher level of involvement, and incurring a higher level of risk. For example, FreeBSD has a jail functionality, allowing an administrator to create a controlled environment within the operating system. The attacker can then interact with this controlled environment. The value here is the more the attacker can do, the more can be potentially learned. However, care must be taken, as the more functionality the attacker can interact with, the more can go wrong, with the honeypot potentially compromised.

Mantrap

Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application level attacks, IRC chat sessions, and a

variety of other threats. I would categorize this as a mid-high level of interaction. Also, these honeypots can be used as either a production honeypot (used both in detection and reaction) or a research honeypot to learn more about threats. There are limitations to this solution. The biggest one is you are limited to what the vendor supplies you. Currently, Mantrap only exists on the Solaris operating system. However, just as far more can be learned, so can more go wrong. Once compromised, the attacker can use that fully functional operating system to attack others. As such, care must be taken to mitigate this risk.

How honeypots work?

According to Lance Spitzner's definition of security, it lies in three regions:
1> Prevention
2> Detection
3> Reaction

Prevention

Honeypots add little value to prevention. Honeypots will not help keep the bad guys out. What will keep the bad guys out are best practices, such as disabling unneeded or insecure services and using strong authentication mechanisms. It is the best practices and procedures such as these that will keep the bad guys out. A honeypot, a system to be compromised, will not help keep the bad guys out. In fact, if incorrectly implemented, a honeypot may make it easier for an attacker to get in. Some individuals have discussed the value of deception as a method to deter attackers. The concept is to have attackers spend time and resources attacking honeypots, as opposed to attacking production systems. The attacker is deceived into attacking the honeypot, protecting production resources from attack. While this may prevent attacks on production systems, most organizations are much better off spending their limited time and resources on securing their systems, as opposed to deception. Deception may

contribute to prevention, but an organization will most likely get greater prevention putting the same time and effort into security best practices. Also, deception fails against two of the most common attacks today: automated toolkits and worms. Today, more and more attacks are automated. These automated tools will probe, attack, and exploit anything they can find vulnerable. Yes, these tools will attack a honeypot, but they will also just as quickly attack every other system in our organization. Deception will not prevent these attacks, as there is no consciously acting individual to deceive. If we have a coffee pot with an IP stack, it will be attacked. Organizations are better off focusing their resources on security best practices.

Detection

While honeypots add little value to prevention, they can add a great deal to detection. For many organizations, it is extremely difficult to detect attacks. Often organizations are so overwhelmed with production activity, such as gigabytes of system logging, that it can be extremely difficult to detect when a system is attacked, or even when successfully compromised. Intrusion Detection Systems (IDS) are one solution designed for detecting attacks. However, IDS administrators can be overwhelmed with false positives. False positives are alerts that were generated when the sensor recognized the configured signature of an "attack", but in reality was just valid traffic. The problem here is that system administrators may receive so many alerts on a daily basis that they cannot respond to all of them. Also, they often become conditioned to ignore these false positive alerts as they come in day after day, similar to the story of "the boy who cried wolf". The very IDS sensors that they were depending on to alert them to attacks can become ineffective unless these false positives are reduced. This does not mean that honeypots will never have false positives, only that they will be dramatically fewer than with most IDS implementations. Another risk is false negatives, when IDS systems fail to detect a valid attack. Many IDS systems, whether they are signature based, protocol verification, etc., can potentially miss new or unknown attacks. It is likely that a new attack will go undetected by current IDS methodologies. Also, new IDS evasion methods are constantly being developed and distributed.

Honeypots address false negatives as they are not easily evaded or defeated by new exploits. In fact, one of their primary benefits is that they can most likely detect when a compromise occurs via a new or unknown attack by virtue of system activity, not signatures. Administrators also do not have to worry about updating a signature database or patching anomaly detection engines. Honeypots happily capture any attacks thrown their way. As discussed earlier though, this only works if the honeypot itself is attacked. Honeypots can simplify the detection process. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. By definition, anytime a connection is made to your honeypot, this is most likely an unauthorized probe, scan, or attack. Anytime the honeypot initiates a connection, this most likely means the system was successfully compromised. This helps reduce both false positives and false negatives, greatly simplifying the detection process. By no means should honeypots replace your IDS systems or be your sole method of detection. However, they can be a powerful tool to complement your detection capabilities.

Reaction

Though not commonly considered, honeypots also add value to reaction. Often when a system within an organization is compromised, so much production activity has occurred after the fact that the data has become polluted. Incident response teams cannot determine what happened when users and system activity have polluted the collected data. For example, I have often come onto sites to assist in incident response, only to discover that hundreds of users had continued to use the compromised system. Evidence is far more difficult to gather in such an environment. The second challenge many organizations face after an incident is that compromised systems frequently cannot be taken off-line. The production services they offer cannot be eliminated. As such, incident response teams cannot conduct a proper or full forensic analysis. Often, management has only allowed us to go in and clean up specific holes. As such, we can never learn in detail what failed, what damage was done, or whether the attacker still had internal access. Honeypots can add value by reducing or eliminating both problems. They offer a system with reduced data pollution, and an expendable system that can be taken off-line. For example, let's say an organization had three web servers, all of which were compromised by an attacker. However,
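The detection rule stated above (every connection to the honeypot is a probe, scan or attack; any connection the honeypot initiates means it was most likely compromised) and the "who connected to what ports when" summary mentioned in the Value section can be implemented as a small log triage. The following is an added example written for this report; the firewall-style log lines and the honeypot address are constructed, and the code is not the output or logic of any product named in the report.

```python
"""Triage of a honeypot's connection log (added example; the log lines
and the honeypot address are constructed, not real product output)."""
import re
from collections import defaultdict

HONEYPOTS = {"10.0.0.5"}   # constructed honeypot address

# Constructed firewall-style records: time proto src:port -> dst:port
SAMPLE_LOG = """\
2004-02-10T03:12:44Z TCP 203.0.113.7:4021 -> 10.0.0.5:21
2004-02-10T03:12:45Z TCP 203.0.113.7:4022 -> 10.0.0.5:22
2004-02-10T03:12:45Z TCP 203.0.113.7:4023 -> 10.0.0.5:80
2004-02-10T03:40:02Z TCP 198.51.100.9:51000 -> 10.0.0.5:80
2004-02-10T03:41:10Z UDP 198.51.100.9:51001 -> 10.0.0.9:53
2004-02-10T04:05:17Z TCP 10.0.0.5:33011 -> 198.51.100.200:6667
this line is not a flow record
"""

LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse(line):
    """Parse one record into a dict, or return None for lines that do not
    match (the triage skips them instead of crashing on odd input)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "proto": proto, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport)}


def triage(log_text, honeypots=HONEYPOTS):
    """Return (probes, compromises).

    probes maps each external source to the honeypot ports it touched and
    the first/last time seen; compromises lists records the honeypot sent."""
    probes = defaultdict(lambda: {"ports": [], "first": None, "last": None})
    compromises = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["src"] in honeypots:
            # The honeypot should never initiate traffic: treat as compromise.
            compromises.append(rec)
        elif rec["dst"] in honeypots:
            p = probes[rec["src"]]
            if rec["dport"] not in p["ports"]:
                p["ports"].append(rec["dport"])
            p["first"] = p["first"] or rec["ts"]
            p["last"] = rec["ts"]
        # Traffic that touches no honeypot is outside the honeypot's view.
    return dict(probes), compromises


def alerts(log_text, honeypots=HONEYPOTS):
    """Produce a prioritised, human-readable alert list: compromises first,
    then one probe summary per source in order of first contact."""
    probes, compromises = triage(log_text, honeypots)
    out = ["CRITICAL %s honeypot %s initiated %s to %s:%d"
           % (c["ts"], c["src"], c["proto"], c["dst"], c["dport"])
           for c in compromises]
    for src, p in sorted(probes.items(), key=lambda kv: kv[1]["first"]):
        out.append("probe %s -> ports %s (%s to %s)"
                   % (src, ",".join(map(str, p["ports"])), p["first"], p["last"]))
    return out


if __name__ == "__main__":
    for line in alerts(SAMPLE_LOG):
        print(line)
```

Note what the sample illustrates about the "limited view" disadvantage discussed later in the report: the UDP record to 10.0.0.9 is not a honeypot address, so the triage says nothing about it, and only the one outbound record produces a critical alert.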

if one of those three systems was a honeypot, we would now have a system we could take off-line and conduct a full forensic analysis. Based on that analysis, we could learn not only how the bad guy got in, but what he did once he was in there, and if we were truly successful in cleanup. These lessons could then be applied to the remaining web servers, allowing us to better identify and recover from the attack.

Research

As discussed at the beginning, there are two categories for honeypots, production and research. We have already discussed how production honeypots can add value to an organization. We will now discuss how research honeypots add value. One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, how do they attack, what are their tools, and possibly when will they attack? It is questions like these the security community often cannot answer. For centuries military organizations have focused on information gathering to understand and protect against an enemy. To defend against a threat, you have to first know about it. However, in the information security world we have little such information. Honeypots can add value in research by giving us a platform to study the threat. What better way to learn about the bad guys than to watch them in action, to record step-by-step as they attack and compromise a system. Of even more value is watching what they do after they compromise a system, such as communicating with other black hats or uploading a new tool kit. It is this potential of research that is one of the most unique characteristics of honeypots. Also, research honeypots are excellent tools for capturing automated attacks, such as auto rooters or Worms. Since these attacks target entire network blocks, research honeypots can quickly capture these attacks for analysis.

Advantages of honeypots

There are so many advantages of using honeypots as security agents; they make the security arrangement strong when used with various IDS and firewalls. Some of them are very powerful and strong.

• Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it is only the bad guys. This means it's much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
• New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
• Minimal resources: Honeypots require minimal resources; they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
• Encryption or IPv6: Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.
• Information: Honeypots can collect in-depth information that few, if any, other technologies can match.
• Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

Disadvantages of honeypots

Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.

• Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.
• Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different; they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk varies for different honeypots. Depending on the type of honeypot, it can have no more risk than an IDS sensor, while some honeypots have a great deal of risk.

Differences between High and Low interaction honeypots

There is even an easy deployment of Honeyd on Linux computers. Low-interaction honeypots have the advantage of being easier to deploy and little risk, as they contain the activity of the attacker. Once you have had an opportunity to work with low-interaction solutions, you can take the skills and understanding you have developed and work with high-interaction solutions. To help you better understand honeypots, below is a chart summarizing what we just covered.

Low-interaction
• Solution emulates operating systems and services.
• Easy to install and deploy. Usually requires simply installing and configuring software on a computer.
• Minimal risk, as the emulated services control what attackers can and cannot do.
• Captures limited amounts of information, mainly transactional data and some limited interaction.

High-interaction
• No emulation; real operating systems and services are provided.
• Can capture far more information, including new tools, communications, or attacker keystrokes.
• Can be complex to install or deploy (commercial versions tend to be much simpler).
• Increased risk, as attackers are provided real operating systems to interact with.

Finally, no paper on honeypots would be complete without a discussion about legal issues.

What are the legal issues of honeypots?

As a new technology, people often ask what the legal issues of honeypots are. There are many misconceptions about the legal issues of honeypots. While honeypots are not specifically addressed in federal statutes or regulation, the following issues can be seen as a starting point. Instead of briefly covering the legal issues in this paper, I will be releasing a new paper at the end of May, 2003 dedicated to the legal issues of honeypot technologies. For specific information, refer to the paper Honeypots: Are They Illegal?

• Liability: We can potentially be held liable if your honeypot is used to attack or harm other systems or organizations. This risk is the greatest with high-interaction honeypots.
• Privacy: Honeypots can capture extensive amounts of information about attackers, which can potentially violate their privacy. This could violate the privacy of the attacker, or more likely people he is communicating with, such as in IRC chats or emails. Once again, this risk is primarily with high-interaction honeypots.
• Entrapment: For some odd reason, many people are concerned with the issue of entrapment. Entrapment is a legal defense used to avoid a conviction. Most legal experts believe that entrapment is not an issue for honeypots; you cannot be charged with entrapment.

Conclusion

The purpose of this seminar report is to define what honeypots are and their value to the security community. We identified two different types of honeypots, low-interaction and high-interaction honeypots. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions is both for production and research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them. If you are interested in learning more about honeypots, you may want to consider the book, the first and only book dedicated to honeypot technologies.

References

http://www.tracking-hackers.com/papers/honeypots.html
http://www.securityfocus.com/infocus/1757
http://www.securitywizardry.com/honeypots.html
http://en.wikipedia.org/wiki/Honeypot
http://www.honeynet.org/papers/honeynet/
