In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

Types

Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:

1. Production honeypots
2. Research honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization; the honeypot adds value to the security measures of the organization.

Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the blackhat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats.[1] Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Based on the design criteria, honeypots can be classified into three categories:

1. Pure honeypots
2. High-interaction honeypots
3. Low-interaction honeypots

A pure honeypot is a full-fledged production system. The activities of the attacker are monitored using a casual tap that has been installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure honeypot is useful, stealthiness of the defense mechanisms can be ensured by a more controlled mechanism.

High-interaction honeypots imitate the activities of the real systems that host a variety of services and, therefore, an attacker may be allowed a lot of services to waste his time. According to recent research in high-interaction honeypot technology, by employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, there is a chance for quicker recovery. In general, high-interaction honeypots provide more security by being difficult to detect but, on the negative side, are highly expensive to maintain. If virtual machines are not available, each honeypot needs to be maintained on its own physical computer, which can be exorbitantly expensive. Example: Honeynet.

A low-interaction honeypot is based on the services that the attacker normally requests. These services are simulated by this classification of honeypot. There are many positives with the requirement of only a few services by the attackers: ease of hosting multiple virtual machines on one physical system as they consume relatively few resources, fast response time of the virtual systems, and shorter code length, which reduces the complexity in the security of the virtual systems. Example: Honeyd.

Spam versions

Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. There are several capabilities such honeypots provide to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high volume abuse (e.g., spammers).

These honeypots can reveal the apparent IP address of the abuse and provide bulk spam capture (which enables operators to determine spammers' URLs and response mechanisms). The apparent source may be another abused system: spammers and other abusers may use a chain of abused systems to make detection of the original starting point of the abuse traffic difficult.

This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult.

Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002. While most spam originates in the U.S.,[2] spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." For open relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") spammers use as targets for their test messages, which are the tool they use to detect open relays. It is then simple to deceive the spammer: transmit any illicit relay e-mail received that is addressed to that dropbox e-mail address. That tells the spammer the honeypot is a genuine abusable open relay, and they often respond by sending large quantities of relay spam to that honeypot, which stops it.
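The relay-test trick above (let the tester believe it found an open relay, record the dropbox address, accept the relay mail and never deliver it) as a runnable state machine. This is an added example, not code from the page or from Jackpot, smtpot.py, spamhole or Bubblegum Proxypot; the local domain `honeypot.example`, the class and function names, and the scripted session are all constructed for the example.

```python
"""Open-relay honeypot logic (added example; not from the page or any named
tool).  A minimal SMTP responder that looks like an open relay: it records
the "dropbox" recipients that relay testers use, answers "250 OK queued" for
relayed mail, and never actually relays anything.  Runs offline on a
scripted session; every domain and address below is constructed."""
import re
from collections import Counter

LOCAL_DOMAIN = "honeypot.example"   # assumption: the only domain this host is really for
_ADDR_RE = re.compile(r"<([^<>@\s]+@[^<>@\s]+)>")


def _addr(arg):
    """Pull the bracketed address out of a MAIL FROM / RCPT TO argument."""
    m = _ADDR_RE.search(arg)
    return m.group(1).lower() if m else None


class RelayHoneypot:
    """Speaks just enough SMTP to convince a relay tester it found an open relay."""

    def __init__(self, local_domain=LOCAL_DOMAIN):
        self.local_domain = local_domain.lower()
        self.dropboxes = Counter()   # external RCPT addresses seen in relay attempts
        self.captured = []           # (sender, recipients, body) of accepted relay mail
        self.delivered = []          # stays empty: we accept but decline to deliver
        self._in_data = False
        self._body = []
        self._reset()

    def _reset(self):
        self.sender = None
        self.rcpts = []

    def greeting(self):
        return f"220 {self.local_domain} ESMTP ready"

    def handle_line(self, line):
        """Return the reply for one client line (None while collecting DATA)."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self.captured.append((self.sender, list(self.rcpts), "\n".join(self._body)))
                self._body = []
                self._reset()
                return "250 OK queued"   # the deception: nothing is queued for relay
            self._body.append(line[1:] if line.startswith("..") else line)
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return f"250 {self.local_domain}"
        if verb == "MAIL":
            self.sender = _addr(arg)
            return "250 OK"
        if verb == "RCPT":
            addr = _addr(arg)
            if addr is None:
                return "501 syntax error in parameters"
            if not addr.endswith("@" + self.local_domain):
                self.dropboxes[addr] += 1   # relay attempt: this is the tester's dropbox
            self.rcpts.append(addr)
            return "250 OK"               # an open relay would say yes, so we do too
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self._in_data = True
            return "354 end data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return "221 bye"
        return "500 command unrecognized"


def run_session(lines, honeypot=None):
    """Feed a scripted client session through the honeypot; returns (honeypot, replies)."""
    honeypot = honeypot or RelayHoneypot()
    replies = [honeypot.greeting()]
    for line in lines:
        reply = honeypot.handle_line(line)
        if reply is not None:
            replies.append(reply)
    return honeypot, replies


# Constructed relay test: the sender is not local and neither is the recipient
RELAY_TEST = [
    "EHLO scanner.example.net",
    "MAIL FROM:<probe@scanner.example.net>",
    "RCPT TO:<dropbox-7731@collector.example.org>",
    "DATA",
    "Subject: relay test 7731",
    "",
    "relay check",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    hp, replies = run_session(RELAY_TEST)
    print("\n".join(replies))
    print("dropboxes seen:", dict(hp.dropboxes))
    print("captured:", len(hp.captured), "delivered:", len(hp.delivered))
```

Wiring `handle_line` to a real socket is deliberately left out; the point is the policy: every external recipient is logged as a dropbox, the tester hears a convincing "250 OK queued", and `delivered` never grows.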

Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages.[citation needed] Open relay honeypots include Jackpot, written in Java, smtpot.py, written in Python, and spamhole,[5] written in C. The Bubblegum Proxypot[6] is an open proxy honeypot (or proxypot).

E-mail trap

Main article: Spamtrap

An e-mail address that is not used for any other purpose than to receive spam can also be considered a spam honeypot.[3][4] (However, compared with the term spamtrap, the term "honeypot" might better be reserved for systems and techniques used to detect or counter attacks and probes.) Spam arrives at its destination "legitimately", exactly as non-spam e-mail would arrive.

An amalgam of these techniques is Project Honey Pot. The distributed, open-source project uses honeypot pages installed on websites around the world. These honeypot pages hand out uniquely tagged spamtrap e-mail addresses. E-mail address harvesters and spammers can then be tracked as they gather and subsequently send to these spamtrap e-mail addresses.

Database honeypot

Databases often get attacked by intruders using SQL injection. Because such activities are not recognized by basic firewalls, companies often use database firewalls. Some of the available SQL database firewalls provide or support honeypot architectures to let the intruder run against a trap database while the web application still runs as usual.[7]

Detection

Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. As detection systems would likely use unique characteristics of specific honeypots to identify them, a great many honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There is also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot.[8] Cohen believes that this might deter adversaries.

Honeynets

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems.[9][10] A honeyfarm is a centralized collection of honeypots and analysis tools.[11]

The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot": "A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated."

INTRODUCTION

One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, and possibly when will they attack? It is questions like these the security community often cannot answer. Now a new tool called honeypots has come together to gather information about the enemy.

Honeypots are an exciting new technology with enormous potential for the security community. Over the past several years there has been a growing interest in honeypots and honeypot related technologies. In one way the honeypot is defined as: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource". A honeypot is a resource whose value is being probed, attacked, or compromised. Honeypots are a resource that has no authorized activity; they do not have any production value. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. This means any interaction with a honeypot is most likely unauthorized or malicious activity.

Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. This flexibility gives honeypots their true power. The glory of a honeypot is that it lets you catch unknown attacks as well.

Traditionally their value has been for deception or detecting attacks. Set up a server and fill it with tempting files. Make it hard but not impossible to break into. Then sit back and wait for the crackers to show up. Observe them as they cavort around in the server. Log their conversations with each other. Study them like you'd watch insects under a magnifying glass.

WHAT IS A HONEYPOT?

A Honeynet is a type of honeypot designed specifically for research. It can be used as a traditional honeypot, such as for detecting unauthorized activity; however, a Honeynet requires a great deal more work. It is simply not worth all the effort of building and maintaining a Honeynet just to detect attacks. You are far better off with the simpler honeypot solutions mentioned above. Some excellent examples of honeypots include Specter, Mantrap, or The Deception Toolkit. They are usually single systems that emulate other systems, emulate known services or vulnerabilities, or create jailed environments. A Honeynet differs from these in two ways:

1. It is not a single system but a network of multiple systems. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS web server, and a Solaris database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to accurately profile specific blackhat trends and signatures.

2. All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.

This network sits behind an access control device where all inbound and outbound data is controlled and captured. This captured information is then analyzed to learn the tools, tactics, and motives of the blackhat community. It is these two design differences that make a Honeynet primarily a tool for research.

VALUE OF A HONEYPOT

Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption: all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive; the enemy is on the attack. Honeynets attempt to change that; they give organizations the ability to take the initiative. The primary purpose of a Honeynet is to gather information about threats that exist. New tools can be discovered, attack patterns can be determined, and attacker motives studied. The ultimate goal of Honeynets is to provide information that can be used to protect against threats.

Honeynets can be compared to the Navy's use of SOSUS during the Cold War. During the 1950s to 1980s, enemy submarines posed a threat as they could silently approach and attack from anywhere in the world's oceans. To detect these threats, devices were placed throughout the ocean's floor to passively capture the activity of enemy submarines. Honeynets can be considered the SOSUS of cyber space, passively gathering information on threats. The only difference is that for a Honeynet to passively gather information, blackhats have to probe, attack, or exploit Honeynet systems.

Honeypots can simplify the detection process. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. Isolated honeypots have a much easier time because they are systems that should not normally be accessed. Any connection attempts to a honeypot are most likely a probe, attack, or other malicious activity. Captured information can also be used as an early indications and warning system, alerting to attacks before they happen.

Intrusion Detection Systems are one solution designed for detecting attacks. The problem here is that system administrators may receive so many alerts on a daily basis that they cannot respond to all of them. IDS administrators can be overwhelmed with alerts that were generated when the sensor recognized the configured signature of an "attack". Another risk is false negatives, when IDS systems fail to detect a valid attack. Honeypots happily capture any attacks thrown their way.

Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining from vast amounts of information what is production traffic and what is malicious activity. Often organizations are so overwhelmed with production activity, such as GBs of system logging, that it can be extremely difficult to detect when a system is attacked, or even when it is successfully compromised. The Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack, or exploit. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised: an attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept of no production traffic greatly simplifies the data capture and analysis.

There are three critical requirements that define every Honeynet; they are:

1. Data Control
2. Data Capture
3. Data Collection
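The two detection rules stated above (with no production traffic, every inbound flow is a probe and every outbound flow from the Honeynet means a compromised system) and the Data Control requirement, as one gateway policy run over flow records. This is an added example, not code from the page, the Honeynet Project or any product; the flow-record format, the honeynet range 192.0.2.0/24, the other addresses and the per-honeypot outbound budget of ten connections per hour are all constructed assumptions.

```python
"""Honeynet gateway policy (added example; not code from the page, the
Honeynet Project or any product).  Classifies each flow relative to the
honeynet range and applies a simple data-control rule: attackers may act
freely inside the honeynet, inbound traffic is logged as a probe, and a
compromised honeypot gets a limited outbound budget before connections are
dropped.  Flow format, addresses and the budget are constructed."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Flow:
    ts: int          # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_flow(line):
    """Parse one constructed netflow-like record: 'ts src dst dport proto'."""
    ts, src, dst, dport, proto = line.split()
    return Flow(int(ts), src, dst, int(dport), proto)


@dataclass
class HoneywallPolicy:
    honeynet: str                              # CIDR of the honeynet, e.g. "192.0.2.0/24"
    max_outbound_per_hour: int = 10            # assumption: outbound budget per honeypot
    alerts: list = field(default_factory=list)
    _outbound: dict = field(default_factory=lambda: defaultdict(list))

    def __post_init__(self):
        self.honeynet = ipaddress.ip_network(self.honeynet)

    def _inside(self, ip):
        return ipaddress.ip_address(ip) in self.honeynet

    def decide(self, flow):
        """Classify one flow; returns (verdict, action) and appends alerts."""
        src_in, dst_in = self._inside(flow.src), self._inside(flow.dst)
        if src_in and dst_in:
            # attacker moving between honeypots: allowed, this is what we study
            return "internal", "allow"
        if dst_in:
            # nobody has a reason to talk to a honeypot: every inbound flow is a probe
            self.alerts.append(f"probe {flow.src} -> {flow.dst}:{flow.dport}")
            return "probe", "allow"
        if src_in:
            # a honeypot initiating outbound traffic has been compromised
            window = self._outbound[flow.src]
            window[:] = [t for t in window if flow.ts - t < 3600]   # one-hour sliding window
            window.append(flow.ts)
            if len(window) == 1:
                self.alerts.append(f"compromise: {flow.src} initiated outbound to {flow.dst}:{flow.dport}")
            if len(window) > self.max_outbound_per_hour:
                # data control: do not let the compromised host attack others
                self.alerts.append(f"data control: {flow.src} exceeded {self.max_outbound_per_hour} "
                                   f"outbound/hour, dropping {flow.dst}:{flow.dport}")
                return "compromise", "drop"
            return "compromise", "allow"
        return "unrelated", "allow"   # neither end in the honeynet: not our traffic


def run(lines, policy):
    """Apply the policy to flow records; returns (src, dst, verdict, action) per flow."""
    return [(f.src, f.dst, *policy.decide(f)) for f in map(parse_flow, lines)]


# Constructed flows: 192.0.2.0/24 is the honeynet, the other ranges are outside it
SAMPLE_FLOWS = (
    ["1000 198.51.100.7 192.0.2.10 22 tcp",      # outside -> honeypot: probe
     "1005 192.0.2.10 192.0.2.11 445 tcp"]       # honeypot -> honeypot: internal
    + [f"{1100 + i} 192.0.2.10 203.0.113.{5 + i} 6667 tcp" for i in range(12)]  # 12 outbound in one hour
    + ["9000 192.0.2.10 203.0.113.5 80 tcp"]     # outbound again after the window has expired
)

if __name__ == "__main__":
    policy = HoneywallPolicy("192.0.2.0/24")
    for row in run(SAMPLE_FLOWS, policy):
        print(row)
    print("\n".join(policy.alerts))
```

On the sample the first flow is reported as a probe, the second is allowed silently, the first outbound connection raises a compromise alert, the eleventh and twelfth outbound connections within the hour are dropped, and the later connection is allowed again because the window has rolled over.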

Data Control

Data Control is what mitigates risk. It controls the attacker's activity by limiting what can happen inbound and outbound. The risk is that once an attacker compromises a system within the Honeynet, they can use that system to attack other non-Honeynet systems. The attacker has to be controlled so they cannot do that. They can attack other systems within the Honeynet, but we have to protect non-Honeynet systems. The trick is to give the blackhat flexibility to execute whatever they need, but without allowing them to use the compromised system to attack others.

Data Capture

Data Capture is collecting all the activity that happens inbound, outbound, or within the Honeynet. This is how we learn, by capturing the attacker's activities. The trick to these requirements is meeting them without the attacker knowing. Not only do we have to capture the blackhat's every move without them knowing, but we have to store the information remotely. Captured data cannot be stored locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them that the system is a Honeynet. The stored data can also be lost or destroyed. The key to this is capturing data in layers. You cannot depend on a single layer for information. You gather data from a variety of resources. Combined, these layers then allow you to paint the big picture.

Data Collection

There is a third requirement, Data Collection, but this is only for organizations that have multiple Honeynets in distributed environments. Many organizations will have only one single Honeynet, so all they need to do is both Control and Capture data. However, organizations that have multiple Honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. This way the captured data can be combined, exponentially increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed Honeynets.

Our goal is to both control and capture all of the attacker's activity, without them realizing they are within a Honeynet. In the scenario listed above, it took the blackhat only fifteen minutes to figure out something was wrong.

INTEGRATING HONEYPOTS

The integration of a honeypot into a network is a great determining factor in how effective it will be. You should position the decoy system close to your production servers to tempt intruders that are targeting production servers. One such possibility is to emulate non-production services on production servers. For example, if you run a production web server (port 80), telnet (port 23) and SMTP (port 25) could then be redirected to a honeypot. By using port redirection on an upstream router or firewall, it will appear that honeypot services are running on production systems. This requires an upstream router or firewall capable of performing port/service redirection; in this case the upstream device is responsible for transparently handling the address translation of the honeypot in order to help conceal its real destination IP address. Because these services should not be accessed on a production system, the honeypot should send off an immediate alert or, at the very least, log (record, register) the incident. It is also important to realize the limitations of service emulation. Intrusion detection systems must know about the vulnerability prior to the exploitation in order for it to emulate properly. So, you can detect probing and tampering on production systems, but only on non-production services: you would not be alerted to tampering on the production server itself, because that service is not redirected to the honeypot.

Another way to deploy a honeypot is to place it logically between production servers. This is achieved by straight network addressing of the honeypot. If production servers are addressed as .9, .10, .11 and .13, it is ideal to address the honeypot as .12. The idea behind this is to catch intruders that "sweep scan" entire network ranges looking for vulnerable services. Because this method uses standard network addressing, you don't need any special configurations on your upstream router or firewall. The goal in this setup is to catch intruders who will "sweep" (scan) an entire network range, looking for vulnerable services. If your production servers are running the DNS service, so should your honeypot; an intruder scanning for the latest DNS service vulnerability will hone right in. However, if the intruder focuses only on your production systems, he or she will avoid the honeypot, rendering it useless. You can even make the honeypot appear as multiple hosts by using IP aliasing (assigning multiple IP addresses to the same host).

Any existing system can also be "honeypotized". For example, on WinNT it is possible to rename the default "administrator" account, then create a dummy account called "administrator" with no password. WinNT allows extensive logging of a person's activities, so this honeypot will track users attempting to gain administrator access and exploit that access.

Reference: http://www.seminarprojects.com/Thread-honeypots-seminarreport?pid=43236#pid43236#ixzz1k79JVbfd
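A decoy listener for the redirected-service setup described above: the upstream device sends telnet and SMTP traffic aimed at a production address to this host, so every connection is treated as a probe, answered with a plausible banner, logged and alerted; a helper also flags sources that touched several decoy ports, the "sweep scan" pattern from the second setup. This is an added example, not code from the page; the banners, the alert record layout, the local trial ports 2323/2525 and the sample addresses are constructed assumptions.

```python
"""Decoy listener for services redirected from production hosts (added
example; not code from the page).  An upstream router or firewall maps e.g.
telnet (23) and SMTP (25) on a production address to this host, so any
connection here is a probe: it gets a banner, its first bytes are captured,
and an alert is recorded at once.  Banners, ports and the alert format are
constructed for this example."""
import socketserver
import threading
import time
from collections import Counter
from datetime import datetime, timezone

# Plausible first-line banners for the redirected services (constructed)
BANNERS = {23: b"\r\nlogin: ", 25: b"220 mail.example ESMTP ready\r\n"}
SERVICE_NAMES = {23: "telnet", 25: "smtp"}


def make_alert(peer_ip, service_port, first_bytes, ts=None):
    """Build the alert record for one connection to a redirected service."""
    ts = time.time() if ts is None else ts
    return {
        "time": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "severity": "high",
        "reason": "connection to non-production service redirected to honeypot",
        "src": peer_ip,
        "decoy_port": service_port,
        "service": SERVICE_NAMES.get(service_port, "unknown"),
        "first_bytes": first_bytes[:64].decode("ascii", "replace"),
    }


class ProbeLog:
    """Thread-safe in-memory alert store; a real deployment forwards these
    off-host immediately, since data kept on the honeypot can be found or lost."""

    def __init__(self):
        self.entries = []
        self._lock = threading.Lock()

    def record(self, alert):
        with self._lock:
            self.entries.append(alert)
        return alert

    def hits_by_source(self):
        return Counter(a["src"] for a in self.entries)

    def sweep_suspects(self, min_ports=2):
        """Sources that touched several decoy ports: the 'sweep scan' pattern."""
        ports = {}
        for a in self.entries:
            ports.setdefault(a["src"], set()).add(a["decoy_port"])
        return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)


class DecoyHandler(socketserver.BaseRequestHandler):
    """Send the banner, grab the first bytes the client sends, alert, then drop."""

    def handle(self):
        port = self.server.service_port
        self.request.sendall(BANNERS.get(port, b""))
        self.request.settimeout(5)
        try:
            data = self.request.recv(256)
        except OSError:
            data = b""
        self.server.log.record(make_alert(self.client_address[0], port, data))


def serve(listen_port, log, service_port=None, bind="0.0.0.0"):
    """Start one decoy listener in a background thread; returns the server.
    service_port is the port the intruder believes they reached (assumption:
    the redirecting device may translate it, e.g. 23 -> 2323)."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    srv = socketserver.ThreadingTCPServer((bind, listen_port), DecoyHandler)
    srv.log = log
    srv.service_port = service_port or listen_port
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


if __name__ == "__main__":
    log = ProbeLog()
    # Unprivileged local trial ports; the upstream device maps 23->2323 and 25->2525 (assumption)
    servers = [serve(2323, log, 23), serve(2525, log, 25)]
    try:
        while True:
            time.sleep(60)
            print("hits:", dict(log.hits_by_source()), "sweeps:", log.sweep_suspects())
    except KeyboardInterrupt:
        for s in servers:
            s.shutdown()
```

The listener never authenticates or emulates the service beyond the banner: the security value is in the alert, which fires on the first byte of contact because no legitimate client has a reason to reach a redirected port.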
