
HONEYPOTS

TRACKING HACKERS By Rohit Kumar

A WORD ON SECURITY

The secret to a good defense is good offense - Anonymous

Brief Background
Who is a Hacker?
A Hacker is a person who tries to gain unauthorized access to a network.

How does a hacker affect a server?

Steals confidential data.
Impersonates someone else.
Causes loss of resources.
Sometimes even causes hardware loss.

What are the security issues?

Providing a secure connection between the client and the server, e.g. the e-mail service offered by various web sites.

How Hackers work

Gathers information about the server
Chooses the weakest link
Starts exploiting that link

How Honeypots work.

Definition of Honeypots
A honeypot is a security resource whose value lies in being probed, attacked or compromised.

HONEYPOT ?
HoneyPots are not a single tool but a highly flexible technology. HoneyPots come in a variety of shapes and sizes:
everything from a simple Windows system emulating a few services to an entire network of production systems waiting to be hacked!

HoneyPots have a variety of values:

everything from a burglar alarm that detects an intruder to a research tool that can be used to study the motives of the black hat community!

QUESTIONS ON HPs ?

What are the different values this unique technology can have?
What are the different HoneyPot technologies available today?
What are the advantages and disadvantages of using HoneyPots?
Are there any deployment and maintenance issues associated with HoneyPots?
Are all HoneyPots offensive in nature?

IS THIS A HONEYPOT ?
On a network, install a firewall that restricts all outbound traffic. Attackers can get into the network but cannot use it to spread the infection further.

CONCERNS (THE WHAT-IF FACTOR)

What if the attacker is lured into a HoneyPot? He/she will be infuriated by the deception and retaliate against the organisation.
What if the HoneyPot is misconfigured?

THEN WHY USE HONEYPOTS ?

At the end of the year 2000, the life expectancy of a default installation of Red Hat 6.2 was less than 72 hrs!
One of the fastest recorded times a HoneyPot was compromised was 15 min. This means that within 15 min of being connected to the internet, the system was found, probed, attacked, and successfully exploited by the attacker!
The record for capturing a worm was 90 sec!
During an 11 month period (Apr 2000 to Mar 2001), there was a 100% increase in IDS alerts based on Snort.
In the beginning of 2002, a home network was scanned on average by three different systems a day.
The year 2001 saw a 100% increase in reported incidents, from 21,756 to 52,658 reported attacks.

WHAT CAN HONEYPOTS DO ?


Can they capture known attacks ?

Can they detect unknown attacks ?

ADVANTAGES OF USING HONEYPOTS


Data Value
HoneyPots collect very little data, but what they collect is of very high value. The HoneyNet Project research group collects less than 1 MB of data per day!

Resources
HoneyPots typically do not have problems of resource exhaustion.

Simplicity
No fancy algorithms to develop. No signature databases to maintain. No rule-bases to misconfigure !
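As an added illustration of the "burglar alarm" value and the "no signatures needed" simplicity described above (example code, not from these slides): a minimal low-interaction honeypot that emulates two service banners on placeholder ports and turns every connection into a small alert record. The ports, banners and address are constructed assumptions.

```python
"""Minimal low-interaction honeypot (added example, not from the slides).
Every connection is logged as an alert: nobody should legitimately talk to
these ports, so no signature database or rule base is required."""
import json
import socketserver
import threading
from datetime import datetime, timezone

# Services the honeypot pretends to run: port -> banner (constructed placeholders)
EMULATED_SERVICES = {
    2121: b"220 ftp.example.internal FTP server ready\r\n",
    2323: b"\r\nlogin: ",
}

def make_alert(port: int, peer: str, received: bytes, when=None) -> dict:
    """Build the small, high-value record for one probe of an emulated service."""
    when = when or datetime.now(timezone.utc)
    return {
        "time": when.isoformat(),
        "service_port": port,
        "peer": peer,
        "bytes": len(received),
        # short printable preview only; a full capture would go to a separate file
        "preview": received[:64].decode("ascii", errors="replace"),
    }

class HoneyHandler(socketserver.BaseRequestHandler):
    def handle(self):
        port = self.server.server_address[1]
        self.request.sendall(EMULATED_SERVICES[port])  # play the fake banner
        self.request.settimeout(5)
        try:
            data = self.request.recv(1024)  # whatever the prober sends first
        except OSError:
            data = b""
        print(json.dumps(make_alert(port, self.client_address[0], data)), flush=True)

def serve(host="127.0.0.1"):
    """Bind one listener per emulated service and run them in background threads."""
    servers = [socketserver.ThreadingTCPServer((host, p), HoneyHandler) for p in EMULATED_SERVICES]
    for s in servers:
        threading.Thread(target=s.serve_forever, daemon=True).start()
    return servers

if __name__ == "__main__":
    running = serve()
    try:
        threading.Event().wait()  # alerts print as JSON lines until Ctrl-C
    except KeyboardInterrupt:
        for s in running:
            s.shutdown()
```

Because the listeners are on non-production ports, any alert line is an indicator on its own, which is the whole point made on the Data Value and Simplicity slides.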

DISADVANTAGES OF HONEYPOTS

Narrow field of view
HoneyPots only see the activity directed against them.

Fingerprinting
An incorrectly implemented HoneyPot can identify itself and others of the same kind.

CLASSIFICATION OF HONEYPOTS (1/2)

[Based on level of INTERACTION]

Are you hoping to catch the attackers in action and learn about their tools and tactics?
OR
Are you interested in detecting unauthorized activity?
OR
Are you hoping to capture the latest worm for analysis?

CLASSIFICATION OF HONEYPOTS (2/2)

LEVEL OF INTERACTION | WORK TO INSTALL AND CONFIGURE | WORK TO DEPLOY AND MAINTAIN | INFORMATION GATHERING | LEVEL OF RISK
Low                  | Easy                          | Easy                        | Limited               | Low
Medium               | Involved                      | Involved                    | Variable              | Medium
High                 | Difficult                     | Difficult                   | Extensive             | High

Conclusion
Honeypots are good resources for tracing hackers. The value of a honeypot lies in being hacked. Honeypots have their own pros and cons, and the technology is still developing.

REFERENCES

WWW.SNORT.ORG
WWW.HACKINGEXPOSED.COM
WWW.INFOSECWRITERS.COM
WWW.SECURITYFOCUS.COM
WWW.SANS.ORG
WWW.SPECTER.COM
