Monday, September 10, 2007

Honeypots - Complete Reference

A honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers.

Honeypots are a relatively new technology for the network security industry. Unlike most security tools, which are designed to defend and protect a computer network, a honeypot's value lies in being probed, attacked, or compromised.

When a group of suspected Pakistani hackers broke into a U.S.-based computer system in June, they thought they had found a vulnerable network to use as an anonymous launching pad to attack Web sites across India. But what they had done was walk right into a trap known as a honeypot -- a specially equipped system deployed by security professionals to lure hackers and track their every move. For a month, every keystroke they made, every tool they used, and every word of their online chat sessions was recorded and studied. The honeypot administrators learned how the hackers chose their targets, what level of expertise they had, what their favorite kinds of attacks were, and how they went about trying to cover their tracks so that they could nest [avoid detection] on compromised systems...

Honeypots may be used for the following purposes:

  • Prevention: Even though a honeypot's value, as defined above, lies in being compromised, a honeypot may contribute to the prevention of unauthorized network access by enticing attackers to spend time and resources attacking honeypots as opposed to attacking production systems.
  • Detection: Most organizations' networks are so routinely overwhelmed with production activity that it can be extremely difficult to detect when a system is attacked. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature.

  • Reaction: Production activity that occurred before and after an attack on a compromised system often makes it difficult for the response team to determine what happened. Another problem that prevents incident response teams from gathering data is that many organizations' compromised systems cannot be taken offline even after they have been compromised. Honeypots add value by reducing or eliminating both problems.

  • Research: One of the greatest challenges the security community faces is in gathering information about the enemy. Honeypots can be an added research tool by giving a platform to study the threat. Using honeypots for research is an advanced application more suited for the scientific community and academia than for corporations.

How They Work

Once again, honeypots are a resource without any production value. Therefore, any activity on a honeypot would be unauthorized, suspicious and most likely malicious.

A honeypot may be visualized as an additional computer on a network. The "computer" (honeypot) may be set up to simulate various network vulnerabilities. When attackers scan a network for vulnerable systems they find and attack the honeypot, alerting the system's administrator to the probe and, depending on the type of honeypot, capturing data about the attack, including downloaded tools, worms, bots and/or viruses, for further study.


Types of Honeypots

Honeypots may be broken down into two general categories: production honeypots and research honeypots. The decision to deploy one over the other is based on the purpose of deployment, since the two serve different purposes and carry different risk levels.

  • Production Honeypots: Production honeypots have a direct positive effect on security by protecting a network. They do this by preventing, detecting, and responding to attacks (see the purposes listed above). They are easier to build and deploy because they require less functionality. Because of their relative simplicity and the fact that they emulate services, they are less risky and easier to use than research honeypots. Conversely, they do not gather as much information about attackers and attacks.
  • Research Honeypots: Research honeypots, as the name implies, are used to gather information about attacks. They have a more indirect positive effect on security by allowing for the study of hacker tools and trends such as downloaded software, worms, or viruses. Information retrieved from research honeypots may also be used to learn about the hackers themselves by capturing on-line conversations amongst hackers made from the honeypots.
On the down side, research honeypots are riskier to deploy than production honeypots. In order to gather as much information as possible from hackers, the honeypot administrator must give them something with which to interact. Therefore, research honeypots are full-blown operating systems and applications that require more time and effort to administer.


The Honeypot Security Role

Honeypots have been around for approximately ten years, but only recently have they begun to receive more interest from the security community as decoys that may be probed, attacked, and compromised. Once a honeypot is attacked, security administrators have an opportunity to watch the hacker move around the system. Not only can they monitor the hacker's movements, they may also see the tools the hacker uses to gain entry and the type of information the hacker is attempting to acquire.

"The beauty of a honeypot lies in its simplicity. It is a device intended to be compromised, not to provide production services. This means there is little or no production traffic going to or from the device. Any time a connection is sent to the honeypot, this is most likely a probe, scan, or even attack. Any time a connection is initiated from the honeypot, this most likely means the honeypot was compromised. As there is little production traffic going to or from the honeypot, all honeypot traffic is suspect by nature. Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or someone from accounting inputting the wrong IP address. But in general, most honeypot traffic represents unauthorized activity."
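The rule in the quoted passage (inbound to the honeypot is a probe, outbound from the honeypot means compromise, with an allowlist for the "someone in accounting typed the wrong IP" cases) can be turned into detection logic. The following is an added example written for this post, not code from the original article or from any honeypot product; the honeypot address, the allowlist and the flow records are all constructed for illustration.

```python
"""Classify flows seen at a honeypot into probe / compromise / allowed.

Added example, not code from the original post. A honeypot has no production
value, so anything inbound is a probe and anything it initiates outbound is
evidence of compromise. An explicit allowlist covers the benign mistakes the
quoted text mentions (misconfigured DNS, mistyped addresses) and the
honeypot's own housekeeping traffic. All addresses, rules and flow records
below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HONEYPOT = ip_address("10.0.5.50")          # constructed honeypot address
ALLOWED_OUTBOUND = {                         # (dst network, dst port, proto)
    (ip_network("10.0.0.53/32"), 53, "udp"),  # its own lookups to the resolver
}
ALLOWED_INBOUND = {                          # (src network, dst port, proto)
    (ip_network("10.0.0.0/24"), 22, "tcp"),   # admin jump net, SSH only
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def _allowed(rules, addr, port, proto):
    a = ip_address(addr)
    return any(a in net and port == p and proto == pr for net, p, pr in rules)


def classify(flow: Flow, honeypot=HONEYPOT) -> str:
    """Return 'probe', 'compromise', 'allowed' or 'unrelated'."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst == honeypot:
        if _allowed(ALLOWED_INBOUND, flow.src, flow.dport, flow.proto):
            return "allowed"
        return "probe"        # anything inbound is a scan, probe or attack
    if src == honeypot:
        if _allowed(ALLOWED_OUTBOUND, flow.dst, flow.dport, flow.proto):
            return "allowed"
        return "compromise"   # the honeypot initiated a connection: assume owned
    return "unrelated"        # the honeypot's limited view: it cannot see this


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'ts src:sport -> dst:dport proto' record."""
    ts, rest = line.split(" ", 1)
    lhs, rhs = rest.split(" -> ")
    src, sport = lhs.rsplit(":", 1)
    dst_port, proto = rhs.rsplit(" ", 1)
    dst, dport = dst_port.rsplit(":", 1)
    return Flow(ts, src, int(sport), dst, int(dport), proto)


# Constructed sample flows: a SMB/NetBIOS probe, the honeypot's DNS lookup,
# the honeypot connecting out to IRC, an admin SSH login, and unrelated traffic.
SAMPLE_FLOWS = """\
2007-09-10T01:02:03Z 203.0.113.7:51234 -> 10.0.5.50:445 tcp
2007-09-10T01:02:04Z 203.0.113.7:51235 -> 10.0.5.50:139 tcp
2007-09-10T01:05:00Z 10.0.5.50:49152 -> 10.0.0.53:53 udp
2007-09-10T01:06:10Z 10.0.5.50:49153 -> 198.51.100.9:6667 tcp
2007-09-10T01:07:00Z 10.0.0.21:40000 -> 10.0.5.50:22 tcp
2007-09-10T01:08:00Z 10.0.0.21:40001 -> 10.0.5.99:80 tcp
"""


def summarize(text: str):
    """Classify every record; return (verdict counts, alert lines)."""
    counts, alerts = Counter(), []
    for line in text.splitlines():
        flow = parse_flow(line)
        verdict = classify(flow)
        counts[verdict] += 1
        if verdict == "compromise":
            alerts.append(f"ALERT {flow.ts} honeypot -> {flow.dst}:{flow.dport}/{flow.proto} "
                          "(outbound from honeypot; treat as compromised)")
        elif verdict == "probe":
            alerts.append(f"PROBE {flow.ts} {flow.src}:{flow.sport} -> :{flow.dport}/{flow.proto}")
    return counts, alerts


if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_FLOWS)
    print(dict(counts))
    print("\n".join(alerts))
```

Note that the allowlist is the weak point: every entry in it is traffic the honeypot will silently accept, so it should be as short as possible and reviewed whenever the honeypot's surroundings change.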

Advantages

The primary advantage of honeypots is their simplicity. Basically, because they have no production value, any activity on a honeypot is unauthorized and potentially malicious. It is from this simple concept the following additional advantages may be derived.

  • Data Value: One challenge network security specialists face is an inability to focus on malicious or unauthorized activity taking place on production computers amongst the sheer volume of activity processed each day. Since any activity on a honeypot is suspect (most likely a scan, probe, or attack), a honeypot reduces the "noise" by collecting only small data sets of high-value information.
  • Tools, Tactics and Viruses: Honeypots may be designed to capture anything downloaded to them. Therefore, they are useful in tracking hacker activity and tactics, but they may also capture programs downloaded by hackers, including the tools used to gain control of or access to others' computers and data. Honeypots have also been used to capture and study entire viruses, leading to the development of anti-virus tools.
  • Simplicity: One of the greatest advantages of honeypots, as stated above, is their simplicity. Most honeypots only need to be connected to a network. The user may then just sit back and wait for a signal that the honeypot has been attacked. Though research honeypots may be more complex, all honeypots work on the same basic premise: if there is any activity, check it out.

Disadvantages

Like any other technology, honeypots also have weaknesses. Even with the advantages listed previously, honeypots do not replace existing security technology.

  • Limited View: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems unless the attacker or threat also interacts with the honeypots. Therefore, if an attacker breaks into a network and attacks any other system, the honeypot will be unaware of the activity.
  • Fingerprinting: Another disadvantage of honeypots is the ability of an attacker to recognize one for what it is. Fingerprinting is when an attacker can identify a system as a honeypot because it has certain expected characteristics or behaviors (an emulated service that answers every command the same way, a banner that does not match the real product, or a "server" with no real traffic). This threat is even greater for research honeypots. Once an attacker identifies the system as one designed to gather information, he/she may continue to interact with it in a way that will lead the security community to make incorrect conclusions based on the data collected.
  • Risk: A honeypot, once attacked, may be used to attack or gain entry to other systems. This risk varies with the type of honeypot being compromised. A production honeypot may be of limited use to a hacker as a platform to stage further attacks. On the other hand, a research honeypot, depending on its implementation, may give the hacker this ability.


Low Interaction Honeypots

A low interaction honeypot is one that is easy to install, configure, deploy, and maintain. Because the attacker can do less than he might with other higher interaction honeypots, it is less risky to implement. Low interaction honeypots do not allow the attacker access to an operating system from which he/she might attack other systems, which also significantly reduces risk. Low interaction honeypots are normally production honeypots, as they are used to protect an organization.

Since low interaction honeypots restrict an attacker's activity, they are limited in the amount of information they can give about an attacker. The information received from this type of honeypot is normally restricted to the following:

  • The time and date of attack
  • Source IP address and source port of the attack
  • Destination IP address and destination port of the attack

An example of a low interaction honeypot is BackOfficer Friendly. BackOfficer Friendly emulates a limited number of services. By limiting the number of services, the attacker is restricted in how much he/she can interact with the honeypot. BackOfficer Friendly is discussed in greater detail below. Figure 5-1 depicts an installation of BOF detecting an unauthorized connection. The honeypot allows an attacker to connect to a port and attempt to execute a restricted number of commands, after which the attacker is disconnected.
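What a low interaction honeypot of this kind actually does is small enough to show in full: listen on a port, send a plausible banner, answer a few canned commands, record the fields listed above (time, source and destination address and port) plus what the attacker typed, and then drop the connection. The following is an added example written for this post; it is not BackOfficer Friendly's code. The emulated service (an SMTP-like banner and replies), the command limit and the sample session are constructed for illustration.

```python
"""Minimal low-interaction honeypot (added example, not BOF's code).

Emulates one service on one port. The attacker never gets a shell, only
scripted replies; after MAX_COMMANDS commands, or QUIT, the session ends and
a JSON log record with time, source/destination address and port and the
typed commands is emitted. Banner, replies and limits are constructed.
"""
import datetime as dt
import json
import socket
import threading

BANNER = b"220 mail.internal.example ESMTP ready\r\n"   # constructed banner
MAX_COMMANDS = 5   # let the attacker poke a little, then disconnect
REPLIES = {        # canned replies; anything else gets a generic error
    "HELO": b"250 mail.internal.example\r\n",
    "EHLO": b"250-mail.internal.example\r\n250 AUTH LOGIN PLAIN\r\n",
    "VRFY": b"252 Cannot VRFY user\r\n",
    "QUIT": b"221 Bye\r\n",
}


def respond(command: str) -> bytes:
    verb = command.strip().split(" ", 1)[0].upper()
    return REPLIES.get(verb, b"500 Command unrecognized\r\n")


class Session:
    """State for one attacker connection; pure, so it is testable without sockets."""

    def __init__(self, src, dst, now=None):
        now = now or dt.datetime.now(dt.timezone.utc).isoformat()
        self.record = {"time": now,
                       "src_ip": src[0], "src_port": src[1],
                       "dst_ip": dst[0], "dst_port": dst[1],
                       "commands": [], "outcome": ""}
        self.done = False

    def start(self) -> bytes:
        return BANNER

    def feed(self, raw: str) -> bytes:
        """Log one attacker line and return the reply; may end the session."""
        line = raw.rstrip("\r\n")
        self.record["commands"].append(line)
        reply = respond(line)
        if line.strip().split(" ", 1)[0].upper() == "QUIT":
            self.close("client quit")
        elif len(self.record["commands"]) >= MAX_COMMANDS:
            self.close("command limit reached; disconnected")
        return reply

    def close(self, outcome: str):
        self.done = True
        self.record["outcome"] = outcome


def replay(lines, src, dst, now=None):
    """Drive a Session with pre-recorded lines; returns (replies, log record)."""
    sess = Session(src, dst, now)
    replies = [sess.start()]
    for line in lines:
        if sess.done:
            break
        replies.append(sess.feed(line))
    if not sess.done:
        sess.close("client disconnected")
    return replies, sess.record


def handle_client(conn: socket.socket, addr, log=print):
    """Socket glue: one thread per connection, all logic in Session."""
    sess = Session(addr, conn.getsockname())
    buf = b""
    try:
        conn.sendall(sess.start())
        while not sess.done:
            chunk = conn.recv(1024)
            if not chunk:
                sess.close("client disconnected")
                break
            buf += chunk
            while b"\n" in buf and not sess.done:
                line, buf = buf.split(b"\n", 1)
                conn.sendall(sess.feed(line.decode("latin-1")))
    finally:
        conn.close()
        log(json.dumps(sess.record))


def serve(host="0.0.0.0", port=2525, log=print):
    """Listen on a non-privileged port (assumed 2525) and log every session."""
    with socket.socket() as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        s.listen()
        while True:
            conn, addr = s.accept()
            threading.Thread(target=handle_client, args=(conn, addr, log), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Every line the attacker sends is recorded before it is interpreted, so even the "500 Command unrecognized" path yields intelligence (which commands a scanner tries). The fixed replies are also exactly what makes such a honeypot fingerprintable, as discussed in the Disadvantages section above.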

Medium Interaction Honeypots

Medium interaction honeypots offer attackers more ability to interact than do low interaction honeypots, but less than those considered high interaction. They are usually more time-consuming to install and configure as they normally involve a high level of development and customization from an organization. As attackers have an increased ability to interact with this type of honeypot, more caution must be used to ensure that the attacker does not have access to other systems.

An example of a medium interaction honeypot is a jail, such as a FreeBSD jail or a chroot environment. This functionality allows an administrator to partition an operating system, creating a virtual operating system within the real one. The virtual operating system is controlled by the real operating system but has the look and feel of a true system. The goal is for an attacker to attack and gain access to the jailed environment, after which the attacker's activities can be heavily monitored or controlled from the real or master operating system. The caveat is that the jail is only as strong as its confinement: a root-level attacker inside a plain chroot can often break out, so the host must be hardened and the jail's file system and network access tightly restricted.

A medium interaction honeypot is more complicated to deploy and comes with a higher risk, increasing the chance that something may go wrong. Therefore, there is an increased maintenance cost (time) in deploying and maintaining this level of technology. However, with greater risk comes greater reward: medium interaction honeypots may be configured to let the administrator gather specific types of attack data.

High Interaction Honeypots

High interaction honeypots are most often research honeypots. They are used, at a great amount of risk, to gather large amounts of information about attackers. The goal of a high interaction honeypot is to give the attacker access to a real operating system where nothing is emulated or restricted. High interaction honeypots give users the opportunity to capture the tools, monitor the activity, and even learn how hackers communicate with one another.

Since this type of honeypot allows the attacker to interact with a real operating system, there is the possibility that an attacker might use the honeypot to attack other computers. To ensure that this does not take place, high interaction honeypots need to be placed within a controlled environment that restricts the ability of a hacker to launch attacks from within (the Honeynet Project calls this "data control": inbound traffic is allowed so the honeypot can be compromised, while outbound connections are counted, rate-limited and, beyond a threshold, blocked). One of the difficulties in maintaining this type of architecture is to not allow the attacker to realize that he/she is being monitored in a controlled environment.
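The controlled-environment requirement comes down to a policy on the honeypot's outbound connections: enough to let the attacker fetch tools and chat (so the honeypot stays convincing and useful), not enough to scan or flood a third party. The following is an added example written for this post, not the Honeynet Project's Honeywall or any other real gateway; it models that policy in Python with a per-protocol sliding-hour budget. The budget numbers and the event stream are constructed for illustration.

```python
"""Outbound 'data control' for a high-interaction honeypot (added example).

Not real gateway code. Outbound connections initiated by a honeypot are
counted per protocol over a sliding window; the first one raises a
compromise alert, and once the hourly budget is spent further ones are
dropped and alerted on. Budgets and the sample events are constructed.
"""
from collections import defaultdict, deque

# Constructed budgets: a handful of downloads and an IRC session fit,
# a /24 scan or a DoS from the honeypot does not.
BUDGET_PER_HOUR = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW = 3600  # seconds


class EgressController:
    def __init__(self, honeypots, budget=BUDGET_PER_HOUR, window=WINDOW):
        self.honeypots = set(honeypots)
        self.budget, self.window = budget, window
        self.history = defaultdict(deque)   # (honeypot ip, proto) -> allowed timestamps
        self.alerts = []

    def decide(self, ts, src, dst, proto):
        """'pass' for traffic not from a honeypot, otherwise 'allow' or 'drop'."""
        if src not in self.honeypots:
            return "pass"
        q = self.history[(src, proto)]
        while q and ts - q[0] >= self.window:    # expire entries older than the window
            q.popleft()
        limit = self.budget.get(proto, 0)        # unknown protocols get no budget
        if len(q) < limit:
            q.append(ts)
            if len(q) == 1:
                # Any outbound connection from a honeypot is a compromise indicator.
                self.alerts.append(f"{ts} {src} started outbound {proto} to {dst}; treat as compromised")
            return "allow"
        self.alerts.append(f"{ts} {src} exceeded {limit} outbound {proto}/hour; dropping to {dst}")
        return "drop"


def run(events, honeypots=("10.0.5.50",)):
    """Apply the policy to (ts, src, dst, proto) events; return (verdicts, alerts)."""
    ctl = EgressController(honeypots)
    verdicts = [ctl.decide(*e) for e in events]
    return verdicts, ctl.alerts


# Constructed event stream: the honeypot fetches a toolkit, joins IRC, then
# starts scanning 192.0.2.0/24; an hour later it reconnects to IRC, and an
# unrelated admin host connects in.
EVENTS = ([(0, "10.0.5.50", "198.51.100.9", "tcp"),
           (60, "10.0.5.50", "198.51.100.9", "tcp"),
           (120, "10.0.5.50", "203.0.113.1", "tcp")]
          + [(200 + i, "10.0.5.50", f"192.0.2.{i}", "tcp") for i in range(1, 30)]
          + [(4000, "10.0.5.50", "198.51.100.9", "tcp"),
             (4001, "10.0.0.21", "10.0.5.50", "tcp")])


if __name__ == "__main__":
    verdicts, alerts = run(EVENTS)
    print(verdicts)
    print("\n".join(alerts))
```

Two design points matter here. The first outbound connection is itself the compromise signal, independent of the budget, so the response team is paged before the attacker has done anything to anyone else. And the limit is per protocol per sliding hour rather than a hard cut-off, because an abruptly dead network is exactly the tell that lets an attacker realize he is in a controlled environment.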

Because of the amount of risk involved and the complexity in their implementation, high-interaction honeypots may be extremely difficult to configure, install, and maintain. Nonetheless, they are the best resource for studying the blackhat community as well as for capturing worms and viruses in the wild for analysis.

Let's take a look at some of the popular honeypots.

BackOfficer Friendly (BOF) -
BackOfficer Friendly is a low interaction honeypot supported by NFR Security Inc. that can run on almost any Windows platform, including Windows 95 and Windows 98. It was designed to detect attacks from Back Orifice, a remote-control backdoor originally produced and distributed by the Cult of the Dead Cow, by listening on Back Orifice's default port (UDP 31337) and a few other emulated services. Much like a trojan horse, Back Orifice is distributed embedded in downloadable shareware utilities and executable greeting-card programs. When the user opens the downloaded file, Back Orifice installs itself on the user's machine and gives the attacker complete control of the computer over its Internet connection.

Specter - Specter is a commercial honeypot supported by NetSec, a network security company based in Switzerland. Like BOF, Specter is a low interaction honeypot that offers no operating system for the attacker to access. Yet, Specter offers far more functionality, including the ability to monitor more services and to more realistically emulate the applications. Additionally, the system may be configured to emulate vulnerabilities, making it more attractive to hackers, and to even deliver bogus information to a hacker during an attack.

Honeyd - Honeyd is a prepackaged open-source honeypot designed for the UNIX platform by Niels Provos. Open source means that the solution is free and the user has access to the source code, which enables customization. It is a low interaction honeypot; therefore, there is no operating system to interact with and it is designed primarily to detect attacks or unauthorized activity. Since it is an open-source solution and highly customizable, the user may configure it to listen on any port he/she wants, to adjust the level of emulation to meet his/her specifications, and to give each virtual host a "personality" so that OS fingerprinting tools such as Nmap see the chosen operating system rather than the real one.
One of the most interesting concepts introduced by Honeyd is that it does not only detect attacks against its own IP address. Instead, it assumes the identity of IP addresses that have no real system behind them. It does this by claiming all of the unused IP addresses in a network (answering ARP requests for them with the help of its companion arpd tool). When an attacker attempts to connect to one of these unused IP addresses, Honeyd assumes the identity of the intended target and replies to the attacker.

Decoy Server - Decoy Server, previously called ManTrap, is a high interaction honeypot sold by Symantec. Decoy Server is unique in that it provides a complete operating system in which the attackers may interact, which then captures their every action.
Decoy Server creates a jailed environment in which attackers have access to virtual cages as opposed to limited operating systems. The cages are controlled environments from which the attacker is unable to escape. Decoy Server is also able to create up to four of these cages on a single system.

Honeynets - A Honeynet is a high interaction honeypot designed primarily for research. Rather than its value being in detecting or deceiving attackers, its value is in its ability to gain information on threats.
One of the unique features of a honeynet is that, rather than emulating a single system like BOF and Specter or multiple systems like Honeyd and Decoy Server, it is actually a network of standard production systems. The systems are put behind some type of access control device and monitored for activity.

3 comments:

Gautam said...

if this is small information then what do you call explanatory??

Too good, keep posting such knowledgeable articles.

Anonymous said...

This is awesome man ... this is in real sense a complete reference... seems like you have left no stone unturned to gather the information.

Too good with imparting knowledge. Keep it up!!

Anonymous said...

Nice information. Thank you dude...