4 .honey pots

Upload: remya-rajith

Post on 08-Apr-2018

  • 8/6/2019 4 .Honey Pots

    1/21

    Honey Pots Seminar Report'11

    School Of Information Science And technology 1

    INTRODUCTION

    A honey pot is an Internet-attached server that acts as a decoy, luring in potential hackers in

    order to study their activities and monitor how they are able to break into a system. Honey

    pots are designed to mimic systems that an intruder would like to break into but limit the

    intruder from having access to an entire network. If a honey pot is successful, the intruder

    will have no idea that he is being tricked and monitored. Most honey pots are installed

    inside firewalls so that they can better be controlled, though it is possible to install them

    outside of firewalls. A firewall in a honey pot works in the opposite way to a normal

    firewall works: instead of restricting what comes into a system from the Internet, the

    honey pot firewall allows all traffic to come in from the Internet and restricts what the

    system sends back out. By luring a hacker into a system, a honey pot serves several

    purposes:

    • The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.

    • The hacker can be caught and stopped while trying to obtain root access to the system.

    • By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

    Over the last years, network-based intrusions have increased exponentially due

    to the popularity of scripted or automated attack tools. This increase in intrusions has

    rekindled interest in honey pot systems, which can be used to trap and decode the attack

    methods used by the black hat community.

    DEFINITION OF HONEY POTS

    Honey pots are an exciting new technology with enormous potential for the security

    community. The first step to understanding honey pots is defining what a honey pot is.

    Unlike firewalls or Intrusion Detection Systems, honey pots do not solve a specific problem.

    Instead, they are a highly flexible tool that comes in many shapes and sizes. It is also this

    flexibility that can make them challenging to define and

    understand. Honey pots can be defined as follows:

    "A honey pot is an information system resource whose value lies in unauthorized or illicit use of that resource."

    This is a general definition covering all the different forms of honey pots. We will be

    discussing in this report different examples of honey pots and their value to security. All

    will fall under the definition we use above; their value lies in the bad guys interacting with

    them. Conceptually almost all honey pots work the same. They are a resource that has no

    authorized activity; they do not have any production value. Theoretically, a honey pot

    should see no traffic because it has no legitimate activity. This means any interaction with a

    honey pot is most likely unauthorized or malicious activity. Any connection attempts to a

    honey pot are most likely a probe, attack, or compromise. Honey pots are a highly flexible

    security tool with different applications for security. They don't fix a single problem.

    Instead they have multiple uses, such as prevention, detection, or information gathering.

    Honey pots all share the same concept: a security resource that should not have any

    production or authorized activity. In other words, deployment of honey pots in a network

    should not affect critical network services and applications. A honey pot is a security

    resource whose value lies in being probed, attacked, or compromised.

    There are two general types of honey pots: production and research.

    Production honey pots are easy to use, capture only limited information, and are used

    primarily by companies or corporations. Research honey pots are complex to

    deploy and maintain, capture extensive information, and are used primarily by research,

    military, or government organizations.

    One example of a honey pot is a system used to simulate one or more network services that

    you designate on your computer's ports. An attacker assumes you're running vulnerable

    services that can be used to break into the machine. This kind of honey pot can be used to

    log access attempts to those ports including the attacker's keystrokes. This could give you

    advanced warning of a more concerted attack.

    Types of honey pots

    Honey pots come in many shapes and sizes. To help us better understand honey pots and

    all the different types, we break them down into two general categories:

    1. Low-interaction honey pots

    2. High-interaction honey pots

    Low-interaction honey pots

    These categories help us understand what type of honey pot we are dealing with, its

    strengths, and weaknesses. Interaction defines the level of activity a honey pot allows an

    attacker. Low-interaction honey pots have limited interaction; they normally work by

    emulating services and operating systems. Attacker activity is limited to the level of

    emulation by the honey pot. These honey pots tend to be easier to deploy and maintain,

    with minimal risk. Usually they involve installing software, selecting the operating systems

    and services we want to emulate and monitor, and letting the honey pot go from there. This

    plug and play approach makes deploying them very easy for most organizations. Also, the

    emulated services mitigate risk by containing the attacker's activity; the attacker never has

    access to an operating system to attack or harm others. The main disadvantages of

    low-interaction honey pots are that they log only limited information and are designed to capture

    known activity. The emulated services can only do so much. Also, it's easier for an attacker

    to detect a low-interaction honey pot; no matter how good the emulation is, a skilled attacker

    can eventually detect their presence. Examples of low-interaction honey pots include

    Specter, Honeyd, and KFSensor.

    Honeyd: Low-interaction honey pot

    Honeyd is a low-interaction honey pot. Developed by Niels Provos, Honeyd is Open Source

    and designed to run primarily on UNIX systems (though it has been ported to Windows).

    Honeyd works on the concept of monitoring unused IP space. Anytime it sees a connection

    attempt to an unused IP, it intercepts the connection and then interacts with the attacker,

    pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP

    or TCP port.

    In addition, you can configure emulated services to monitor specific ports, such as an

    emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated

    service, not only does the honey pot detect and log the activity, but it captures all of the

    attacker's interaction with the emulated service. In the case of the emulated FTP server, we

    can potentially capture the attacker's login and password, the commands they issue, and

    perhaps even learn what they are looking for or their identity. It all depends on the level of

    emulation by the honey pot. Most emulated services work the same way. They expect a

    specific type of behavior, and then are programmed to react in a predetermined way. If

    attack A does this, then react this way. If attack B does this, then respond this way. The

    limitation is if the attacker does something that the emulation does not expect, then it does

    not know how to respond. Most low-interaction honey pots, including Honeyd, simply

    generate an error message.
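
    The scripted request/response behaviour described above, as an added Python example (not Honeyd's code or the report's): an emulated FTP service that logs every command, records the login and password, and falls back to an error reply for anything it does not expect. The banner, reply strings, port 2121 and class name are assumptions.

```python
"""Low-interaction FTP emulation: scripted replies, full logging (added example)."""
import asyncio
import json
import time

BANNER = "220 FTP server ready."  # constructed banner, not taken from Honeyd


class EmulatedFtpSession:
    """One attacker connection. Every line is logged before it is answered."""

    def __init__(self, peer, sink=None):
        self.peer = peer
        self.user = None
        self.closed = False
        self.events = []   # in-memory transcript of this session
        self.sink = sink   # optional callable that persists each event as JSON

    def log(self, kind, **fields):
        event = {"ts": time.time(), "peer": self.peer, "kind": kind, **fields}
        self.events.append(event)
        if self.sink:
            self.sink(json.dumps(event))

    def handle(self, raw):
        """Return the predetermined reply for one received line."""
        line = raw.decode("latin-1", errors="replace").rstrip("\r\n")
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        self.log("command", verb=verb, arg=arg)
        if verb == "USER":
            self.user = arg
            return "331 Password required."
        if verb == "PASS":
            # The emulation never grants access; it only records the attempt.
            self.log("credentials", user=self.user, password=arg)
            return "530 Login incorrect."
        if verb == "SYST":
            return "215 UNIX Type: L8"
        if verb == "QUIT":
            self.closed = True
            return "221 Goodbye."
        # Anything outside the script: the emulation has no behaviour for it,
        # so it records the line and answers with a generic error.
        self.log("unexpected", line=line)
        return "500 Command not understood."


async def serve(host="127.0.0.1", port=2121):
    """Listen on a decoy port and run one EmulatedFtpSession per connection."""

    async def on_connect(reader, writer):
        session = EmulatedFtpSession(writer.get_extra_info("peername"), sink=print)
        writer.write((BANNER + "\r\n").encode())
        try:
            while not session.closed:
                raw = await reader.readline()
                if not raw:
                    break
                writer.write((session.handle(raw) + "\r\n").encode())
                await writer.drain()
        except (ValueError, ConnectionError):
            pass  # over-long line or reset: stop talking, keep what was logged
        finally:
            writer.close()

    server = await asyncio.start_server(on_connect, host, port, limit=1024)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```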

    High-interaction honey pots

    High-interaction honey pots are different; they are usually complex solutions as they

    involve real operating systems and applications. Nothing is emulated; we give

    attackers the real thing. If you want a Linux honey pot running an FTP server, you build a

    real Linux system running a real FTP server. The advantages with such a solution are

    twofold. First, you can capture extensive amounts of information. The second advantage is that

    high-interaction honey pots make no assumptions on how an attacker will behave. Instead,

    they provide an open environment that captures all activity. This allows high-interaction

    solutions to learn behavior we would not expect. An excellent example of this is how a

    Honey net). However, this also increases the risk of the honey pot as attackers can use this

    real operating system to attack non-honey pot systems. As a result, additional technologies

    have to be implemented that prevent the attacker from harming other non-honey pot

    systems. In general, high-interaction honey pots can do everything low-interaction honey

    pots can do and much more. However, they can be more complex to deploy and

    maintain. Examples of high-interaction honey pots include honeynets.

    Honeynets: High-interaction honey pot

    Honeynets are a prime example of a high-interaction honey pot. Honeynets are not a product;

    they are not a software solution that you install on a computer. Instead, Honeynets are an

    architecture, an entire network of computers designed to be attacked. The idea is to have an

    architecture that creates a highly controlled network, one where all activity is controlled

    and captured. Within this network we place our intended victims, real computers running

    real applications. The bad guys find, attack, and break into these systems on their own

    initiative. When they do, they do not realize they are within a Honey net. All of their

    activity, from encrypted SSH sessions to emails and file uploads, is captured without

    them knowing it. This is done by inserting kernel modules on the victim systems that

    capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's

    activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic

    to the victim systems, but controls the outbound traffic using intrusion prevention

    technologies. This gives the attacker the flexibility to interact with the victim systems, but

    prevents the attacker from harming other non-Honeynet computers. An example of such a

    deployment can be seen in Figure 1.

    Figure 1: How Honeynets are connected to the main server

    Value of Honey pots

    Now that we have an understanding of the two general categories of honey pots, we can focus on

    their value, specifically how we can use honey pots. Once again, we have two general

    categories: honey pots can be used for production purposes or research. When used for

    production purposes, honey pots are protecting an organization. This would include

    preventing, detecting, or helping organizations respond to an attack. When used for

    research purposes, honey pots are being used to collect information. This information has

    different value to different organizations. Some may want to be studying trends in attacker

    activity, while others are interested in early warning and prediction, or law enforcement. In

    general, low-interaction honey pots are often used for production purposes, while high-

    interaction honey pots are used for research purposes. However, either type of honey pot

    can be used for either purpose. When used for production purposes, honey pots can protect

    organizations in one of three ways: prevention, detection, and response. We will take a

    more in-depth look at how a honey pot can work in all three.

    Now that we have discussed the different types of honey pots and their value, let's discuss some

    examples. The more a honey pot can do and the more an attacker can do to a honey pot, the

    more information can be derived from it. However, by the same token, the more an attacker

    can do to the honey pot, the more potential damage an attacker can do. For example, a

    low-interaction honey pot would be one that is easy to install and simply emulates a few

    services. Attackers can merely scan, and potentially connect to several ports. Here the

    information is limited (mainly who connected to what ports when); however, there is little

    that the attacker can exploit. On the other extreme would be high-interaction honey pots.

    These would be actual systems. We can learn far more, as there is an actual operating

    system for the attacker to compromise and interact with; however, there is also a far

    greater level of risk, as the attacker has an actual operating system to work with. Neither

    solution is a better honey pot. It all depends on what you are attempting to achieve.

    Remember, honey pots are not a solution. Instead, they are a tool. Their value depends on

    what your goal is, from early warning and detection to research. Based on 'level of

    interaction', let's compare some possible honey pot solutions.

    For this report we will discuss three more honey pots. There are a variety of other possible

    honey pots; however this selection covers a range of options. We will cover Specter,

    Honeyd, homemade honey pots, Mantrap, and Honeynets. This paper is not meant to be a

    comprehensive review of these products. I only highlight some of their features. Instead, I

    hope to cover the different types of honey pots, how they work, and demonstrate the value

    they add and the risks involved. If you wish to learn more about the capabilities of these

    solutions, I highly recommend you try them out on your own in a controlled, lab

    environment.

    Specter

    Specter is a commercial 'low interaction' production honey pot. It can emulate a far

    greater range of services and functionality. In addition, not only can it emulate services, but

    emulate a variety of operating systems. It is easy to implement and low risk. Specter works

    by installing on a Windows system. The risk is reduced as there is no real operating system

    for the attacker to interact with. For example, Specter can emulate a web server or telnet

    server of the operating system of our choice. When an attacker connects, it is then

    prompted with an HTTP header or login banner.

    The attacker can then attempt to gather web pages or login to the system. This activity is

    captured and recorded by Specter, however there is little else the attacker can do. There is

    no real application for the attacker to interact with, instead just some limited, emulated

    functionality. Specter's value lies in detection. It can quickly and easily determine who is

    looking for what. As a honey pot, it reduces both false positives and false negatives,

    simplifying the detection process. Specter also supports a variety of alerting and logging

    mechanisms. One of the unique features of Specter is that it also allows for information

    gathering, or the automated ability to gather more information about the attacker. Some of

    this information gathering is relatively passive, such as DNS lookups. However, some of this

    research is active, such as port scanning the attacker. While this intelligence functionality

    may be of value, many times you do not want the attacker to know he is being watched. Be

    careful when implementing any active, automated responses to the attacker.

    Homemade Honey pots

    Another common honey pot is homemade. These honey pots tend to be low interaction.

    Their purpose is usually to capture specific activity, such as Worms or scanning activity.

    These can be used as production or research honey pots, depending on their purpose. Once

    again, there is not much for the attacker to interact with, however the risk is reduced

    because there is less damage the attacker can do. One common example is creating a

    service that listens on port 80 (http) capturing all traffic to and from the port. This is

    commonly done to capture Worm attacks. One such implementation would be using netcat,

    as follows:
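
    An added example, not the report's netcat command: a Python listener that does the same job of accepting connections on a decoy port, never replying, and saving every byte received. The size cap, idle timeout, default port 8080, output directory and file naming are assumptions.

```python
"""Capture everything sent to a decoy port (added example)."""
import hashlib
import os
import socket
import time

MAX_BYTES = 1 << 20   # stop after 1 MiB so a sender cannot fill the disk
IDLE_TIMEOUT = 10.0   # seconds of silence before the connection is dropped


def capture_connection(conn, peer, out_dir):
    """Read one connection until EOF, timeout or the size cap; never reply.

    Returns (payload_path, sha256_hex, byte_count).
    """
    conn.settimeout(IDLE_TIMEOUT)
    chunks, total = [], 0
    try:
        while total < MAX_BYTES:
            data = conn.recv(min(4096, MAX_BYTES - total))
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except (socket.timeout, ConnectionError):
        pass  # keep whatever arrived before the sender went quiet or reset
    finally:
        conn.close()

    payload = b"".join(chunks)
    digest = hashlib.sha256(payload).hexdigest()
    # Name the file by content hash: a worm that sends the same request from
    # thousands of hosts produces one sample file and many index lines.
    path = os.path.join(out_dir, digest + ".bin")
    if not os.path.exists(path):
        with open(path, "wb") as fh:
            fh.write(payload)
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    with open(os.path.join(out_dir, "index.log"), "a") as idx:
        idx.write(f"{stamp} {peer} {total} {digest}\n")
    return path, digest, total


def listen(port=8080, out_dir="captures", host="0.0.0.0"):
    """Accept connections one at a time and capture each of them.

    Port 8080 is an assumed unprivileged port; traffic for port 80 can be
    redirected to it so the listener does not have to run as root.
    """
    os.makedirs(out_dir, exist_ok=True)
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            capture_connection(conn, f"{addr[0]}:{addr[1]}", out_dir)


if __name__ == "__main__":
    listen()
```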

    Homemade honey pots can be modified to do (and emulate) much more, requiring a higher

    level of involvement, and incurring a higher level of risk. For example, FreeBSD has a jail

    functionality, allowing an administrator to create a controlled environment within the

    operating system. The attacker can then interact with this controlled environment. The

    value here is the more the attacker can do, the more can be potentially learned. However,

    care must be taken, as the more functionality the attacker can interact with, the more can

    go wrong, with the honey pot potentially compromised.

    Mantrap

    Mantrap is a commercial honey pot. Instead of emulating services, Mantrap creates up to

    four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems

    separated from a master operating system. This makes the honey pot far more flexible, as it

    can do much more. The attacker has a full operating system to interact with, and a variety

    of applications to attack. All of this activity is then captured and recorded. Not only can we

    detect port scans and telnet logins, but we can capture root kits, application level attacks,

    IRC chat sessions, and a variety of other threats. However, just as far more can be learned, so

    can more go wrong. Once compromised, the attacker can use that fully functional operating

    system to attack others. Care must be taken to mitigate this risk. As such, I would

    categorize this as a mid-high level of interaction. Also, this honey pot can be used as

    either a production honey pot (used both in detection and reaction) or a research honey

    pot to learn more about threats. There are limitations to this solution. The biggest one is

    you are limited to what the vendor supplies you. Currently, Mantrap only exists on

    the Solaris operating system.

    How honey pots work

    According to Lance Spitzner's definition of security, it lies in

    three regions:

    1. Prevention

    2. Detection

    3. Reaction

    PREVENTION

    Honey pots add little value to prevention; honey pots will not help keep the bad guys out.

    What will keep the bad guys out are best practices, such as disabling unneeded or insecure

    services and using strong authentication mechanisms. It is the best practices and procedures

    such as these that will keep the bad guys out. A honey pot, a system to be compromised,

    will not help keep the bad guys out. In fact, if incorrectly implemented, a honey pot may

    make it easier for an attacker to get in. Some individuals have discussed the value of

    deception as a method to deter attackers. The concept is to have attackers spend time and

    resources attacking honey pots, as opposed to attacking production systems. The attacker is

    deceived into attacking the honey pot, protecting production resources from attack. While

    this may prevent attacks on production systems, most organizations are much better off

    spending their limited time and resources on securing their systems, as opposed to

    deception. Deception may contribute to prevention, but organizations will most likely get

    greater prevention putting the same time and effort into security best practices. Also,

    deception fails against two of the most common attacks today: automated toolkits and

    worms. Today, more and more attacks are automated. These automated tools will probe,

    attack, and exploit anything they can find vulnerable. Yes, these tools will attack a honey

    pot, but they will also just as quickly attack every other system in our organization.

    If we have a coffee pot with an IP stack, it will be attacked. Deception will not prevent these

    attacks, as there is no consciously acting individual to deceive. Organizations are better off

    focusing their resources on security best practices.

    DETECTION

    While honey pots add little value to prevention, for many organizations, it is extremely

    difficult to detect attacks. Often organizations are so overwhelmed with production

    activity, such as gigabytes of system logging, that it can be extremely difficult to detect

    when a system is attacked, or even when successfully compromised. Intrusion Detection

    Systems (IDS) are one solution designed for detecting attacks. However, IDS administrators

    can be overwhelmed with false positives. False positives are alerts that were generated

    when the sensor recognized the configured signature of an "attack", but in reality was just

    valid traffic. The problem here is that system administrators may receive so many alerts on

    a daily basis that they cannot respond to all of them. Also, they often become conditioned to

    ignore these false positive alerts as they come in day after day, similar to the story of "the

    boy who cried wolf". The very IDS sensors that they were depending on to alert them to

    attacks can become ineffective unless these false positives are reduced. This does not mean

    that honey pots will never have false positives, only that they will be dramatically fewer

    than with most IDS implementations. Another risk is false negatives, when IDS systems fail

    to detect a valid attack. Many IDS systems, whether they are signature based, protocol

    verification, etc, can potentially miss new or unknown attacks. It is likely that a new attack

    will go undetected by current IDS methodologies. Also, new IDS evasion methods are

    constantly being developed and distributed.

    Honey pots address false negatives as they are not easily evaded or defeated by new

    exploits. In fact, one of their primary benefits is that they can most likely detect when a

    compromise occurs via a new or unknown attack by virtue of system activity, not

    signatures. Administrators also do not have to worry about updating a signature database

    or patching anomaly detection engines. Honey pots happily capture any attacks thrown

    their way. As discussed earlier though, this only works if the honey pot itself is attacked.

    Honey pots can simplify the detection process. Since honey pots have no production

    activity, all connections to and from the honey pot are suspect by nature. By definition,

    anytime a connection is made to your honey pot, this is most likely an unauthorized probe,

    scan, or attack. Anytime the honey pot initiates a connection, this most likely means the

    system was successfully compromised. This helps reduce both false positives and false

    negatives, greatly simplifying the detection process. By no means should honey pots replace

    your IDS systems or be your sole method of detection. However, they can be a powerful

    tool to complement your detection capabilities.
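
    The detection rule stated above (any connection to the honey pot is a probe, any connection from it means compromise), written out as an added Python example that is not part of the original report. The record format, the decoy address 192.0.2.50, the sample lines and the three-port scan threshold are constructed assumptions.

```python
"""Honey pot detection rule applied to connection records (added example)."""
import ipaddress
from collections import defaultdict

HONEYPOTS = {ipaddress.ip_address("192.0.2.50")}  # constructed decoy address
SCAN_PORT_THRESHOLD = 3                            # assumed cut-off for "scan"

# Constructed sample: "<time> <src_ip>:<sport> > <dst_ip>:<dport> <proto>"
SAMPLE = """\
2024-01-01T10:00:01Z 198.51.100.7:40112 > 192.0.2.50:21 tcp
2024-01-01T10:00:02Z 198.51.100.7:40113 > 192.0.2.50:22 tcp
2024-01-01T10:00:03Z 198.51.100.7:40114 > 192.0.2.50:80 tcp
2024-01-01T10:02:10Z 192.0.2.10:51544 > 192.0.2.20:443 tcp
2024-01-01T10:05:44Z 203.0.113.9:33001 > 192.0.2.50:23 tcp
2024-01-01T10:09:00Z truncated-record
2024-01-01T11:30:12Z 192.0.2.50:51000 > 203.0.113.200:6667 tcp
"""


def endpoint(text):
    """Split 'ip:port' (or '[ipv6]:port') into (ip_address, int port)."""
    host, _, port = text.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def parse(line):
    """Return (ts, src, sport, dst, dport, proto), or None if malformed."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != ">":
        return None
    try:
        src, sport = endpoint(parts[1])
        dst, dport = endpoint(parts[3])
    except ValueError:
        return None
    return parts[0], src, sport, dst, dport, parts[4]


def detect(lines, honeypots=HONEYPOTS):
    """Apply the two rules; traffic that does not touch a honey pot is ignored."""
    inbound = defaultdict(set)
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, src, _sport, dst, dport, _proto = rec
        if src in honeypots:
            # The honey pot has no reason to start a connection of its own.
            alerts.append({"kind": "outbound", "severity": "critical",
                           "time": ts, "honeypot": str(src),
                           "peer": str(dst), "port": dport})
        elif dst in honeypots:
            inbound[(str(src), str(dst))].add(dport)
    for (src, hp), ports in sorted(inbound.items()):
        kind = "scan" if len(ports) >= SCAN_PORT_THRESHOLD else "probe"
        alerts.append({"kind": kind, "severity": "warning", "source": src,
                       "honeypot": hp, "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```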

    REACTION

    Though not commonly considered, honey pots also add value to reaction. Often when a

    system within an organization is compromised, so much production activity has occurred

    after the fact that the data has become polluted. Incident response teams cannot determine

    what happened when users and system activity have polluted the collected data. For

    example, I have often come onto sites to assist in incident response, only to discover that

    hundreds of users had continued to use the compromised system. Evidence is far more

    difficult to gather in such an environment. The second challenge many organizations face

    after an incident is that compromised systems frequently cannot be taken off-line. The

    production services they offer cannot be eliminated. As such, incident response teams

    cannot conduct a proper or full forensic analysis.

    Honey pots can add value by reducing or eliminating both problems. They offer a system

    with reduced data pollution, and an expendable system that can be taken off-line. For

    example, let's say an organization had three web servers, all of which were compromised

    by an attacker. However, management has only allowed us to go in and clean up specific

    holes. As such, we can never learn in detail what failed, what damage was done, whether the

    attacker still had internal access, and if we were truly successful in cleanup. However, if one

    of those three systems was a honey pot, we would now have a system we could take off-

    line and conduct a full forensic analysis. Based on that analysis, we could learn not only

    how the bad guy got in, but what he did once he was in there. These lessons could then be

    applied to the remaining web servers, allowing us to better identify and recover from

    the attack.

    RESEARCH

    As discussed at the beginning, there are two categories for honey pots: production and

    research. We have already discussed how production honey pots can add value to an

    organization. We will now discuss how research honey pots add value. One of the greatest

    challenges the security community faces is lack of information on the enemy. Questions like

    who is the threat, why do they attack, how do they attack, what are their tools, and possibly

    when will they attack? It is questions like these the security community often cannot

    answer. For centuries military organizations have focused on information gathering to

    understand and protect against an enemy. To defend against a threat, you have to first

    know about it. However, in the information security world we have little such information.

    Honey pots can add value in research by giving us a platform to study the threat. What

    better way to learn about the bad guys than to watch them in action, to record step-by-step

    as they attack and compromise a system. Of even more value is watching what they do after

    they compromise a system, such as communicating with other black hats or uploading a

    new tool kit. It is this potential of research that is one of the most unique characteristics of

    honey pots. Also, research honey pots are excellent tools for capturing

    automated attacks, such as auto rooters or Worms. Since these attacks target entire

    network blocks, research honey pots can quickly capture these attacks for analysis.

    ADVANTAGES OF HONEYPOTS

    There are many advantages to using honey pots as security agents: used alongside

    various IDS and firewalls, they make the security arrangement stronger. Some of these advantages are very

    powerful and strong.

    • Small data sets of high value: Honey pots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honey pots only capture bad activity; any interaction with a honey pot is most likely unauthorized or malicious activity. As such, honey pots reduce 'noise' by collecting only small data sets, but information of high value, as it is only the bad guys. This means it's much easier (and cheaper) to analyze the data a honey pot collects and derive value from it.

    • New tools and tactics: Honey pots are designed to capture anything thrown at them, including tools or tactics never seen before.

    • Minimal resources: Honey pots require minimal resources; they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.

    • Encryption or IPv6: Unlike most security technologies (such as IDS systems), honey pots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honey pot; the honey pot will detect and capture it.

    • Information: Honey pots can collect in-depth information that few, if any other technologies can match.

    • Simplicity: Finally, honey pots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

    DISADVANTAGES OF HONEY POTS

    Like any technology, honey pots also have their weaknesses. It is because of this they do

    not replace any current technology, but work with existing technologies.

    • Limited view: Honey pots can only track and capture activity that directly interacts with them. Honey pots will not capture attacks against other systems, unless the attacker or threat interacts with the honey pots also.

    • Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honey pots are no different; they have risk also. Specifically, honey pots have the risk of being taken over by the bad guy and being used to harm other systems. This risk varies for different honey pots. Depending on the type of honey pot, it can have no more risk than an IDS sensor, while some honey pots have a great deal of risk.

    DIFFERENCES BETWEEN HIGH AND LOW INTERACTION HONEY POTS

    There is even an easy deployment of Honeyd on Linux computers. Low-interaction

    honey pots have the advantage of being easier to deploy and carrying little risk, as they contain the

    activity of the attacker. Once you have had an opportunity to work with low-interaction

    solutions, you can take the skills and understanding you have developed and work with

    high interaction solutions. To help you better understand honey pots, below is a chart

    summarizing what we just covered.

    Low-interaction: Solution emulates operating systems and services.

    • Easy to install and deploy. Usually requires simply installing and configuring software on a computer.

    • Minimal risk, as the emulated services control what attackers can and cannot do.

    • Captures limited amounts of information, mainly transactional data and some limited interaction.

    High-interaction: No emulation, real operating systems and services are provided.

    • Can capture far more information, including new tools, communications, or attacker keystrokes.

    • Can be complex to install or deploy (commercial versions tend to be much simpler).

    • Increased risk, as attackers are provided real operating systems to interact with.
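To make the low-interaction side of the chart concrete, here is an added example (not code from this report or from Honeyd): a Python listener that emulates a service banner, records only transactional data and the first few lines a client sends, and answers with a fixed reply so that nothing the client sends is ever executed. The FTP-style banner, port 2121 and all names are assumptions chosen for illustration.

```python
import json, socket, socketserver, threading, time

BANNER = b"220 ftp.example.test FTP server ready\r\n"  # constructed banner
MAX_BYTES = 512   # cap on captured input per connection
MAX_LINES = 3     # the emulation ends the session after this many lines
EVENTS = []       # in-memory capture log; a real sensor would ship these off-host
LOCK = threading.Lock()

class EmulatedService(socketserver.StreamRequestHandler):
    """Speaks just enough of a protocol to record what a client tries."""
    timeout = 5  # seconds; idle clients are dropped

    def handle(self):
        event = {"ts": time.time(), "src_ip": self.client_address[0],
                 "src_port": self.client_address[1], "lines": []}
        captured = 0
        try:
            self.wfile.write(BANNER)
            while len(event["lines"]) < MAX_LINES and captured < MAX_BYTES:
                raw = self.rfile.readline(MAX_BYTES - captured)
                if not raw:
                    break
                captured += len(raw)
                event["lines"].append(raw.decode("latin-1").rstrip("\r\n"))
                # Fixed reply: client input is logged, never interpreted or run.
                self.wfile.write(b"530 Login incorrect\r\n")
        except (socket.timeout, ConnectionError):
            event["note"] = "timeout-or-reset"
        with LOCK:
            EVENTS.append(event)

def start_honeypot(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 picks a free port."""
    server = socketserver.ThreadingTCPServer((host, port), EmulatedService)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    srv = start_honeypot(port=2121)  # assumed unprivileged port
    print("listening on", srv.server_address)
    try:
        while True:
            time.sleep(5)
            with LOCK:
                while EVENTS:
                    print(json.dumps(EVENTS.pop(0)))
    except KeyboardInterrupt:
        srv.shutdown()
```

Because the handler only ever returns the banner and one canned reply, the risk stays close to that of a passive sensor, at the price of capturing nothing beyond the first few lines of each session.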

    Finally, no paper on honey pots would be complete without a discussion about legal issues.

    There are many misconceptions about the legal issues of honey pots. Instead of briefly

    covering the legal issues in this paper, I will be releasing a new paper at the end of May,

    2003 dedicated to the legal issues of honey pot technologies.

    What are the legal issues of honey pots?

    As a new technology, people often ask what the legal issues of honey pots are. While honey

    pots are not specifically addressed in federal statutes or regulation, the following

    issues can be seen as a starting point. For specific information, refer to the paper Honey

    pots: Are They Illegal?

    • Liability: You can potentially be held liable if your honey pot is used to attack or harm other systems or organizations. This risk is the greatest with high-interaction honey pots.

    • Privacy: Honey pots can capture extensive amounts of information about attackers, such as IRC chats or emails, which can potentially violate their privacy. This could violate the privacy of the attacker or, more likely, of the people he is communicating with. Once again, this risk is primarily with high-interaction honey pots.

    • Entrapment: For some odd reason, many people are concerned with the issue of entrapment. Entrapment is a legal defense used to avoid a conviction; you cannot be charged with entrapment. Most legal experts believe that entrapment is not an issue for honey pots.

    CONCLUSION

    The purpose of this seminar report is to define what honey pots are and their value to the

    security community. We identified two different types of honey pots, low-interaction and

    high-interaction honey pots. Interaction defines how much activity a honey pot allows an

    attacker. The value of these solutions is both for production and research purposes. Honey

    pots can be used for production purposes by preventing, detecting, or responding to

    attacks. Honey pots can also be used for research, gathering information on threats so we

    can better understand and defend against them. If you are interested in learning more

    about honey pots, you may want to consider the book, the first and only book dedicated to

    honey pot technologies.

    References

    http://www.tracking-hackers.com/papers/honeypots.html

    http://www.securityfocus.com/infocus/1757

    http://www.securitywizardry.com/honeypots.html

    http://en.wikipedia.org/wiki/Honeypot

    http://www.honeynet.org/papers/honeynet/