HONEYPOT By SIDDARTHA ELETI CLEMSON UNIVERSITY. Introduction Introduced in 1990/1991 by Clifford...

HONEYPOT

By SIDDARTHA ELETI

CLEMSON UNIVERSITY

Introduction

• Introduced in 1990/1991 by Clifford Stoll in his book “The Cuckoo’s Egg” and by Bill Cheswick in his paper “An Evening With Berferd.”

• A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.

• Acts as a decoy or bait to lure attackers.

• They are designed to be attacked.

• It’s about spying on the spy, i.e. the attacker.

Working

• Uses the concept of deception.

• Honeypots work on the idea that all traffic to a honeypot should be deemed suspicious.

• Designed to audit the activity of an intruder, save log files, and record events:

– Processes started

– Adding, deleting, changing of files

– Even keystrokes

Location

• Honeypots are usually placed somewhere in the DMZ. This ensures that the internal network is not exposed to the hacker.

• Most honeypots are installed inside firewalls so that they can be better controlled.

• But a firewall that is placed in a honeypot works exactly the opposite to how a normal firewall works.

Types of Honeypots

• Based on level of deployment:

– Production honeypots

– Research honeypots

• Based on design:

– Pure

– High interaction

– Low interaction

Levels of Deployment

• Production:

– It’s easy and captures only limited info.

– Adds value to the security measures of an organization.

– Used by companies and large corporations

• Research:

– Collects a lot of info, i.e. the attacker’s tools, intent, identity etc.

– Does not directly add value to an organization

– Researches the threats and tries to come up with better measures

– Used by military, government organizations and research

Interaction

• What is Interaction?

– The level of interaction determines the amount of functionality a honeypot provides.

– The greater the interaction, the more you can learn.

– The greater the interaction, the greater the complexity.

– The greater the interaction, the greater the risk.

• High Interaction:

– Imitates the services and actions of a real system.

– Gives a vast amount of information.

– Involves an operating system.

  • This involves risk

– Multiple honeypots can be hosted with the use of VMs

– Difficult to detect

– Expensive to maintain

– Example: Honeynet

• Low Interaction Honeypots:

– Simulate the services of a system.

– Predetermined set of responses

– Not good for interacting with unexpected attacks

– Give less information. Usually:

  • Time of attack

  • IP and port of attacker

  • Destination IP and port of attack

– Do not involve an operating system

– Easy to detect

– Cheaper to maintain

Commercial Honeypot Systems

• There are a variety of commercial honeypot systems available.

– Deception ToolKit (DTK)

– Specter

• Supported OSs:

– Microsoft NT

– Unix

Deception Toolkit

• First free honeypot, by Fred Cohen in 1997

• Suite of applications that listen to inbound traffic:

– FTP

– Telnet

– HTTP

• Uses scripted responses.

• Experienced attackers can quickly realize that they are in a honeypot.
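A low-interaction decoy of the kind described on the Low Interaction and Deception Toolkit slides, as an added example that is not part of the original slides and is not DTK code: a TCP listener that answers only from a predetermined script and records the time, source IP/port and destination IP/port of every connection. The banner, host name, command set and function names are assumptions made for this sketch.

```python
import socket, socketserver, threading
from datetime import datetime, timezone
# Predetermined responses. Banner, host name and command set are constructed for this sketch.
BANNER = b"220 ftp.example.test FTP server ready\r\n"
SCRIPT = {b"USER": b"331 Password required\r\n",
          b"PASS": b"530 Login incorrect\r\n",
          b"QUIT": b"221 Goodbye\r\n"}
DEFAULT = b"500 Unknown command\r\n"  # unexpected input always gets this one canned reply
EVENTS = []                           # in-memory log; a real sensor would forward these off-host

class Decoy(socketserver.StreamRequestHandler):
    timeout = 10                      # seconds before an idle connection is dropped
    def handle(self):
        src_ip, src_port = self.client_address[:2]
        dst_ip, dst_port = self.request.getsockname()[:2]
        event = {"time": datetime.now(timezone.utc).isoformat(),
                 "src_ip": src_ip, "src_port": src_port,
                 "dst_ip": dst_ip, "dst_port": dst_port, "input": []}
        EVENTS.append(event)          # logged on connect: any traffic to a decoy is suspicious
        try:
            self.wfile.write(BANNER)
            for _ in range(20):       # cap the number of lines handled per connection
                line = self.rfile.readline(512).strip()
                if not line:          # EOF or blank line ends the session
                    break
                event["input"].append(line.decode("latin-1"))
                verb = line.split(b" ")[0].upper()
                self.wfile.write(SCRIPT.get(verb, DEFAULT))
                if verb == b"QUIT":
                    break
        except OSError:               # timeout or reset: keep what was captured
            pass

def start_decoy(host="127.0.0.1", port=0):
    """Start the listener in a background thread; port 0 picks a free port."""
    server = socketserver.ThreadingTCPServer((host, port), Decoy)
    server.daemon_threads = True
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def probe(port, lines):
    """Local test client: send each line, return the banner and the replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        f = s.makefile("rb")
        out = [f.readline()]
        for line in lines:
            s.sendall(line + b"\r\n")
            out.append(f.readline())
        return out
```

The identical `500` reply to every unscripted command is the fixed behaviour the slides point to: it keeps the decoy simple and cheap, and it is also what lets an experienced attacker recognise it.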

SPECTER

• SPECTER is a smart honeypot-based intrusion detection system.

• A production honeypot and easy to configure.

• Provides real-time counterintelligence against hackers.

• It simulates a vulnerable computer with various operating systems like Windows, Mac, Linux, Solaris etc.

• Offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET.

• These services appear perfectly normal to the attackers but in fact are traps for them to mess around and leave traces.

• Offers intelligent systems like TRACER, TRACE ROUTE, DNS, FTP Banner etc.

Advantages

• The administrator can learn about vulnerabilities in his system

• Intent of the attackers

• Simple design and implementation

• Fewer resources

• Cheaper to analyze collected information

Disadvantages

• Has to be attacked directly.

• Can be avoided.

• Honeypots can be detected as they have expected characteristics or behavior.

• They can introduce risk to the environment.

• They don’t prevent or stop an attack.

Conclusion

• It’s a tool to learn and understand how the attack is being executed and the motives of the attackers.

• Not a solution.

• Provides important information about:

– The attacker

– The tools being used by the attacker

– What the attacker is after

THANK YOU