HONEYPOT

(COMPUTING)
Honeypot (computing)
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner
counteract attempts at unauthorized use of information systems. Generally it consists of
a computer, data, or a network site that appears to be part of a network, but is actually isolated and
monitored, and which seems to contain information or a resource of value to attackers

Honeypots can be classified based on their deployment and based on their level of
involvement. Based on deployment, honeypots may be classified as:

1) Production honeypots

Research honeypots are run to gather information about the motives and tactics of
the Blackhat community targeting different networks. These honeypots do not add direct value to
a specific organization; instead, they are used to research the threats organizations face and to learn
how to better protect against those threats. Research honeypots are complex to deploy and
maintain, capture extensive information, and are used primarily by research, military, or
government organizations

Production honeypots are easy to use, capture only limited information, and are used primarily
by companies or corporations; Production honeypots are placed inside the production network with
other production servers by an organization to improve their overall state of security. Normally,
production honeypots are low-interaction honeypots, which are easier to deploy. They give less
information about the attacks or attackers than research honeypots do.

Based On design Criteria, honeyspots can be classified as:

1. pure honeypots
2. high-interaction honeypots
3. low-interaction honeypots
Pure honeypots are full-fledged production systems. The activities of the attacker are
monitored using a casual tap that has been installed on the honeypot's link to the network. No other
software needs to be installed. Even though a pure honeypot is useful, stealthiness of the defense
mechanisms can be ensured by a more controlled mechanism.
High-interaction honeypots imitate the activities of the real systems that host a variety of
services and, therefore, an attacker may be allowed a lot of services to waste his time. According
to recent researches in high interaction honeypot technology, by employing virtual machines,
multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is
compromised, it can be restored more quickly. In general, high interaction honeypots provide more
security by being difficult to detect, but they are highly expensive to maintain. If virtual machines
are not available, one honeypot must be maintained for each physical computer, which can be
exorbitantly expensive. Example: Honeynet.
 Low-interaction honeypots simulate only the services frequently requested by attackers. Since
they consume relatively few resources, multiple virtual machines can easily be hosted on one
physical system, the virtual systems have a short response time, and less code is required, reducing
the complexity of the security of the virtual systems. Example: Honeyd.
Spam versions:
Spammers abuse vulnerable resources such as open mail relays and open proxies. Some
system administrators have created honeypot programs that masquerade as these abusable
resources to discover spammer activity. There are several capabilities such honeypots provide to
these administrators and the existence of such fake abusable systems makes abuse more difficult
or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high
volume abuse (e.g., spammers).
These honeypots can reveal the apparent IP address of the abuse and provide bulk spam capture).
For open relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") spammers
use as targets for their test messages, which are the tool they use to detect open relays. It is then
simple to deceive the spammer: transmit any illicit relay e-mail received addressed to that dropbox
e-mail address. That tells the spammer the honeypot is a genuine abusable open relay, and they
often respond by sending large quantities of relay spam to that honeypot, which stops it. The
apparent source may be another abused systemspammers and other abusers may use a chain of
abused systems to make detection of the original starting point of the abuse traffic difficult.
This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-
spam honeypots, spammers, with little concern for hiding their location, felt safe testing for
vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse
riskier and more difficult.
Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002. While
most spam originates in the U.S., spammers hop through open relays across political boundaries
to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart
attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but
decline to deliver it." Honeypot operators may discover other details concerning the spam and the
spammer by examining the captured spam messages.
E-mail trap
An e-mail address that is not used for any other purpose than to receive spam can also be
considered a spam honeypot. Compared with the term spamtrap, the term "honeypot" might better
be reserved for systems and techniques used to detect or counter attacks and probes. Spam arrives
at its destination "legitimately"exactly as non-spam e-mail would arrive.
An amalgam of these techniques is Project Honey Pot. The distributed, open-source Project uses
honeypot pages installed on websites around the world. These honeypot pages hand out uniquely
tagged spamtrap e-mail addresses. And Spammers can then be tracked as they gather and
subsequently send to these spamtrap e-mail addresses.
Database honeypot
Databases often get attacked by intruders using SQL Injection. Because such activities are
not recognized by basic firewalls, companies often use database firewalls. Some of the
available SQL database firewalls provide/support honeypot architectures to let the intruder run
against a trap database while the web application still runs as usual.
Detection:
Just as honeypots are weapons against spammers, honeypot detection systems are
spammer-employed counter-weapons. As detection systems would likely use unique
characteristics of specific honeypots to identify them, a great deal of honeypots in use makes the
set of unique characteristics larger and more daunting to those seeking to detect and thereby
identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a
large number of versions of the same software, all differing slightly from each other) can be
beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred
Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot
should have a deception port that adversaries can use to detect the honeypot. Cohen believes that
this might deter adversaries.

Honeypot Principles:
Honeypot is not a production system
1) Every flow going to (or coming from) this system is suspicious by nature.
2) This makes the analysis of collected data much easier.
3) The trap must be well done in order to collect useful and interesting data.
4) At the same time, the trap must be difficult to recognize by a potential hacker.
5) The honeypot can be hiddenamongst production systems QThis allows to identify
easily actions brought against these systems
6) The honeypot can be isolated on a DMZ QThis will allow to unmask curious
peoplewho are too interested by the equipments on the DMZ
7) The honeypot can be implemented on the Intranet QBehaviors can be analyzed
8) And why not a honeypot Wireless / 802.11b ?
9) The system that will be chosen depends on the objectives

Stakes:
Pros:
1) Collected data are on principle interesting
2) Few false positive / false negative
3) High value data
Cons:
1) Incurred risks when using such a system
 a. Bounce: a hacker may attack another site from the honeypot
b. Provocation: a hacker may feel provoked and avenge
2) Important resources needed to operate such a system
a. Skills, time
b. But results can be mutualize

Different family of honeypot:

1) Two distinct types
2) Low interaction
a. And low risk
b. Used to produce statistics on attacks
3) High interaction
a. QUsually know as research
b. Many possibilities

Low Interaction:
1) Emulate services, networks & fingerprints
2) Log all interaction
3) Honeyd is widely used to build low interaction HP
 High Interaction:
1) Allow full access to services and OS
2) Ability to capture 0-day attacks
3) May be risky

Honeyd:
1) Written by NielsProvosin 2002
2) Low interaction virtual HP
3) Released under GPL sv1.5a available at www.honeyd.org
4) Simulates boxes on unused IP space (with ARPd)
a. Oses
b. Services
c. Network topology

Honeydfake services:
Wireless Honeypots:
1) Wireless technologies are more and more available
a. In corporate networks
b. In home networks
c. In hot spots
2) New technologies such as VoIP/WLAN, UMA (Unlicensed Mobile Access)are new
ways to circumvent your security policy
3) Seems that wireless honeypot could help us in evaluating these new risks.
4) Based on a real AP, and on a honeyd server emulating a full network
5) All traffic is monitored and captured
6) Can fool hacker and wardriver
Virtual Honeypots:
1) New architectureto build honeynet
2) Ideas
a. Run everything on a single computer
b. Relies on virtualization technologies
i. VMware
ii. Xen
iii. UML (User Mode Linux)
iv.
Pros
1) Reduced cost
2) Easy to maintain / repair
3) Portable (honeynet laptop?)

Cons
1) Single point of failure
2) Not everything is possible (Cisco on Intel?)
3) Security (strong compartmentalization?)
4) Detection? Very difficult to hide

Automated MalwareCollection:
1) Automated malwarecollection is a new hyped technique
2) Most well-known tools are
a. Mwcollect
b. Nepenthes
c. Mwcollect and Nepenthes fusion (February, 2006)
3) Lots of other techniques are possible
4) PCAP capture of compromised hosts for example
Honeynet Problem:
How can we defend against an enemy, when we dont
even know who the enemy is?

Experimental Setup:

HONEYNET:
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for
monitoring a larger and/or more diverse network in which one honeypot may not be sufficient.
Honeynets and honeypots are usually implemented as parts of larger network intrusion detection
systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet
Project, published the paper "To Build a Honeypot":

A honeynet is a network of high interaction honeypots that simulates a production network

and configured such that all activity is monitored, recorded and in a degree, discreetly
regulated.
Honeyclient:
Idea: Honeypot client
1) Detect malicious web server, IRC net, P2P net
2) Surf the web searching for websites that use browser exploits to install malwareon the
honeymonkeycomputer

Honeynet: Honeynet Project

1) Non-profit (501c3) organization with Board of Directors.

2) Funded by sponsors
3) Global set of diverse skills and experiences.
4) Open Source, share all of our research and findings at no cost to the public.
5) Deploy networks around the world to be hacked.
6) Everything we capture is happening in the wild.
7) We have nothing to sell.