
Seminar On Honey Pot

Submitted By: Gourav Verma, MCA/11/54. Submitted To: Mrs. Nisha

Definition: In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.

How does a honeypot work? In theory, a honeypot sees no traffic at all, because it has no legitimate activity. This means that any interaction with a honeypot is most likely unauthorized or malicious activity.

Types of honeypot

1) Purpose based

1.1) Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. They are placed inside the production network alongside the other production servers to improve the organization's overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy; they give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization: it adds value to the security measures the organization already has.

1.2) Research honeypots are run by volunteer, non-profit research organizations or educational institutions to gather information about the motives and tactics of the blackhat community targeting different networks. They do not add direct value to a specific organization; instead they are used to research the threats organizations face and to learn how to better protect against them. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

2) Characteristic based

2.1) Low interaction honeypots emulate only the services that attackers normally request. Because only a few services need to be emulated, this class of honeypot has several advantages: many virtual honeypots can be hosted on one physical system since each consumes relatively few resources, the virtual systems respond quickly, and the small code base reduces the chance that the honeypot itself contains an exploitable flaw. The price is that an attacker only ever interacts with an emulation, so the information captured is limited.

2.2) High interaction honeypots are real systems (or full virtual machines) that host a variety of services, so an attacker can be engaged with many services and made to waste time. Recent work on high interaction honeypot technology uses virtual machines so that multiple honeypots can be hosted on a single physical machine; because a virtual machine can be restored from a clean image, recovery is quicker even when the honeypot is compromised. In general, high interaction honeypots are harder for an attacker to identify as honeypots, but they are expensive to maintain and carry more risk, since the attacker gets a real system to work from. If virtual machines are not available, each honeypot needs its own physical computer, which can be exorbitantly expensive.

Low Interaction v/s High Interaction

Topic            Low Interaction     High Interaction
Installation     Easy                More difficult
Maintenance      Easy                Time consuming
Risk             Low                 High
Need control     No                  Yes
Data gathering   Limited             Extensive
Interaction      Emulated service    Full control
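The following is an added example, not part of the original seminar, of what "emulated service" in the table above means in practice: a low-interaction FTP honeypot in Python that answers the handful of commands an attacker or scanner sends first, records every credential pair tried, and refuses everything else. The banner, addresses and port are constructed for the example; there is no real file system or account behind it, which is exactly why its risk is low.

```python
import datetime
import json
import socket
import threading

# Constructed banner (assumption). A real deployment copies the banner of the
# software it imitates exactly, because scanners fingerprint on it.
BANNER = "220 ProFTPD 1.3.3 Server (ftp.example.local) [::ffff:192.0.2.21]\r\n"


def ftp_response(state, line):
    """Protocol logic for the emulated FTP service.

    `state` is the per-connection record, `line` one command without CRLF.
    Returns (reply, keep_open). Only the commands an attacker or scanner
    sends first are emulated; everything else is refused. There is no file
    system or account behind this, only logging.
    """
    verb, _, arg = line.partition(" ")
    verb = verb.upper()
    if verb == "USER":
        state["user"] = arg
        return "331 Password required for %s\r\n" % arg, True
    if verb == "PASS":
        # Record the credential pair, then always reject it.
        state["attempts"].append((state.get("user", ""), arg))
        return "530 Login incorrect.\r\n", True
    if verb == "SYST":
        return "215 UNIX Type: L8\r\n", True
    if verb == "QUIT":
        return "221 Goodbye.\r\n", False
    return "530 Please login with USER and PASS.\r\n", True


def handle_connection(conn, peer, max_lines=50):
    """Serve one attacker connection on `conn`; return the session record."""
    state = {
        "peer": "%s:%d" % peer,
        "start": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "attempts": [],
        "commands": [],
    }
    try:
        conn.sendall(BANNER.encode())
        reader = conn.makefile("rb")
        for _ in range(max_lines):  # cap what one attacker can make us log
            raw = reader.readline()
            if not raw:
                break
            line = raw.decode("latin-1").rstrip("\r\n")
            state["commands"].append(line)
            reply, keep_open = ftp_response(state, line)
            conn.sendall(reply.encode())
            if not keep_open:
                break
        reader.close()
    except OSError:
        pass  # attacker dropped the connection; keep what was logged
    finally:
        conn.close()
    return state


def simulate_session(lines, peer=("198.51.100.7", 4444)):
    """Run handle_connection over an in-process socketpair with scripted
    client lines; returns (session record, what the client received).
    Offline helper for testing; serve() below is the real entry point."""
    server_end, client_end = socket.socketpair()
    client_end.sendall("".join(l + "\r\n" for l in lines).encode())
    client_end.shutdown(socket.SHUT_WR)
    state = handle_connection(server_end, peer)
    chunks = []
    while True:
        data = client_end.recv(4096)
        if not data:
            break
        chunks.append(data)
    client_end.close()
    return state, b"".join(chunks).decode()


def serve(bind_addr="0.0.0.0", port=2121):
    """Listen and print one JSON record per session. Every record is suspect:
    the honeypot has no legitimate users, so nothing needs filtering out."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(
            target=lambda c=conn, p=peer: print(json.dumps(handle_connection(c, p)), flush=True),
            daemon=True,
        ).start()


if __name__ == "__main__":
    serve()
```

Run it as a normal user on a high port (2121 above) and redirect port 21 to it with the packet filter, so that a bug in the emulation never hands an attacker root. The `max_lines` cap matters: without it a single client can make the honeypot log without bound.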

Values of honeypot

i) Prevention. I personally feel honeypots add little value to prevention: they will not help keep the bad guys out. What keeps the bad guys out is good security practice, such as disabling unnecessary or insecure services, patching the services that are needed, and using strong authentication mechanisms. A honeypot is a system built to be compromised, so it will not keep anyone out; in fact, if incorrectly implemented, a honeypot may make it easier for an attacker to get in. Some have argued for deception as a way to deter attackers: the idea is to have attackers spend time and resources attacking honeypots instead of production systems, so that effort which might have gone into attacking production resources is drawn away. While this may prevent some attacks on production systems, I feel most organizations are much better off spending their limited time and resources securing their systems than deceiving would-be attackers. Perhaps more importantly, deception fails against the most common attacks: automated toolkits and worms. More and more attacks are automated, and these automated threats probe, attack, and exploit anything they can find vulnerable. Yes, they will attack a honeypot, but they will just as quickly attack every other system in your organization; if you have a coffee pot with an IP stack, it will be attacked. Deception cannot prevent these attacks because there is no individual to deceive. As such, I feel that honeypots add little value to prevention, and organizations are better off focusing their resources on good security practice.

ii) Detection. While honeypots add little value to prevention, I feel they add extensive value to detection. For many organizations, it is extremely difficult to detect attacks. They can be so overwhelmed with production activity, such as gigabytes of system logging, that they have difficulty detecting when a system has been attacked or exploited. Intrusion Detection Systems are designed to detect attacks, but IDS administrators can be overwhelmed with false positives: alerts generated when a sensor perceives and alerts on an attack that is actually valid traffic. False positives are dangerous because administrators receive so many alerts that they become inured to them, being falsely alerted day after day, much like "the boy who cried wolf". If false positives are not effectively reduced, administrators may simply start ignoring alerts issued by IDS sensors. This does not mean that honeypots never have false positives, only that they are dramatically fewer than in most IDS deployments. Another risk posed by Intrusion Detection Systems is false negatives, which occur when the IDS fails to detect a genuine attack. Honeypots largely avoid false negatives, as they are not easily evaded or defeated by new exploits: one of their primary values is that they can detect new or unknown attacks. Administrators do not have to worry about updating signature databases or tuning anomaly detection engines; a honeypot captures whatever attacks come its way. As discussed earlier, though, this only works if the honeypot itself is attacked.

Honeypots can also simplify the detection process. Since a honeypot has no production activity, all connections to and from it are suspect by nature. By definition, any connection made to your honeypot is most likely an unauthorized probe, scan, or attack, and any connection the honeypot initiates most likely means the system has been successfully compromised. This reduces both false positives and false negatives and greatly simplifies detection. Honeypots should by no means replace your IDS or be the sole method of detection, but they can be a powerful tool to complement intrusion detection capabilities.

iii) Reaction. Though not commonly considered, honeypots also add value to reaction. Often when an organization is compromised, so much production activity has occurred after the fact that the data has become polluted: the incident response team cannot determine what happened if users and systems have polluted the collected data. For example, I have often come onto sites to assist in incident response, only to discover that hundreds of users had continued to use the compromised system. Evidence is far more difficult to gather in such an environment. The second challenge many organizations face after an incident is that compromised systems cannot be taken off-line, because the production services they offer cannot be interrupted. As such, incident response teams cannot conduct a proper or full forensic analysis.

Honeypots reduce both of these problems. They offer a system with little data pollution, and an expendable system that can be taken off-line. For example, suppose an organization has three web servers, all compromised by an attacker, but management has only allowed incident response personnel to go in and clean up specific holes: they can never learn in detail what failed, what damage was done, whether the attacker still has internal access, or whether the cleanup was truly successful. If one of those three systems was a honeypot, the incident response team would have a system they could take off-line for a full forensic analysis. From that analysis they could learn not only how the attacker got in, but also what he did once inside. Those lessons could then be applied to the remaining web servers, allowing the team to better identify and recover from the attack.
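An added example (not from the original report) of the detection rule stated in the "How does a honeypot work?" and Detection sections above, run over a constructed flow log: anything inbound to a honeypot address is a probe, scan or attack; anything the honeypot itself initiates is a likely compromise; and the one thing that must be allowlisted is the management host that legitimately talks to the honeypot, otherwise it becomes the honeypot's only false positive. The addresses and the log format are assumptions.

```python
import ipaddress
from collections import Counter

# Addresses that belong to honeypots (assumption). Nothing legitimate ever
# talks to them, so there is no baseline to learn and no signature to update.
HONEYPOTS = {ipaddress.ip_address(a) for a in ("10.0.5.20", "10.0.5.21")}

# The exception every real deployment has: the host that manages or monitors
# the honeypot. Allowlist it explicitly rather than tuning it out later.
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.0.0.2")}

# Constructed flow log in a simple "time proto src:port -> dst:port" form.
SAMPLE_FLOWS = """\
2024-03-01T02:14:07Z tcp 203.0.113.9:51022 -> 10.0.5.20:22
2024-03-01T02:14:09Z tcp 10.0.1.15:44122 -> 10.0.1.80:443
2024-03-01T02:14:11Z tcp 203.0.113.9:51023 -> 10.0.5.20:445
2024-03-01T02:20:40Z tcp 10.0.5.20:38011 -> 198.51.100.77:6667
2024-03-01T02:30:00Z tcp 10.0.0.2:55000 -> 10.0.5.20:22
2024-03-01T02:31:15Z udp 198.51.100.50:40000 -> 10.0.5.21:161
2024-03-01T02:35:02Z tcp 10.0.5.21:51000 -> 10.0.1.80:445
"""


def parse_flow(line):
    """Parse one constructed flow line into a dict with typed addresses."""
    ts, proto, src, _, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "proto": proto,
            "src": ipaddress.ip_address(sip), "sport": int(sport),
            "dst": ipaddress.ip_address(dip), "dport": int(dport)}


def classify(flow):
    """Return an alert tuple (severity, reason, flow) or None.

    This is the whole detection logic a honeypot needs: inbound means someone
    is probing or attacking it, outbound means it has been taken over."""
    if flow["src"] in HONEYPOTS:
        if flow["dst"] in MANAGEMENT_HOSTS:
            return None
        return ("critical", "honeypot initiated a connection (likely compromised)", flow)
    if flow["dst"] in HONEYPOTS:
        if flow["src"] in MANAGEMENT_HOSTS:
            return None
        return ("high", "unsolicited connection to honeypot (probe/scan/attack)", flow)
    return None  # production traffic is not the honeypot's business


def analyze(log_text):
    """Run classify over every non-empty line of a flow log."""
    flows = (parse_flow(l) for l in log_text.splitlines() if l.strip())
    return [alert for alert in map(classify, flows) if alert is not None]


def summarize(alerts):
    """Per-severity, per-source counts: the first view an analyst wants."""
    return Counter((severity, str(flow["src"])) for severity, _, flow in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_FLOWS)
    for severity, reason, flow in found:
        print("%s %-8s %s:%d -> %s:%d  %s" % (flow["ts"], severity.upper(),
              flow["src"], flow["sport"], flow["dst"], flow["dport"], reason))
    print(summarize(found))
```

On the sample log the production flow (10.0.1.15 to 10.0.1.80) and the management login are ignored, the three external sources that touched a honeypot are flagged, and the two outbound flows (an IRC port and SMB towards an internal server) are raised as probable compromises, which is the point of the Reaction section: the compromised honeypot can now be pulled and imaged.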

Architectures

i) Honeyd

Honeyd is a small daemon that runs on UNIX-like and Windows platforms. It is used to create multiple virtual honeypots on a single machine, and entire networks can be simulated with it. Honeyd can be configured to run a range of emulated services such as FTP, HTTP, or SMTP; the services are scripts that imitate the protocol, not real servers, which makes honeyd a low-interaction honeypot. Furthermore, a personality can be configured so that the virtual host's TCP/IP stack behaviour resembles a particular operating system when fingerprinted. Honeyd allows a single host to claim as many as 65,536 IP addresses.

(Figure: Honeyd architecture)
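An added honeyd configuration fragment illustrating the paragraph above; it is not from the original seminar or from the honeyd distribution. The `create`/`set`/`add`/`bind` directives are honeyd's own syntax. The personality strings must match entries in the nmap fingerprint file honeyd is started with, the IP addresses are documentation ranges, and the service script paths and the high-interaction host at 10.0.5.20 are assumptions for the example.

```honeyd
# Added example honeyd.conf (not the original report's or honeyd's own file).

# Catch-all template: any address not bound below behaves like a host that
# silently drops everything.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A virtual Windows host with an emulated web server and SMTP service.
# Ports without a service get a RST, like a real closed port would.
create windows
set windows personality "Microsoft Windows NT 4.0 SP3"
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 25 "sh scripts/smtp.sh $ipsrc $sport"
add windows tcp port 139 open

# A virtual Linux host. SSH is proxied to a real high-interaction honeypot
# (assumed at 10.0.5.20), so the emulated network funnels interactive
# attackers into the system that can observe them fully.
create linux
set linux personality "Linux 2.4.7 (X86)"
set linux default tcp action reset
add linux tcp port 21 "sh scripts/ftp.sh"
add linux tcp port 22 proxy 10.0.5.20:22
set linux uptime 3284460

# Bind templates to the addresses this honeyd host will claim. The unused
# addresses must be routed to the honeyd host or answered for with arpd.
bind 192.0.2.10 windows
bind 192.0.2.11 linux
bind 192.0.2.12 linux
```

Two practitioner checks before exposing this: scan the bound addresses with nmap from outside and confirm the reported OS matches the personality (a mismatch between personality and the services offered is one of the easiest ways to fingerprint a honeyd host), and make sure the honeyd host itself does not answer on the bound addresses with its own real stack.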

ii) GEN I Honeynet:

ii.i) simple methodology, limited capability.
ii.ii) highly effective at detecting automated attacks.
ii.iii) uses a reverse firewall for data control: inbound connections to the honeynet are allowed, while outbound connections from it are counted and blocked beyond a limit.
ii.iv) can be fingerprinted by a skilled attacker.
ii.v) runs at OSI layer 3: the gateway is a router with its own IP address, so it shows up as an extra hop.

iii) GEN II Honeynet:

iii.i) more complex to maintain and develop.
iii.ii) examines outbound data and decides whether to block, pass, or modify it (connection limiting combined with inline intrusion prevention).
iii.iii) runs at OSI layer 2: the gateway is a bridge with no IP address and no TTL decrement, so it is much harder for an attacker to detect.

Application

Spam honeypots

Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources in order to discover spammer activity. Such honeypots give administrators several capabilities, and the mere existence of fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure against those who rely on very high-volume abuse (e.g., spammers): they reveal the apparent IP address of the abuser and capture spam in bulk, which lets operators determine the spammers' URLs and response mechanisms. For open relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") that spammers use as targets for their test messages, which are the tool they use to detect open relays. It is then simple to deceive the spammer: relay only the test e-mail addressed to that dropbox. That tells the spammer the honeypot is a genuinely abusable open relay, and they often respond by sending large quantities of relay spam to that honeypot, which accepts and stops it. The apparent source may itself be another abused system; spammers and other abusers may use a chain of abused systems to make the original starting point of the abuse traffic difficult to find. This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult. Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002. While most spam originates in the U.S., spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognise and thwart attempts to relay spam through their honeypots.
"Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages. (However, open relay spam has declined significantly
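An added example (not from the original report) of the open-relay honeypot policy described above: every relay attempt is accepted and captured, a message that looks like a relay test is delivered so that the spammer records the honeypot as a working relay, and the bulk spam that follows is accepted but never delivered. The domains, addresses and the heuristic used to recognise a test message (a single external recipient and a body that names the relay under test) are assumptions.

```python
# Constructed identity of the honeypot relay (assumptions). Mail for these
# domains is genuine local mail; anything else is a relay attempt.
LOCAL_DOMAINS = {"honeypot.example"}
OWN_NAMES = ("192.0.2.25", "relay.honeypot.example")


def is_local(addr):
    """True if the recipient is in one of our own domains."""
    return addr.rsplit("@", 1)[-1].lower() in LOCAL_DOMAINS


class RelayHoneypot:
    """Open-relay honeypot policy: accept everything, deliver almost nothing."""

    def __init__(self):
        self.dropboxes = set()  # addresses spammers use to receive relay tests
        self.captured = []      # every relayed message, kept for analysis

    def looks_like_relay_test(self, rcpts, data):
        """Assumed heuristic: a relay test has a single external recipient and
        names the relay being tested (our IP or hostname), so the spammer can
        tell which of the many hosts probed actually relayed."""
        return len(rcpts) == 1 and any(name in data for name in OWN_NAMES)

    def handle(self, src_ip, mail_from, rcpts, data):
        """Disposition for one accepted SMTP transaction. The client always
        gets 250 OK; the return value is what we actually do with the mail:
        "deliver-local", "deliver-test" or "sink" (accept, log, never send)."""
        if all(is_local(r) for r in rcpts):
            return "deliver-local"
        self.captured.append({"src": src_ip, "from": mail_from,
                              "rcpts": [r.lower() for r in rcpts], "size": len(data)})
        if self.looks_like_relay_test(rcpts, data):
            # Let the test through so the honeypot is recorded as a working relay.
            self.dropboxes.add(rcpts[0].lower())
            return "deliver-test"
        if len(rcpts) == 1 and rcpts[0].lower() in self.dropboxes:
            return "deliver-test"
        return "sink"

    def report(self):
        """Per-source volume: messages relayed and recipients targeted."""
        by_src = {}
        for m in self.captured:
            s = by_src.setdefault(m["src"], {"messages": 0, "recipients": 0})
            s["messages"] += 1
            s["recipients"] += len(m["rcpts"])
        return by_src


if __name__ == "__main__":
    # Constructed transcript: a relay test, then the flood that follows it.
    hp = RelayHoneypot()
    print(hp.handle("203.0.113.50", "probe@spam.example", ["drop123@mail.example"],
                    "Subject: relay test 192.0.2.25\r\n\r\nok"))
    print(hp.handle("198.51.100.9", "offer@spam.example",
                    ["v1@a.example", "v2@b.example"], "BUY NOW"))
    print(hp.dropboxes, hp.report())
```

The delivered test message is the only mail that ever leaves, and it is the one thing that keeps the spammer coming back; everything the honeypot "sinks" is still captured in full, which is where the URLs and response mechanisms mentioned above are read off.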

E-mail trap

An e-mail address that is used for no purpose other than to receive spam can also be considered a spam honeypot, although the term "spamtrap" is more usual, and "honeypot" might better be reserved for systems and techniques used to detect or counter attacks and probes. Spam arrives at such an address "legitimately", exactly as non-spam e-mail would. An amalgam of these techniques is Project Honey Pot. This distributed, open-source project uses honeypot pages installed on websites around the world; the pages hand out uniquely tagged spamtrap e-mail addresses, so e-mail address harvesters and spammers can be tracked as they gather the addresses and subsequently send mail to them.
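An added example, not Project Honey Pot's own code, of handing out uniquely tagged spamtrap addresses: each address encodes the page it was served on, the visitor's IP address and the time, protected by an HMAC so that a harvester cannot forge addresses and pollute the data, and an incoming spam can be traced back to the harvesting visit. The secret, the trap domain and the sample values are constructed.

```python
import base64
import hashlib
import hmac
import ipaddress
import struct

# Constructed secret and trap domain (assumptions). The secret is what stops a
# harvester from minting "issued" addresses to pollute the attribution data.
SECRET = b"constructed-secret-rotate-me"
TRAP_DOMAIN = "trap.example"
MAC_CHARS = 12  # 48 bits of truncated HMAC-SHA256 is plenty for this purpose


def make_trap_address(page_id, visitor_ip, issued_at, secret=SECRET):
    """Mint a unique spamtrap address for one page view.

    The local part carries (page id, issue time, visitor IP) in base32 plus a
    truncated HMAC over those bytes; it stays well inside the 64-character
    local-part limit even for IPv6 visitors."""
    tag = struct.pack(">HI", page_id, issued_at) + ipaddress.ip_address(visitor_ip).packed
    enc = base64.b32encode(tag).decode().rstrip("=").lower()
    mac = hmac.new(secret, tag, hashlib.sha256).hexdigest()[:MAC_CHARS]
    return "t-%s-%s@%s" % (enc, mac, TRAP_DOMAIN)


def resolve_trap_address(address, secret=SECRET):
    """Return the harvest event an address was issued for, or None when the
    address was never issued by us (other domain, tampered tag, bad MAC)."""
    local, _, domain = address.rpartition("@")
    parts = local.split("-")
    if domain.lower() != TRAP_DOMAIN or len(parts) != 3 or parts[0] != "t":
        return None
    _, enc, mac = parts
    try:
        tag = base64.b32decode(enc.upper() + "=" * (-len(enc) % 8))
        page_id, issued_at = struct.unpack(">HI", tag[:6])
        harvester = ipaddress.ip_address(tag[6:])
    except (ValueError, struct.error):
        return None
    expected = hmac.new(secret, tag, hashlib.sha256).hexdigest()[:MAC_CHARS]
    if not hmac.compare_digest(mac, expected):
        return None
    return {"page": page_id, "harvester_ip": str(harvester), "harvested_at": issued_at}


def attribute_spam(rcpt, received_at, secret=SECRET):
    """Tie an incoming spam to the harvesting visit that leaked its address."""
    event = resolve_trap_address(rcpt, secret)
    if event is None:
        return None
    event["spam_received_at"] = received_at
    event["seconds_from_harvest_to_spam"] = received_at - event["harvested_at"]
    return event


if __name__ == "__main__":
    # Constructed page view by a crawler, and a spam arriving a day later.
    addr = make_trap_address(42, "198.51.100.23", 1709259247)
    print(addr)
    print(attribute_spam(addr, 1709259247 + 86400))
    print(attribute_spam("t-aaaaaaaaaaaaaaaa-000000000000@trap.example", 0))
```

Because the address is self-describing, the mail server needs no database lookup to attribute a spam, and the harvest-to-spam delay comes out for free; rotating `SECRET` invalidates old addresses, so keep the previous key around for as long as you expect harvested addresses to stay in circulation.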

Advantages and Disadvantages

Advantage #1 - Data collection. Honeypots collect very little data, and what they do collect is normally of high value. This cuts down the noise and makes it much easier to collect and archive data. One of the greatest problems in security is wading through gigabytes of meaningless data to find something meaningful; honeypots give users exactly the information they need in a quick, easy-to-understand format. For example, the Honeynet Project, a group researching honeypots, collects on average only 1-5 MB of data per day, and this information is normally of high value because it shows not only network activity but also the attacker's actions once he or she is on the system. This is the property that makes honeypots so valuable for detection, as discussed above.

Advantage #2 - Resources. Many security tools can be overwhelmed by bandwidth or activity. Network intrusion detection devices may not be able to keep up with network traffic, dropping packets and potentially attacks; centralized log servers may not be able to collect all the system logs, potentially dropping logs. Honeypots do not have this problem: they only capture what comes to them.

Disadvantage #1 - Single point

Honeypots all have one common problem: they are worthless if no one attacks them. They can accomplish wonderful things, but if the attacker does not send any packets to the honeypot, it will be blissfully unaware of any unauthorized activity.

Disadvantage #2 - Risk

Honeypots can introduce risk into the user's environment. As the comparison of low and high interaction honeypots above shows, different honeypots carry different levels of risk: some introduce very little, while others give the attacker an entire platform from which to launch new attacks. The risk depends on how one builds and deploys the honeypot. Because of these disadvantages, honeypots do not replace any security mechanism; they add value only by working alongside existing security mechanisms.

Future work

i) Ease of use: In future, honeypots will most probably appear in prepackaged solutions that are easier to administer and maintain. People will be able to install and run honeypots at home without difficulty.

ii) Closer integration: Currently honeypots are used alongside other technologies such as firewalls, Tripwire, and IDS. As these technologies develop, honeypots will be integrated more closely with them.

iii) Specific purpose: Features such as honeytokens are already being developed to target honeypots at a specific purpose, for example catching only those attempting credit card fraud.

Thank you!
