Honeypots

The Internet is growing fast and doubling its number of websites every 53 days and
the number of people using the internet is also growing. Hence, global communication is
getting more important every day. At the same time, computer crimes are also increasing.
Countermeasures are developed to detect or prevent attacks - most of these measures are
based on known facts, known attack patterns. Countermeasures such as firewalls and
network intrusion detection systems are based on prevention, detection and reaction
mechanism; but is there enough information about the enemy?
As in the military, it is important to know who the enemy is, what kind of strategy he uses,
what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy
but important. By knowing attack strategies, countermeasures can be improved and
vulnerabilities can be fixed. To gather as much information as possible is one main goal of a
honeypot. Generally, such information gathering should be done silently, without alarming an
attacker. All the gathered information leads to an advantage on the defending side and can
therefore be used on productive systems to prevent attacks.
A honeypot is primarily an instrument for information gathering and learning. Its primary
purpose is not to be an ambush for the blackhat community to catch them in action and to
press charges against them. The focus lies on a silent collection of as much information as
possible about their attack patterns, used programs, purpose of attack and the blackhat
community itself. All this information is used to learn more about the blackhat proceedings
and motives, as well as their technical knowledge and abilities. This is just a primary purpose
of a honeypot. There are a lot of other possibilities for a honeypot - divert hackers from
productive systems or catch a hacker while conducting an attack are just two possible
examples. They are not the perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain and they need operators with good knowledge about
operating systems and network security. In the right hands, a honeypot can be an effective
tool for information gathering. In the wrong, inexperienced hands, a honeypot can become
another infiltrated machine and an instrument for the blackhat community.
This paper will present the basic concepts behind honeypots and also the legal aspects
of honeypots.
HONEYPOT BASICS
Honeypots are an exciting new technology with enormous potential for
the security community. The concepts were first introduced by several icons in
computer security, specifically Cliff Stoll in the book "The Cuckoo's Egg", and Bill
Cheswick's paper "An Evening with Berferd". Since then, honeypots have continued to
evolve, developing into the powerful security tools they are today.
Honeypots are neither like firewalls, which are used to limit or control the traffic coming into the
network and to deter attacks, nor like IDS (Intrusion Detection Systems), which are used to
detect attacks. However, they can be used along with these. Honeypots do not solve a
specific problem as such; they can be used to deter attacks, to detect attacks, to gather
information, to act as early warning or indication systems, etc.
They can do everything from detecting encrypted attacks in IPv6 networks to capturing the
latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is
also this flexibility that can make them challenging to define and understand.
WHY INTERNAL HONEYPOTS?
Let's start with a plausible scenario. A colleague opens a link from an email which promises
pictures of cute puppies, but it's actually malware which installs an advanced persistent
threat (APT) malware kit. Now, the attacker has access to the compromised machine and our
internal network. She begins scanning the network to start the covert information gathering
process and to find additional exploitable machines.
Organizations typically focus on monitoring inbound and outbound network traffic via
firewalls, yet ignore internal network traffic due to the complexity involved. In the scenario
above, a firewall will not protect or alert us.
By running honeypots on our internal network, we are able to detect anomalous events. We
gain awareness and insight into our network when network hosts interact with a Raspberry
Pi honeypot sensor. Since there isn't a good reason to interact with it (since it doesn't do
anything), activity on the Raspberry Pi is usually indicative of something roaming around our
network and a possible security breach.
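The sensor logic described above, as an added example (not code from the original paper): the Raspberry Pi offers no real service, so every connection to it is recorded as a "touch" alert, and a source that reaches several sensor ports is additionally reported as a scan, which is the pattern of the lateral-movement scenario. The port list and the scan threshold are assumptions.

```python
import socket
import threading
import time
from collections import defaultdict

# Assumption: ports an attacker moving laterally would commonly probe. The sensor
# offers no real service on any of them, so no connection to it is legitimate.
SENSOR_PORTS = (80, 139, 445, 3389)
SCAN_THRESHOLD = 3  # distinct sensor ports touched by one source => report a scan


def record_event(events, src_ip, dst_port, ts):
    """Store one connection to the sensor; nothing else is kept."""
    events.append({"src": src_ip, "port": dst_port, "ts": ts})


def alerts_from_events(events, threshold=SCAN_THRESHOLD):
    """Every connection is an alert by itself ("touch"); a source that reached at
    least `threshold` distinct sensor ports is additionally reported as a scan."""
    ports_by_source, alerts = defaultdict(set), []
    for ev in events:
        ports_by_source[ev["src"]].add(ev["port"])
        alerts.append(f"touch src={ev['src']} port={ev['port']}")
    for src, ports in sorted(ports_by_source.items()):
        if len(ports) >= threshold:
            alerts.append(f"scan src={src} ports={sorted(ports)}")
    return alerts


def serve_port(port, events, lock):
    """Accept connections on one port, record them and close them at once."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))  # ports below 1024 need root on the Pi
        srv.listen(5)
        while True:
            conn, (src_ip, _) = srv.accept()
            conn.close()
            with lock:
                record_event(events, src_ip, port, time.time())
                alerts = alerts_from_events(events)
                print(alerts[len(events) - 1])  # the touch just recorded
                for line in alerts[len(events):]:  # scan summaries, if any
                    print(line)


def run_sensor(ports=SENSOR_PORTS):
    """One listener thread per sensor port; blocks until the process is killed."""
    events, lock = [], threading.Lock()
    for port in ports:
        threading.Thread(target=serve_port, args=(port, events, lock), daemon=True).start()
    threading.Event().wait()
```

Calling run_sensor() on the Pi starts the listeners; the printed lines are what would be shipped to a central log or alerting system.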
WHY RASPBERRY PI?
We wanted to use a Raspberry Pi as a honeypot because of its low profile, minimal power
consumption, and most importantly, it's CHEAP! Understandably, not everyone has a big
budget to spend on monitoring things like internal network traffic. Raspberry Pi devices are
cost effective, so it is realistic to add 30 network sensors, which would cost around $1,000.
Imagine (and experience for yourself) how powerful it is to add this kind of tooling to your
security arsenal (or your house)!

About The Honeynet Project


The Honeynet Project is a leading international 501c3 non-profit security research
organization, dedicated to investigating the latest attacks and developing open source
security tools to improve Internet security. With Chapters around the world, our volunteers
have contributed to the fight against malware (such as Conficker), discovering new attacks and
creating security tools used by businesses and government agencies all over the world. The
organization continues to be on the cutting edge of security research by working to analyze
the latest attacks and educating the public about threats to information systems across the
world.
Founded in 1999, The Honeynet Project has contributed to the fight against malware and
malicious hacking attacks and counts leading security professionals among its members and
alumni. Our mission reads "to learn the tools, tactics and motives involved in computer and
network attacks, and share the lessons learned" with three main pillars:
Research
The Honeynet Project volunteers collaborate on security research efforts covering data
analysis approaches, unique security tool development and gathering data about attackers
and malicious software they use. We provide critical additional information, such as their
motives in attacking, how they communicate, when they attack systems and their actions
after compromising a system. We provide this service through our Know Your Enemy
whitepapers, The Project blog posts and our Scan of the Month challenges.
Awareness
The Honeynet Project members engage the broader security community and educate the
public about threats to systems and information. We raise awareness of the threats and
vulnerabilities that exist on the Internet today. We provide this information so people can
better understand they are a target, and understand the basic measures they can take to
mitigate these threats as well as better handle advanced threats that slip through the
defenses. This information is provided through our Know Your Enemy series of papers as
well as The Honeynet Project blog and other media venues and public security workshops.
Tools
The Honeynet Project engages the broader security community via Google Summer of Code
(GSoC) and other efforts to expand security tool development. For organizations interested
in continuing their own research about cyber threats, we provide the tools and techniques we
have developed. Recent tool examples include Cuckoo, Capture-HPC, Glastopf, HoneyC,
Honeyd, Honeywall. We provide these through our Tools Site. Key tools are also described
in Know Your Tools papers and on The Project blog.
Vision
Our vision for the Honeynet Project reads as follows:
The Honeynet Project is a diverse, talented, and engaged group of international computer
security experts who conduct open, cross disciplinary research and development into the
evolving threat landscape. It cooperates with like-minded people and organizations in that
endeavor.
11. ADVANTAGES AND DISADVANTAGES
Honeypots have certain advantages as security tools. It is the advantages that help define
the value of a honeypot. The beauty of a honeypot lies in its simplicity. It is a device intended
to be compromised, not to provide production services. This means there is little or no
production traffic going to or from the device, hence all honeypot traffic is suspect by nature.
Now, this is not always the case. Mistakes do happen, such as an incorrect DNS entry or
someone from accounting inputting the wrong IP address. But in general, most honeypot
traffic represents unauthorized activity.
Because of this simplistic model, honeypots have certain inherent advantages and
disadvantages. We will cover several of them.
11.1 Advantages
Data Collection: Honeypots collect very little data, and what they do collect is normally of
high value. This cuts the noise level down, making it much easier to collect and archive data.
One of the greatest problems in security is wading through gigabytes of data to find the data
you need. Honeypots can give you exactly the information you need in a quick and easy
to understand format. For example, the Honeynet Project, a group researching honeypots,
collects on average only 1-5MB of data per day. This information is normally of high value
also, as not only can you show network activity, but also what the attacker does once he or
she gets on the system.
Reduction of False Positives and False Negatives: This has already been covered under
Security and Honeypots in Section 2.
Simplicity: The very simplicity of design, implementation and use makes a honeypot a
desirable method to enhance security conditions in any organization.
Resources: Many security tools can be overwhelmed by bandwidth or activity. Network
Intrusion Detection Devices may not be able to keep up with network activity, dropping
packets, and potentially attacks. Centralized log servers may not be able to collect all the
system events, potentially dropping some events. Honeypots do not have this problem, they
only capture that which comes to them.
Honeypots are a great training environment for security professionals.

11.2 Disadvantages
Single Data Point: Honeypots all share one huge drawback; they are worthless if no one
attacks them. Yes, they can accomplish wonderful things, but if the attacker does not send
any packets to the honeypot, the honeypot will be blissfully unaware of any unauthorized
activity.
Risk: Honeypots can introduce risk to your environment. Different honeypots have different
levels of risk. Some introduce very little risk, while others give the attacker entire platforms
from which to launch new attacks. Risk is variable, depending on how one builds and
deploys the honeypot. Some of them are:
o A poorly contained honeypot puts the rest of your network at risk.
o There is also the temptation to retaliate. One should be careful and stay within legal
means. Returning tit for tat only gets one in trouble. The goal is to increase one's own
security, not go to war with the script kiddies.
o Honeypots won't fulfill their promise unless one has the time to administer them correctly.
Companies concerned about security threats are "better off using an intrusion-detection
system" if they don't have a dedicated team of highly trained administrators. But many
administrators, torn by budget constraints and the need to find quick-fix solutions to get
critical systems back online, often are in no position to probe cracker attacks, says Frank
Prince, an electronic-security analyst with Forrester Research in Cambridge, Mass.
What's more, in dollar terms the most damaging attacks come from inside companies, not
from crackers. While honeypots can help compile information on people breaking into the
system, they do little to combat sabotage from within.
Thus, though honeypots can add value, the time and resources involved may be best focused
on greater priorities. It is because of these disadvantages that honeypots do not replace any
security mechanisms. They can only add value by working with existing security
mechanisms.

HONEYD DEVELOPMENT
Honeyd is a small daemon that creates virtual hosts on a network. The hosts can be
configured to run arbitrary services, and their personality can be adapted so that they appear
to be running certain operating systems. Honeyd enables a single host to claim multiple
addresses - I have tested up to 65536 - on a LAN for network simulation. Honeyd
improves cyber security by providing mechanisms for threat detection and assessment. It
also deters adversaries by hiding real systems in the middle of virtual systems.
Honeyd is open source software released under the GNU General Public License. Even though
Honeyd is used commercially by many companies, it is being developed in my spare time
without any financial support. Nonetheless, I always appreciate a reduction of my wishlists, if
you feel so inclined. The README in Honeyd's source distribution and
the acknowledgments page list a number of people who have contributed code and ideas.
Current Status
Honeyd is maintained and developed by Niels Provos. Honeyd 1.5c was released on
2007-05-27 and the next version is currently being developed.
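An added example honeyd.conf illustrating the passage above; it is not from the Honeyd distribution or from its author. Two templates give virtual hosts different OS personalities and services, and the bind lines attach them to several addresses that the single Honeyd host then answers for. The 10.0.0.0/24 addresses and the scripts/ paths are assumptions, and the personality names must match entries in the nmap fingerprint file Honeyd is started with.

```text
# Added example configuration (assumed addresses and script paths).

# A Linux-looking virtual host: ports not listed below answer with RST,
# SSH and HTTP are emulated by small service scripts.
create linux
set linux personality "Linux 2.4.20"
set linux default tcp action reset
set linux default udp action reset
add linux tcp port 22 "sh scripts/test.sh $ipsrc $dport"
add linux tcp port 80 "sh scripts/web.sh"

# A Windows-looking virtual host: the usual file-sharing ports simply
# accept connections, so a scan sees an open but silent service.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows uptime 1728650
add windows tcp port 135 open
add windows tcp port 139 open
add windows tcp port 445 open
add windows tcp port 80 "sh scripts/web.sh"

# One Honeyd host claims all of these addresses on the LAN.
bind 10.0.0.51 linux
bind 10.0.0.52 windows
bind 10.0.0.53 windows
```

Because none of these addresses belongs to a real system, any traffic Honeyd logs for them is, as with the internal sensor above, suspect by nature.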