Honeypot


An Introduction to The Honeypots

Shashwat Shriparv
dwivedishashwat@gmail.com
InfinitySoft


Content

Definition
Three Architectures
Applications
Advantages and disadvantages
Future Work


Definition

Honeypot

A honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems.

How it works

Theoretically, a honeypot should see no traffic, because it has no legitimate activity. This means that any interaction with a honeypot is most likely unauthorized or malicious.


Types of Honeypot

By purpose: Production / Research

By characteristics: Low / High interactivity


Low-Interaction vs. High-Interaction

Criterion          Low-Interaction       High-Interaction
Installation       Easy                  More difficult
Maintenance        Easy                  Time consuming
Risk               Low                   High
Needs control      No                    Yes
Data gathering     Limited               Extensive
Interaction        Emulated services     Full control


Value of Honeypots

Prevention
Detection
Response
Research purposes

Prevention

Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems; when a vulnerable system is found, the automated tool attacks it and takes it over.


Detection

Detection is critical: its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, we can react quickly, stopping or mitigating the damage they do.


Response

Response can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations, detailed information on the attacker's activity is critical.
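The following is an added illustration of the "how it works" principle and of the Prevention, Detection and Response points above; it is example code written for this page, not code from the presentation or from any honeypot project. Because a honeypot has no legitimate users, every source that touches it produces an alert by definition. The script parses a few constructed connection-log lines in a simple "timestamp source port protocol" format assumed for this example (not Honeyd's log format), builds one alert record per source with the detail a responder wants (ports, hit count, time range), and tags sources that sweep many ports within a few seconds, which is how the automated scanners described under Prevention behave. The threshold values are assumptions.

```python
"""Turn honeypot connection logs into alerts (added example, not the deck's code)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Format (an assumption of this example):
#   <ISO timestamp> <source IP> <destination port> <protocol>
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.7 22 tcp
2024-01-01T10:00:01 203.0.113.7 23 tcp
2024-01-01T10:00:02 203.0.113.7 80 tcp
2024-01-01T10:00:02 203.0.113.7 110 tcp
2024-01-01T10:00:03 203.0.113.7 445 tcp
2024-01-01T10:00:03 203.0.113.7 3389 tcp
2024-01-01T10:05:00 198.51.100.9 23 tcp
2024-01-01T10:07:30 198.51.100.9 23 tcp
"""

# Assumed thresholds: this many distinct ports from one source within this
# many seconds is treated as an automated sweep (worm / auto-rooter style).
SWEEP_PORTS = 5
SWEEP_WINDOW_SECONDS = 10.0


def parse_log(text):
    """Parse log lines into (timestamp, source, port, protocol) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, port, proto = line.split()
        events.append((datetime.fromisoformat(ts), src, int(port), proto))
    return events


def alerts_from_log(text):
    """Return one alert record per source that contacted the honeypot.

    Every source is alerted on (there is no legitimate traffic to filter out);
    the 'kind' field distinguishes automated sweeps from targeted contact.
    """
    by_src = defaultdict(list)
    for ts, src, port, proto in parse_log(text):
        by_src[src].append((ts, port, proto))

    alerts = {}
    for src, hits in by_src.items():
        hits.sort()  # chronological order
        ports = sorted({port for _, port, _ in hits})
        span = (hits[-1][0] - hits[0][0]).total_seconds()
        kind = "targeted"
        if len(ports) >= SWEEP_PORTS and span <= SWEEP_WINDOW_SECONDS:
            kind = "automated-sweep"
        alerts[src] = {
            "kind": kind,
            "ports": ports,
            "hits": len(hits),
            "first": hits[0][0].isoformat(),
            "last": hits[-1][0].isoformat(),
        }
    return alerts


if __name__ == "__main__":
    for src, alert in alerts_from_log(SAMPLE_LOG).items():
        print(f"ALERT {src}: {alert['kind']} on ports {alert['ports']} "
              f"({alert['hits']} hits, {alert['first']} .. {alert['last']})")
```

Running the script against the constructed log reports the first source as an automated sweep across six ports in two seconds and the second as targeted contact with the emulated telnet port, together with the time range a responder needs to correlate with other logs.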


Three Architectures

Honeyd

Gen I Honeynet

Gen II Honeynet


Honeyd Overview

Honeyd is a low-interaction virtual honeypot.

Simulates arbitrary TCP/UDP services
• IIS, Telnet, POP3, ...

Supports multiple IP addresses
• Test up to 65536 addresses simultaneously

Supports ICMP
• Virtual machines answer to ping and traceroute

Supports subsystems


Honeyd Architecture

Configuration database: stores the personalities of the configured network stacks.

Central packet dispatcher: dispatches incoming packets to the correct protocol handler.

Protocol handlers

Personality engine

Optional routing component
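To make the overview and the architecture slide concrete, here is a toy model of Honeyd's components written for this page; it is not Honeyd's own source code. It has a configuration database binding virtual IP addresses to templates with a personality, a central packet dispatcher that routes each packet to a protocol handler, the handlers for TCP (emulated services, reset, or silent block), UDP and ICMP, and a personality engine that stamps OS-specific values on every reply. The routing component and subsystems are omitted, packets are plain dictionaries with no real network I/O, and all addresses, banners, TTLs and window sizes are constructed values chosen for the example.

```python
"""Toy model of Honeyd's architecture (added example, not Honeyd's code)."""
from dataclasses import dataclass, field


@dataclass
class Personality:
    """OS fingerprint values the personality engine applies to replies."""
    os_name: str
    ttl: int          # initial IP TTL characteristic of the emulated OS
    tcp_window: int   # TCP window size characteristic of the emulated OS


@dataclass
class Template:
    """One configured virtual host: personality plus per-port behaviour."""
    name: str
    personality: Personality
    tcp_services: dict = field(default_factory=dict)  # port -> emulated banner
    default_tcp: str = "reset"   # what unconfigured TCP ports do: "reset" or "block"
    icmp: bool = True            # whether the host answers echo requests


# Configuration database: virtual IP -> template (constructed values).
CONFIG_DB = {
    "192.0.2.10": Template(
        "windows",
        Personality("Windows XP SP1", ttl=128, tcp_window=65535),
        tcp_services={
            80: "HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/5.0\r\n",
            23: "Welcome to Microsoft Telnet Service\r\n",
        },
    ),
    "192.0.2.20": Template(
        "linux",
        Personality("Linux 2.4", ttl=64, tcp_window=5840),
        tcp_services={110: "+OK POP3 server ready\r\n"},
        default_tcp="block",
        icmp=False,
    ),
}


def personality_engine(template, reply):
    """Shape a reply so it looks like it came from the configured OS."""
    reply["ttl"] = template.personality.ttl
    if reply["proto"] == "tcp":
        reply["window"] = template.personality.tcp_window
    return reply


def handle_tcp(template, pkt):
    """Emulated service banner, RST for unconfigured ports, or silent drop."""
    port = pkt["dport"]
    if port in template.tcp_services:
        return {"proto": "tcp", "flags": "SA", "payload": template.tcp_services[port]}
    if template.default_tcp == "reset":
        return {"proto": "tcp", "flags": "R", "payload": ""}
    return None  # "block": no reply at all


def handle_udp(template, pkt):
    """Simplification: every UDP port answers with ICMP port unreachable."""
    return {"proto": "icmp", "type": "port-unreachable", "payload": ""}


def handle_icmp(template, pkt):
    """Answer echo requests only if the template allows ICMP."""
    if template.icmp and pkt.get("type") == "echo-request":
        return {"proto": "icmp", "type": "echo-reply", "payload": pkt.get("payload", "")}
    return None


HANDLERS = {"tcp": handle_tcp, "udp": handle_udp, "icmp": handle_icmp}


def dispatch(pkt):
    """Central packet dispatcher: look up the virtual host, hand the packet
    to the protocol handler, then pass the reply through the personality engine."""
    template = CONFIG_DB.get(pkt["dst"])
    if template is None:
        return None  # not one of our virtual hosts
    handler = HANDLERS.get(pkt["proto"])
    if handler is None:
        return None
    reply = handler(template, pkt)
    if reply is None:
        return None
    reply["src"], reply["dst"] = pkt["dst"], pkt["src"]
    return personality_engine(template, reply)


if __name__ == "__main__":
    probe = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "tcp", "dport": 80}
    print(dispatch(probe))
```

The point of the model is the separation of concerns: the handler decides what a port does, while the personality engine alone decides how the reply looks on the wire, which is what lets one Honeyd process present many different operating systems on thousands of addresses.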


Gen I Honeynet

Simple methodology, limited capability
Highly effective at detecting automated attacks
Uses a reverse firewall for data control
Can be fingerprinted by a skilled hacker
Runs at OSI Layer 3


Gen II Honeynet

More complex to deploy and maintain
Examines outbound data and makes a determination to block, pass, or modify it
Runs at OSI Layer 2
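To make the Gen II data-control decision concrete, here is an added example (not code from the presentation, from Honeywall or from any honeynet project) that classifies each outbound connection attempt from a honeypot as pass, block or modify. The policy itself is an assumption chosen for the example: a per-honeypot hourly cap on outbound connections, a protected production range that is always blocked, and, above the cap, a "modify" outcome that lets the connection proceed with its payload replaced by harmless filler rather than hard-blocking it, so the control is less obvious to whoever compromised the honeypot. All addresses, caps and payloads are constructed.

```python
"""Toy outbound data-control policy for a honeynet (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed policy values for the example.
OUTBOUND_CAP_PER_HOUR = 15
PROTECTED_NETS = [ip_network("10.0.0.0/8")]   # constructed production range


@dataclass
class Outbound:
    """One outbound connection attempt seen leaving a honeypot."""
    hour: int          # hour bucket, e.g. epoch_seconds // 3600
    honeypot: str      # which honeypot originated it
    dst: str           # destination IP
    dport: int         # destination port
    payload: bytes     # first bytes of application data, may be empty


class DataControl:
    """Decide pass / block / modify for each outbound attempt."""

    def __init__(self, cap=OUTBOUND_CAP_PER_HOUR):
        self.cap = cap
        self.counts = defaultdict(int)   # (honeypot, hour) -> attempts counted
        self.log = []                    # every decision, for later analysis

    def _record(self, pkt, decision, payload):
        self.log.append((decision, pkt.honeypot, pkt.dst, pkt.dport))
        return decision, payload

    def decide(self, pkt):
        """Return (decision, payload_to_forward); payload is unchanged unless modified."""
        # The honeypot must never reach production ranges, whatever the count.
        if any(ip_address(pkt.dst) in net for net in PROTECTED_NETS):
            return self._record(pkt, "block", pkt.payload)

        key = (pkt.honeypot, pkt.hour)
        self.counts[key] += 1
        if self.counts[key] <= self.cap:
            return self._record(pkt, "pass", pkt.payload)

        # Over the cap: let the connection go out but neutralise the data so it
        # cannot carry an attack, instead of a hard block that reveals the control.
        return self._record(pkt, "modify", b" " * len(pkt.payload))


if __name__ == "__main__":
    dc = DataControl(cap=2)
    for dst in ("10.1.2.3", "198.51.100.1", "198.51.100.2", "198.51.100.3"):
        print(dst, dc.decide(Outbound(1, "hp1", dst, 80, b"GET /")))
```

The counter is keyed by honeypot and hour, so a quiet honeypot keeps its full allowance while a compromised one is throttled without affecting the others; the decision log is what later answers the Response question of what the attacker did after getting in.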


Applications

Detecting and countering worms
Spam prevention


How effective is it?


Advantages

One can learn about incident response: setting up a system that intruders can break into provides knowledge on detecting hacker break-ins and cleaning up after them.

Knowledge of hacking techniques can protect the real system from similar attacks.  

The honeypot can be used as an early warning system; setting it up will alert administrators of any hostile intent long before the real system gets compromised.


Disadvantages

Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploits.

Honeypots must be maintained just like any other networking equipment and services.

A honeypot requires just as many resources as a real system.

Building a honeypot requires at least one whole system dedicated to it, and this may be an expensive resource.


Future Work

Ease of use: In future, honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home without difficulty.

Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS, etc. As these technologies develop, honeypots will be integrated more closely with them.

Specific purpose: Features such as honeytokens are already under development to target honeypots at a specific purpose, e.g. catching only those attempting credit card fraud.


THANK YOU

Shashwat Shriparv
dwivedishashwat@gmail.com
InfinitySoft