sina-manavi
Content
• What is Honeypot
• What is Honeynet
• Advantages and Disadvantages of Honeypot/net
Definition of Honeypot:
• A Honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
- Lance Spitzner
Honeypot value:
• Prevention: slows or deflects automated attacks (worms and auto-rooters)
• Detection: identifies a failure or breakdown in prevention
• Response: the captured activity is evidence that supports incident response
How Honeypot works:
[Figure: attackers reach Honeypot A through a gateway; the honeypot has no connection to production systems, and the attack data it collects feeds prevention, detection and response.]
Architecture
Honeypot can be placed:
• In front of the firewall (Internet)
• In the DMZ (DeMilitarized Zone)
• Behind the firewall (intranet)
Honeypot Classification:
• By implementation: Virtual, Physical
• By purpose: Production, Research
• By level of interaction: High, Low (a Medium level is sometimes distinguished)
Implementation of Honeypot
• Physical: real machines with their own IP addresses, often high-interaction
• Virtual: simulated by other machines that respond to the traffic sent to the honeypot addresses and may simulate many different virtual honeypots at the same time
Physical Honeypot vs. Virtual Honeypot
• PH (real machines, real NICs, typically high-interaction): high maintenance cost; impractical for large address spaces.
• VH (simulated by other machines): multiple virtual services and VMs on one machine; typically simulates only network-level interactions, but can still capture intrusion attempts.
Purpose of Honeypot:
• Research: complex to deploy and maintain; captures extensive information; run by volunteers (non-profit); used to research the threats organizations face.
• Production: easy to use; captures only limited information; used by companies or corporations; mitigates risk in the organization.
Interaction Level:
• Low Interaction
• High Interaction
Note: Interaction measures the amount of activity an attacker can have with a honeypot.
Low Interaction vs. High Interaction
                 Low-Interaction      High-Interaction
Installation     Easy                 More difficult
Maintenance      Easy                 Time consuming
Risk             Low                  High
Need control     No                   Yes
Data gathering   Limited              Extensive
Interaction      Emulated services    Full control of a real system
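As an added example (not from the slides), a minimal low-interaction honeypot in Python in the sense of the "Emulated services" row above: it emulates only the opening exchange of an SSH-like service (the server banner), records who connected and what the client sent, and never offers a real shell, so the "Risk: Low" and "Data gathering: Limited" cells both hold. The banner string, the loopback port and the `probe` client that stands in for an attacker's scanner are constructed for this example.

```python
import json
import socket
import threading
import time

# Constructed banner that mimics the first line a real SSH server sends.
# The version string is made up for this example, not copied from a product.
BANNER = b"SSH-2.0-OpenSSH_5.3\r\n"


class LowInteractionHoneypot:
    """Emulates one service just deeply enough to log who talks to it."""

    def __init__(self, host="127.0.0.1", port=0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))      # port 0: let the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.events = []                  # captured records (a real deployment ships these off-box)
        self._thread = None

    def _handle(self, conn, peer):
        # Send the banner, keep only the client's first message, then hang up.
        # Nothing the client sends is ever interpreted or executed.
        conn.settimeout(2.0)
        conn.sendall(BANNER)
        try:
            data = conn.recv(256)
        except socket.timeout:
            data = b""
        finally:
            conn.close()
        self.events.append({
            "ts": time.time(),
            "src_ip": peer[0],
            "src_port": peer[1],
            "dst_port": self.port,
            "client_banner": data.decode("ascii", "replace").strip(),
        })

    def serve(self, max_conns):
        for _ in range(max_conns):
            conn, peer = self.sock.accept()
            self._handle(conn, peer)
        self.sock.close()

    def start(self, max_conns=1):
        self._thread = threading.Thread(target=self.serve, args=(max_conns,), daemon=True)
        self._thread.start()
        return self

    def wait(self, timeout=5.0):
        self._thread.join(timeout)
        return self.events


def probe(port, client_banner):
    """Stand-in for an attacker's scanner: connect, read the banner, identify itself."""
    with socket.create_connection(("127.0.0.1", port), timeout=2.0) as c:
        server_banner = c.recv(256)
        c.sendall(client_banner)
    return server_banner


def demo():
    """Run one honeypot on loopback, hit it once with the constructed probe."""
    hp = LowInteractionHoneypot().start(max_conns=1)
    seen = probe(hp.port, b"SSH-2.0-masscan\r\n")   # constructed scanner banner
    return seen, hp.wait()


if __name__ == "__main__":
    banner, events = demo()
    print(banner)
    print(json.dumps(events, indent=2))
```

Every connection to this port is by definition suspect, which is why a log with a handful of fields per hit is already useful: there is no legitimate traffic to filter out.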
Example of Honeypots:
• High interaction: Symantec Decoy Server (ManTrap), Honeynets
• Low interaction: Nepenthes, Honeyd (virtual honeypot), KFSensor, BackOfficer Friendly
Honeynet History:
• Informally began in April 1999
• The Honeynet Project officially formed in June 2000
• Became a non-profit corporation in September 2001.
• Is made up of thirty volunteer security professionals
What is a Honeynet?
• Actual network of computers
• High-interaction honeypot
• Its an architecture, not a product
• Provides real systems, applications, and services for attackers to interact with.
• Any traffic entering or leaving it is suspect.
How the Honeynet works?
• Monitors, captures, and analyzes every packet entering or leaving the network.
• Because no production traffic belongs there, all traffic entering or leaving the Honeynet is suspect by nature.
Honeynet Evolution
• 1997: DTK (Deception Toolkit)
• 1999: a single sacrificial computer
• 2000: Generation I Honeynet
• 2003: Generation II Honeynet
• 2003: Honeyd software
• 2004: Distributed Honeynets, Malware Collector, ...
• 2009: Dionaea (multi-stage payloads, SIP, ...)
• Kojoney, Kippo (SSH honeypots)
Architecture Requirements:
• Data Control
• Data Capture
Data Control of the Honeynet
[Figure: without a Honeywall, traffic between the Internet and the honeypots has no restrictions in either direction. With a Honeywall in line, inbound traffic is still unrestricted, while outbound connections are limited and packets are scrubbed.]
Honeynet Generations:
• Gen I:
– Simple methodology, limited capability
– Highly effective at detecting automated attacks
– Uses a reverse firewall for data control
– Can be fingerprinted by a skilled attacker
– Runs at OSI layer 3 (routed)
• Gen II:
– More complex to deploy and maintain
– Examines outbound data and decides whether to block, pass, or modify it
– Runs at OSI layer 2 (a bridging Honeywall with no IP hop for the attacker to see)
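Added example, not from the slides or from the Honeynet Project's own Honeywall code: a Python model of the Gen II data-control decision described above. Inbound traffic to the honeypots passes untouched (data capture wants it), each honeypot's new outbound connections are counted per protocol in a sliding window and blocked once a limit is reached, and outbound payloads that match a replace rule are modified in place instead of dropped, so the attacker sees the connection succeed but the exploit fail. The honeypot addresses, the per-hour limits and the `/bin/sh` to `/ben/sh` rule are assumptions in the spirit of the Honeywall's rc.firewall and snort_inline defaults, not values from the page.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed per-window outbound connection limits per honeypot and protocol.
# Modelled on the kind of defaults rc.firewall uses; the numbers are not from the slides.
LIMITS = {"tcp": 20, "udp": 20, "icmp": 50, "other": 10}
WINDOW = 3600  # seconds; "N connections per hour"

# Constructed replace rules in the style of snort_inline's "replace" option:
# the replacement has the same length, so the packet stays valid and the
# attacker's payload simply stops working.
REPLACE_RULES = [(b"/bin/sh", b"/ben/sh")]


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    proto: str              # "tcp", "udp", "icmp", anything else counts as "other"
    payload: bytes = b""
    new_conn: bool = False  # first packet of a flow, e.g. a TCP SYN


@dataclass
class Verdict:
    action: str             # "pass", "block" or "modify"
    payload: bytes
    reason: str


class Honeywall:
    """Layer-2 bridge model: every packet crosses filter(), the decision is logged."""

    def __init__(self, honeypots, limits=LIMITS, window=WINDOW, rules=REPLACE_RULES):
        self.honeypots = set(honeypots)
        self.limits = limits
        self.window = window
        self.rules = rules
        self.outbound = defaultdict(deque)  # (honeypot, proto) -> timestamps of new connections
        self.log = []                       # data capture of the control decisions themselves

    def filter(self, pkt):
        if pkt.src in self.honeypots:
            verdict = self._outbound(pkt)
        else:
            # Inbound: attackers must be able to reach the honeypots, so nothing is restricted.
            verdict = Verdict("pass", pkt.payload, "inbound: unrestricted")
        self.log.append((pkt.ts, pkt.src, pkt.dst, pkt.proto, verdict.action, verdict.reason))
        return verdict

    def _outbound(self, pkt):
        proto = pkt.proto if pkt.proto in self.limits else "other"
        window = self.outbound[(pkt.src, proto)]
        # Slide the window: forget connections older than WINDOW seconds.
        while window and pkt.ts - window[0] >= self.window:
            window.popleft()
        if pkt.new_conn:
            if len(window) >= self.limits[proto]:
                return Verdict("block", b"", f"outbound {proto} limit {self.limits[proto]}/{self.window}s reached")
            window.append(pkt.ts)
        # Within limits: still inspect the payload and scrub known exploit strings.
        payload = pkt.payload
        for needle, replacement in self.rules:
            if needle in payload:
                return Verdict("modify", payload.replace(needle, replacement), f"payload scrubbed: {needle!r}")
        return Verdict("pass", payload, "outbound within limits")


def demo():
    """Constructed trace: one inbound probe, then a compromised honeypot that starts scanning."""
    hw = Honeywall({"10.0.0.11"}, limits={"tcp": 3, "udp": 20, "icmp": 50, "other": 10})
    actions = [hw.filter(Packet(0, "203.0.113.5", "10.0.0.11", "tcp", b"GET / HTTP/1.0", True)).action]
    for i in range(4):  # fourth new outbound TCP connection exceeds the limit of 3
        actions.append(hw.filter(Packet(10 + i, "10.0.0.11", "198.51.100.7", "tcp", b"", True)).action)
    v = hw.filter(Packet(30, "10.0.0.11", "198.51.100.7", "udp", b"exec /bin/sh -c id", True))
    actions.append(v.action)
    return actions, v.payload, hw


if __name__ == "__main__":
    actions, scrubbed, hw = demo()
    print(actions, scrubbed)
    for entry in hw.log:
        print(entry)
```

Packets of an already-blocked flow are not modelled; on a real Honeywall the firewall's connection state drops them, and the limit counters are what keep a compromised honeypot from becoming a launch point against third parties.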
Advantages and Disadvantages of Honeynets/Honeypots
Advantages:
• Honeypots are focused (small data sets, every event is worth a look)
• Honeypots help reduce false positives
• Honeypots help catch unknown attacks (reduce false negatives)
• Honeypots can capture encrypted activity (cf. Sebek, which captures on the host)
• Honeypots work with IPv6
• Honeypots are very flexible (an advantage or a disadvantage?)
• Honeypots require minimal resources
Disadvantages:
• Honeypots have a limited field of view (they only see traffic aimed at them)
• Risk: a compromised high-interaction honeypot can be turned against other systems, which is why data control is required
Q&A
Thank you 1/12/2011