Abstract On Honey Pots
Date: 26/9/2011
TABLE OF CONTENTS
Abstract
1. Introduction
2. History of Honeypots
3. The Value of Honeypots
4. Building a Honeypot
5. Implementation
6. How do Honeypots Work
7. How does a Honeypot Gather Information
8. Types of Honeypots
9. Prevention, Detection and Response
10. Examples of Honeypots
11. Honeynets
12. Levels of Interaction
13. Conclusion
Abstract:
For every consumer and business on the Internet, viruses, worms and crackers are but a few of the security threats. Conventional security systems can only react to or prevent attacks; they cannot give us information about the attacker, the tools used or the methods employed. Honeypots are therefore a novel approach to network security and security research alike. Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. They provide a cost-effective way to increase the security posture of an organization, and nowadays they are also used extensively by the research community to study issues in network security.

1. INTRODUCTION:
Honeypots are computer systems or network resources that appear to be part of the network but have been deployed as a sitting duck to entice hackers. We can define a honeypot as an information system resource whose value lies in unauthorized or illicit use of that resource. Most honeypots are installed together with firewalls, and the two work in opposite directions: a honeypot allows all traffic to come in but blocks (or tightly limits) all outgoing traffic. Installed inside the network firewall, a honeypot is a means of monitoring and tracking hackers and a unique tool for learning about their tactics.

Is it just a computer? A honeypot is often a computer, but it can also take other forms, such as data records, idle IP address space, or files. It must be handled carefully, because it can carry hazards into a network: a hacker can use a compromised honeypot as a stepping stone to break into other systems, so it should be walled off appropriately.

A honeypot can run a hardened operating system or one that appears to have several vulnerabilities that give easy access to its resources. It can be as simple as a single computer running a program that listens on any number of ports; when a connection is made, the program logs the source IP and alerts the owner by e-mail. A honeypot resource has no real use: normal users never connect to it. It is set up only to lure malicious users into attacking it. Because it has no production role, if a system administrator notices a user connecting to it, that user is almost always malicious.

The concept of honeypots in general is to catch malicious network activity with a prepared machine that is used as bait. Data about the compromise is collected by software that continuously records what happens when the honeypot is attacked. This information serves as a surveillance and early-warning tool and also as an aid to computer and network forensics. The intruder is meant to find the honeypot and try to break into it. The type and purpose of the honeypot then determine what the attacker will be able to do. A common setup is to deploy a honeypot alongside a production system.

The two main reasons honeypots are deployed are:
1. To learn how intruders probe and attempt to gain access to your systems, and to gain insight into their attacks.
2. To gather the information required to aid in the apprehension or prosecution of intruders.

Figure 1 shows the honeypot coloured orange. It is not registered in any name server or other production system (such as a domain controller), in order to hide its existence. This is important, because only in a properly configured network can one assume that every packet sent to the honeypot is suspect. If packets from misconfigured systems arrive, the number of false alerts rises and the value of the honeypot drops.

2. HISTORY OF HONEYPOTS:
An early publication, An Evening with Berferd by Bill Cheswick, follows a computer hacker's moves through traps that Cheswick and his colleagues used to catch him. In such writings were the beginnings of what became honeypots. The first honeypot toolkit was released in 1997 and was called the Deception Toolkit; its point was to turn deception back on the attacker. In 1998 the first commercial honeypot, CyberCop Sting, came out. In 2002 honeypots came to be shared and used all over the world. Since then honeypot technology has improved greatly, and many honeypot users feel that this is only the beginning. In 2005 the Philippine Honeypot Project was started to promote computer safety in the Philippines.
3. THE VALUE OF HONEYPOTS:
Honeypots can help protect an organization in three ways: prevention, detection and response.

The first way is prevention, for example with so-called sticky honeypots. These solutions monitor unused IP space. When probed by scanning activity, they interact with the attacker and slow them down, using a variety of TCP tricks such as advertising a window size of zero, which puts the attacker into a holding pattern. This is excellent for slowing down or stopping the spread of a worm that has penetrated the organization. One example of a sticky honeypot is the LaBrea tarpit. Sticky honeypots are most often low-interaction solutions (one could almost call them no-interaction solutions, as they slow the attacker to a crawl).

The second way honeypots can help protect an organization is through detection. Detection is critical: its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, you can react quickly, stopping or mitigating the damage they have done. Traditionally, detection has proven extremely difficult. Technologies such as IDS sensors and system logs have proven ineffective for several reasons: they generate far too much data and a large percentage of false positives, they cannot detect new attacks, and they cannot work in encrypted or IPv6 environments. Honeypots excel at detection, addressing many of these problems of traditional detection.

The third and final way a honeypot can help protect an organization is in response. Once an organization has detected a failure, how does it respond? This can be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done; in these situations detailed information on the attacker's activity is critical. Two problems compound incident response. First, often the very systems that were compromised cannot be taken offline for analysis. Production systems such as an organization's mail server are so critical that, even though they have been hacked, security professionals may not be able to take them down for a proper forensic analysis. Instead they are limited to analysing the live system while it is still providing production services. This cripples the ability to analyse what happened, how much damage the attacker has done, and whether the attacker has broken into other systems. The other problem is that even if the system is pulled offline, there is so much data pollution that it can be very difficult to determine what the attacker did. By data pollution we mean that there has been so much legitimate activity (users logging in, mail accounts read, files written) that it is hard to separate normal day-to-day activity from the attacker's. Honeypots can help address both problems. They make an excellent incident response tool, as they can quickly and easily be taken offline for a full forensic analysis without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious activity. This makes hacked honeypots much easier to analyse than hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to respond to an incident rapidly and effectively.

4. BUILDING A HONEYPOT:
To build a honeypot, a set of virtual machines (VMs) is created and set up on a private (host-only) network with the host OS. To facilitate data control, a stateful firewall such as iptables on the host can be used to log and filter connections; this firewall monitors the packets sent from the VMs. Data control cannot be performed by the host OS when the VMs are in bridged mode, since all data from the VMs then bypasses any firewall or IDS running on the host, as shown in Figure 2. The final step is data capture, for which tools such as Sebek and Term Log can be used. Once data has been captured, it can be analysed with tools such as Honey Inspector, PrivMsg and The Sleuth Kit.

Figure 2: Structure of a VM-based honeypot.

This approach is remarkable in its simplicity, but a few significant issues need to be brought to light:
1. The choice of a private host-only network. Though this may seem counter-intuitive at first, there is relatively sound reasoning for it.
2. While bridging the VMs onto the physical network would seem like a better approach, because it transparently forwards packets to the VMs and eliminates an additional layer of routing, it requires an additional data control device, which will typically be configured in Layer 2 bridging mode so that it is transparent to the attacker.
3. The firewall on the host should be transparent to the attacker. This requires considerable effort, since firewalls by default work at Layer 3 or above. Rendering the firewall transparent may require recompiling the kernel, which is not possible on all operating systems, such as Windows.

Finally, once a honeypot is compromised, a restoration mechanism has to be in place so that it is instantly taken off the network and all of its holes are carefully plugged before it is placed back on the network. This is currently a manual process and can only be partly automated.

5. IMPLEMENTATION:
On the basis of their implementation, honeypots can be categorized as follows:

Low-Involved Honeypots: A low-involved (low-interaction) honeypot has a few ports open, so that the administrator can see which ports the attackers try to connect to. The attacker is not allowed to do anything else on it. Hence, low-involved honeypots do not give much insight into the attacker and are normally used as production honeypots.

High-Involved Honeypots: High-involved (high-interaction) honeypots are considered relatively risky. They can be used to gather a lot of insight into the tools, techniques and methods used by the attacker, and are therefore normally used as research honeypots.
6. HOW DO HONEYPOTS WORK:
Honeypots work by monitoring and/or controlling the intruder during their use of the honeypot. A critical element of any honeypot is data capture: the ability to log, alert on and capture everything the intruder is doing. Most honeypot solutions, such as Honeyd or Specter, have their own logging and alerting capabilities. It is highly recommended to deploy Snort alongside any honeypot. Snort is an open-source IDS that will not only detect and alert on attacks against your honeypot but can also capture the packets and payloads involved in the attack. This information can prove critical in analysing the attackers' activities.

7. HOW DOES A HONEYPOT GATHER INFORMATION:
A honeypot must capture data in an area that is not accessible to the attacker. Data capture happens on a number of levels:
1. Firewall logs. Simple, yet effective.
2. A packet sniffer (or similar IDS sensor). The sensor should be configured to passively monitor network traffic (for an added level of invisibility, it can be set up without an IP address or, in some cases, without an IP stack at all). This captures all cleartext communication and can recover keystrokes.
3. Local and remote logs. These should be set up just as on any other system. An experienced hacker may disable, delete or modify local logs, but plenty of useful information will still be available from the previous capture methods.
4. Remotely forwarded logs. These capture data on a remote log host and then instantly forward it to a system even further out of the attacker's reach.

Figure 3: Working of a honeypot.
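The first capture level above, firewall logs, is enough to build a useful detector, because a honeypot has no legitimate users: every source that touches it is suspect, and a source that touches many ports is scanning. The following Python is an added example written for this page, not code from the paper; it parses lines in the iptables LOG target format (the prefix HONEYPOT-IN, the honeypot address 192.0.2.10 and all addresses in the sample are constructed) and applies exactly that logic. The known-benign set exists for the caveat raised in the introduction: misconfigured or monitoring hosts that reach the honeypot would otherwise inflate false alerts.

```python
"""Detection logic over honeypot firewall logs (added example, constructed data)."""
import re
from collections import defaultdict

# The iptables LOG target writes "PREFIX: IN=... SRC=... DST=... PROTO=... SPT=... DPT=...".
# SPT/DPT are optional because ICMP lines carry TYPE/CODE instead.
IPT_RE = re.compile(
    r"(?P<prefix>[A-Z0-9_-]+):\s+IN=(?P<iface>\S*).*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?"
    r"PROTO=(?P<proto>\S+)(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)

# Constructed sample, not real traffic. 192.0.2.10 is the honeypot; the last line is
# unrelated production traffic logged with another prefix and must be ignored.
SAMPLE_LOG = """\
Sep 26 10:01:02 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 26 10:01:02 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 26 10:01:03 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51236 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 26 10:01:03 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51237 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 26 10:01:04 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51238 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Sep 26 10:05:40 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=117 ID=4321 DF PROTO=TCP SPT=49211 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 26 10:07:11 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=192.0.2.99 DST=192.0.2.10 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Sep 26 10:09:00 honeywall kernel: HONEYPOT-IN: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep 26 10:09:30 honeywall kernel: UNRELATED: IN=eth1 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=22
"""


def parse_log_line(line, prefix="HONEYPOT-IN"):
    """Return the fields of one honeypot log line, or None for non-matching lines."""
    m = IPT_RE.search(line)
    if not m or m.group("prefix") != prefix:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")) if m.group("dpt") else None,
    }


def summarize(lines, prefix="HONEYPOT-IN"):
    """Aggregate per source: packet count, distinct destination ports, protocols."""
    per_src = defaultdict(lambda: {"packets": 0, "ports": set(), "protos": set()})
    for line in lines:
        ev = parse_log_line(line, prefix)
        if ev is None:
            continue
        s = per_src[ev["src"]]
        s["packets"] += 1
        s["protos"].add(ev["proto"])
        if ev["dpt"] is not None:
            s["ports"].add(ev["dpt"])
    return dict(per_src)


def alerts(summary, scan_threshold=5, known_benign=frozenset()):
    """Every source that contacted the honeypot is suspect, except whitelisted benign
    hosts (an internal scanner, a misconfigured NTP client) that would only add noise.
    A source hitting scan_threshold or more distinct ports is reported as a port scan."""
    out = []
    for src, s in sorted(summary.items()):
        if src in known_benign:
            continue
        kind = "PORT SCAN" if len(s["ports"]) >= scan_threshold else "SUSPECT CONTACT"
        out.append(f"{kind}: {src} -> {s['packets']} packets, "
                   f"ports {sorted(s['ports'])}, protos {sorted(s['protos'])}")
    return out


if __name__ == "__main__":
    for a in alerts(summarize(SAMPLE_LOG.splitlines()), known_benign={"192.0.2.99"}):
        print(a)
```

Run against the sample, the misconfigured NTP client 192.0.2.99 is suppressed, 198.51.100.23 is reported as a single suspect contact on 445, and 203.0.113.7 is reported as a port scan across five ports plus a ping. In a deployment the lines would be read from the remotely forwarded log host described in level 4, not from the honeypot itself.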
8. TYPES OF HONEYPOTS:
The types of honeypots describe them in greater detail and define their goals.

8.1 Production Honeypots:
A production honeypot alone is inadequate against an attack that becomes hard to contain, so measures must still be taken to prevent a real attack. With the knowledge gained from the attack on the honeypot, however, it is easier to determine and close security holes. The investment in a honeypot also helps justify a firewall, and its data provides statistics of the attacks that happen each month. A person with legitimate access to the internal network can pose a threat whose activities are otherwise hard to identify; a honeypot can be used to prove whether that person has malicious intentions. Another benefit, and the most important one, is that a honeypot detects attacks which are not caught by other security systems.

8.2 Research Honeypots:
Research honeypots are used to study blackhats (a blackhat is a skilled hacker who uses his or her ability to pursue his or her interests illegally). The honeypot operator gains knowledge about the blackhat's tools and tactics. When a system is compromised, administrators usually find the tools used by the attacker but have no information about how they were used. A honeypot gives real-life insight into how the attack happened.

Honeyd research, honeypots against spam: Honeyd can be used effectively to battle spam. Since June 2003, Honeyd has been deployed to instrument several networks with spam traps. The networks are instrumented with open relays and open proxies, and the researchers observe how spammers detect open mail relays and so forth. All spam e-mail is intercepted and analysed to determine why it was received. A single Honeyd machine is capable of simultaneously instrumenting several class C networks, simulating machines running mail servers, proxies and web servers. Captured e-mail is sent to a collaborative spam filter that allows other users to avoid reading known spam. Curiously, this setup has also been very successful in identifying hosts infected with worms. The findings were to be made available as a research paper. The diagram on the right shows the overall architecture of the system.

8.3 OTHERS:
There are other types as well:

a) Looking for trouble: client honeypots. Instead of passively waiting for an attack, client honeypots actively search out malicious servers; typically this has centred on web servers that deliver client-side browser exploits, but it is not limited to them. Recently, client honeypots have expanded to investigate attacks on office applications. Examples of client honeypots are the MITRE HoneyClient, Shelia, HoneyMonkey and Capture-HPC. These client honeypots all work on the same principle: start with a dedicated system, usually based on virtualization so that it can be reset to a clean state automatically after a successful infection; interact with potentially malicious servers; and monitor the system for unauthorized state changes that occur during or after the interaction with the server. Capture-HPC is now in version 2.0 and allows the use of different clients, such as Firefox, RealPlayer and Microsoft Word, as well as options to collect pushed malware and to log tcpdump captures.

Client honeypots need to interact with servers in order to determine whether they are malicious or not. With high-interaction client honeypots this is quite expensive, so selecting which servers to interact with can greatly increase the success rate of finding malicious servers on a network.
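The detection principle shared by the client honeypots just described (baseline the client, interact with the server, report unauthorized state changes) is shown below in Python. This is an added example written for this page, not code from Capture-HPC or the other tools named; the monitored "client" is a temporary directory standing in for a virtual machine, and the two interactions (a benign page load and a drive-by that drops Downloads/update.exe and rewrites etc/hosts) are constructed stand-ins for a browser visiting two servers. A real client honeypot reverts the whole VM between visits; here a fresh directory is created instead.

```python
"""Client-honeypot state monitoring: snapshot, interact, diff (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root):
    """Map every file under root (relative path) to (size, sha256)."""
    root = Path(root)
    state = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            state[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return state


def diff_snapshots(before, after):
    """Classify changes between two snapshots."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def visit(root, interact, allowed_changes=frozenset()):
    """Run one interaction against the monitored client and return (verdict, changes).
    allowed_changes lists paths the client itself legitimately writes (its page cache),
    so that expected side effects are not mistaken for a compromise."""
    before = snapshot(root)
    interact(root)
    after = snapshot(root)
    changes = diff_snapshots(before, after)
    unexpected = {k: [p for p in v if p not in allowed_changes] for k, v in changes.items()}
    verdict = "malicious" if any(unexpected.values()) else "benign"
    return verdict, unexpected


# --- constructed interactions standing in for a browser visiting two servers ---
def benign_server(root):
    (Path(root) / "browser/cache/index.html").write_text("<html>hello</html>")


def malicious_server(root):
    r = Path(root)
    (r / "browser/cache/index.html").write_text("<html>exploit</html>")
    (r / "Downloads").mkdir(exist_ok=True)
    (r / "Downloads/update.exe").write_bytes(b"MZ" + b"\x90" * 64)      # dropped payload
    (r / "etc/hosts").write_text("127.0.0.1 localhost\n203.0.113.9 bank.example\n")  # tampering


def make_client_root():
    """A clean 'client system' as a temp directory (stand-in for a reverted VM)."""
    root = Path(tempfile.mkdtemp(prefix="clienthp-"))
    (root / "browser/cache").mkdir(parents=True)
    (root / "etc").mkdir()
    (root / "etc/hosts").write_text("127.0.0.1 localhost\n")
    (root / "browser/cache/index.html").write_text("")
    return root


def demo():
    """Visit both servers from clean clients and return the verdicts."""
    allowed = {"browser/cache/index.html"}
    results, roots = {}, []
    for name, server in (("benign", benign_server), ("malicious", malicious_server)):
        root = make_client_root()
        roots.append(root)
        results[name] = visit(root, server, allowed)
    for root in roots:
        shutil.rmtree(root, ignore_errors=True)
    return results


if __name__ == "__main__":
    for name, (verdict, changes) in demo().items():
        print(name, verdict, changes)
```

The cache write is allowed in both visits; only the malicious visit leaves an unexpected new executable and a modified hosts file, which is the evidence a client honeypot records before reverting the VM.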
b) Niche players: application-specific honeypots. These are application- or protocol-specific honeypots. Some are designed to catch spam by masquerading as open e-mail relays or open proxies. Jackpot is written in Java and pretends to be a misconfigured SMTP server that allows relaying. Instead of relaying, it presents the list of messages to the operator, who can pass the spammer's test message and hold back the rest of the spam run. (Spammers usually deliver a test e-mail first to verify that the host in question really is an open relay.) The protocol that has received attention recently is HTTP, specifically web application honeypots. The Google Hack Honeypot (GHH) is designed to provide reconnaissance against attackers who use search engines as a hacking tool against your resources. It provides various modules, one of which looks like a misconfigured version of PHPShell. PHPShell allows an administrator to execute shell commands via a web interface, but access to it should be restricted, at the very least by a password. The Google Hack Database contains a search that matches unprotected PHPShell installations, and the GHH module reproduces this interface. GHH has a central web interface that allows the operator to monitor the commands users are trying to execute. Recently, a more sophisticated method of building web application honeypots was described in Michael Mueter's MSc thesis. This toolkit allows arbitrary PHP applications to be turned into high-interaction honeypots and has been tested with software such as phpMyAdmin, PHP-Nuke and phpBB.

Figure 6: Client honeypot. Figure 7: Google Hack Honeypot.

9. PREVENTION, DETECTION AND RESPONSE:

9.1 Prevention:
A honeypot cannot prevent an unpredictable attack, but it can detect it. One case in which it does prevent harm is when the attacker goes for the honeypot directly: it protects the production system by making the hacker waste time on a worthless target.

9.2 Detection:
Detecting intrusions in a network is similar to the function of an alarm system that protects a facility when unauthorized activity appears. A system might alert on suspicious or malicious activity even if the data is valid. Because of the high traffic volume on most networks, the chances of both false alarms and undetected attacks increase, leaving traffic unexamined to the attacker's benefit. A honeypot sees only traffic that should not exist, so it does not suffer from this volume problem.

9.3 Response:
Honeypots provide exact evidence of malicious activities and give information about the attack that can be used to prevent similar attacks in the future and to start countermeasures.

10. EXAMPLES OF HONEYPOTS:

10.1 BOF: A low-involved honeypot that is both easy to deploy and maintain.

10.2 Specter: Also an example of a low-involved honeypot. Similar to BOF, it emulates services such as FTP, Telnet and HTTP.

10.3 Honeyd: A low-involved honeypot. It emulates services such as FTP, Telnet and HTTP, and emulates different operating systems as well.

10.4 Mantrap: A high-involved honeypot. It offers services such as FTP, Telnet and HTTP on different operating systems, and gives more in-depth knowledge about malicious attackers.

11. HONEYNETS:
A collection of honeypots is combined to create a single honeynet: honeynets extend the concept of a single honeypot to a network of honeypots. Figure 8 shows a network diagram of a honeynet setup with four honeypots. Deploying a honeynet requires at least two devices: a honeypot and the Honeywall. The Honeywall acts in bridge mode, performing the same function as a switch. This connects the honeynet logically to the production network and allows the honeynet to share the production network's address space.

Here the attacker is given a honeypot with a real operating system, which means he can fully access and mangle it. Through that possibility an attacker could easily attack other systems or launch a denial-of-service attack. To reduce this risk, a firewall is configured on the Honeywall that limits outbound connections; access to the production network is completely restricted. The Honeywall also runs an intrusion detection system that monitors and records every packet going to and from the honeypots. Honeynets are classified as high-interaction honeypots.

Figure 8: Honeynet setup.
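The data control rules described for the Honeywall here, and for the host firewall in section 4 (block everything towards production, allow the attacker some outbound activity but cap it, and log every decision), can be written down as a small policy engine. The Python below is an added example for this page, not the Honeywall's own code or an iptables rule set: the honeynet prefix 192.0.2.0/28, the production ranges, the per-hour budgets and the flow list are all constructed assumptions, and only outbound flows are evaluated because the Honeywall lets inbound traffic reach the honeypots freely.

```python
"""Honeywall-style outbound data control over honeynet flows (added example)."""
import ipaddress
from collections import defaultdict, deque

HONEYNET = ipaddress.ip_network("192.0.2.0/28")          # honeypot address space (assumed)
PRODUCTION = [ipaddress.ip_network("10.0.0.0/8"),         # must never be reachable (assumed)
              ipaddress.ip_network("172.16.0.0/12")]
WINDOW_SECONDS = 3600
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 10}   # assumed per-hour budgets


class Honeywall:
    """Decides the fate of each new outbound connection from a honeypot and logs it."""

    def __init__(self, limits=DEFAULT_LIMITS):
        self.limits = limits
        self.seen = defaultdict(deque)   # (src, proto) -> timestamps of allowed connections
        self.log = []                    # every decision recorded: data capture as a by-product

    def outbound_decision(self, ts, src, dst, proto, dport=None):
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip not in HONEYNET:
            verdict = "DROP: not from honeynet"       # the bridge only carries honeynet traffic
        elif any(dst_ip in net for net in PRODUCTION):
            verdict = "DROP: production network"      # access to production completely restricted
        else:
            bucket = proto if proto in self.limits else "other"
            window = self.seen[(src, bucket)]
            while window and ts - window[0] >= WINDOW_SECONDS:
                window.popleft()                      # sliding one-hour window
            if len(window) >= self.limits[bucket]:
                verdict = "DROP: rate limit"          # attacker may probe, but not flood others
            else:
                window.append(ts)
                verdict = "ALLOW"
        self.log.append((ts, src, dst, proto, dport, verdict))
        return verdict


def sample_flows():
    """Constructed outbound flows from a compromised honeypot 192.0.2.5 (not real traffic)."""
    flows = [
        (0, "192.0.2.5", "203.0.113.50", "tcp", 80),     # attacker fetches a toolkit
        (5, "192.0.2.5", "10.1.2.3", "tcp", 445),         # pivot attempt into production
        (6, "192.0.2.5", "198.51.100.1", "icmp", None),   # ping before the flood
    ]
    flows += [(10 + i, "192.0.2.5", f"198.51.100.{i + 1}", "tcp", 80) for i in range(40)]  # flood
    flows.append((60, "192.0.2.77", "203.0.113.1", "tcp", 22))      # not a honeypot address
    flows.append((3700, "192.0.2.5", "203.0.113.51", "tcp", 6667))  # an hour later: fresh budget
    return flows


def replay(flows, wall=None):
    """Feed flows through a Honeywall; return verdict counts and the wall (with its log)."""
    wall = wall or Honeywall()
    counts = defaultdict(int)
    for flow in flows:
        counts[wall.outbound_decision(*flow)] += 1
    return dict(counts), wall


if __name__ == "__main__":
    counts, wall = replay(sample_flows())
    print(counts)
    for entry in wall.log[:5]:
        print(entry)
```

With the assumed budget of 15 TCP connections per hour, the toolkit download and the first 14 flood connections are allowed, the remaining 26 are dropped, the pivot into 10.1.2.3 is dropped outright, and the connection an hour later is allowed again once the window has slid past the flood. The log holds one entry per flow, which is what the analyst reads after the honeypot is taken offline.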
12. LEVELS OF INTERACTION:

Low-interaction honeypots: Low-interaction honeypots are typically used as production honeypots. This is a secure solution that poses little risk to the environment in which it is installed. Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems, and attacker activity is limited to the level of emulation the honeypot provides. For example, an emulated FTP service listening on port 21 may just emulate an FTP login, or it may support a variety of additional FTP commands. The advantage of a low-interaction honeypot is its simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the services to emulate and monitor, and letting the honeypot go from there. This plug-and-play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity: the attacker never has access to an operating system from which to attack or harm others. The main disadvantages of low-interaction honeypots are that they log only limited information and are designed to capture known activity; the emulated services can only do so much. It is also easier for an attacker to detect a low-interaction honeypot: no matter how good the emulation is, a skilled attacker can eventually detect its presence. Examples of low-interaction honeypots include Specter, Honeyd and KFSensor.

Honeyd: Honeyd is a low-interaction honeypot. Developed by Niels Provos, it is open source and designed to run primarily on Unix systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Whenever it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server on TCP port 21. When an attacker connects to the emulated service, the honeypot not only detects and logs the activity but captures all of the attacker's interaction with it. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even learn what they are looking for or who they are. It all depends on the level of emulation. Most emulated services work the same way: they expect a specific type of behaviour and are programmed to react in a predetermined way. If attack A does this, react this way; if attack B does that, respond that way. The limitation is that if the attacker does something the emulation does not expect, it does not know how to respond. Most low-interaction honeypots, including Honeyd, simply generate an error message. Some honeypots, such as Honeyd, can emulate not only services but entire operating systems: Honeyd can appear to the attacker to be a Cisco router, a Windows XP web server or a Linux DNS server.

High-interaction honeypots: High-interaction honeypots are different; they involve real operating systems and applications. Nothing is emulated: we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behaviour, everything from new rootkits to international IRC sessions. Second, high-interaction honeypots make no assumptions about how an attacker will behave. Instead, they provide an open environment that captures all activity, which lets them record behaviour we would not expect. An excellent example is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol). However, this also increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented to prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more; however, they are more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets. Such systems are also deployed as production honeypots for detection, but the chance of failure is higher.

Honeynets: Honeynets are a prime example of a high-interaction honeypot. They are not a product, and not a software solution that you install on a computer. Instead, Honeynets are an architecture: an entire network of computers designed to be attacked. The idea is to create a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack and break into these systems on their own initiative; when they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to e-mails and file uploads, is captured without their knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity using a Honeywall gateway. This gateway allows inbound traffic to the victim systems but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems but prevents the attacker from harming other non-Honeynet computers.
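The emulated-service behaviour described above for Honeyd (a table of predetermined reactions, an error for anything unexpected, and capture of the login, password and commands), which is also the "single computer running a program to listen on a port" of the introduction, looks like this when written out. The Python below is an added example for this page, not Honeyd's code or one of its service scripts; the ProFTPD banner string is an assumed value, the server binds to a free port on 127.0.0.1 for the demonstration where a real deployment would listen on TCP 21, and the recorder keeps its log in memory where a real deployment would forward it off the honeypot.

```python
"""A minimal low-interaction FTP honeypot with capture (added example)."""
import socket
import socketserver
import threading
import time


class Recorder:
    """Thread-safe log of everything sent and received. A real honeypot forwards this
    off-box immediately so the attacker cannot tamper with it."""

    def __init__(self):
        self._lock = threading.Lock()
        self.events = []

    def record(self, peer, direction, text):
        with self._lock:
            self.events.append((time.time(), peer, direction, text))


RECORDER = Recorder()

# Predetermined reactions: this is everything the emulation "knows". Any other verb
# gets a generic error, which is the limitation the text describes.
RESPONSES = {
    "USER": "331 Password required for {arg}.",
    "PASS": "230 User logged in, proceed.",
    "SYST": "215 UNIX Type: L8",
    "PWD":  '257 "/" is the current directory.',
    "NOOP": "200 NOOP ok.",
    "QUIT": "221 Goodbye.",
}
UNKNOWN = "500 Unknown command."


class FtpEmulator(socketserver.StreamRequestHandler):
    def handle(self):
        self.send("220 ProFTPD 1.3.1 Server ready.")    # fake banner (assumed value)
        while True:
            line = self.rfile.readline()
            if not line:
                break
            text = line.decode("latin-1").rstrip("\r\n")
            RECORDER.record(self.client_address[0], "recv", text)
            verb, _, arg = text.partition(" ")
            self.send(RESPONSES.get(verb.upper(), UNKNOWN).format(arg=arg))
            if verb.upper() == "QUIT":
                break

    def send(self, text):
        RECORDER.record(self.client_address[0], "send", text)
        self.wfile.write((text + "\r\n").encode("latin-1"))
        self.wfile.flush()


def start_honeypot(host="127.0.0.1", port=0):
    """Bind the emulated service in a background thread; port 0 picks a free port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), FtpEmulator)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def talk(host, port, commands):
    """Scripted client standing in for an attacker; returns the banner and replies."""
    replies = []
    with socket.create_connection((host, port), timeout=5) as s:
        f = s.makefile("rwb")
        replies.append(f.readline().decode().rstrip("\r\n"))
        for cmd in commands:
            f.write((cmd + "\r\n").encode())
            f.flush()
            replies.append(f.readline().decode().rstrip("\r\n"))
    return replies


def captured_credentials(events=None):
    """Pair up USER and PASS lines per peer: the attacker's login attempts."""
    events = RECORDER.events if events is None else events
    creds, pending = [], {}
    for _, peer, direction, text in events:
        if direction != "recv":
            continue
        verb, _, arg = text.partition(" ")
        if verb.upper() == "USER":
            pending[peer] = arg
        elif verb.upper() == "PASS" and peer in pending:
            creds.append((peer, pending.pop(peer), arg))
    return creds


if __name__ == "__main__":
    srv = start_honeypot()
    print(talk(*srv.server_address, ["USER root", "PASS toor", "SYST", "SITE EXEC id", "QUIT"]))
    print(captured_credentials())
    srv.shutdown()
    srv.server_close()
```

The scripted session shows both halves of the argument in the text: the login and the SYST probe are answered convincingly and the credentials root/toor are captured, but SITE EXEC id, which a real ProFTPD would either execute or reject with a specific error, gets only the generic 500 line, which is exactly the kind of response a skilled attacker uses to fingerprint an emulation.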
13. CONCLUSION:
In this paper we looked at various aspects of honeypots. A honeypot is just a tool; how we use that tool is up to us. There are a variety of honeypot options, each having different value to organizations. We have discussed the value of honeypots and how they reduce attacks. We have categorized two types of honeypots, production and research. Production honeypots help reduce risk in an organization: while they do little for prevention, they can greatly contribute to detection and reaction. Research honeypots are different in that they are not used to protect a specific organization; instead they are used as a research tool to study and identify the threats in the Internet community. Regardless of what type of honeypot we use, we must keep in mind the level of interaction: the more the honeypot can do and the more we can learn from it, the more risk potentially exists, and we have to determine the best balance between risk and capability for our situation. We also think it is important that new legal policies be formulated to foster and support research in this area. Honeypots will not solve an organization's security problems; only best practices can do that. However, with the different types of honeypots available, such as BOF, Honeyd and Specter, they can be a tool that contributes to those best practices and benefits the broader Internet community.