
Honeypot FAQ

What is a honeypot?

A honeypot is a security resource whose value lies in being probed, attacked, or compromised. Unlike firewalls or IDS sensors, honeypots are something you want the bad guys to interact with. To learn more about what honeypots are all about, you may want to start with the paper Honeypots: Definitions and Values.

How do honeypots work?

Conceptually, honeypots are very simple. They are a resource that has no production value and no authorized activity. Any interaction with a honeypot is therefore most likely malicious activity.

What is the value of a honeypot, what can it do for me?

Honeypots are unique in that they don't solve a specific problem. Instead, they are a highly flexible tool with many different applications to security. It all depends on what you want to achieve. Some honeypots can be used to help prevent attacks, others can be used to detect attacks, while other honeypots can be used for information gathering and research.

What are the advantages of a honeypot?

Honeypots have several powerful advantages. They include:

Small data sets: Honeypots collect a small amount of data, but almost all of this data is real attacks or unauthorized activity. Instead of dealing with 5,000 alerts and 10GB of logs every day, you may only get 30 alerts with your honeypots and 1MB of logs every day. Since honeypots collect only malicious activity, it is much easier to analyze and react to the information they collect.

Reduced false positives: With most detection technologies (such as IDS sensors) a large percentage of your alerts are false warnings, making it very difficult to figure out what is a real attack. With honeypots, almost everything you detect or capture is an attack or unauthorized activity, vastly reducing false positives.

False negatives: Unlike most technologies, it's very easy for honeypots to detect and record attacks or behavior never seen before in the wild.

Cost effective: Honeypots only interact with malicious activity, so you do not need high performance resources. Most honeypots can easily run on an old Pentium computer with 128 MB of RAM.

Simplicity: Honeypots are very simple; there are no advanced algorithms to develop, nor any rulebases to maintain.

What are the disadvantages of a honeypot?

Honeypots also have their disadvantages. This is why they do not replace any existing technologies. Instead they work with and complement your existing infrastructure.

Limited View: Honeypots only see activity that interacts with them. They do not see nor capture any attacks directed against existing systems.

Risk: Any time you add another resource with an IP stack, you introduce risk. While different honeypots have different levels of risk, this is always an issue you must address.

What are the different types of honeypots?

In general, there are two different types, Production and Research. Production honeypots are used to protect your organization; they are used primarily for preventing, detecting, or responding to attacks. Generally these honeypots emulate services and operating systems. Research honeypots are used to gather information. This information can be used for profiling, early warning and prediction, statistical analysis, etc. Generally these honeypots do not emulate, instead they are real operating systems for attackers to interact with.

Which one is best?

There really is no single best honeypot. Production and Research honeypots tend to be vastly different in how they work. The best honeypot for you depends on what you want to achieve.

I've never worked with honeypots, where should I start?

If you are new to the world of honeypots and want to learn what they are all about, BackOfficer Friendly is the best place to start. This is an extremely simple and basic honeypot that can run on any Windows system. It's very limited in its capabilities, but it's excellent for demonstrating honeypot concepts (and it's FREE!). For more advanced users who prefer Unix, Honeyd is an open source solution for Unix.

What are the legal issues of honeypots?

As a new technology, people often ask what the legal issues of honeypots are. While honeypots are not specifically addressed in federal statutes or regulation, the following issues can be seen as a starting point. For specific information, refer to your own legal counsel.

Liability: You can potentially be held liable if your honeypot is used to attack or harm other systems or organizations. This risk is the greatest with Research honeypots.

Privacy: Honeypots can capture extensive amounts of information about attackers, which can potentially violate their privacy. Once again, this risk is primarily with Research honeypots.

Entrapment: For some odd reason, many people are concerned with the issue of entrapment. Entrapment is a legal defense used to avoid a conviction; you cannot be charged with entrapment. Most legal experts believe that entrapment is not an issue for honeypots.

What is level of interaction?

Different honeypots have different levels of interaction. Level of interaction measures how much activity, or interaction, an attacker can have with a honeypot. Low interaction honeypots limit the level of interaction by emulating services. The interaction an attacker has with the honeypot is limited by how advanced the emulation of the service is. An example of a low interaction honeypot is Specter. In contrast, high interaction honeypots do not emulate services; instead they provide real applications for attackers to interact with. An example of a high interaction honeypot is Honeynets. Neither is better than the other. Low interaction is simpler to deploy and has less risk (as the attacker can do less), but you cannot learn as much. With a high level of interaction you can learn a great deal, as the attacker has a real operating system and applications to interact with. However, this comes at a cost: the more interaction you provide, the more complexity and the greater risk you have.
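The two ideas above, that any interaction with a honeypot is worth logging because the resource has no authorized use, and that a low interaction honeypot bounds what an attacker can do by the depth of its emulation, can be seen in a few dozen lines. The following is an added example, not code from this FAQ or from Specter, BackOfficer Friendly or Honeyd: a minimal low-interaction honeypot in Python that presents a constructed SMTP-style banner, answers only a fixed table of commands, and writes one JSON log record per line received. The host name, banner text, port and replies are all assumptions made up for the example.

```python
import json
import socketserver
import threading
from datetime import datetime, timezone

# Constructed banner for a fictitious mail host; not taken from any real product.
BANNER = b"220 mail.example.internal ESMTP ready\r\n"

# The whole "level of interaction" is this table: an attacker can get exactly as
# far as these canned replies allow and no further. Anything else is refused.
RESPONSES = {
    b"HELO": b"250 mail.example.internal\r\n",
    b"EHLO": b"250 mail.example.internal\r\n",
    b"NOOP": b"250 OK\r\n",
    b"QUIT": b"221 Bye\r\n",
}


def emulate_command(line: bytes) -> bytes:
    """Return the canned reply for one client line (low-interaction emulation)."""
    verb = line.strip().split(b" ", 1)[0].upper()
    return RESPONSES.get(verb, b"502 Command not implemented\r\n")


def log_record(peer: str, line: bytes) -> dict:
    """Build the log entry for one received line.

    Nothing legitimate ever talks to this service, so every line is recorded
    and every record is, by definition, an event an analyst should look at."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": peer,
        "data": line.decode("ascii", errors="replace").rstrip("\r\n"),
    }


class HoneypotHandler(socketserver.StreamRequestHandler):
    def handle(self):
        peer = f"{self.client_address[0]}:{self.client_address[1]}"
        self.wfile.write(BANNER)
        while True:
            line = self.rfile.readline()
            if not line:            # client went away
                break
            print(json.dumps(log_record(peer, line)), flush=True)
            self.wfile.write(emulate_command(line))
            if line.strip().upper().startswith(b"QUIT"):
                break


def serve(host: str = "127.0.0.1", port: int = 2525):
    """Bind the emulated service in a background thread and return the server."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    server = socketserver.ThreadingTCPServer((host, port), HoneypotHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = serve()
    print(f"listening on {srv.server_address}", flush=True)
    try:
        threading.Event().wait()    # run until Ctrl-C
    except KeyboardInterrupt:
        srv.shutdown()
```

Run it and connect with any TCP client to the chosen port; each line typed shows up on stdout as a JSON record. Moving toward higher interaction means growing the RESPONSES table into real protocol state (and eventually a real daemon), which is exactly where the FAQ says the added risk and complexity come from.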

Where can I learn more about honeypots?

One of the best ways to learn about honeypots is from the security community. It's highly recommended you join the Honeypot mailing list to ask questions and learn about honeypot technologies.

Technical Issues

What are Honeynets?

Honeynets are one type of honeypot; specifically, they are a Research honeypot. Honeynets are entire networks of real systems designed to be compromised. You can learn more about Honeynets at the Honeynet Project.

What does GenI or GenII mean?

There are currently two different types of Honeynets, GenI and GenII. These are acronyms for 1st Generation and 2nd Generation technologies. GenI (or 1st Generation) Honeynets use basic technologies to capture and control attacker activity, mainly a layer three firewall that counts outbound connections. A GenII (or 2nd Generation) Honeynet uses more advanced technologies, specifically a layer two bridge that can not only count connections, but block or modify outbound attacks. It also uses more advanced tools for capturing attackers' keystrokes. You can learn more about GenI and GenII at Know Your Enemy: Honeynets.

What are Honeytokens?

Honeytoken is a term first published by Augusto Paes de Barros. While the concept is not new, the term is. A Honeytoken is a resource, such as a Word document, Excel spreadsheet, or some other type of data, that has no production value or authorized activity. If someone attempts to access or retrieve this data, they are committing an unauthorized act (intentionally or unintentionally). One example of their use would be to have IDS sensors configured to look for someone accessing or transferring a Honeytoken.
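The detection the last sentence describes, an analyst watching for anyone touching a Honeytoken, as an added example that is not part of the FAQ: a Python script that parses two constructed log formats (an Apache-style web access log and a simple key=value file-server audit log), and alerts whenever a parsed record mentions one of the planted tokens. The token names, log lines, hosts and user names are all made up for this example.

```python
import re

# Constructed honeytokens: a document nobody has a reason to open and an account
# no real system uses. Both names are assumptions made up for this example.
HONEYTOKENS = {
    "document": "Q3_acquisition_targets.xlsx",
    "account": "svc_backup_legacy",
}

# Constructed sample log lines (not from any real system): Apache-style web
# access entries and key=value audit entries from a fictitious file server.
SAMPLE_LOGS = [
    '10.1.4.22 - - [12/Mar/2004:10:02:11 +0000] "GET /finance/reports/2003.pdf HTTP/1.1" 200 8123',
    '10.1.9.13 - - [12/Mar/2004:10:05:43 +0000] "GET /finance/Q3_acquisition_targets.xlsx HTTP/1.1" 200 45120',
    r'AUDIT user=jsmith action=read path=\\fileserv\finance\budget.xls',
    'AUDIT user=svc_backup_legacy action=login host=fileserv result=success',
    '10.1.4.22 - - [12/Mar/2004:10:09:02 +0000] "GET /index.html HTTP/1.1" 200 512',
]

ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)
AUDIT_RE = re.compile(r'^AUDIT (?P<fields>.+)$')


def parse(line: str):
    """Turn one raw line into a flat dict of string fields, or None if unrecognized."""
    m = ACCESS_RE.match(line)
    if m:
        return {"type": "web", **m.groupdict()}
    m = AUDIT_RE.match(line)
    if m:
        fields = dict(kv.split("=", 1) for kv in m["fields"].split())
        return {"type": "audit", **fields}
    return None


def find_honeytoken_hits(lines, tokens=HONEYTOKENS):
    """Alert on every parsed record whose fields mention a honeytoken.

    Matching the parsed fields rather than the raw text means each alert carries
    who (src address or user) touched which token, which is what the analyst
    needs; a honeytoken has no legitimate use, so every hit is actionable."""
    alerts = []
    for lineno, line in enumerate(lines, 1):
        rec = parse(line)
        if rec is None:
            continue
        for kind, value in tokens.items():
            if any(value in field for field in rec.values()):
                alerts.append({"line": lineno, "token": kind, "value": value, "record": rec})
    return alerts


if __name__ == "__main__":
    for a in find_honeytoken_hits(SAMPLE_LOGS):
        who = a["record"].get("src") or a["record"].get("user")
        print(f"ALERT line {a['line']}: {a['token']} honeytoken {a['value']!r} touched by {who}")
```

On the sample, the two quiet lines (the PDF and index page fetches, the budget read) produce nothing, while the spreadsheet download and the login as the planted account each raise one alert. In a real deployment the same check would feed an IDS signature or a log-monitoring rule rather than a print statement.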

Can honeypots monitor unused IP space?

Most definitely. We mentioned that one of the disadvantages of honeypots is that they capture only traffic interacting directly with them. To increase the odds of that happening, some honeypots work by monitoring all of your unused IP space. If anyone (or anything) attempts to interact with an IP address that does not have a computer assigned to it, some honeypots can dynamically take over that IP address, assume the identity of the victim, and then interact with the attacker. Two such examples are LaBrea Tarpit and Honeyd. Both work on the concept of ARP spoofing.

Data Control: How can I control what the bad guy is doing?

A critical element of most honeypots, especially Honeynets, is data control, the ability to contain the activity of a bad guy. The purpose of data control is to allow the attacker to gain access to and control a honeypot, but not allow them to go back outbound and harm any non-honeypot systems. Some honeypots, mainly low interaction honeypots, do not require data control, as the honeypots do not allow attackers full access to the operating system. High interaction honeypots do require data control. An example of data control would be a firewall allowing attackers inbound access to the honeypots (so they could attack them), while the same firewall blocks all outbound attacks from the honeypot. You can learn more about different data control solutions at the Honeynet Tools Page.
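The GenI data control policy described earlier (a layer three firewall that counts outbound connections) and the inbound-allowed, outbound-contained rule just given can be reduced to one decision procedure. The following is an added example, not code from the FAQ or from any Honeynet Project tool: a Python model of that decision over a constructed list of connection attempts. Inbound connections to a honeypot are always allowed; outbound connections from a honeypot are allowed only until a per-honeypot limit is reached within a sliding time window, after which they are blocked. The honeypot addresses, limit, window and sample flows are all assumptions made up for the example; a GenII bridge would additionally be able to modify outbound packets inline, which this model does not attempt.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed honeynet and GenI-style policy; these values are assumptions for
# the example, not settings from any real Honeynet deployment.
HONEYPOTS = {"192.0.2.10", "192.0.2.11"}
OUTBOUND_LIMIT = 5        # allowed outbound connections per honeypot ...
WINDOW_SECONDS = 3600     # ... within this sliding window


@dataclass(frozen=True)
class Flow:
    ts: int       # epoch seconds when the connection was attempted
    src: str
    dst: str
    dport: int


def direction(flow: Flow, honeypots=HONEYPOTS) -> str:
    """Inbound = toward a honeypot; outbound = from a honeypot to a non-honeypot."""
    if flow.dst in honeypots:
        return "inbound"
    if flow.src in honeypots:
        return "outbound"
    return "other"


def data_control(flows, limit=OUTBOUND_LIMIT, window=WINDOW_SECONDS):
    """Return a list of (flow, verdict) pairs in time order.

    Inbound is always ALLOW so the attacker can reach and compromise the
    honeypot. Outbound from a honeypot is ALLOW only while fewer than `limit`
    outbound connections have been allowed from it in the last `window`
    seconds; once the budget is spent the honeypot is contained and further
    attempts are BLOCK. Counting only allowed connections mirrors the GenI
    firewall, which counts what it has let through."""
    allowed_outbound = defaultdict(list)   # honeypot -> timestamps allowed
    verdicts = []
    for f in sorted(flows, key=lambda x: x.ts):
        if direction(f) != "outbound":
            verdicts.append((f, "ALLOW"))
            continue
        recent = [t for t in allowed_outbound[f.src] if f.ts - t < window]
        if len(recent) >= limit:
            verdicts.append((f, "BLOCK"))
        else:
            recent.append(f.ts)
            verdicts.append((f, "ALLOW"))
        allowed_outbound[f.src] = recent
    return verdicts


# Constructed sample: an outside host logs into honeypot .10 over SSH, then the
# compromised honeypot tries to reach seven outside hosts within one minute.
SAMPLE_FLOWS = [Flow(1000, "198.51.100.7", "192.0.2.10", 22)]
SAMPLE_FLOWS += [Flow(1060 + 10 * i, "192.0.2.10", f"203.0.113.{i + 1}", 445) for i in range(7)]
SAMPLE_FLOWS += [
    Flow(1200, "192.0.2.11", "203.0.113.9", 80),    # other honeypot, separate budget
    Flow(5000, "192.0.2.10", "203.0.113.50", 445),  # .10 again, after the window passed
]


def blocked_flows(flows=SAMPLE_FLOWS):
    """Convenience wrapper returning just the flows the policy would block."""
    return [f for f, v in data_control(flows) if v == "BLOCK"]


if __name__ == "__main__":
    for f, v in data_control(SAMPLE_FLOWS):
        print(f"{v:5} {f.ts} {f.src} -> {f.dst}:{f.dport}")
```

On the sample, the inbound SSH connection and the first five outbound attempts from 192.0.2.10 are allowed, the sixth and seventh are blocked, the other honeypot's single connection is allowed on its own budget, and the attempt an hour later is allowed again because the window has emptied. The limit is the tension the FAQ describes: too low and the attacker notices the containment and learns nothing, too high and the honeypot becomes a launch point against someone else.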

Data Capture: How can I capture what the bad guy is doing?

A critical element of any honeypot is data capture, the ability to log, alert, and capture everything the bad guy is doing. Most honeypot solutions, such as Honeyd or Specter, have their own logging and alerting capabilities. However, you may want additional data capture mechanisms to enhance the capabilities of these honeypots. Also, some solutions, such as Honeynets, require you to deploy your own data capture capabilities. I highly recommend you deploy Snort with any honeypot deployment. Snort is an open source IDS that will not only detect and alert on any attacks against your honeypot, but can also capture the packets and packet payloads involved in the attack. This information can prove critical in analyzing the attacker's activities. If you require more advanced data capture capabilities (such as with SSH sessions), I recommend you check out the Honeynet Tools Page for a complete listing of different tools used to capture what the bad guys are doing.
