In computer terminology, a honeypot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers. A honeypot that masquerades as an open proxy is known as a sugarcane.
A honeypot is valuable as a surveillance and early-warning tool. While often a computer, a honeypot can take on other forms, such as files or data records, or even unused IP address space. Honeypots should have no production value and hence should not see any legitimate traffic or activity. Whatever they capture can then be surmised as malicious or unauthorized.
Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to actually break into a system.
Also called ‘Tarpit’, an internet-attached server that acts as a decoy, luring in potential hackers and responding in a way that causes their machine to get “stuck”, sometimes for a very long time.
Honeypots are designed to mimic systems that an intruder would like to break into but limit the intruder from having access to an entire network. If a honeypot is successful, the intruder will have no idea that s/he is being tricked and monitored. Most honeypots are installed inside firewalls so that they can better be controlled, though it is possible to install them outside of firewalls. A firewall in a honeypot works in the opposite way that a normal firewall works: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.
By luring a hacker into a system, a honeypot serves several purposes:
- The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
- The hacker can be caught and stopped while trying to obtain root access to the system.
- By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.
Creating a Honeypot – overview for the basic user.
Honeypot systems should be configured to look like a box that hackers would like to exploit. You can achieve this by giving it an irresistible name, such as financials.companyname.com or mail.companyname.com. If the system doesn’t appear real or looks unusual, the hacker will most likely detect a trap and move on.
Honeypot – The two major goals
- Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder’s activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
- Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute. More important, when you decide you’re going to build a honeypot you must first realize that you’re playing with fire and can easily get burned. Someone with skills far superior to your own is out there and poised to attack your system and it may only take them a few hours after it’s up to discover it! Keeping this in mind the entire way through is your best hedge against doing something reckless — or even fatal.
Honeypots can operate on any variety of computer systems and just about any type of computer. While most public domain software for setting up a honeypot is written for UNIX, many of these systems have already been ported to NT. Below I’ll list some tools (free of course!) that will help you set the bait. Some packages may or may not include a sniffer (a package to log incoming and outgoing traffic) – I’ll list a few of those as well.
You’ll need a basic computer to get started. If you don’t have an extra system, you can use your current system by removing any existing drives and installing a spare drive with a fresh install of your operating system – NEVER use your original drives!
The last item to perform is making sure you have all the latest operating system service packs and patches installed. Once you’ve given it a test, connect it to the internet and wait.
This was a very quick overview for those inquisitive readers who want to get started now!
Free Honeypot Software
- BackOfficer Friendly: A free Windows-based low interaction honeypot. Excellent solution if you are new to honeypot technologies.
- Honeyd: A free Unix-based low interaction honeypot. Can emulate entire networks of systems (over 60,000 systems at the same time), proxy connections, and emulate both application and IP stack. You can also download a statically compiled version for Linux.
- LaBrea Tarpit: A free low interaction honeypot designed to slow down or stop automated attacks, such as worms. A very different concept for honeypots, one worth taking a look at.
Sniffer Software – free
- wireshark.org/ – Wireshark is a free network protocol analyzer for Unix and Windows. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, viewing summary and detail information for each packet. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session.
- monkey.org/~dugsong/dsniff – DSniff: A collection of tools for network auditing and penetration testing. Windows version can be found here.
- analyzer.polito.it – Analyzer: Analyzer is a full configurable network analyzer program for XP environment. Analyzer is able to capture packets on all platforms.