This paper introduces one of the methods for managing information risk: honeypots. They help you protect your own network as well as other networks on the dirty Internet. By the end of the paper, I hope you will understand what honeypots are, what they can do for you, what their benefits are, which types of honeypots are available and how you can deploy them in your network.

I have always been interested in information security technologies and have loved playing with them. Honeypots first caught my attention through a news item at SecurityFocus. The Honeynet Project had monitored the activity of one of the largest Pakistani hacker groups. I was impressed with the amount of information they had collected about its activity. They explained how the attackers probed the system, exploited it, and trojanized it. Once it was compromised, the attacker had installed an IRC bot and connected it to an IRC channel. They recorded the conversation on the channel for 14 days. You can read more about it in the Know Your Enemy: Motives paper.

Honeypots / Honeynets

A honeypot is a system set up for the purpose of being compromised by attackers. Lance Spitzner uses the following definition: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Generally we are not able to analyze systems properly after they are compromised, and we do not get detailed information about the attacker and his motives. By setting up a honeypot we are able to see the approaches an attacker uses to get into the network. Honeypots are basically traps. They run real or simulated services, depending on the level of interaction, on a system which is meant to be compromised by an attacker. There can also be network traps running real or simulated operating systems and services, which give the attacker the impression of having compromised a vulnerable network. Network traps are also called honeynets.

Advantages / Disadvantages

Due to the size of traffic and activity on a production network, we regularly cannot log the level of detail that security practitioners often need. Honeypots are a way to get much more detailed logging for certain malicious situations than would be possible with normal logging. Suppose you have a firewall which is properly configured to stop an attack on port 445.
That is good, but you will not be able to learn anything about the attack, which can be bad. There are situations when you want to see the content of the traffic: when you want to know the intentions of the attackers and how much they know about your network, when a particular system is getting lots of probes, or when you think that a new attack or technique has been used to exploit your network. The good thing about honeypots is that they can be deployed easily on a low-speed machine. Honeypots can also be risky, depending on the type of honeypot. Once an attacker has compromised a honeypot, there is a possibility that he will use it to harm other systems on the network, which is scary and risky, so the attacker's activity from the honeypot has to be properly controlled. If honeypots are widely deployed, they can improve security overall. Currently, if a system is rooted by an attacker, it is simply a compromised system and the attacker feels free to do what he wants. Honeypots reveal the activity of attackers, who assume that no one is monitoring them. Distributed deployments of honeypots can cause attackers to slow down their attacks and be more careful.

Types

There can be different types of honeypots, depending on their deployment and involvement. Normally we break them into two categories according to the deployment:
Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Black Hat community targeting different networks. The Pakistan Honeynet Project is an example of such an organization; it raises awareness of the threats and vulnerabilities that exist on Pakistan's networks today by demonstrating real systems that are compromised in the wild by the Black Hat community. Production honeypots are placed inside the production network alongside other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The differences between research and production honeypots are not fixed. They are defined on the basis of observations to help identify the purpose of honeypots. Organizations can deploy full-featured high-interaction honeypots to get information about attacks and attackers targeting their network, and researchers can deploy low-interaction honeypots to observe the tactics and motives of the Black Hat community. It all depends on how honeypots are used.

Levels of Interaction

Honeypots can also be categorized according to the level of involvement. Level of involvement is defined as the amount of interaction an attacker can have with the honeypot: the more the involvement, the more an attacker can do with the honeypot. We can categorize honeypots as follows.
As the name suggests, low-interaction honeypots have limited interaction with the attacker. They run simulated operating systems or services. There are no real operating systems or services exposed on them; they are just emulations running above the OS layer. The advantages of low-interaction honeypots are their easy deployment and management. Since they run above the OS layer, the system itself is kept out of the attacker's control: the maximum amount of damage an attacker can do is to take down the honeypot emulation. Low-interaction honeypots are helpful in identifying attackers' IP addresses. The disadvantage of low-interaction honeypots is their low amount of activity logging. They are designed to respond to and log known attacks, which makes them easier to detect. If you are new to honeypots, I would recommend low-interaction honeypots to start with because of their simplicity.

High-interaction honeypots are actual systems running real operating systems and services. They give the ability to learn more about the attacks and attackers, since they run an actual operating system with real services which an attacker can compromise. Unlike a low-interaction honeypot emulation, they run the real services that come with the operating system. Once an attacker has compromised the system, he has full control over it and can interact with it as he wants, which is very risky. Attackers try to compromise and attack other systems on the network. It has been observed that attackers use compromised systems to scan large class A and B networks for a specific vulnerability and, once they have found vulnerable systems, exploit them. To mitigate such risks, high-interaction honeypots are deployed in a controlled environment. High-interaction honeypots are very difficult to deploy because multiple tools are needed to make them run.
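The "emulation above the OS layer" idea can be made concrete with a small service emulator. The following is an added example, not code from the paper or from any project it names; the FTP-style banner, port 2121 and the log file name are assumptions chosen for illustration. It shows what a low-interaction honeypot gives you (source IP, first bytes sent, credentials tried) and what it deliberately withholds from the attacker (any real command execution).

```python
# Minimal low-interaction honeypot service: added example, not from the paper.
# It emulates one TCP service above the OS layer: canned replies only, nothing
# the peer sends is ever executed, and every probe is logged with its source IP.
# The port, banner and log path are constructed for this example.
import json
import socket
import time
from typing import Dict, Tuple

BANNER = b"220 ftp.example.test FTP server ready\r\n"  # constructed banner
MAX_BYTES = 256  # read at most this much per probe: interaction stays limited
MAX_CMDS = 3     # then hang up; enough to capture USER/PASS attempts


def handle_probe(peer_ip: str, data: bytes, now: float = 0.0) -> Tuple[Dict, bytes]:
    """Return (log record, canned reply) for one line sent by the peer.

    The peer only ever gets a fixed refusal, so it cannot drive the honeypot
    into doing anything; what we keep is the source IP and the first bytes
    sent, which is what a low-interaction honeypot is good for.
    """
    line = data[:MAX_BYTES].split(b"\r\n", 1)[0]
    verb = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
    record = {"ts": now, "src": peer_ip, "verb": verb,
              "raw": line.decode("ascii", "replace")}
    replies = {"USER": b"331 Password required\r\n",
               "PASS": b"530 Login incorrect\r\n",
               "QUIT": b"221 Goodbye\r\n"}
    return record, replies.get(verb, b"500 Unknown command\r\n")


def serve(port: int = 2121, log_path: str = "honeypot.log") -> None:
    """Accept connections one at a time; each probe becomes one JSON log line."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(5)
        while True:
            conn, (ip, _) = srv.accept()
            with conn, open(log_path, "a") as log:
                conn.settimeout(10)
                conn.sendall(BANNER)
                for _ in range(MAX_CMDS):
                    try:
                        data = conn.recv(MAX_BYTES)
                    except socket.timeout:
                        break
                    if not data:
                        break
                    record, reply = handle_probe(ip, data, time.time())
                    log.write(json.dumps(record) + "\n")
                    conn.sendall(reply)
```

Run `serve()` on a spare host and the JSON lines give you exactly the attacker IPs and login attempts the paper says this class of honeypot is good for, while the emulation itself has nothing to hand over.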
Once a high-interaction honeypot has been successfully deployed and is properly managed, it can be very helpful in discovering new exploits, worms, viruses and vulnerabilities.

Available Honeypots

I have talked about honeypots, their types and their levels of interaction. Now let's cover some details about the available honeypots.

Honeyd

Honeyd is an open source low-interaction honeypot, developed and maintained by Niels Provos. Honeyd runs as a small daemon that creates virtual hosts on a network. The hosts can be configured to emulate the behavior of an operating system and of network services running on it, such as HTTP, SMTP, POP, Telnet, SSH, FTP, etc. Honeyd enables a single host to claim multiple addresses, up to 65536, on a LAN for network simulation. As it supports network simulation, Honeyd can be used to create a virtual honeynet. Some of the features available in Honeyd are:
You can see from the features that different levels of honeypots can be emulated using Honeyd, from a basic single-host honeypot to an advanced, full-featured network of honeypots, i.e. a honeynet.

Pakistan Honeynet Project

The Pakistan Honeynet Project has been started with the funding of Cyber Internet Services (Pvt.) Ltd. as a non-profit, all-volunteer organization dedicated to honeynet research. Its goal is to learn and raise awareness about the motives and tactics of the Black Hat community targeting Pakistan's networks. The aim is to share and disseminate knowledge about the various tools and hacker practices in use on the Internet today. The project is based on the principles and guidelines given by the Honeynet Research Project, and it is a part of the Honeynet Research Project's Alliance.

A honeynet is a high-interaction network of honeypots. A honeynet is not a single product but is composed of multiple technologies and products. Ideally, a honeynet includes computers running multiple real operating systems with real services on them. Honeynets are like real networks, but the difference is that all the activity is logged and analyzed: any activity that happens on the honeynet is assumed to come from an attacker. The environment is so realistic that the attacker does not realize he is inside a honeynet. A honeynet deployment emphasizes four things: data control, data capture, data collection and data analysis. In order to keep the attacker's activity from harming other networks, the number of outgoing connections from the honeynet is controlled (data control). To capture the attacker's activity in the honeynet, a combination of tools such as syslog, a network sniffer, Sebek, etc. is used for logging (data capture). Once the data has been captured, it is transferred through a secured channel from the honeynet to a central server (data collection). After the data has been collected from the honeynet, different data analysis tools are used to analyze the logs (data analysis).
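The data-control step described above, as an added example that is not the Honeynet Project's own tooling: a sliding-window budget on new outbound connections that a honeynet gateway would consult before forwarding, so a compromised honeypot cannot freely scan or attack other networks while inbound traffic to the trap is never limited. The honeypot addresses, the limit of 15 connections per hour and the scenario in `demo()` are all constructed for illustration.

```python
# Honeynet data control: added example, not the Honeynet Project's own tooling.
# A gateway in front of the honeynet consults this before forwarding a NEW
# outbound connection; inbound connections are never limited, the trap must
# stay reachable. Honeypot addresses, limit and window are constructed values.
from collections import deque
from typing import Deque, Dict, Iterable, List, Tuple

HONEYNET = {"10.0.0.11", "10.0.0.12"}  # constructed honeypot addresses


class OutboundLimiter:
    """Sliding-window budget of new outbound connections per honeypot."""

    def __init__(self, limit: int = 15, window_s: float = 3600.0) -> None:
        self.limit = limit
        self.window = window_s
        self._starts: Dict[str, Deque[float]] = {}

    def decide(self, src_ip: str, now: float) -> Tuple[str, int]:
        """Return ('allow' | 'drop', connections counted in the current window)."""
        q = self._starts.setdefault(src_ip, deque())
        while q and now - q[0] >= self.window:   # forget expired entries
            q.popleft()
        if len(q) >= self.limit:
            return "drop", len(q)                 # budget spent: block (and alert)
        q.append(now)
        return "allow", len(q)


def filter_connections(events: Iterable[Tuple[float, str, str]],
                       limiter: OutboundLimiter) -> List[Tuple[float, str, str, str]]:
    """Apply the policy to (ts, src, dst) new-session events as a gateway sees them."""
    verdicts = []
    for ts, src, dst in events:
        if src in HONEYNET and dst not in HONEYNET:    # outbound: spend budget
            action, _ = limiter.decide(src, ts)
        else:                                          # inbound or intra-honeynet
            action = "allow"
        verdicts.append((ts, src, dst, action))
    return verdicts


def demo() -> Dict[str, int]:
    """Constructed scenario: an intruder gets in, then the honeypot starts scanning."""
    events = [(10.0, "203.0.113.5", "10.0.0.11")]               # inbound attack
    events += [(100.0 + i, "10.0.0.11", f"198.51.100.{i}") for i in range(20)]
    events += [(100.0 + 3600.0, "10.0.0.11", "198.51.100.99")]  # window expired
    verdicts = filter_connections(events, OutboundLimiter(limit=15))
    return {"allow": sum(v[3] == "allow" for v in verdicts),
            "drop": sum(v[3] == "drop" for v in verdicts)}
```

In a real deployment the "drop" verdicts are also the alert: a honeypot that hits its outbound budget has almost certainly been compromised and the logs captured up to that point are what you analyze.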
Conclusion

The purpose of this paper was to help you understand what honeypots are and why they are important. We discussed two types of honeypots, research honeypots and production honeypots. Then we discussed how you can deploy honeypots according to the level of interaction, as low-interaction or high-interaction honeypots. In the end we discussed available honeypots which you can deploy. If you are interested in learning more about honeynets, you can read about them here.