Synopsis

With an ever-increasing number of methods and tactics used to attack networks, the goal of securing a network must also continually expand in scope. While traditional methods such as IDS/IPS systems, DMZs, penetration testing and various other tools can create a very secure network, it is best to assume that vulnerabilities will always exist and that, sooner or later, they will be exploited. Thus, we need to continuously find innovative ways of countering the threats, and one such way is to deploy honeypots on top of standard security mechanisms.

What are honeypots

Honeypots are decoy systems, deployed alongside production systems with the intent of tricking hackers into attacking the decoys instead. A honeypot is a system whose value lies in being hacked. This is one of the few methods available to a security professional to deceive the attacker and study his or her behavior. The main objectives of honeypots are to divert malicious traffic away from important systems, to get early warning of an attack in progress before critical systems are hit, and to gather information about the attacker and the attack methods. By deceiving an attacker into carrying out his or her attack on a non-critical, well-monitored system, valuable insight can be gained into the attack methods, and information can be gathered for forensic or legal purposes.

In terms of objectives, there are two categories of honeypots that are deployed. Research honeypots are focused on gathering information about the attack, used specifically for the purpose of learning about hacking methodologies. For example, the Honeynet Project is a volunteer project that runs honeypots to assess cyber threats. Production honeypots, on the other hand, are focused primarily on diverting attacks from important systems. Information gathering is also very important, since the data can be used to further secure the real production systems, as well as for forensic or legal purposes.

There are several things worth noting. As implied before, honeypots do not replace any of the traditional security mechanisms, but add another layer of security. They do not prevent attacks. Their purpose is to divert attacks from real systems and to gather information about those attacks. But a honeypot will only see attacks against itself. Attacks on other systems will go completely undetected.

How do honeypots work

In terms of design and setup, there are three kinds of honeypots. Low-interaction honeypots offer simple services that hackers typically look for. These are easy to maintain and less resource-intensive. They are also harder to use as a launch point for attacks on other systems. High-interaction honeypots generally run (or appear to run) all the services that a production system would run, including a proper operating system. This allows the deploying organization to learn a lot more about the attacker’s behavior and attack methods. Also, detecting that it is a honeypot is much harder, since it mimics production systems. But these systems are more resource-intensive and are harder to set up and maintain. Because they have more capabilities, they are also more likely to be used to attack other systems. In such cases, the owner of the honeypot can be held liable for the attacks. This is referred to as downstream liability. Mid-interaction honeypots emulate aspects of the application layer, but do not have an operating system. Thus, they provide some interactivity, but are unlikely to be used for other attacks.

To an outsider breaking in, the system should appear to be a legitimate system, running processes a production system is expected to run, and containing files that seem important, but are not. It can be any system that has been set up with proper sniffing and logging capabilities, along with dummy files and processes that a legitimate system should run. Any traffic in to or out of the honeypot is malicious by definition. In general, it is a good idea to place the honeypot inside the firewall, as it not only provides enhanced logging and alerting capabilities, but also provides a way to block outgoing traffic, so that it cannot be used as a launch point for attacks on other systems.

Several honeypot technologies in use are:

  • Malware honeypots: These can use known replication and attack vectors to detect malware. For example, a honeypot can be made to emulate a USB drive, which can be checked for evidence of unauthorized modifications.
  • Spam honeypots: These honeypots can be used to emulate open mail relays and open proxies. Spammers will test the open mail relay by sending themselves an email first, and if that succeeds, they send out large quantities of spam. Spam honeypots can detect and recognize the test and successfully block the massive volume of spam that follows.
  • Database honeypots: Since activities like SQL injection can often go undetected by network firewalls, some organizations use a database firewall. Some of these database firewalls provide honeypot support to create decoy databases.
  • Client honeypots: While most honeypots are servers listening for connections, client honeypots are client systems that actively search out malicious servers and monitor the unexpected modifications to the systems. Generally these systems run on virtualization technology, so that infected systems can be cleaned out after the infection.

How to set up a simple honeypot

Honeypots can be set up as a dedicated server, a simulated system, a simple service listening on an unused port on a host or a network of virtual systems. For setting up a honeypot, a Unix or Microsoft NT system would work.

The simplest of honeypots can be set up on a system that has no services running, using the netcat utility to listen on common ports. Suppose on host 192.168.1.22, we run:

nc -l -p 80

A port scan from a utility such as nmap will reveal back to the attacker all open ports. For that, on a different system we run:

nmap -sS -p 1-500 -O 192.168.1.22

Since netcat will only listen, there is no interactivity, and the attacker cannot do much. In this way, our system is safe from downstream liability issues, but we are left with no answers about the attacker's tools, methods and intentions.

A more useful honeypot can be set up using the open-source tool called honeyd. It is a daemon that emulates machines with services running on them. It is a low- to mid-interaction honeypot. Honeyd creates what are essentially virtual honeypots, emulating the machine(s) we want. These machines obviously need unique IP addresses. We also need a tool such as farpd to tell the router to redirect all traffic destined to these virtual IP addresses to the machine running honeyd. After installing honeyd, all the information about the honeypots must be entered into the honeyd.conf file. A simple configuration file could look like:

# Create the host to be emulated
create windows
set windows personality "Microsoft Windows XP SP2"
set windows default tcp action reset
add windows tcp port 80 "sh /path/to/script/webserver.sh"
add windows tcp port 23 "sh /path/to/script/telnet.sh"

# Instantiate the host and assign it an unused IP address
bind 192.168.1.22 windows

The configuration file creates a template for a Windows XP system called “windows” and opens up TCP ports 80 and 23. Port 80 runs the webserver.sh script, which could perhaps serve a fake webpage, and port 23 runs the telnet script, which may give the attacker some console-level interactivity. Finally, the template is bound to an IP address, creating a specific instance of the machine. Once the file is ready, run the following command:

honeyd -d -f /path/to/honeyd.conf

Now the honeypot should be up and running. The -d flag is to make the daemon run in the foreground, so that its operations can be seen in the terminal. Once again, nmap can be used to check that the honeypot is indeed running and it has port 80 open.
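The configuration above hands each port 80 connection to webserver.sh, but the page does not show what such a script looks like. The following is an added example, not code from the page or from the honeyd project: honeyd connects the attacker's TCP stream to the script's stdin and stdout, so the script reads the request, logs it safely, and answers with a fixed fake response. The environment variable names HONEYD_IP_SRC and HONEYD_SRC_PORT and the log path are assumptions; check your honeyd version's manual.

```shell
#!/bin/sh
# Fake web server for the "add windows tcp port 80" line in honeyd.conf.
# honeyd is assumed to export HONEYD_IP_SRC / HONEYD_SRC_PORT for the peer;
# outside honeyd we fall back to "unknown:0". Log path is a placeholder.
LOGFILE="${HONEYPOT_LOG:-/tmp/honeypot-web.log}"

# Read the request line and headers from stdin up to the blank line,
# capped at 32 lines so a never-ending header stream cannot hang us.
read_request() {
    n=0
    while [ "$n" -lt 32 ] && IFS= read -r line; do
        line=$(printf '%s' "$line" | tr -d '\r')
        [ -z "$line" ] && break
        printf '%s\n' "$line"
        n=$((n + 1))
    done
}

# Append one timestamped record for the request line. Only printable
# characters, at most 200 of them, reach the log, so an attacker cannot
# forge extra log lines or bloat the file with one request.
log_request() {
    src="${HONEYD_IP_SRC:-unknown}:${HONEYD_SRC_PORT:-0}"
    sanitized=$(printf '%s' "$1" | tr -cd '[:print:]' | cut -c1-200)
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$sanitized" >> "$LOGFILE"
}

# Always return the same believable IIS-style page; Content-Length is
# computed from the body so the response is well-formed.
http_response() {
    body='<html><body><h1>Under Construction</h1></body></html>'
    printf 'HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.1\r\nContent-Type: text/html\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s' "${#body}" "$body"
}

# Serve one request only when honeyd (or a manual run) sets HONEYD_IP_SRC;
# otherwise the file just defines the functions above.
if [ -n "${HONEYD_IP_SRC:-}" ]; then
    request=$(read_request)
    log_request "$(printf '%s\n' "$request" | head -n 1)"
    http_response
fi
```

To exercise it by hand without honeyd: HONEYD_IP_SRC=192.168.1.50 printf 'GET / HTTP/1.0\r\n\r\n' | sh webserver.sh, then inspect the log file.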

Detecting a honeypot

Honeypots are made to be a target for hackers, and depending on the setup, they can often be difficult to detect. If it is a high-interaction honeypot, it will run everything one could expect a real system to run, and thus can be very difficult to detect. A low-interaction honeypot can be fairly easy to detect once the attacker is inside. It will have few and simple processes running, and many basic tools may be missing or may not work as expected. Some may fail to save files across sessions, and some may block all outgoing connections. Ultimately, it depends entirely on how the honeypot was set up. Thus, there really is no set method of detecting honeypots. If a specific method to detect honeypots is discovered, new honeypots will immediately come into play to nullify the method.

Advantages

Overall, the addition of honeypots to a network offers several advantages:

  • Honeypots are not supposed to have any traffic, thus any traffic on it is malicious by definition. This causes fewer false positives.
  • Gather forensic data without gathering legitimate traffic as well, creating smaller, high-value datasets.
  • Waste attacker’s time by diverting attacks to a useless system, and get early warning about an attack.
  • Does not require known attack signatures, unlike IDS’s.

Disadvantages

  • When the systems are full-fledged systems, they can be abused in some cases, and used in attacking other systems.
  • When the systems are minimal systems, they are easily detected by hackers.
  • A honeypot can detect only attacks against itself. Attacks against other systems can go undetected.

Conclusion

Honeypots are part of a new kind of security technology, often called Deception Technology, which is a way to mitigate damage once the attacker has already broken inside the network, and they are an increasingly important aspect of the modern enterprise network. A honeypot adds an additional layer of security on top of IDS, firewalls etc., and is a valuable source of information about attackers and impending attacks. This information can be used to further enhance the security of the network. Honeypots are still being actively researched, and in recent years honeypot technology has been expanded to create world-wide networks of honeynets and honeyfarms, which are being put to use against various kinds of malicious activity on the internet.

Complementary Tools

KFSensor
HoneyBOT
HoneyPoint

More Reading & Other Resources

HoneyD: A Virtual Honeypot Daemon
A Practical Guide to Honeypots
Honeypot/honeyd tutorial