
1. INTRODUCTION:

For every consumer and business that is on the Internet, viruses, worms, and crackers are but a few security threats. The systems can only react to or prevent attacks, but they cannot give us information about the attacker, the tools used or even the methods employed. Hence, honeypots are a novel approach to network security and security research alike.

Honeypots are closely monitored network decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Honeypots provide a cost-effective solution to increase the security posture of an organization. Nowadays, they are also being extensively used by the research community to study issues in network security.

1.1 History of Honeypots:

The idea of honeypots began in 1991 with two publications, "The Cuckoo's Egg" and "An Evening with Berferd". "The Cuckoo's Egg" by Clifford Stoll was about his experience catching a computer hacker that was in his corporation searching for secrets. The other publication, "An Evening with Berferd" by Bill Cheswick, is about a computer hacker's moves through traps that he and his colleagues used to catch him. In both of these writings were the beginnings of what became honeypots.

The first type of honeypot was released in 1997, called the Deception Toolkit. The point of this kit was to use deception to attack back. In 1998 the first commercial honeypot came out. This was called Cybercop Sting. In 2002 the honeypot could be shared and used all over the world. Since then honeypot technology has improved greatly and many honeypot users feel that this is only the beginning. In the year 2005, The Philippine Honeypot Project was started to promote computer safety in the Philippines.

1.2 Definition of a Honeypot:

What is a Honeypot? A HONEYPOT is an information system resource whose value lies in unauthorized or illicit use of that resource.

It is defined as a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems. A honeypot is a trap; an electronic bait. It is a computer or network resource that appears to be a part of the network but has been deployed as a sitting duck to entice hackers. We can define a honeypot as an "information system resource whose value lies in unauthorized or illicit use of that resource."

A HONEYPOT resource has no REAL use. In other words, normal users will never connect to it. It is set up ONLY to lure malicious users to attack it. Since a HONEYPOT resource has no REAL use, if a system administrator notices a user connecting to it, then 99% of the time that user is a malicious one.

The concept of honeypots in general is to catch malicious network activity with a prepared machine. This computer is used as bait. Valuable compromised data is collected with the help of software that permanently collects data when a honeypot is attacked. This information is more of a surveillance and early warning tool, which also serves as an aid to computer and network forensics. The intruder is intended to detect the honeypot and try to break into it. Next, the type and purpose of the honeypot specifies what the attacker will be able to perform.

2. THE IDEA OF HONEYPOTS:

The idea behind a honeypot is to set up a "decoy" system that has a non-hardened operating system or one that appears to have several vulnerabilities for easy access to its resources. A honeypot can be as simple as a single computer running a program to listen on any number of ports; when a connection is made, the program logs the source IP and alerts the owner with an e-mail.

Most honeypots are installed with firewalls. Honeypots and firewalls work in the reverse direction to each other, as the honeypot allows all traffic to come in but blocks all outgoing traffic. Most honeypots are installed inside network firewalls and are a means of monitoring and tracking hackers. Honeypots are a unique tool to learn about the tactics of hackers.

Is It Just a Computer?

A honeypot is often a computer, but it can also be in other forms like data records, idle IP address spaces, or files. It must be handled carefully as there are chances of hazards being carried to a network. A hacker can make use of a honeypot to break into a system; hence, it should be walled off appropriately.

A common setup is to deploy a honeypot within a production system. The two main reasons why honeypots are deployed are:

1. To learn how intruders probe and attempt to gain access to your systems and gain insight into attack methodologies to better protect real production systems.

2. To gather forensic information required to aid in the apprehension or prosecution of intruders.

Figure 1 below shows the honeypot colored orange. It is not registered in any naming servers or any other production systems, i.e. the domain controller, to hide its existence. This is important, because only within a properly configured network can one assume that every packet sent to the honeypot is suspect for an attack. If misconfigured packets arrive, the amount of false alerts will rise and the value of the honeypot drops.

Figure 1: Deployment scenario of a single Honeypot

3. THE VALUE OF HONEYPOTS:

The value of honeypots can be known depending on the way they are used. This is discussed in detail depending on the way they help prevent attacks.

The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system (with worms self-replicating, copying themselves to the victim). One way that honeypots can help defend against such attacks is slowing their scanning down, potentially even stopping them. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a window size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated your internal organization. One such example of a sticky honeypot is the LaBrea Tarpit. Sticky honeypots are most often low-interaction solutions (you can almost call them 'no-interaction solutions', as they slow the attacker down to a crawl :).

The second way honeypots can help protect an organization is through detection. Detection is critical; its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reason than that humans are involved in the process. By detecting an attacker, you can quickly react to them, stopping or mitigating the damage they do. Traditionally, detection has proven extremely difficult to do. Technologies such as IDS sensors and system logs have proven ineffective for several reasons: they generate far too much data, a large percentage of false positives, an inability to detect new attacks, and an inability to work in encrypted or IPv6 environments. Honeypots excel at detection, addressing many of these problems of traditional detection.

The third and final way a honeypot can help protect an organization is in response. Once an organization has detected a failure, how do they respond? This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity is critical. There are two problems compounding incident response. First, often the very systems compromised cannot be taken offline to analyze. Production systems, such as an organization's mail server, are so critical that even though it has been hacked, security professionals may not be able to take the system down and do a proper forensic analysis. Instead, they are limited to analyzing the live system while still providing production services. This cripples the ability to analyze what happened, how much damage the attacker has done, and even whether the attacker has broken into other systems. The other problem is that even if the system is pulled offline, there is so much data pollution it can be very difficult to determine what the bad guy did. By data pollution, I mean there has been so much activity (users logging in, mail accounts read, files written to databases, etc.) that it can be difficult to determine what is normal day-to-day activity and what is the attacker.

Honeypots can help address both problems. Honeypots make an excellent incident response tool, as they can quickly and easily be taken offline for a full forensic analysis, without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious activity. This makes hacked honeypots much easier to analyze than hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to rapidly and effectively respond to an incident.

4. BUILDING A HONEYPOT:

To build a honeypot, a set of virtual machines (VMs) is created. They are then set up on a private network with the host OS. To facilitate data control, a stateful firewall such as IPTables can be used to log connections. This firewall would typically be configured in Layer 2 bridging mode, rendering it transparent to the attacker. The final step is data capture, for which tools such as Sebek and Term Log can be used. Once data has been captured, analysis on the data can be performed using tools such as Honey Inspector, PrivMsg and Sleuth Kit.

We find this approach remarkable in its simplicity, and feel that a few significant issues need to be brought to light.

1. The choice of a private host-only network. Though this may seem counter-intuitive at first, there is relatively sound reasoning for doing so.

2. While bridging the VMs on to the physical network would seem like a better approach because it transparently forwards packets to the VMs and eliminates an additional layer of routing, it requires an additional data control device which will monitor the packets being sent from the VMs. The operation of data control cannot be performed by the host OS when the VMs are in bridged mode, since all data from the VMs bypasses any firewalls or IDSs which exist at the application layer on the host, as shown in Figure 2 below.

Figure 2: Structure of a VM Based Honeypot.

3. The firewall on the host should be transparent to the attacker. This requires considerable effort, since firewalls by default work at Layer 3 or greater. To render the firewall transparent to the attacker requires recompilation of the kernel. This may not be possible on all operating systems, such as Windows.
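The "program listening on a port that logs the source IP and alerts the owner" sketched in section 2, combined with the predetermined-reply style of service emulation that the paper describes for low-interaction honeypots, as an added Python example. This is not code from the paper or from any product it names (Honeyd, Specter, BOF); `Honeypot`, `emulate_ftp` and `probe` are this example's own names, and the FTP replies are a constructed three-command emulation, not a real server.

```python
"""Minimal low-interaction TCP honeypot: listen, log the source, alert, emulate."""
import socket
import threading
import time


def emulate_ftp(line: str) -> str:
    """Predetermined replies for a handful of FTP commands (constructed, not a
    real server). Anything unexpected gets an error, which is exactly the
    limitation of low-interaction emulation the paper points out."""
    cmd = line.strip().split(" ", 1)[0].upper()
    if cmd == "USER":
        return "331 Password required.\r\n"
    if cmd == "PASS":
        return "530 Login incorrect.\r\n"   # never actually authenticates anyone
    if cmd == "QUIT":
        return "221 Goodbye.\r\n"
    return "500 Unknown command.\r\n"


class Honeypot:
    """Accepts connections on one port, records every peer and every line it
    sends, and calls `alert` once per connection (e.g. to send an e-mail)."""

    def __init__(self, host="127.0.0.1", port=0, alert=None):
        self.records = []                      # one dict per connection
        self.alert = alert or (lambda rec: None)
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))          # port 0 = let the OS pick a free port
        self._sock.listen(5)
        self._sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self._sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()

    def stop(self):
        self._stop.set()
        self._thread.join()
        self._sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, peer = self._sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        rec = {"src_ip": peer[0], "src_port": peer[1], "ts": time.time(), "lines": []}
        self.records.append(rec)
        self.alert(rec)                        # nobody legitimate connects here
        with conn:
            conn.settimeout(2.0)
            conn.sendall(b"220 FTP server ready.\r\n")
            buf = b""
            try:
                while True:
                    data = conn.recv(1024)
                    if not data:
                        return
                    buf += data
                    while b"\n" in buf:
                        line, buf = buf.split(b"\n", 1)
                        text = line.decode("ascii", "replace").rstrip("\r")
                        rec["lines"].append(text)          # capture before replying
                        conn.sendall(emulate_ftp(text).encode("ascii"))
                        if text.upper().startswith("QUIT"):
                            return
            except socket.timeout:
                return                         # idle peer: close, keep the log


def probe(port, payload: bytes) -> bytes:
    """Test client: connect to the honeypot, send `payload`, return all replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(payload)
        out = b""
        while True:
            chunk = c.recv(1024)
            if not chunk:
                return out
            out += chunk


if __name__ == "__main__":
    hp = Honeypot(alert=lambda r: print("ALERT: connection from", r["src_ip"]))
    hp.start()
    print(probe(hp.port, b"USER admin\r\nPASS secret\r\nSYST\r\nQUIT\r\n").decode())
    hp.stop()
    print(hp.records)
```

Because the honeypot has no legitimate users, the alert fires on the very first connection rather than after any pattern matching; the captured `lines` are the "commands they issue" that section 12.1 says an emulated FTP service can record, and `SYST` shows the emulation falling back to a generic error for a command it does not model.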

Finally, once a honeypot is compromised, a restoration mechanism has to be implemented so that it is instantly taken off the network and all its holes carefully plugged before placing it back on the network. This is currently a manual process and can only be partly automated.

5. IMPLEMENTATION:

On the basis of implementation of HONEYPOTS, they can be categorized into the following:

5.1 Low-Involved Honeypots

A typical Low-Involved Honeypot will have a few ports open, so that the administrator knows what ports the attackers are trying to connect to. The attacker will NOT be allowed to do anything else on the Low-Involved Honeypot. Hence, Low-Involved HONEYPOTS are relatively less risky. Low-Involved Honeypots DO NOT give us much insight into the attacker; hence, they are normally used as PRODUCTION HONEYPOTS.

5.2 High-Involved Honeypots

A typical High-Involved Honeypot will have, for example, a few ports open AND a few vulnerable services running. Hence, the attacker is allowed to actually break into the Honeypot. The attacker is allowed to do everything he wants to on the High-Involved Honeypot. Hence, High-Involved HONEYPOTS are considered relatively risky. High-Involved HONEYPOTS can be used to gather a lot of insight on the tools, techniques and methods used by the attacker. Hence, they are normally used as RESEARCH HONEYPOTS.

6. How do HONEYPOTS work?

Honeypots are generally based on a real server, a real operating system, and data that appears to be real. One of the main differences is the location of the machine in relation to the actual servers. Honeypots work by monitoring and/or controlling the intruder during their use of the honeypot. A critical element to any honeypot is data capture, the ability to log, alert, and capture everything the bad guy is doing. Most honeypot solutions, such as Honeyd or Specter, have their own logging and alerting capabilities. It is highly recommended to deploy Snort with any honeypot deployment. Snort is an open-source IDS system that will not only detect and alert on any attacks against your honeypot, but can also capture the packets and packet payloads involved in the attack. This information can prove critical in analyzing the attackers' activities.

Figure 3: Working of a Honeypot.

7. How does a Honeypot Gather Information?

A honeypot must capture data in an area that is not accessible to an attacker. Data capture happens on a number of levels:

1. Firewall Logs - Simple, yet effective.

2. A Packet Sniffer (or similar IDS sensor) - The IDS should be configured to passively monitor network traffic (for an added level of invisibility, one might set the system up to have no IP address or, in some instances, the sniffer could be configured to completely lack an IP stack). This will capture all cleartext communication, and can read keystrokes.

3. Local and Remote Logs - These should be set up just as you would on any other system, and will possibly be disabled, deleted, or modified by an experienced hacker, but plenty of useful information will still be available from all the previous capture methods. Remotely Forwarded Logs will capture data on a remote log and then instantly forward the data to a system even further out of the range of the attacker.

8. TYPES OF HONEYPOTS:

The types of Honeypots describe them in greater detail and define their goals.

8.1 Production Honeypot:

They are used in performing an advanced detection function. They prove whether the security function of the Honeypot is inadequate in case of an attack which becomes hard to lock. However, measures should be taken to avoid a real attack. With the knowledge of the attack on the Honeypot it is easier to determine and close security holes. A Honeypot allows justifying the investment of a firewall. With a Honeypot there is recorded evidence of attacks. The system can provide information for statistics of monthly attacks. A person with legal access to the internal network can pose an unidentifiable threat. Activities on Honeypots can be used to prove whether that person has malicious intentions. Another benefit, and the most important one, is that a Honeypot detects attacks which are not caught by other security systems.

Figure 4: Production Honeypot

8.2 Research Honeypot:

A research Honeypot is used in a different scenario. A research Honeypot is used to learn about the tactics and techniques of the Blackhat community (in the community, a Blackhat is a skilled hacker who uses his or her ability to pursue his interest illegally). The Honeypot operator gains knowledge about the Blackhat's tools and tactics. When a system was compromised, the administrators usually find the tools used by the attacker but there is no information about how they were used. A Honeypot gives a real-life insight on how the attack happened.

Honeyd Research: Honeypots against spam:

Honeyd can be used effectively to battle spam. Since June 2003, Honeyd has been deployed to instrument several networks with spam traps. We observe how spammers detect open mail relays and so forth. The diagram in Figure 5 shows the overall architecture of the system. The networks are instrumented with open relays and open proxies. We intercept all spam email and analyze why we received it. A single Honeyd machine is capable of simultaneously instrumenting several C-class networks. It simulates machines running mail servers, proxies and web servers. Captured email is sent to a collaborative spam filter that allows other users to avoid reading known spam. Curiously, this setup has also been very successful in identifying hosts infected with worms. Our findings are going to be made available as a research paper in the near future.
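Section 7 lists firewall logs as the first and simplest data-capture level. The following added Python example (not from the paper; `parse_line`, `summarize` and the `SAMPLE_LOG` lines are this example's own) parses constructed, simplified iptables LOG-target lines from a Honeywall, separates packets arriving at the honeypot from packets the honeypot itself originates, and flags two things a production honeypot operator cares about: a source that probes many ports (the scanning that section 13.1 says precedes most random attacks) and any new outbound connection from the honeypot, which a machine with no legitimate users should never make.

```python
"""Summarize honeypot firewall logs: who probed what, and did the honeypot call out?"""
import re
from collections import defaultdict

# Constructed sample in a simplified iptables LOG syslog format (not from the paper).
# "[HONEYPOT-IN]" / "[HONEYPOT-OUT]" are assumed --log-prefix values; 192.0.2.10 is
# the honeypot, the other addresses are documentation ranges.
SAMPLE_LOG = """\
Jan 12 03:14:07 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=21 SYN
Jan 12 03:14:07 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=22 SYN
Jan 12 03:14:08 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=23 SYN
Jan 12 03:14:08 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51237 DPT=80 SYN
Jan 12 03:14:09 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51238 DPT=443 SYN
Jan 12 03:20:41 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40022 DPT=21 SYN
Jan 12 03:21:02 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=52 PROTO=TCP SPT=40022 DPT=21 ACK PSH
Jan 12 03:25:00 honeywall kernel: [HONEYPOT-OUT] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.23 LEN=60 PROTO=TCP SPT=33000 DPT=6667 SYN
Jan 12 03:25:01 honeywall kernel: [HONEYPOT-IN] IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=72 PROTO=UDP SPT=5353 DPT=161
Jan 12 03:30:00 honeywall sshd[1234]: Accepted publickey for admin from 10.0.0.5
"""

LOG_RE = re.compile(
    r"\[(?P<chain>HONEYPOT-(?:IN|OUT))\].*?SRC=(?P<src>\S+).*?DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a honeypot firewall log line, or None for anything else."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    ev["syn_only"] = line.rstrip().endswith(" SYN")   # a fresh connection attempt
    return ev


def summarize(log_text, scan_threshold=4):
    """Per-source inbound summary, list of port scanners, and outbound connections.

    A source touching `scan_threshold` or more distinct ports is treated as a
    scanner; any SYN leaving the honeypot is reported because the honeypot has
    no reason to initiate traffic on its own."""
    inbound = defaultdict(lambda: {"packets": 0, "ports": set()})
    outbound = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                      # not a honeypot firewall record
        if ev["chain"] == "HONEYPOT-IN":
            entry = inbound[ev["src"]]
            entry["packets"] += 1
            entry["ports"].add((ev["proto"], ev["dpt"]))
        elif ev["syn_only"]:
            outbound.append((ev["src"], ev["dst"], ev["proto"], ev["dpt"]))
    scanners = sorted(src for src, e in inbound.items() if len(e["ports"]) >= scan_threshold)
    return {"inbound": dict(inbound), "scanners": scanners, "outbound": outbound}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for src, e in report["inbound"].items():
        print(f"{src}: {e['packets']} packets, ports {sorted(e['ports'])}")
    print("scanners:", report["scanners"])
    print("outbound from honeypot:", report["outbound"])
```

Run against the sample, the scanner is the source that swept five ports in two seconds, the second source is a single interactive session on port 21, and the one outbound SYN to port 6667 is the kind of event the paper's Honeywall exists to block and the operator should treat as a likely compromise.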

Figure 5: Honeyd Spam Research

8.3 OTHERS:

There are other types also; they are:

a) Looking for trouble: Client honeypots:

Instead of passively waiting for an attack, client honeypots will actively search out malicious servers; typically this has centered on web servers that deliver client-side browser exploits, but is certainly not limited to such. Recently, client honeypots have expanded to investigate attacks on office applications. Examples of client honeypots are the MITRE HoneyClient, Shelia, Honeymonkey, and Capture-HPC. These client honeypots all work on the same principle. We start with a dedicated system, which is usually based on some virtualization technology so it can be automatically reset into a clean state after a successful infection. They interact with potentially malicious servers and monitor the system for unauthorized state changes that occur during or after the interaction with the server.

Capture-HPC is now in version 2.0 and allows the use of different clients, such as Firefox, RealPlayer, Microsoft Word, etc., as well as an option to collect pushed and log tcpdump captures of the interactions between client and webserver. Client honeypots need to interact with servers in order to determine whether they are malicious or not. With high-interaction client honeypots, this is quite expensive, and therefore selection of what servers to interact with can greatly increase the success rate of finding malicious servers on a network.
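The client-honeypot cycle just described (start clean, interact with a server, look for unauthorized state changes, reset) as an added Python example. It is not code from Capture-HPC or any other tool the paper names; `snapshot`, `diff_states`, `visit` and `demo` are this example's own names. The filesystem snapshot stands in for the richer process, registry and network monitoring a real client honeypot does, a callable stands in for driving a real browser or office client, and a temporary directory stands in for the virtual machine that is discarded after each visit.

```python
"""Client honeypot skeleton: snapshot, interact, snapshot again, diff."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under `root` (relative path, '/' separated) to its SHA-256."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            state[os.path.relpath(path, root).replace(os.sep, "/")] = digest
    return state


def diff_states(before, after):
    """Files that appeared, disappeared or changed between two snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "removed": removed, "modified": modified}


def visit(root, interaction):
    """One client-honeypot visit. `interaction(root)` plays the part of the
    client talking to a server; any state change it leaves behind is reported.
    Rendering a page should change nothing, so any change at all is a verdict."""
    before = snapshot(root)
    interaction(root)
    after = snapshot(root)
    report = diff_states(before, after)
    report["malicious"] = any(report[k] for k in ("added", "removed", "modified"))
    return report


def demo():
    """Two constructed visits on a throwaway 'guest': one benign, one that drops a file."""
    with tempfile.TemporaryDirectory() as root:          # the guest VM, reset at exit
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html>ok</html>\n")

        def benign(r):        # page rendered, nothing written to disk
            pass

        def dropper(r):       # constructed drive-by: edits hosts, writes an executable
            with open(os.path.join(r, "etc", "hosts"), "a") as f:
                f.write("198.51.100.5 update.example\n")
            with open(os.path.join(r, "payload.exe"), "wb") as f:
                f.write(b"MZ")

        return visit(root, benign), visit(root, dropper)


if __name__ == "__main__":
    benign_report, dropper_report = demo()
    print("benign :", benign_report)
    print("dropper:", dropper_report)
```

The verdict rule is deliberately blunt: a client honeypot assumes its own guest is quiescent, so it does not need signatures for the exploit, only a baseline to compare against. That is why the paper can say these tools catch attacks on clients "not limited to" browsers: the detection is of the side effect, not the delivery mechanism.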

Figure 6: Client Honeypot

b) Niche players: Application-specific honeypots:

These are application- or protocol-specific honeypots. These honeypots are designed to catch spam by masquerading as open email relays or open proxies. Jackpot is written in Java and pretends to be a misconfigured SMTP server which allows relaying. Instead, however, it presents a list of messages to the user, who can then pass the spammer's test message and hold the rest of the spam run. (Usually, spammers will attempt to deliver a test email to verify the host in question is actually an open relay.)

The protocol which has been given attention recently is HTTP, specifically web application honeypots. The Google Hack Honeypot is designed to provide reconnaissance against attackers that use search engines as a hacking tool against your resources.

Figure 7: Google Hack Honeypot

It provides various different modules, one of which looks like a misconfigured version of PHPShell. PHPShell allows an administrator to execute shell commands via a web interface, but access to it should be restricted using a password at the very least. In the Google Hack Database, there is a search which will match on unprotected PHPShell applications, and the GHH module attempts to reproduce this interface. GHH has a central web interface which allows the operator to monitor commands users are trying to execute.

Recently, a more sophisticated method of building web application honeypots was described in Michael Mueter's MSc thesis. This toolkit allows arbitrary PHP applications to be turned into high-interaction honeypots and has been tested with software such as PHPMyAdmin, PHP-Nuke and PHPBB.

9. SECURITY CATEGORIES:

To assess the value of honeypots, we break security into three categories:

9.1 Prevention:

A honeypot cannot prevent an unpredictable attack but can detect it. One case where they prevent the attacker is when he directly attacks the server. It will prevent an attack on a production system by making the hacker waste his time on a non-sufficient target.

9.2 Detection:

Detecting intrusions in networks is similar to the function of an alarm system for protecting facilities when unauthorized activity appears. A system might alert on suspicious or malicious activity, even if the data is valid. Due to the high network traffic on most networks, the chances of false alarms and non-detected attacks are higher, leaving it unscanned and benefiting the attacker.

9.3 Response:

Honeypots provide exact evidence of malicious activities and give the information of the attack to prevent any such in the future and to start the countermeasures.

10. MOST POPULAR HONEYPOTS:

The popular honeypots are:

10.1 Back Officer Friendly (BOF):

• It is a Low Involved Honeypot
• It emulates services like FTP, Telnet, HTTP.
• Records scans, probes etc.
• It also works on the Windows platform
• With BOF, this low-interaction honeypot is both easy to deploy and maintain

10.2 Specter:

• It is also an example of a Low Involved Honeypot
• Similar to BOF, it also emulates services like FTP, Telnet, HTTP etc.

• It works on different Operating Systems as well.

10.3 Honeyd:

• It is a Low Involved Honeypot.
• It emulates services like FTP, Telnet and HTTP etc.
• It emulates different Operating Systems as well.

10.4 Mantrap:

• It is a Highly Involved Honeypot
• It emulates services like FTP, Telnet and HTTP etc.
• It emulates different Operating Systems as well.
• It gives more in-depth knowledge on malicious attackers.

11. HONEYNETS:

A collection of honeypots is combined to create a single honeynet. Honeynets extend the concept of single Honeypots to a network of Honeypots. Deploying a Honeynet requires at least two devices: a Honeypot and the Honeywall. Here, the attacker is given a Honeypot with a real operating system. This means he can fully access and mangle it. Through that possibility an attacker could easily attack other systems or launch a denial-of-service attack. To reduce this risk a firewall is configured on the Honeywall, which limits the outbound connections. Access to the production network is completely restricted. The Honeywall also maintains an Intrusion Detection System which monitors and records every packet going to and from the Honeypot. Honeynets can be classified as high-interaction honeypots.

Figure 8: Honeynet setup

Figure 8 shows a network diagram of a Honeynet setup with four Honeypots. The Honeywall acts in bridge mode, which is the same function as performed by switches. This connects the Honeynet logically to the production network and allows the Honeynet to be of the same address

12. LEVEL OF INTERACTION:

To describe honeypots in greater detail it is necessary to explain the level of interaction with the attacker.

12.1 Low-interaction Honeypots:

Low-interaction Honeypots are used only for detection and serve as production Honeypots. This is a very secure solution which poses little risk to the environment where it is installed. Low-interaction honeypots have limited interaction; they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate an FTP login, or it may support a variety of additional FTP commands. The advantage of low-interaction honeypots is their simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug-and-play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity; the attacker never has access to an operating system to attack or harm others. The main disadvantage of low-interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, it's easier for an attacker to detect a low-interaction honeypot; no matter how good the emulation is, a skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.

Honeyd: Low Interaction Honeypot

Honeyd is a low-interaction honeypot. Developed by Niels Provos, Honeyd is open source and designed to run primarily on Unix systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Any time it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server monitoring TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, but it captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even learn what they are looking for or their identity. It all depends on the level of emulation by the honeypot.

Most emulated services work the same way. They expect a specific type of behavior, and then are programmed to react in a predetermined way. If attack A does this, then react this way. If attack B does this, then respond this way. The limitation is that if the attacker does something the emulation does not expect, then it does not know how to respond. Most low-interaction honeypots, including Honeyd, simply generate an error message. Some honeypots, such as Honeyd, can not only emulate services, but emulate actual operating systems. In other words, Honeyd can appear to the attacker to be a Cisco router, WinXP webserver, or Linux DNS server.

12.2 Medium-interaction Honeypots:

Medium-interaction Honeypots are further capable of emulating full services or specific vulnerabilities. Their primary purpose is detection and they are used as production Honeypots, but the chance of failure is higher.

12.3 High-interaction Honeypots:

They either emulate a full operating system or use a real installation of an operating system with additional monitoring, which involves a high risk factor also. High-interaction Honeypots are used primarily as research and production Honeypots. High-interaction honeypots are different; they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing. If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions. The second advantage is that high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior we would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol (specifically IP protocol 11, Network Voice Protocol). However, this also increases the risk of the honeypot, as attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.

Honeynets: High Interaction Honeypots

Honeynets are a prime example of a high-interaction honeypot. Honeynets are not a product; they are not a software solution that you install on a computer. Instead, Honeynets are an architecture, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the Honeynet controls the attacker's activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers.

13. TYPES OF ATTACKS:

There are a lot of attacks on networks, but there are only two main categories of attacks.

13.1 Random attacks:

Most attacks on the internet are performed by automated tools, often used by unskilled users who search for vulnerabilities or already installed backdoors. Most of these attacks are preceded by scans on the entire IP address range, which means that any device on the net is a possible target.

13.2 Direct attacks:

A direct attack occurs when a Blackhat wants to break into a system of choice. Here only one system is touched and often with unknown vulnerabilities. Direct attacks are performed by skilled hackers; it requires experienced knowledge. The tools used by experienced Blackhats are not common. Often the attacker uses a tool which is not published in the Blackhat community. This increases the threat of those attacks.

14. FIELD OF APPLICATION OF HONEYPOTS:

This section investigates different environments and explains their individual attributes. Five scenarios have been developed to separate the demands on Honeypots.

14.1 Unprotected Environment:

The use of a Honeypot poses risk and needs exact planning ahead to avoid damage. Therefore it is necessary to consider what environment will be the basis for installation. According to the setup, the results are quite different and need to be analyzed separately.

In an unprotected environment any IP address on the internet is able to initiate connections to any port on the Honeywall. The Honeypot is accessible from the entire internet. An adequate setup needs to ensure that the monitoring and logging capabilities are sufficient for handling large numbers of packets.

Figure 9: Unprotected Environment

14.2 Protected Environment:

In this scenario the Honeypot is connected to the internet by a firewall. The firewall limits the access to the Honeypot. Not every port is accessible from the internet and not every IP address on the internet is able to initiate connections to the Honeypot. This scenario does not state the degree of connectivity except some limitations. However, those limitations can be either strict, allowing almost no connection, or loose, only denying a few connections.
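The two control points the paper keeps returning to, the Honeywall firewall of section 11 that lets everything in but limits outbound connections and blocks the production network, and the front firewall of section 14.2 that exposes only some ports to some sources, can be written down as one policy and exercised against a sequence of constructed connection events. The following added Python example does that; it is not code from the Honeynet Project's Honeywall or any product, `HoneywallPolicy` and its parameters are this example's own names, and the connection limit and time window are assumed values, not figures from the paper.

```python
"""Evaluate honeypot traffic against a Honeywall-style data-control policy."""
import ipaddress
from collections import defaultdict, deque


class HoneywallPolicy:
    """Inbound toward a honeypot is allowed (it is suspect by definition), subject
    to the optional port/source restrictions of a protected environment.
    Outbound from a honeypot is never allowed into the production network and is
    rate-limited everywhere else, so a compromised honeypot cannot be used as a
    launch point. Every decision is appended to `log`."""

    def __init__(self, honeypots, production_nets, allowed_in_ports=None,
                 allowed_in_sources=None, max_outbound=3, window=3600):
        self.honeypots = {ipaddress.ip_address(h) for h in honeypots}
        self.production = [ipaddress.ip_network(n) for n in production_nets]
        # None means "unprotected environment": every port, every source.
        self.allowed_in_ports = set(allowed_in_ports) if allowed_in_ports else None
        self.allowed_in_sources = ([ipaddress.ip_network(n) for n in allowed_in_sources]
                                   if allowed_in_sources else None)
        self.max_outbound = max_outbound      # assumed limit per honeypot per window
        self.window = window                  # seconds
        self._out = defaultdict(deque)        # honeypot -> timestamps of allowed outbound
        self.log = []

    @staticmethod
    def _in_any(ip, nets):
        return any(ip in n for n in nets)

    def evaluate(self, ts, src, dst, dport):
        """Return (verdict, reason) for a new connection attempt at time `ts`."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if dst in self.honeypots:                                   # inbound
            if self.allowed_in_ports is not None and dport not in self.allowed_in_ports:
                verdict = ("DROP", "port not exposed")
            elif (self.allowed_in_sources is not None
                  and not self._in_any(src, self.allowed_in_sources)):
                verdict = ("DROP", "source not permitted")
            else:
                verdict = ("ALLOW", "inbound to honeypot; suspect by definition")
        elif src in self.honeypots:                                 # outbound
            if self._in_any(dst, self.production):
                verdict = ("DROP", "production network")
            else:
                q = self._out[src]
                while q and ts - q[0] >= self.window:               # expire old entries
                    q.popleft()
                if len(q) >= self.max_outbound:
                    verdict = ("DROP", "outbound limit reached")
                else:
                    q.append(ts)
                    verdict = ("ALLOW", "outbound within limit")
        else:
            verdict = ("DROP", "not honeypot traffic")
        self.log.append((ts, str(src), str(dst), dport) + verdict)
        return verdict


if __name__ == "__main__":
    # Constructed events: 192.0.2.10 is the honeypot, 10.0.0.0/8 is production.
    wall = HoneywallPolicy(["192.0.2.10"], ["10.0.0.0/8"], allowed_in_ports={21, 80})
    events = [(0, "203.0.113.7", "192.0.2.10", 21), (1, "203.0.113.7", "192.0.2.10", 22),
              (10, "192.0.2.10", "10.0.0.5", 445)]
    events += [(20 + 10 * i, "192.0.2.10", "198.51.100.1", 6667) for i in range(4)]
    for ev in events:
        print(ev, "->", wall.evaluate(*ev))
```

Two details matter for the paper's risk discussion in section 14.4. The outbound counter only advances on allowed connections, so an attacker cannot drain the budget with attempts that were dropped anyway, and the production check comes before the counter, so no number of "spare" connections ever reaches the production network.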

Figure 10: Protected Environment

14.3 Public and Private Addresses:

This scenario focuses on the IP address of the honeypot. If the honeypot is assigned a public address, applications on the honeypot can communicate directly with the internet, since they know the public address.

In contrast to public addresses, private addresses cannot be reached from the internet: packets carrying private addresses are discarded by internet gateway routers. To connect to a private address, a host must either be located within the same address range or be provided with a gateway that has a route to the target network. For interconnecting private and public networks an intermediate device (a NAT gateway) is used. It hides the addresses of the internal network behind a single public IP.

14.4 Risk Assessment:

A honeypot allows external addresses to establish a connection, which means that packets from the outside are answered. Without the honeypot there would be no such response. A honeypot therefore increases traffic on purpose, especially traffic that is suspected to be malicious.

Security mechanisms need to make sure that this traffic does not affect the production systems. Moreover, the amount of traffic needs to be controlled.

As hacking techniques evolve, an experienced blackhat could launch a new kind of attack that is not recognized automatically. It could be possible to bypass the controlling functions of the honeypot and misuse it, which may become a severe threat. A honeypot operator needs to be aware of this risk and therefore check on the honeypot on a regular basis.

14.5 Honeypot-Out-Of-The-Box:

A honeypot-out-of-the-box is a ready-to-use solution, which could also be thought of as a commercial product. It has to cover a wide range of eventualities. To be sufficient, a complete product needs to provide security, concealment from the attacker, good analyzability, easy access to the captured data and automatic alerting functions.

15. USES OF HONEYPOTS:

Honeypots have several applications in the world of network security. They serve as network decoys that divert attacks from an organization's real network by appearing to be easy targets holding information of high value. By tracking all activity on a honeypot, viruses and worms can easily be detected.

In addition, honeypots can be used to combat spam. Spammers are constantly searching for sites with vulnerable open relays through which they can forward spam to other networks. Honeypots can be set up as open proxies or relays that let spammers use them, which in turn allows the spammers to be identified.

16. ADVANTAGES OF HONEYPOTS:

Honeypots are a tremendously simple concept, which gives them some very powerful strengths.

• Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they may log only one MB of data a day. Instead of generating 10,000 alerts a day, they may generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it comes only from the bad guys. This makes it much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.

• New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.

• Minimal resources: Honeypots require minimal resources, since they only capture bad activity. This means an old Pentium computer with 128 MB of RAM can easily handle an entire class B network sitting off an OC-12 link.

• Encryption or IPv6: Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.

• Information: Honeypots can collect in-depth information that few, if any, other technologies can match.

• Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

17. DISADVANTAGES OF HONEYPOTS:

Like any technology, honeypots also have their weaknesses. Because of this they do not replace any current technology, but work alongside existing technologies.

• Limited view: Honeypots can only track and capture activity that directly interacts with them. They will not capture attacks against other systems unless the attacker or threat interacts with the honeypot as well.

• Risk: All security technologies have risk. Firewalls risk being penetrated, encryption risks being broken, and IDS sensors risk failing to detect attacks. Honeypots are no different; they have risk too. Specifically, a honeypot risks being taken over by the bad guy and used to harm other systems. This risk varies between honeypots: depending on its type, a honeypot can have no more risk than an IDS sensor, while some honeypots carry a great deal of risk.

18. LEGAL ISSUES CONCERNING HONEYPOTS:

Security professionals have concluded that there are three main legal issues that may affect the owners of honeypots, namely entrapment, privacy, and liability. There is no definitive legislation or litigation setting clear boundaries on what a honeypot can and cannot be used for. However, it can be stated that owners of honeypots will be safe as long as the honeypots are used to directly secure the network. It is hard to argue against someone protecting their own network from unwanted use and abuse.

18.1 Entrapment:

Entrapment can be claimed by a defendant who would not have broken the law had he not been tricked into doing so by law enforcement officials. In other words, entrapment is a defense against criminal prosecution. An example would be a police officer asking us whether we wished to buy illegal drugs from him. Honeypots do not coerce people into using them the way the police officer does with the drugs. Honeypots are much like homes: if someone wishes to break in, they have to do all the work. They have to open the door, they have to look around the house, and they have to steal the items. While honeypots do not necessarily fall into the entrapment category, they do raise many privacy concerns.

18.2 Privacy:

The Federal Wiretap Act makes it illegal to gather data on an individual in real time without their knowledge, e.g. with hidden cameras in hotel rooms. When determining whether a honeypot breaks any privacy rules, several different pieces of information are considered, including how the honeypot is being used, who is using it, and how much information is being collected.

In general, there are two types of information to track, operational data and transactional data. Operational data includes such things as the address of the user, header information, etc., while transactional data includes information such as keystrokes, pages visited, information downloaded, chat records, emails, etc. Most operational data is safe to track without the threat of privacy concerns, as several systems already track this information, such as IDS systems, routers, and firewalls. The major concern is the transactional data. The obvious comparison is to the phone company. The phone company has every right to privately track what phone calls you make and for how long; however, it would be illegal for them, without a federal warrant, to listen to or tape your phone conversation. The more content a honeypot tracks, the more privacy concerns are generated. One solution to this problem is a banner, as shown in Figure 11.

Figure 11

Companies throughout the world install welcome banners on their websites and services, to be viewed by all users prior to using the service. The major disadvantage of a banner is that it is difficult to know where to display it.

Given all the advantages of deploying a honeypot, there is a large amount of liability and risk assumed by the owner. Most attackers and malicious coders do not attack other machines from their personal computers. Instead, they find remote vulnerable machines, gain control of them, and then attack their original, stronger target through these intermediary machines. Since honeypots are obviously vulnerable targets, there is an enormous risk of a company's honeypot being used to attack a larger target.

18.3 Liability:

The question then becomes: is the owner of the honeypot liable for any damage done by that honeypot? The current answer is that we do not know. No court case has been presented yet, but this is likely to happen in the near future.

19. HONEYTOKENS:

A honeytoken is a data entity whose value lies in the use of that data. Similar in concept to a honeypot, where any use of the honeypot itself is subject to scrutiny, honeytokens are entities such as false medical records, incorrect credit card numbers and invalid social security numbers. The very act of accessing these records, even by legitimate entities, is suspect. We believe that this concept is especially useful in preventing large classes of attacks.

Top 6 Honeytokens

Simple tripwires that alert the operator to an attacker are:

1. Don't hand session credentials to automated clients: Whenever a browser identifies itself as "wget" or as a search engine, don't bother setting a session cookie for it. Such clients shouldn't log in. Yes, it is easy to fake the user agent.

2. Add fake admin pages to robots.txt: Add a fake admin page as "Disallowed" to your robots.txt file. We all know, of course, that robots.txt should not be used as a security tool. But many websites still use it that way, and as a result attackers use it as a road map to attack a site. Whenever someone hits your fake "admin" page, you know they are up to no good.

3. Add fake cookies: Add a fake "admin" cookie and set it to "FALSE" or "No". This is a classic mistake attackers are looking for. But you are of course not using this cookie to assign admin privileges. Instead, you detect an attack whenever the cookie's value changes.

4. Add "spider loops": Little redirect loops that send spiders around in a loop. Be nice, and add "NOFOLLOW" tags so as not to annoy legitimate search engines too much. See if anybody falls for it. It is kind of like a La Brea tarpit for web application vulnerability scanners.

5. Add fake hidden passwords as HTML comments: On your login page, add a comment like … Wait for someone to use it.

6. "Hidden" form fields: This is different from a form field of type hidden. Instead, add a regular form field but set its style to "display: none". That way, the form field will not be visible in normal browsers, but vulnerability scanners will happily fill it in. Note that this can be a problem for "audio browsers" used by the blind. You may want to pre-fill the field with something like "do not change this field".

20. THE FUTURE:

Project Honeypot software is now being used to find spammers. The website lures the spammers in; once the site detects them, it generates a fake email address for them to take. Once the email address has been grabbed, it disappears from the site, so no valid mail ever arrives at it, only mail from the spammer. After all of this, investigators can start building evidence against the spammer. The people of Project Honeypot are prepared for spammers to become able to detect the fake email addresses, but Project Honeypot is ready with countermeasures of its own.

A spammer was found guilty in Virginia State Court. He was found guilty of sending 10 using pornography, work-at-home schemes, and stock-picking software to make a nice $750,000 a month. He is on $1 million bail, he is forbidden to use the internet, and he is waiting for his sentence. The jury is looking at giving him nine years in jail. This judgment is just the beginning of catching spammers and hackers.

Using honeypot software on your own is possible but also dangerous. There is free software out there that you can put on your home computer, but people need to be careful using it. Skilled hackers can find such software within a matter of hours after it is installed, and they can cause an assortment of problems. People who choose to use this software should be prepared for what could happen.

A large amount of data about attackers and their methods has been gathered through the use of honeypots of various sorts over many years, and we expect this trend to continue. Honeypots are now used increasingly in mainstream applications, and ever-increasing arrays of tools are available to the amateur and the professional. In particular, we expect to see significant developments in the field of client honeypots this year, as Internet Explorer flaws continue to be among the most critical Windows vulnerabilities according to the current SANS Top 20, and IPv6 is slowly but inevitably being adopted. Similarly, web applications are the most critical of the cross-platform vulnerabilities in the same list. We may also see newer kinds of honeypot, such as VoIP and SCADA honeypots, start to become widespread (although a few groups are already deploying these) as abuse of these protocols becomes more important to the community.

As honeypots gain importance for detecting and analyzing attacks, it is expected that attackers will develop techniques to identify and avoid honeypots. The MPack web exploitation framework is already going down this route. As these techniques become more prevalent, honeynet technology is likely to respond by making such detection more difficult. Distributed honeynets, and honeynet implementations that are not based on virtualization technology (which is another vector for detecting honeypots), are likely to gain importance. The arms race between attackers and security researchers continues, but at this point in time honeypots still provide us with invaluable data about the attackers and attacks of the real world.
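The tripwires of section 19 and the per-visitor spamtrap address of section 20, as an added example written for this article; it is not Project Honeypot's software nor code from any product. It implements five of the six honeytokens (no session cookie for automated clients, a decoy admin path advertised in robots.txt, a decoy "admin" cookie whose value must never change, a decoy password that exists only in an HTML comment, and a display:none form field that scanners fill in; the spider loop needs server-side routing and is left out) and mints a unique, unguessable e-mail address for each visit so that mail arriving at that address identifies who harvested it. The decoy path, cookie, field and password values, the user-agent list and the HMAC key are assumptions made for the example.

```python
"""Honeytoken tripwires for a web site and a per-visitor spamtrap address.

Illustrative code written for this article; not Project Honeypot's software
nor code from any product. Decoy values and the key are assumptions.
"""
import hashlib
import hmac

DECOY_ADMIN_PATH = "/admin-old/"              # assumed; listed as Disallow in robots.txt
DECOY_COOKIE = ("admin", "FALSE")             # assumed name and expected value
DECOY_PASSWORD = "backup-Pa55-2007"           # assumed; appears only in an HTML comment
TRAP_FIELD = ("website_url", "do not change this field")  # assumed display:none field
AUTOMATED_AGENTS = ("wget", "curl", "googlebot", "bingbot", "python-requests")
SECRET = b"assumed-server-side-key"           # assumed key for minting trap addresses


def robots_txt():
    """Advertise the decoy path as Disallowed; attackers read robots.txt as a map."""
    return f"User-agent: *\nDisallow: {DECOY_ADMIN_PATH}\n"


def issue_session_cookie(user_agent):
    """Tripwire 1: automated clients never receive session credentials."""
    ua = user_agent.lower()
    return not any(bot in ua for bot in AUTOMATED_AGENTS)


def check_request(req):
    """Tripwires 2, 3, 5 and 6 over one parsed request; returns the alerts raised."""
    alerts = []
    if req["path"].startswith(DECOY_ADMIN_PATH):
        alerts.append("decoy admin path from robots.txt requested")
    name, expected = DECOY_COOKIE
    cookies = req.get("cookies", {})
    if name in cookies and cookies[name] != expected:
        # the cookie grants nothing; only a tampering attacker changes it
        alerts.append(f"decoy cookie {name!r} changed to {cookies[name]!r}")
    form = req.get("form", {})
    if form.get("password") == DECOY_PASSWORD:
        alerts.append("password from HTML comment used")
    field, prefill = TRAP_FIELD
    if field in form and form[field] != prefill:
        alerts.append("invisible form field altered by a scanner")
    return alerts


def spamtrap_address(visitor_ip, visit_id, registry):
    """Mint an unguessable decoy address for one visit and record who saw it."""
    tag = hmac.new(SECRET, f"{visitor_ip}|{visit_id}".encode(), hashlib.sha256).hexdigest()[:12]
    address = f"contact-{tag}@example.com"
    registry[address] = (visitor_ip, visit_id)
    return address


def identify_harvester(recipient, registry):
    """Mail to a trap address proves it was harvested; return the visit it was shown to."""
    return registry.get(recipient.lower())


def demo():
    """Constructed traffic: a normal visitor, a scanner, a wget crawler, then spam."""
    registry = {}
    normal = {"path": "/", "cookies": {"admin": "FALSE"}, "form": {},
              "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0"}
    scanner = {"path": "/login", "cookies": {"admin": "TRUE"},
               "form": {"username": "admin", "password": DECOY_PASSWORD,
                        "website_url": "http://spam.example/"},
               "ua": "Mozilla/5.0"}
    crawler = {"path": "/admin-old/login.php", "cookies": {}, "form": {}, "ua": "Wget/1.10"}
    trap = spamtrap_address("203.0.113.5", "visit-42", registry)
    return {
        "normal_alerts": check_request(normal),
        "scanner_alerts": check_request(scanner),
        "crawler_alerts": check_request(crawler),
        "session_for_wget": issue_session_cookie(crawler["ua"]),
        "session_for_browser": issue_session_cookie(normal["ua"]),
        "harvester": identify_harvester(trap.upper(), registry),   # case-insensitive match
        "unknown_recipient": identify_harvester("info@example.com", registry),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:20} {value}")
```

None of these tokens protect anything by themselves; their value is that a legitimate user has no reason to touch them, so every hit is a high-confidence alert with almost no noise, which is the same property that makes honeypot data small and valuable.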

21. RECOMMENDATIONS:

There are a few improvements that should be made to the use of such devices:

1) Before downloading or purchasing honeypot software, one should be better informed on the subject. Perhaps preliminary tests should be required or informative sessions should be mandatory. This would avoid the issue of "under the radar" entrapment, meaning ordinary citizens, who cannot be accused of entrapment, unknowingly entrapping people.

2) Honeypots themselves have vast room for improvement, and we believe that time spent in the lab improving them would be beneficial as well. Although one hundred per cent error-free operation is nearly impossible, a little fine tuning to make them less error-prone could do these devices a great deal of good.

3) Expansion will eventually be another option in the honeypot arena. Right now honeypots are only available on regular computers, but down the road we would like to see them available in other places such as cash registers. There is a huge window of opportunity for thieves to get a lot of money by incorrectly balancing registers and pocketing the money. This especially happens in the business executive world.

These efforts should not prove too demanding as far as time or money are concerned, and we feel they would be rather popular in the world of computers as a whole. If these issues were brought to people's attention, we feel the time could be found and the money could be raised to make a change.

22. CONCLUSION:

In this paper we looked at various aspects of honeypots. A honeypot is just a tool; how we use that tool is up to us. There are a variety of honeypot options, each having different value to organizations. We have discussed the value of honeypots and how they reduce attacks. We have categorized two types of honeypots, production and research. Production honeypots help reduce risk in an organization: while they do little for prevention, they can greatly contribute to detection or reaction. Research honeypots are different in that they are not used to protect a specific organization; instead they are used as a research tool to study and identify the threats in the Internet community. Regardless of what type of honeypot we use, keep in mind the 'level of interaction': the more the honeypot can do and the more we can learn from it, the more risk potentially exists. We will have to determine the best relationship of risk to capabilities for us. Honeypots will not solve an organization's security problems; only best practices can do that. However, honeypots may be a tool that helps contribute to those best practices. Although honeypots have legal issues now, they do provide beneficial information regarding the security of a network. We think it is important that new legal policies be formulated to foster and support research in this area. With the different types of honeypots, such as BOF, Honeyd, Specter etc., we can solve the current challenges and make it possible to use honeypots for the benefit of the broader Internet community.

