(NETWORK SECURITY AND CRYPTOGRAPHY)

Abstract
For every consumer and business that is on
the Internet, viruses, worms and crackers are a few
security threats. There are the obvious tools that aid
information security professionals against these

1
problems such as anti-virus software, firewalls and WHAT IS A HONEYPOT?
intrusion detection systems, but these systems can
only react to or prevent attacks-they cannot give us A honeypot is primarily an instrument for information
information about the attacker, the tools used or even gathering and learning. A honeypot is an information
the methods employed. Given all of these security system resource whose value lies in the unauthorized zed
questions, honeypots are a novel approach to network or illicit use of that resource. More generally a honeypot
security and security research alike. is a trap set to deflect or detect attempts at unauthorized
use of information systems. Essentially; honeypots are
A honeypot is used in the area of computer resources that allow anyone or anything to access it and
and Internet security. It is a resource, which is
intended to be attacked and compromised to gain
more information about the attacker and the used
tools. It can also be deployed to attract and divert an
attacker from their real targets. One goal of this
paper is to show the possibilities of honeypots and
their use in a research as well as productive
environment.
Compared to an intrusion detection system,
honeypots have the big advantage that they do not
generate false alerts as each observed traffic is
suspicious, because no productive components are
running on the system. This fact enables the system to
log every byte that flows through the network to and
from the honeypot, and to correlate this data with
other sources to draw a picture of an attack and the
attacker. al production value. More often than not, a honeypot is
more importantly, honeypots do not have any resimply
This paper will first give an introduction to an unprotected, unpatched, unused workstation on a
honeypots-the types and uses. We will then look at the network being closely watched by administrators.
nuts and bolts of honeypots and how to put them
together. With a more advanced idea of how Its primary purpose is not to be an ambush for the
honeypots work, we will then look at the possible legal blackhat community to catch them in action and to press
ramifications for those who deploy them. Finally we charges against them. The focus lies on a silent
shall conclude by looking at what the future holds for collection of as much information as possible about their
the honeypots and honeynets. attack patterns, used programs, purpose of attack and the
blackhat community itself. All this information is used to
learn more about the blackhat proceedings and motives,
1. INTRODUCTION as well as their technical knowledge and abilities. This is
just a primary purpose of a honeypot. There are a lot
Global communication is getting more important every other possibilities for a honeypot - divert hackers from
day. At the same time, computer crimes are increasing. productive systems or catch a hacker while conducting
an attack are just two possible examples.
Countermeasures are developed to detect or prevent
attacks - most of these measures are based on known
facts, known attack patterns. As in the military, it is
important to know, who your enemy is, what kind of
strategy he uses, what tools he utilizes and what he is
aiming for. Gathering this kind of information is not easy WHAT IS A HONEYNET?
but important. By knowing attack strategies,
countermeasures can be improved and vulnerabilities can Two or more honeypots on a network form a honeynet.
be fixed. To gather as much information as possible is Typically, a honeynet is used for monitoring and/or more
one main goal of a honeypot. diverse network in which one honeypot may not be
sufficient. Honeynets (and honeypots) are usually
Generally, such information gathering should be implemented as parts of larger network intrusion-
done silently, without alarming an attacker. All the detection systems. Honeynet is a network of production
gathered information leads to an advantage on the systems. Honeynets represent the extreme of research
defending side and can therefore be used on productive honeypots. Their primary value lies in research, gaining
systems to prevent attacks. information on threats that exist in the Internet
community today.

2
The two main reasons why honeypots are deployed We will break honeypots into
are: two broad categories, as defined by Snort ,two types
of honeypots are:
1. To learn how intruders probe and attempt to gain
• Production honeypots
access to your systems and gain insight into attack
methodologies to better protect real production systems. • Research honeypots
2. To gather forensic information required to aid in the The purpose of a production honeypot is to help
apprehension or prosecution of intruders. mitigate risk in an organization. The honeypot adds
value to the security measures of an organization. Think
of them as 'law enforcement', their job is to detect and
TYPES OF HONEYPOTS: deal with bad guys. Traditionally, commercial
Honeypots came in two flavors: organizations use production honeypots to help protect
their networks. The second category, research, is
• Low-interaction honeypots designed to gain information on the blackhat
community. These honeypots do not add direct value to
• High-interaction. a specific organization. Instead they are used to research
the threats organizations face, and how to better protect
Interaction measures the amount of activity that an against those threats.
intruder may have with honeypot.In addition, honeypots
can be used to combat spam.
HONEYPOT ARCHITECTURE:

Spammers are constantly searching for sites with

vulnerable open relays to forward spam on the other 1. Structure of a LOW-INTERACTION HONEYPOT
networks. Honeypots can be set up as open proxies or (GEN-I):-
A typical low-interaction honeypot is also known as
GEN-I honeypot. This is a simple system which is very
effective against automated attacks or beginner level
attacks.

Honeyd is one such GEN-I honeypot which emulates

services and their responses for typical network
functions from a single machine, while at the same time
making the intruder believe that there are numerous
different operating systems .It also allows the simulation
of virtual network topologies using a routing mechanism
that mimics various network parameters such as delay,
latency and ICMP error messages.

relays to
allow spammers to use their sites .This in turn allows for
identification of spammers.

3
 A typical high-interaction honeypot consists of the
following elements: resource of interest, data control,

data capture and external logs

The primary architecture consists of a routing

mechanism, a personality engine, a packet dispatcher
and the service simulators. The most important of these
is the personality engine, which gives services a different
‘avatar’ for every operating system that they emulate.

(“known
your enemy:
Learning
with Vmware,
DRAWBACKS:
Honeynet project”); these are also known as GEN-II
1. This architecture provides a restricted framework honeypots and started development in 2002.They
within which emulation is carried out. Due to the limited provide better data capture and control mechanisms.
number of services and functionality that it emulates, it This makes them more complex to deploy and maintain
is very easy to fingerprint. in comparison to low-interaction honeypots.

2. A flawed implementation (a behavior not shown by a High interaction honeypots are very useful in their
real service) can also render ability to identify vulnerable services and applications
itself to alerting the attacker. for a
particular
3. It has constrained applications in research, since every target
service which is to be studied will have to be re-built operating
for the honeypot. system.
Since the
honeypots
2. Structure of a HIGH INTERACTION have full
HONEYPOT (GEN-II):- fledged
operating
systems,

4
attackers attempt various attacks providing connections. This firewall would typically be configured
administrators with very detailed information on in Layer 2 bridging mode, rendering it transparent to the
attackers and their methodologies. This is essential for attacker.
researchers to identify new and unknown attack, by
studying patterns generated by these honeypots
DRAWBACKS: The final step is data capture, for which tools such as
Sebek and Term Log can be used. Once data has been
However, GEN-II honeypots do have their drawbacks as captured, analysis on the data can be performed using
well. tools such as Honey Inspector, PrivMsg and SleuthKit.
1. To simulate an entire network, with routers and Honeypot technology under development will eventually
gateways, would require an extensive computing allow for a large scale honeypot deployment that
infrastructure, since each virtual element would have to redirects suspected attack traffic to honeypot. In the
be installed in it entirely. In addition this setup is figure an external attacker: 1.penetrates DMZ and scans
comprehensive: the attacker can know that the network the network IP address 2.the redirection appliance
he is on is not the real one. This is one primary drawback 3.monitors all unused addresses, and uses Layer 2 VPN
of GEN-II. technology to enable firewall 4.to redirect the intruder to
honeypot 5.which may have honeypot computers
2. The number of honeypots in the network is limited. mirroring all types of real network devices. 6. Scanning
the network for vulnerable systems is redirected 7. By
3. The risk associated with GEN-II honeypots is higher the honeypot appliance when he probes unused IP
because they can be used easily as launch pads for addresses
attacks.

COMPARISON: RESEARCH USING HONEYPOTS:

Honeypots are also used for research purposes to gain

extensive information on threats, information few other
technologies are capable of gathering. One of the
FEATURE GEN-I GEN-II greatest problems security professionals face is lack of
information or intelligence on cyber threats. How can
Large Small your organization defend itself against an enemy when
Number of
virtual you do not know who the enemy is? Research honeypots
systems/ address this problem by collecting information on
services that threats. Organizations can then use this information for a
can be variety of purposes including analyzing trends,
deployed identifying new methods or tools, identifying the
attackers and their communities, ensuring early warning
Limited Extensive
Data Control and prediction or understanding attackers motivation.
Low High
Level of
Interaction
ADVANTAGES OF HONEYPOTS:
Low High
Ability to
discover new
attacks
1. They collect small amounts of information that have
Low High great value. This captured information provides an in-
Risk
depth look at attacks that very few other technologies
BUILDING A HONEYPOT: offer.

To build a honeypot, a set of Virtual Machines are 2. Honeypots are designed to capture any activity and
created. They are then setup on a private network with can work in encrypted networks.
the host operating system. To facilitate data control, a
stateful firewall such as IP Tables can be used to log 3. They can lure the intruders very easily.

5
4. Honeypots are relatively simple to create and 3. LIABILITY:
maintain.
Is the owner of the honeypot liable for any damage done
by that honeypot? They will be safe as long as honeypots
are used for directly securing the network.
DISADVANTAGES OF HONEYPOTS:
SOME COMMERCIAL HONEYPOTS AND
1. Honeypots add complexity to the network. Increased HELPFUL SOFTWARE:
complexity may lead to increased exposure to
exploitation.

2. There is also a level of risk to consider, since a 1. CYBERCOP STING BY NETWORK

honeypot may be comprised and used as a platform to ASSOCIATES:
attack another network. However this risk can be
mitigated by controlling the level of interaction that This product is designed to run on Windows NT and is
attackers have with the honeypot. able to emulate several different systems including
LINUX, SOLARIS, CISCO IOS and NT. It is made to
3. It is an expensive resource for some corporations. appeal to hackers for looking as if it has several well-
Since building honeypots requires that you have at least known vulnerabilities.
a whole system dedicated to it and this may be
expensive.

LEGAL ISSUES PERTAINING HONEYPOTS: 2. BACK OFFICER FRIENDLY BY NFR:

Most of the research found in this area concluded that This product is designed to emulate a Back Orifice
there are three major legal spectrums concerning server. BOF (as it is commonly called) is a very simple
honeypots: but highly useful honeypot developed by Marcus Ranum
and crew at NFR. It is an excellent example of a low
• Entrapment, interaction honeypot. . It is a great way to introduce a
beginner to the concepts and value of honeypots. BOF is
• Liability a program that runs on most Windows based operating
system. All it can do is emulate some basic services,
• Privacy. such as http, ftp, telnet, mail, or BackOrrifice.
1. ENTRAPMENT:

Entrapment is when somebody induces the criminal to 3. TRIPWIRE BY TRIPWIRE:

do something he was not otherwise supposed to
do.Honeypots should generally be used as defensive This product is for use on NT and UNIX machines and is
detection tools, not an offensive approach to luring designed to compare binaries, and inform the server
intruders. operator, which has been altered. This helps to protect
machines from would be hackers and is an excellent way
to determine if a system has been compromised.
2. PRIVACY:

The second major concern is what information is being 4. SPECTER:

tracked: operational data and transactional data.
Operational data includes things like addresses of user, Specter is a commercial product and low interaction
header information etc while transactional data includes production honeypot. It is similar to BOF, but it can
key strokes, pages visited, information downloaded, chat emulate a far greater range of services and a wide variety
records, e-mails etc. Operational data is safe to track of operating systems. Similar to BOF, it is easy to
without threats of security concern because IDS system implement and low risk. Specter works by installing on a
routers and firewalls already track it. The major concern Windows system. The risk is reduced as there is no real
is transactional data. The more contents a honeypot operating system for the attacker to interact with.
tracks, more privacy concerns get generated. Specters value lies in detection. It can quickly and easily

6
determine who is looking for what. As a honeypot, it concept is especially useful in preventing larger classes
reduces both of attacks.

false positives and false negatives, simplifying the

detection process, supporting a variety of alerting and
logging mechanisms. One of the unique features of FUTURE WORK:
Specter is that it also allows for information gathering,
or the automated ability to gather more information Honeypots are a new field in the sector of network
about the attacker security. Currently there is a lot of ongoing research and
discussions all around the world. Several companies
5. MANTRAP: have already launched commercial products. A
comparison of available products showed that there are
some usable low- to high-involvement honeypots on the
Mantrap is a commercial honeypot. Instead of emulating market. In the sector of research honeypots, self-made
services, Mantrap creates up to four sub-systems, often solutions have to be developed as only these solutions
called 'jails'. These 'jails' are logically discrete operating can provide a certain amount of freedom and flexibility
systems separated from a master operating system. which is needed to cover a wide range of possible attacks
Security administrators can modify these jails just as and attackers. Each research honeypot normally has its
they normally would with any operating system, to own goals or different emphasis on the subject.
include installing applications of their choice, such as an Developing a self-made solution needs a good technical
Oracle database or Apache web server, thus making the understanding as well as a time intensive development
honeypot far more flexible. The attacker has a full phase.
operating system to interact with, and a variety of
applications to attack. All of this activity is then There is an inherent scope for the research
captured and recorded. Currently, Mantrap only exists on community to be misled by script kiddies, while
Solaris operating system. sophisticated attackers plan more devastating attacks on
computer systems across the globe. Although
fingerprinting a honeypot is easier said than done, most
attackers worth their salt would stay away from any
RELATED WORK: computer system that they deem to be monitoring their
activities. Thus in reality, for honeypots to be truly
Much work has been performed using the concept of effective, they require to be residing very close to a
honeypots i.e., an illicit resource to which any and all legitimate resource, probably even on the same network.
traffic or access is deemed to be suspect.
This would definitely serve as a precursor to any attacks
on the production system making honeypots a true
window to the future.
1. TARPITS:

One of the easiest ways to identify vulnerable systems is

by using a tool called a scanner or a spider .This brute CONCLUSION:
forces attacks on a whole range of IP addresses,
attempting to find vulnerable hosts. This is where a tarpit Honeypots are positioned to become a key tool to defend
comes handy. A tarpit blocks a scanner by responding to the corporate enterprise from hacker attacks it’s a way to
its first TCP setup message, but ignoring the rest .This spy on your enemy; it might even be a form of
simple approach causes the scanner to allocate buffers, camouflage. Hackers could be fooled into thinking
start timers and retry, since it believes it has found a they've accessed a corporate network, when actually
valid host .This process repeats until the scanner they're just banging around in a honeypot -- while the
exhausts its memory and CPU resources and crashes or real network remains safe and sound.
slows down to an almost unproductive speed.

2. HONEY TOKENS:
Honeypots have gained a significant place in the overall
It is a data entity whose value lies in the inherent use of intrusion protection strategy of the enterprise. Security
data. Honey tokens are entities such as false medical experts do not recommend that these systems replace
records, incorrect credit card numbers and invalid social existing intrusion detection security technologies; they
security numbers. The very act of accessing these see honeypots as complementary technology to network-
numbers, even by legitimate entities is suspect. This and host-based intrusion protection.

7
The advantages that honeypots bring to intrusion
protection strategies are hard to ignore. In time, as
security managers understand the benefits, honeypots
will become an essential ingredient in an enterprise-level
security operation.

We do believe that although honeypots have legal issues

now, they do provide beneficial information regarding
the security of a network .It is important that new legal
policies be formulated to foster and support research in
this area. This will help to solve the current challenges
and make it possible to use honeypots for the benefit of
the broader internet community.

BIBLIOGRAPHY:

1)<http://www.macom.com/

2)<http://www.enteract.com/honepot.html

3)<http://project.honeypot.org/