The Honeypot Project


THE HONEYPOT

CONTENTS
 Introduction
 What is honeypot?
 Advantages
 Disadvantages
 Types
 Architecture
 Deployment procedures
 Legal issues
 Summary
 References
INTRODUCTION

 The best defense of our security is to have
the best offense.
 The idea behind the honeypot is to create a
virtual or, in some scenarios, a real system and
make the system visible to attackers so that
they can compromise and probe it.
 The system keeps track of the activities, and
later the logged information is analyzed to
make sure the production services and
network are secured against new threats.
What is a Honeypot?

Lance Spitzner
– A honeypot is a security resource whose
value lies in being probed, attacked, or
compromised
Honeypot Overview
HoneyPots are not a single tool but a
highly flexible technology.
HoneyPots come in a variety of shapes
and sizes.
HoneyPots have a variety of values.

Values of honeypot
The main value of a honeypot lies in
being attacked, so that the
administrator can study the attackers
and the kinds of attacks.
Honeypots apply to three areas of
security:
 Prevention
 Detection
 Reaction
Advantages
Small data sets of high value
Very flexible
– does not rely on a fixed database. Allows
the detection of new and unknown
methods and tools
Minimal resources
– A Honeypot typically doesn't have problems
of resource exhaustion
Simple
– Honeypots are simple to install and
maintain
Disadvantages
Limited view
– A Honeypot can observe only interaction
with itself. It is not a sniffer and cannot
log actions against other functional
systems in the network
Risk
– Some introduce very little risk, while
others give the attacker entire platforms
from which to launch new attacks. Risk is
variable, depending on how one builds and
deploys the honeypot.
Classifications of Honeypots

Classification is based on their
deployment and on their level of
involvement

Production honeypots
Research honeypots
Production Honeypots

Mitigates risks in an organization
Adds value to the security measures
of an organisation
Job is to detect and deal with bad guys
Easy to use
Capture only limited information
Used by commercial organisations to
help to protect their networks
Research Honeypots

Give us the platform to study the
threats.
The job is to gain information on the bad
guys
Complex to deploy and maintain.
Captures extensive information.
Organizations such as universities,
government, military, or security
research organizations use them.
Classification is based on their
interaction with the intruder

Low-interaction
High-interaction

Note: Interaction measures the amount of activity an
attacker can have with a honeypot.
Low-Interaction Honeypots

Give the outsider as little activity as
possible to perform on the system.
Limited access to and interaction with
the operating system.
Easier to deploy and maintain.
Less risky, as hackers won't have much
to interact with on the main OS
Can be easily detected by experienced
hackers
High-Interaction Honeypots

The main objective is to do a full study
of the attackers.
They involve real operating systems
and applications.
They are complex to implement
Extensive amount of information is
captured.
But what good is it?
Collect data
– Allows researching attackers' methods and
tools and developing counter-tools.
Prevention
– “Sticky” Honeypots slow down scanning
capabilities of attackers by slow response
times
– If the usage of Honeypots is publicly
known it might deter hackers from
attacking the network for fear of being
caught
Detection and Response
– If a Honeypot detects suspicious activity it
can send an e-mail or SMS to a network
administrator
– A Honeypot is a non-essential system, so
taking it offline in order to analyze damage
done by an attack will be less harmful and
disruptive to the functionality of the
network
Our Solution
The path to implementation
Implement
Honeypot Architecture
The program is divided into two main
applications.
– GUI – Allows an easy way of starting and
stopping the servers, searching through
collected data and displaying statistics
– Honeypot_Core – Creates and maintains
the servers. Collects the data from the
users and updates the databases
How do HPs work?

[Diagram: Attackers -> Gateway -> HoneyPot A. Labels: Prevent, Detect, Response, Monitor, Attack Data, No connection]
Honeypot Architecture
Block Diagram

[Block diagram: Honeypot Core (WinSock) and GUI connected through a medium; HTTP Server and Telnet Server; Malicious String DB, HTTP Transactions DB, Telnet Login DB]
Honeypot Architecture
Communication between GUI and core
is done over Winsock
Why Winsock?
Answer:
– We wanted to allow for the expansion of
the deployment scheme. Suppose you
want to run multiple instances of the core
on different computers.
– Using Winsock allows running the GUI on
one machine while controlling others over
the network
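The core described in the architecture slides and the detect-and-alert behaviour from the "Detection and Response" slide, as an added Python sketch that is not the project's own Winsock/C++ code: a low-interaction core that emulates the HTTP and Telnet services, checks every request against a constructed malicious-string list (standing in for the Malicious String DB), records each interaction as a transaction and queues the alert an administrator notifier would send. The regex patterns, the Transaction type and the serve() helper are assumptions made for this example.

```python
import re
import socket
import threading
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the "Malicious String DB" (assumed patterns, not the project's list).
MALICIOUS_STRINGS = [
    re.compile(rb"\.\./"),             # path-traversal attempt in an HTTP request
    re.compile(rb"cmd\.exe|/bin/sh"),  # shell probes seen in web and telnet input
    re.compile(rb"%00|%0d%0a"),        # null-byte / CRLF injection
]

@dataclass
class Transaction:                     # one row of the "Transactions DB"
    when: str
    source: str
    service: str
    payload: bytes
    matches: list = field(default_factory=list)

class HoneypotCore:
    # Low-interaction core: fake HTTP and Telnet services that only log and answer with a banner.
    def __init__(self):
        self.transactions = []         # in-memory Transactions DB
        self.alerts = []               # messages the GUI / admin notifier would send
        self.lock = threading.Lock()

    def handle(self, source, service, payload):
        # Record one interaction and return the canned reply the fake service sends back.
        tx = Transaction(datetime.now(timezone.utc).isoformat(), source, service, payload)
        tx.matches = [p.pattern.decode() for p in MALICIOUS_STRINGS if p.search(payload)]
        with self.lock:
            self.transactions.append(tx)
            if tx.matches:             # detection -> response: queue an alert for the admin
                self.alerts.append(f"{tx.when} {source} -> {service}: {tx.matches}")
        if service == "HTTP":          # minimal banners: nothing real behind them to exploit
            return b"HTTP/1.0 200 OK\r\nServer: Apache\r\n\r\n<html></html>\r\n"
        return b"login: "

    def serve(self, host, port, service, max_conns=1):
        # Accept max_conns connections for one fake service, then return (blocking call).
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
            srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            srv.bind((host, port))
            srv.listen()
            for _ in range(max_conns):
                conn, (addr, _port) = srv.accept()
                with conn:
                    conn.sendall(self.handle(addr, service, conn.recv(4096)))
```

To run it, start core.serve("127.0.0.1", 8080, "HTTP") and core.serve("127.0.0.1", 2323, "Telnet") in two threads, connect with any client, then inspect core.transactions and core.alerts.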
Deployment procedures
Deploying a physical Honeypot can be very time
intensive and expensive as different operating
systems may require specialized hardware.
Additionally, every Honeypot requires its own physical
system and numerous configuration settings. Below
are some generalized steps used to deploy a basic
Honeypot.

 Select Hardware for the Host
Finding a machine that you are willing to sacrifice for
the cause of being exploited, hacked and potentially
purged of all data. This can be any computer capable
of running the software for data capture and control.
 Operating system installation
includes either making the necessary modifications to
the current Operating System or performing a clean
installation of a base operating system onto the
machine.
 Network architecture
involves determining strategic network architecture
designed to capture, log, and prevent unauthorized
access to other machines on your LAN, as well as
capture data to analyze. You want to strategically
place and connect your network devices so that there
are defined areas of your network where intruder
traffic is expected and where intruder traffic is not
allowed.
Legal issues

There are three main issues that are
commonly discussed:

 Liability
 Privacy
 Entrapment
Summary
Honeypots are good resources for
tracing hackers.
The value of Honeypots is in being
hacked.
Honeypots have their own pros and
cons and this technology is still
developing.
REFERENCES
http://project.honeynet.org/papers/honeynet/
www.securityfocus.com
http://www.honeypots.com
http://www.spitzner.net
“Understanding Network Threats through Honeypot
Deployment”, Greg M. and Jake Branson.
THANKS!
