A honeypot is a system designed to teach how black-hats probe for and exploit a system. By learning their tools and methods, you can then better protect your network and systems. I do not use honeypots to capture the bad guy. I want to learn how they work without them knowing they are being watched. For me, a well-designed honeypot means the black-hat never knew he was being tracked. There are a variety of different approaches to how you can do this. Mine is only one of many.
Before I continue, I would like to post a disclaimer. No honeypot can catch or capture all the bad guys out there. There are too many ways to spoof or hide your actions. Instead of going into detail on how this is possible, I highly recommend you check out Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, or the Bane software. Also, throughout this paper I use the term black-hat. To me, a black-hat is anyone who is attempting unauthorized access to a system.
A honeynet [4,5,6] is a network of computers running honeypots. A honeypot is a closely monitored system that is intended to be attacked and/or compromised, and which can then be used to study attack methods and patterns. Normally a honeynet has no production value, and therefore any traffic entering or leaving the honeynet is unauthorized activity. An outbound connection from a honeynet machine is an indication that the honeypot has been compromised. Honeynets play a key role in a defensive strategy.
A feasibility study is a compressed, capsule version of the analysis: the scope and objectives are confirmed and corrected, and any constraints imposed on the system are identified. Candidate solutions are searched for and analyzed for feasibility. A successful outcome for the organization can only be obtained through an efficient feasibility study. There are a number of feasibility studies to be conducted; the three equally important tests of feasibility are:
- Technical Feasibility
- Operational Feasibility
- Economic Feasibility
Evaluating the technical feasibility is the trickiest part of a feasibility study. This is because, at this point in time, not much detailed design of the system exists, making it difficult to assess issues like performance and costs (on account of the kind of technology to be deployed). A number of issues have to be considered while doing a technical analysis:
- Understand the different technologies involved in the proposed system
- Find out whether the organization currently possesses the required technologies
Before commencing the project, we have to be very clear about which technologies are required for the development of the new system.
Is the required technology available within the organization?
If so, is its capacity sufficient?
For instance: "Will the current printer be able to handle the new reports and forms required for the new system?"
As discussed in [PoDa03a], there is no commonly agreed definition of the term honeypot. To make a long story short, we can say that, typically, a honeypot is characterized by the fact that its implementation resides on a single machine. This is to be contrasted with honeynets, whose implementation requires a set of machines.
As presented in [Honey1, Honey2], a typical honeynet consists of multiple honeypot machines and a firewall to limit and log network traffic. An IDS is often used to watch for potential attacks and to decode and store the network traffic on the system.
By placing a firewall in front of the honeypots, it is possible to control the network flow, the inbound as well as the outbound connections.
Michael Clark gives in [Clark01] the common elements of a honeynet:
- A firewall computer which logs all incoming/outgoing connections and sometimes provides NAT service and protection against some Denial of Service attacks;
- An Intrusion Detection System (IDS) computer. The IDS can run on the same box as the firewall, but it should preferably be an entirely separate computer that can see all of the network traffic. It also logs all the network traffic and looks for known exploits and attacks;
- A remote syslog computer. The honeypot is slightly modified so that all commands an intruder issues are sent to syslog, and syslog is configured to forward the logs to a remote syslog box;
- The honeypot itself. It can be anything from a default installation to one of the tools presented before, or a mirror of one of the production systems.
This list is not definitive, and interpretations of the word honeynet differ slightly. Won-Seok Lee wrote in his course slides that "Honeynet is nothing more than a high-involvement Honeypot within which risks and vulnerabilities are the same that exist in many organizations today" [Lee02]. According to his presentation, a honeynet also consists of a network of multiple systems, but no further description is given at this point.
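The data-control rule stated earlier (a honeynet has no production value, so any new outbound connection from a honeypot is a compromise indicator, and the firewall element above must both log and limit such traffic) as an added, runnable example. This is my code, not code from the page or from any of the cited tools. It assumes iptables LOG lines in the default kernel format, a honeynet on 10.0.0.0/24 and a budget of two new outbound connections per honeypot; the log lines are constructed and use RFC 5737 documentation addresses.

```python
"""Honeynet data control: flag and budget outbound connections from honeypots.

Added example (not code from the original page). Assumptions: iptables LOG
lines in the default kernel format, honeynet range 10.0.0.0/24, and a limit
of two new outbound connections per honeypot; sample lines are constructed.
"""
import ipaddress
import re
from collections import Counter

HONEYNET = ipaddress.ip_network("10.0.0.0/24")  # assumed honeynet address range
OUTBOUND_BUDGET = 2                              # assumed per-honeypot limit on new outbound flows

KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")          # SRC=.. DST=.. PROTO=.. DPT=.. fields
SYN_RE = re.compile(r"\bSYN\b")                  # TCP flag printed without '=' by the LOG target


def parse_log_line(line: str) -> dict:
    """Return the KEY=VALUE fields of an iptables LOG line plus a NEW flag.

    A TCP connection attempt shows up as a SYN packet; for UDP/ICMP every
    packet is treated as a new flow because there is no handshake to key on.
    """
    fields = dict(KV_RE.findall(line))
    proto = fields.get("PROTO", "")
    fields["NEW"] = proto != "TCP" or bool(SYN_RE.search(line))
    return fields


def direction(fields: dict) -> str:
    """Classify a packet relative to the honeynet: inbound, outbound, internal or unrelated."""
    src = ipaddress.ip_address(fields["SRC"])
    dst = ipaddress.ip_address(fields["DST"])
    if src in HONEYNET and dst in HONEYNET:
        return "internal"
    if src in HONEYNET:
        return "outbound"
    if dst in HONEYNET:
        return "inbound"
    return "unrelated"


def audit(lines):
    """Walk firewall log lines; return (action, src, dst, dport) for each new outbound flow.

    'alert' means a honeypot opened a new outbound connection (compromise
    indicator, but still allowed so the intruder's activity can be observed);
    'block' means the per-host budget is exhausted and a data-control
    firewall would drop the attempt to keep the honeypot from attacking others.
    """
    outbound_seen = Counter()
    findings = []
    for line in lines:
        f = parse_log_line(line)
        if "SRC" not in f or "DST" not in f:
            continue  # not a packet log line
        if direction(f) != "outbound" or not f["NEW"]:
            continue  # inbound probes are expected; established packets are not new flows
        outbound_seen[f["SRC"]] += 1
        action = "alert" if outbound_seen[f["SRC"]] <= OUTBOUND_BUDGET else "block"
        findings.append((action, f["SRC"], f["DST"], f.get("DPT", "-")))
    return findings


# Constructed sample log lines (not real captures). 10.0.0.5 is a honeypot that first
# gets probed on SSH, then opens IRC and HTTP connections outward, then a third flow.
SAMPLE_LOG = [
    "Jun 12 03:14:05 fw kernel: FWD IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.5 LEN=60 PROTO=TCP SPT=40123 DPT=22 WINDOW=5840 SYN URGP=0",
    "Jun 12 03:15:41 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51022 DPT=6667 WINDOW=5840 SYN URGP=0",
    "Jun 12 03:15:42 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=52 PROTO=TCP SPT=51022 DPT=6667 WINDOW=5840 ACK URGP=0",
    "Jun 12 03:16:10 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=203.0.113.9 LEN=60 PROTO=TCP SPT=51023 DPT=80 WINDOW=5840 SYN URGP=0",
    "Jun 12 03:16:30 fw kernel: FWD IN=eth1 OUT=eth0 SRC=10.0.0.5 DST=192.0.2.44 LEN=60 PROTO=TCP SPT=51024 DPT=443 WINDOW=5840 SYN URGP=0",
    "Jun 12 03:17:00 fw kernel: FWD IN=eth1 OUT=eth1 SRC=10.0.0.5 DST=10.0.0.6 LEN=60 PROTO=TCP SPT=51025 DPT=445 WINDOW=5840 SYN URGP=0",
]

if __name__ == "__main__":
    for action, src, dst, dport in audit(SAMPLE_LOG):
        print(f"{action:5s} {src} -> {dst}:{dport}")
```

In a real deployment the same classification would run on the firewall's syslog feed, and the "block" outcome corresponds to a connection-limit rule (for example a counter per honeypot that drops further outbound SYNs) rather than a post-hoc report.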
Proposed projects are beneficial only if they can be turned into information systems that will meet the organization's operating requirements. Simply stated, this test of feasibility asks whether the system will work when it is developed and installed. Are there major barriers to implementation? Here are questions that will help test the operational feasibility of a project:
- Is there sufficient support for the project from management and from users? If the current system is well liked and used to the extent that people will not be able to see reasons for change, there may be resistance.
- Are the current business methods acceptable to the users? If they are not, users may welcome a change that will bring about a more operational and useful system.
- Have the users been involved in the planning and development of the project? Early involvement reduces the chances of resistance to the system in general and increases the likelihood of a successful project.
Since the proposed system was to help reduce the hardships encountered in the existing manual system, the new system was considered to be operationally feasible.
Economic feasibility attempts to weigh the costs of developing and implementing a new system against the benefits that would accrue from having the new system in place. This feasibility study gives top management the economic justification for the new system.
A simple economic analysis which gives the actual comparison of costs and benefits is much more meaningful in this case. In addition, it proves to be a useful point of reference against which to compare actual costs as the project progresses. There could be various types of intangible benefits on account of automation. These could include increased customer satisfaction, improvement in product quality, better decision making, timeliness of information, expediting of activities, improved accuracy of operations, better documentation and record keeping, faster retrieval of information, and better employee morale.
There are several free and a few commercial honeypots available on the market. Their functionality differs greatly, as do their complexity and ease of use.
In this section a close look will be taken at the solutions available today. This is for information only, and many changes are possible within the next few months.
- Symantec Decoy Server is the successor of ManTrap, a commercial honeypot implementation by Recourse Technologies. Symantec Corp. acquired Recourse Technologies in July 2002. This acquisition brought Recourse's ManTrap into the Symantec portfolio under a new commercial name: Symantec Decoy Server. Consequently both names refer to the same product, which is characterized on its home page by:
"Symantec Decoy Server can create a virtual minefield that an internal attacker must successfully navigate in order to reach his target. One step in the wrong direction and the attacker is exposed" [ManT03]
The main concept of Symantec Decoy Server is the so-called cage (see figure 1). A cage is basically a copy of the host operating system connected to a dedicated network interface card. During installation the operating environments inside the cages are generated to be essentially the same as that of the host. The Symantec Decoy Server software also installs a kernel wrapper that controls the interaction between the cages and the host kernel. Consequently the cages are presented on the network as four individual systems, each with its own network interface. All relevant activities in the cages, such as keystrokes, process invocations and file accesses, are logged for later analysis.
- Deception Toolkit (DTK) is a set of free scripts written in Perl by Fred Cohen [Coh99]. "DTK is a toolkit designed to give defenders a couple of orders of magnitude advantage over attackers."
It uses deception to counter attacks. The basic idea is to make it appear to attackers as if the system running DTK has a large number of vulnerabilities. One very interesting feature of DTK is the so-called deception port: Fred Cohen proposes that a listener on TCP port 365 should indicate that the machine one is trying to connect to is running a deception defense, in the hope that attackers who wish to avoid deceptive defenses will check there first.
- Specter is a commercially available honeypot by NeoWorx, a Swiss company [Spec03]. It simulates a complete machine, providing an interesting target for hackers and luring them away from the real machines.
- BackOfficer Friendly (or simply BOF) was developed by Marcus Ranum and Andrew Lambeth. They are members of the team that created NFR (Network Flight Recorder), a commercially available IDS [Bof03].
- HoneyWeb by Kevin Timm is a deception-based web server program that can be used as a standalone server or in conjunction with Honeyd (see 4.3 for Honeyd information). This HTTP server, written in Python, listens on port 80, returns different server versions depending on the incoming HTTP request, and logs the activity it detects. It does a basic regex comparison on each incoming request to determine which associated headers to return. HoneyWeb works in two modes, "Persistent" and "Non-Persistent". In "Non-Persistent" mode HoneyWeb is basically a more intelligent netcat: it returns 200 OK for every request, unless defined otherwise, along with the other headers associated with that type of server. In "Persistent" mode HoneyWeb remembers the client IP and always returns the same server version to the same IP for a specified period of time; in addition it does basic request comparisons between server families to determine whether a 404 should be sent back or not. For example, a host whose requests are distinctly Unix-like receives a 404 for distinctly Microsoft-style requests. Moreover, HoneyWeb does some bogus-request checking and sends back server-specific error pages on bogus requests. Attack-specific pages can be specified to make HoneyWeb appear more real to interactive attackers.
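The HoneyWeb behaviour just described, modelled as an added example in Python. This is my code, not HoneyWeb's own source: it implements the request-line parsing, the regex-based banner choice, the persistent per-IP family memory with expiry, the 404 for cross-family requests and the server-specific error page for bogus requests as pure functions, so it runs offline without a socket. The two server families, their banners, the path fingerprints, the error pages and the one-hour pinning period are all assumptions; the sample requests are constructed.

```python
"""HoneyWeb-style deception HTTP logic (added example; not HoneyWeb's code).

Assumptions: two server families (Unix/Apache and Microsoft/IIS) with made-up
banners, path fingerprints and error pages, and a one-hour pinning period.
"""
import re
import time

# Assumed server families: banner sent back, request-path fingerprint, error pages.
FAMILIES = {
    "unix": {
        "banner": "Apache/1.3.27 (Unix)",
        "hint": re.compile(r"/cgi-bin/|\.cgi\b|\.php\b|\.htaccess", re.I),
        "bad_request": "<title>400 Bad Request</title>Your browser sent a request that this server could not understand.",
        "not_found": "<title>404 Not Found</title>The requested URL was not found on this server.",
    },
    "microsoft": {
        "banner": "Microsoft-IIS/5.0",
        "hint": re.compile(r"/scripts/|/msadc/|\.asp\b|\.dll\b|cmd\.exe", re.I),
        "bad_request": "<title>The page cannot be displayed</title>HTTP 400 - Bad Request",
        "not_found": "<title>The page cannot be found</title>HTTP 404 - File not found",
    },
}
DEFAULT_FAMILY = "unix"
STICKY_SECONDS = 3600  # assumed: how long an IP stays pinned to one family
REQUEST_LINE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")


def family_hint(path: str):
    """Return the family whose path fingerprint matches the request, or None if neutral."""
    for name, fam in FAMILIES.items():
        if fam["hint"].search(path):
            return name
    return None


class HoneyWeb:
    def __init__(self, persistent: bool = True, clock=time.time):
        self.persistent = persistent
        self.clock = clock     # injectable so expiry can be exercised without waiting
        self.memory = {}       # client ip -> (family, time first seen)
        self.log = []          # (ip, request line, status, banner) for later analysis

    def _pin(self, ip: str, hint):
        """Persistent mode: keep serving the family first inferred for this IP until expiry."""
        now = self.clock()
        fam, seen = self.memory.get(ip, (None, 0.0))
        if fam is None or now - seen > STICKY_SECONDS:
            fam = hint or DEFAULT_FAMILY
            self.memory[ip] = (fam, now)
        return fam

    def handle(self, ip: str, raw: str):
        """Return (status, headers, body) for one raw HTTP request from ip."""
        line = raw.split("\r\n", 1)[0]
        m = REQUEST_LINE.match(line)
        if not m:
            # Bogus request: answer with the pinned (or default) family's own 400 page.
            fam = self._pin(ip, None) if self.persistent else DEFAULT_FAMILY
            return self._respond(ip, line, 400, fam, FAMILIES[fam]["bad_request"])
        hint = family_hint(m.group(2))
        if self.persistent:
            fam = self._pin(ip, hint)
            if hint and hint != fam:
                # A client pinned as Unix-like asking for Microsoft-only paths (or vice versa) gets 404.
                return self._respond(ip, line, 404, fam, FAMILIES[fam]["not_found"])
        else:
            fam = hint or DEFAULT_FAMILY  # "smarter netcat": 200 OK, banner chosen per request
        return self._respond(ip, line, 200, fam, "<html><body>It works!</body></html>")

    def _respond(self, ip, line, status, fam, body):
        headers = {
            "Server": FAMILIES[fam]["banner"],
            "Content-Type": "text/html",
            "Content-Length": str(len(body)),
        }
        self.log.append((ip, line, status, headers["Server"]))
        return status, headers, body


if __name__ == "__main__":
    hw = HoneyWeb(persistent=True)
    # Constructed requests: a Unix-style probe, then an IIS traversal probe from the same IP.
    for req in ("GET /cgi-bin/test.cgi HTTP/1.0\r\n\r\n",
                "GET /scripts/..%c0%af../winnt/system32/cmd.exe HTTP/1.0\r\n\r\n",
                "BLAH\r\n\r\n"):
        status, headers, _ = hw.handle("198.51.100.7", req)
        print(status, headers["Server"], req.split("\r\n", 1)[0])
```

A deployable version would wrap handle() in a socket accept loop on port 80 and write self.log to syslog; the deception logic itself does not depend on the transport, which is what makes it testable here.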
- KFSensor is developed by KeyFocus [KFsens]. It is a host-based Intrusion Detection System (IDS). It acts as a honeypot to attract and detect hackers by simulating vulnerable system services and Trojans: it opens ports on the machine it is installed on and waits for connections to be made to these ports, in exactly the same way as conventional server software such as a web server or an SMTP server. By doing this it sets up a target, or honeypot server, that will record the actions of a hacker. KFSensor has begun an open beta testing program and is currently available for free.
- The Bait N Switch Honeypot developed by Team Violating is defined as "an active and aggressive part of the network security infrastructure" [BaitSw]. It reacts to intrusion attempts by redirecting all traffic from 'bad' IP addresses to a honeypot that partially mirrors the production server. Once switched, the hacker is unknowingly attacking the honeypot instead of the real data, while the clients and/or users are still safely accessing the real system. Bait N Switch is not a honeypot in itself: it is based on Snort, Linux iproute2 and netfilter [Lin03], and the honeypot component can be chosen independently. Although its installation is quite arduous, its concept is very promising.
- Big Eye, developed by Team Violating, is a network utility (dump) which can be run in different modes. It can run as a sniffer, as a TCP/UDP/ICMP connection logger, bound to a port listening for incoming TCP/UDP connections, or as a honeypot. The honeypot mode is an emulation scheme that mimics application protocols such as FTP or HTTP. This is a low- to medium-interaction honeypot [BigEye].
- Smoke Detector is a commercially available hardware honeypot by Palisade [Smok03]. It is a drop-in network appliance that provides defensive decoy and detection capabilities, including alerting and reporting of unauthorized access attempts. It mimics interesting or potentially vulnerable elements on a network for the purpose of attracting and detecting inappropriate activity. It can be configured to emulate up to 19 distinct networked machines in varying configurations of operating systems and services. Some complementary tools for analyzing logs are also available.
- Tiny Honeypot (also called THP) is developed by George Bakos. "The goal isn't to fool a skilled, determined attacker...merely to cloud the playing field with tens of thousands of fake services, all without causing unreasonable stress on the [tiny honeypot] host". It is a simple honeypot program based on iptables redirects and an xinetd listener. It listens on every TCP port not currently in use, logging all activity. Furthermore, so-called 'responders' can be attached to various ports; these are simple scripts that provide limited interaction to fool most automated attack tools, as well as quite a few humans, at least for a little while. It can therefore be used as a complement to the state- and content-aware Intrusion Detection System Snort [Snort03], insofar as it allows nearly every connection attempt to complete: the content rules then have a chance to actually fire, rather than depending on simple port and protocol "context" filters [THP03].
- NetFacade is a commercially available honeypot produced by Verizon since 1999 [NetF03]. The Verizon NetFacade Intrusion Detection service creates a honeynet that exists to alert network security or management personnel of an intrusion. In addition, it distracts intruders from probing and attacking the real targets on a network. NetFacade can simulate a network of hosts running seemingly vulnerable services. A scan of the range of IP addresses NetFacade is simulating will return information on the simulated services as if they were real network services running on actual hosts. Since there are no actual users of this virtual network of simulated hosts, all traffic to it is considered suspicious, and all traffic to the NetFacade service on the virtual network is logged. Little information is currently available, since it uses mostly proprietary techniques.
- Honeyd, developed by Niels Provos, and LaBrea Tarpit, developed by Tom Liston, will be presented in the next chapter. They are two promising mid-interaction honeypots.
BOF works basically like Specter, with the difference that the program is much simpler. It was released in 1998 and is freely available for personal use on the NFR website.
Table 1 summarizes some of the honeypot functionalities discussed previously. It is not exhaustive and the information may change over time. However, it gives a first overview of the tools available today and some of their characteristics. The column 'Maintained' gives an indication of the dynamism of the tool's updates and of public discussion about its evolution.
Though the project is less than a year old, we have learned several lessons that we would like to share with you.
- We underestimated the amount of time required to set up the laboratory. We initially budgeted two months for one graduate student to set up the laboratory; in fact it took three students almost three months to complete the initial setup.
- The close cooperation between us and the security officers at the OTS was crucial to the success of the project.
- We decided to use an isolated stand-alone blog server in the laboratory to facilitate documentation and communication among the team members. We also have weekly meetings to review and share progress reports.
- We found out that some of the widely published scripts, such as the honeyd script, still have problems running in the Windows environment.
- Our students first installed and upgraded the Analysis Console for Intrusion Databases (ACID). They then found it very challenging to implement the Basic Analysis and Security Engine (BASE), which is another front end for the Snort IDS.