Honeypot

By | July 12, 2015

A honeypot is a tool used in computer and Internet security. It is a security resource whose value lies in being probed, attacked or compromised: a decoy server set up to catch blackhats (people with malicious or illegal intent). Honeypots attract attackers to what looks like a vulnerable computer system but is in fact under observation by a security team, and all information about the attackers is logged and monitored. The honeypot is a relatively new concept in network security, and researchers all over the world are making it more independent and secure. Compared to an intrusion detection system (IDS) or a firewall, honeypots have the big advantage that they do not generate false alerts: every observed connection is suspicious, because no production services run on the system. This paper gives a detailed description of honeypots, their types, and their other advantages over currently existing IDS.

Introduction:

Global communication is getting more important every day. At the same time, computer crimes are increasing. Countermeasures are developed to detect or prevent attacks, but most of these measures are based on known facts and known attack patterns. It is important to know what kind of strategy an attacker uses, what tools he utilizes and what his intention is. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering such information is one main goal of a honeypot. A honeypot is primarily an instrument for information gathering and learning. Its purpose is not to be an ambush for the blackhat community to catch them in action. The focus lies on a silent collection of information about their attack patterns, the programs they use, the purpose of the attack and the blackhat community itself. All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. There are many other possible uses for a honeypot; diverting attackers away from production systems or catching an attacker in the middle of an attack are two examples.

Types of Honeypots

1) Low-Involvement Honeypot

A low-involvement honeypot typically only provides certain fake services. In a basic form, these services could be implemented by having a listener on a specific port. For example, a simple `netcat -l -p 80 > /log/honeypot/port80.log` could be used to listen on port 80 (HTTP) and log all incoming traffic to a logfile. In this way, all incoming traffic can easily be recognized and stored. On a low-involvement honeypot there is no real operating system that an attacker can operate on. This minimizes the risk significantly, because the complexity of an operating system is eliminated. On the other hand, this is also a disadvantage: it is not possible to watch an attacker interacting with the operating system, which could be really interesting.

2) Mid-Involvement Honeypot

A mid-involvement honeypot provides more to interact with, but still does not provide a real underlying operating system. The fake daemons are more sophisticated and have deeper knowledge of the specific services they provide. At the same time, the risk increases. Through the higher level of interaction, more complex attacks are possible and can therefore be logged and analyzed. The attacker gets a better illusion of a real operating system and has more ways to interact with and probe the system. Developing a mid-involvement honeypot is complex and time consuming. Special care has to be taken with security checks, as all the fake daemons that are developed need to be as secure as possible.
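The two levels just described can be seen side by side in a single small listener. The following Python program is an added example, not code from the original article: every connection is recorded as one JSON line (the low-involvement behaviour, equivalent to the `netcat` redirect above), and on the fake HTTP port the request line is parsed and a fixed, plausible-looking response is returned so that the client sees a service rather than a silent socket (the mid-involvement behaviour). The log path, the banner string and the listening port are assumptions chosen for the example; only the Python standard library is used.

```python
"""Minimal low/mid-involvement honeypot listener (added example, not the article's code)."""
import json
import socket
import threading
from datetime import datetime, timezone

LOG_PATH = "/tmp/honeypot.jsonl"            # assumed path; the article uses /log/honeypot/
FAKE_SERVER_BANNER = "Apache/2.2.3 (CentOS)"  # constructed, deliberately dated-looking banner
MAX_CAPTURE = 4096                          # bytes of client data kept per connection


def parse_http_request(raw: bytes) -> dict:
    """Extract method, path, version and two headers from a captured HTTP request.

    Returns an empty dict when the data is not a well-formed request line, so
    non-HTTP probes on the port are still logged, just without the parsed view.
    """
    try:
        text = raw.decode("latin-1")
        head, _, _ = text.partition("\r\n\r\n")
        lines = head.split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (ValueError, IndexError):
        return {}
    if not version.startswith("HTTP/"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "version": version,
            "user_agent": headers.get("user-agent", ""),
            "host": headers.get("host", "")}


def build_record(peer: tuple, port: int, raw: bytes) -> dict:
    """Build the JSON log record for one connection (the low-involvement part)."""
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0], "src_port": peer[1], "dst_port": port,
        "bytes": len(raw),
        "raw_hex": raw[:MAX_CAPTURE].hex(),   # raw bytes survive even if parsing fails
    }
    http = parse_http_request(raw)
    if http:
        record["http"] = http
    return record


def fake_http_response(http: dict) -> bytes:
    """Answer with a fixed page carrying the fake banner (the mid-involvement part)."""
    if http.get("path") == "/":
        status, body = "200 OK", b"<html><body><h1>It works!</h1></body></html>"
    else:
        status, body = "404 Not Found", b"<html><body><h1>Not Found</h1></body></html>"
    head = (f"HTTP/1.1 {status}\r\nServer: {FAKE_SERVER_BANNER}\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode("ascii") + body


def handle(conn: socket.socket, peer: tuple, port: int) -> None:
    """Read one request, log it, reply if it looked like HTTP, and hang up."""
    conn.settimeout(5)
    try:
        raw = conn.recv(MAX_CAPTURE)
    except (socket.timeout, ConnectionError):
        raw = b""
    record = build_record(peer, port, raw)
    with open(LOG_PATH, "a") as log:
        log.write(json.dumps(record) + "\n")
    if "http" in record:
        try:
            conn.sendall(fake_http_response(record["http"]))
        except OSError:
            pass
    conn.close()


def serve(port: int) -> None:
    """Accept connections forever; each one is handled in its own thread."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(16)
    while True:
        conn, peer = srv.accept()
        threading.Thread(target=handle, args=(conn, peer, port), daemon=True).start()


if __name__ == "__main__":
    serve(8080)   # unprivileged port for testing; port 80 needs root or a port redirect
```

Because the listener never executes anything a client sends and only ever returns a constant page, the attack surface is the parser and the logging code, which is the point of the low and mid levels: the value of the decoy comes from the log, not from what the attacker can do on it.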

3) High-Involvement Honeypot

A high-involvement honeypot has a real underlying operating system. This leads to a much higher risk, as the complexity increases rapidly. At the same time, the possibilities for gathering information, the possible attacks and the attractiveness of the system all increase a lot. One goal of an attacker is to gain root on a machine that is connected to the Internet, and a high-involvement honeypot offers exactly such an environment. A high-involvement honeypot is very time consuming: the system should be constantly under surveillance. By providing a full operating system to the attacker, he has the possibility to upload and install new files. This is where a high-involvement honeypot shows its strength, as all such actions can be recorded and analyzed. Unfortunately, the attacker has to compromise the system to get this level of freedom. He will then have root rights on the system and can do anything at any moment on the compromised system. This system is no longer secure.

ADVANTAGES OF HONEYPOTS:

Small Data Sets

Honeypots only collect data when someone or something is interacting with them. Organizations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.

Reduced False Positives

Honeypots dramatically reduce false positives. Any activity with a honeypot is by definition unauthorized, making honeypots extremely effective at detecting attacks. This allows organizations to quickly and easily reduce, if not eliminate, false alerts, and to focus on other security priorities, such as patching.

Catching False Negatives

Honeypots can easily identify and capture new attacks or activity against them. Any activity with the honeypot is an anomaly, making new or unseen attacks easily stand out.

Minimal Resources

Honeypots require minimal resources, even on the largest of networks. A simple Pentium computer can monitor literally millions of IP addresses on an OC-12 network.

Encryption

It does not matter whether an attack is encrypted: the honeypot is the endpoint of the connection, so it still captures the activity.

Protocol Independent

It does not matter which IP protocol an attacker uses; honeypots will detect, capture and log all IP activity. In one documented case, a Solaris honeypot detected and captured an attack in which the attackers attempted to hide their communications using IPv6 tunneling within IPv4. By contrast, there are almost no NIDS (network intrusion detection system) technologies that can decode IPv6 or IPv6-tunneled traffic.
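The small-data-set, reduced-false-positive, false-negative and protocol-independence points above all follow from one rule: any flow whose destination is the honeypot is an alert, with no signature, port list or protocol decoder involved. The following Python program is an added example, not from the article, that applies that rule to a constructed set of NetFlow-style records. The honeypot address (192.0.2.50) and the flow lines are made up for the example; note that the flow with IP protocol 41 (IPv6 encapsulated in IPv4, the tunneling case mentioned above) is caught exactly like the TCP and ICMP ones, because the rule never looks at the protocol.

```python
"""Honeypot-address triage over flow logs (added example, not the article's code)."""
from dataclasses import dataclass

HONEYPOT_ADDRS = {"192.0.2.50"}   # assumed honeypot address (RFC 5737 documentation range)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP", 41: "IPv6-in-IPv4"}

# Constructed sample flow records: timestamp, src, dst, IP protocol number, dst port, bytes.
# 192.0.2.10-12 stand for production hosts; 192.0.2.50 is the honeypot.
SAMPLE_FLOWS = """\
2015-07-12T10:00:01Z 198.51.100.7  192.0.2.10 6  443  5120
2015-07-12T10:00:02Z 198.51.100.7  192.0.2.10 6  80   2048
2015-07-12T10:00:03Z 203.0.113.9   192.0.2.50 6  22   180
2015-07-12T10:00:04Z 198.51.100.8  192.0.2.11 17 53   90
2015-07-12T10:00:05Z 203.0.113.9   192.0.2.50 41 0    1400
2015-07-12T10:00:06Z 198.51.100.9  192.0.2.10 6  443  7800
2015-07-12T10:00:07Z 203.0.113.44  192.0.2.50 1  0    64
2015-07-12T10:00:08Z 198.51.100.7  192.0.2.12 6  3389 410
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    proto: int
    dst_port: int
    nbytes: int


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines; blank lines and '#' comments are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ts, src, dst, proto, port, nbytes = line.split()
        flows.append(Flow(ts, src, dst, int(proto), int(port), int(nbytes)))
    return flows


def honeypot_alerts(flows: list) -> list:
    """Every flow to a honeypot is an alert; protocol and port are never consulted."""
    return [f for f in flows if f.dst in HONEYPOT_ADDRS]


def describe(alert: Flow) -> str:
    """One human-readable alert line, naming the protocol when it is known."""
    proto = PROTO_NAMES.get(alert.proto, f"proto {alert.proto}")
    return (f"{alert.ts} honeypot contact from {alert.src} "
            f"({proto}, dst port {alert.dst_port}, {alert.nbytes} bytes)")


def summarize(flows: list) -> dict:
    """Show how far the honeypot rule shrinks the data set and what it still catches."""
    alerts = honeypot_alerts(flows)
    return {
        "flows_total": len(flows),
        "alerts": len(alerts),
        "sources": sorted({a.src for a in alerts}),
        "protocols": sorted({PROTO_NAMES.get(a.proto, str(a.proto)) for a in alerts}),
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for alert in honeypot_alerts(flows):
        print(describe(alert))
    print(summarize(flows))
```

Run against real flow exports the rule stays the same; what changes is only the set in `HONEYPOT_ADDRS`. Every source that appears in the summary is a host that had no business talking to that address, which is why the resulting alert list is both short and free of the false positives a signature-based sensor would add.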

Intelligence Gathering

Honeypots can gather a lot of valuable information about attackers and about the nature of their attacks, which can be used to take appropriate action against them.

Conclusion

Honeypots are a new field in the sector of network security. Currently there is a lot of ongoing research and discussion all around the world. A honeypot is a valuable resource, especially for collecting information about the proceedings of attackers as well as the tools they deploy. No other mechanism is comparable to a honeypot in efficiency if gathering information is the primary goal, especially if the tools an attacker uses are of interest. As honeypots get more advanced, hackers will also develop methods to detect such systems, and a regular arms race could start between the good people and the blackhat community.


10 thoughts on “Honeypot”

  1. harsha

    Thank you!!! It's very interesting to learn about this... helped me a lot

  2. kayal

    The above information gives me clear information about honeypots. Can you explain the advantages of a honeypot by comparing it to each and every IDS?

    1. Ravi Bandakkanavar Post author

      Hi Kayal,

      Compared to an intrusion detection system (IDS) or firewalls, honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious, because no productive components are running on the system.
