A honeypot is used in the area of computer and Internet security. It is a security resource, whose value lies in being probed, attacked or compromised. They are special decoy servers to catch the Blackhats (people with evil and illegal intents). Honeypots attract the hackers to attack a vulnerable computer system, which is under observation, by a security team. All the information about the attackers is logged and monitored. A honeypot is a relatively new concept in network security and researchers all over the world, are making it more independent and secure. Compared to an Intrusion Detection System (IDS) or Firewalls, honeypots have the big advantage that they do not generate false alerts as each observed traffic is suspicious because no productive components are running on the system. This paper aims at giving a detailed description of honeypots, their types, other advantages of honeypots over currently existing IDS.
Global communication is getting more important every day. At the same time, computer crimes are increasing. Countermeasures are developed to detect or prevent attacks most of these measures are based on known facts, known attack patterns. It is important to know, what kind of strategy an attacker uses, what tools he utilizes and his intention. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To gather such information is one main goal of a honeypot.
A honeypot is primarily an instrument for information gathering and learning. Its purpose is not to be an ambush for the blackhat community to catch them in action. The focus lies on a silent collection of information about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. There are a lot of other possibilities for a honeypot divert hackers from productive systems or catch a hacker while conducting an attack are few examples.
Types of Honeypots
1) Low-Involvement Honeypot
A low-involvement honeypot typically only provides certain fake services. In a basic form, these services could be implemented by having a listener on a specific port. For example a simple netcat -l -p 80 > /log/honeypot/port 80.log could be used to listen on port 80 (HTTP) and log all incoming traffic to a log file. In such a way, all incoming traffic can easily be recognized and stored. On a low involvement honeypot, there is no real operating system that an attacker can operate on. This will minimize the risk significantly because the complexity of an operating system is eliminated. On the other hand, this is also a disadvantage. It is not possible to watch an attacker interacting with the operating system, which could be really interesting.
2) Mid-Involvement Honeypot
A mid-involvement honeypot provides more to interact with but still does not provide a real underlying operating system. The fake daemons are more sophisticated and have deeper knowledge about the specific services they provide. At the same moment, the risk increases. Through the higher level of interaction, more complex attacks are possible and can, therefore, be logged and analyzed. The attacker gets a better illusion of a real operating system. He has more possibilities to interact and probe the system. Developing mid-involvement honeypot is complex and time-consuming. Special care has to be taken for security checks as all developed fake daemons need to be as secure as possible.
3) High-Involvement Honeypot
A high-involvement honeypot has a real underlying operating system. This leads to a much higher risk as the complexity increases rapidly. At the same time, the possibilities to gather information, the possible attacks as well as the attractiveness increase a lot. One goal of a hacker is to gain root and to have access to a machine, which is connected to the Internet. A high involvement honeypot does offer such an environment. A high involvement honeypot is very time-consuming. The system should be constantly under surveillance. By providing a full operating system to the attacker, he has the possibilities to upload and install new files. This is where a high-involvement honeypot can show its strength, as all actions can be recorded and analyzed. Unfortunately, the attacker has to compromise the system to get this level of freedom. He will then have root rights on the system and can do everything at any moment on the compromised system. This system is no longer secure.
Advantages of Honeypots
Small Data Sets
Honeypots only collect data when someone or something is interacting with them. Organizations that may log thousands of alerts a day may only log a hundred alerts with honeypots. This makes the data honeypots collect much easier to manage and analyze.
Reduced False Positives
Honeypots dramatically reduce false positives. Any activity with honeypots is by definition unauthorized, making it extremely effective at detecting attacks. This allows organizations to quickly and easily reduce, if not eliminate, false alerts, allowing organizations to focus on other security priorities, such as patching.
Catching False Negatives
Honeypots can easily identify and capture new attacks or actions against them. Any activity with the honeypot is an anomaly, making new or unseen attacks easily stand out.
Honeypots require minimal resources, even on the largest of networks. A simple Pentium computer can monitor literally millions of IP addresses on an OC-12 network.
It does not matter if an attack is encrypted, the honeypot will capture the activity.
It does not matter which IP protocol an attacker uses, honeypots will detect, capture and log all IP activity. In one documented case, a Solaris honeypot detected and captured an attack where attackers attempted to hide their communications using IPv6 tunneling within IPv4. On the other hand, there are almost no NIDS (Network intrusion detection system) technologies that can decode IPv6 or IPv6-tunneled traffic.
Honeypots can gather a lot of valuable information about the attackers, and also the nature of their attacks, which can be used to take appropriate action against them. A honeypot is a valuable resource, especially to collect information about proceedings of attackers as well as their deployed tools.
Honeypots are a new field in the sector of network security. Currently, there is a lot of ongoing research and discussions all around the world. No other mechanism is comparable in the efficiency of a honeypot if gathering information is a primary goal, especially if the tools an attacker uses are of interest. As honeypots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good people and the blackhat community.