28-03-2011, 11:31 AM
SUBMITTED BY
M.Bhanu Prasanthi
honey pots new.doc (Size: 544.5 KB / Downloads: 77)
Abstract
For every consumer and business that is on the Internet, viruses, worms and crackers are a few of the security threats. There are the obvious tools that aid information security professionals against these problems, such as anti-virus software, firewalls and intrusion detection systems, but these systems can only react to or prevent attacks; they cannot give us information about the attacker, the tools used or even the methods employed. Given all of these security questions, honeypots are a novel approach to network security and security research alike.
A honeypot is used in the area of computer and Internet security. It is a resource, which is intended to be attacked and compromised to gain more information about the attacker and the used tools. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in a research as well as productive environment.
Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts, as all observed traffic is suspicious, because no productive components are running on the system. This fact enables the system to log every byte that flows through the network to and from the honeypot, and to correlate this data with other sources to draw a picture of an attack and the attacker.
This paper will first give an introduction to honeypots: the types and uses. We will then look at the nuts and bolts of honeypots and how to put them together. With a more advanced idea of how honeypots work, we will then look at the possible legal ramifications for those who deploy them. Finally we shall conclude by looking at what the future holds for honeypots and honeynets.
INTRODUCTION
Global communication is getting more important every day. At the same time, computer crimes are increasing.
Countermeasures are developed to detect or prevent attacks; most of these measures are based on known facts and known attack patterns. As in the military, it is important to know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot.
Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
WHAT IS A HONEYPOT?
A honeypot is primarily an instrument for information gathering and learning. A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource. More generally, a honeypot is a trap set to detect attempts at unauthorized use of information systems. Essentially, honeypots are resources that allow anyone or anything to access them and, more importantly, honeypots do not have any real production value. More often than not, a honeypot is simply an unprotected, unpatched, unused workstation on a network being closely watched by administrators.
Its primary purpose is not to be an ambush for the blackhat community, to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, the programs they use, the purpose of the attack and the blackhat community itself. All this information is used to learn more about blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just the primary purpose of a honeypot. There are many other possibilities for a honeypot; diverting hackers from productive systems or catching a hacker while conducting an attack are just two possible examples.
WHAT IS A HONEYNET?
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets (and honeypots) are usually implemented as parts of larger network intrusion-detection systems.
A honeynet is a network of production systems. Honeynets represent the extreme of research honeypots. Their primary value lies in research, gaining information on threats that exist in the Internet community today.
The two main reasons why honeypots are deployed are:
1. To learn how intruders probe and attempt to gain access to your systems and gain insight into attack methodologies to better protect real production systems.
2. To gather forensic information required to aid in the apprehension or prosecution of intruders.
TYPES OF HONEYPOTS:
Honeypots come in two flavors:
• Low-interaction
• High-interaction.
Interaction measures the amount of activity that an intruder may have with the honeypot. In addition, honeypots can be used to combat spam.
Spammers are constantly searching for sites with vulnerable open relays to forward spam on to other networks. Honeypots can be set up as open proxies or relays to allow spammers to use them. This in turn allows for identification of spammers.
We will break honeypots into two broad categories, as defined by Snort. The two types of honeypots are:
• Production honeypots
• Research honeypots
The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Think of them as 'law enforcement'; their job is to detect and deal with bad guys. Traditionally, commercial organizations use production honeypots to help protect their networks. The second category, research, consists of honeypots designed to gain information on the blackhat community. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and how to better protect against those threats.
HONEYPOT ARCHITECTURE:
1. STRUCTURE OF A LOW-INTERACTION HONEYPOT (GEN-I):-
A typical low-interaction honeypot is also known as a GEN-I honeypot. This is a simple system which is very effective against automated attacks or beginner-level attacks.
Honeyd is one such GEN-I honeypot. It emulates services and their responses for typical network functions from a single machine, while at the same time making the intruder believe that there are numerous different operating systems. It also allows the simulation of virtual network topologies using a routing mechanism that mimics various network parameters such as delay, latency and ICMP error messages.
The primary architecture consists of a routing mechanism, a personality engine, a packet dispatcher and the service simulators. The most important of these is the personality engine, which gives services a different 'avatar' for every operating system that they emulate.
DRAWBACKS:
1. This architecture provides a restricted framework within which emulation is carried out. Due to the limited number of services and functionality that it emulates, it is very easy to fingerprint.
2. A flawed implementation (a behavior not shown by a real service) can also alert the attacker.
3. It has constrained applications in research, since every service which is to be studied will have to be re-built for the honeypot.
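As an added illustration of the GEN-I approach (this is not Honeyd's code and not part of the paper), the following Python sketch presents a per-"personality" FTP greeting, answers commands with the replies a real FTP server gives so that the obvious probes do not trigger drawback 2 above, and records every byte in both directions, since nothing that reaches a honeypot is legitimate traffic. The personality table, the banners and the names PERSONALITIES, ftp_reply, start_server and probe are all constructed for this example; it listens on 127.0.0.1 on an OS-chosen port, so it needs no privileges to run.

```python
"""Minimal GEN-I style low-interaction honeypot (added example, not Honeyd)."""
import socket
import threading
import time

# Constructed "personality" table: the greeting each emulated host presents on
# a given TCP port. Honeyd's real personality engine is far richer; these
# banners are illustrative only.
PERSONALITIES = {
    "linux-server": {21: b"220 (vsFTPd 3.0.3)\r\n",
                     25: b"220 mail.example.test ESMTP Postfix\r\n"},
    "windows-host": {21: b"220 Microsoft FTP Service\r\n",
                     25: b"220 mail.example.test Microsoft ESMTP MAIL Service ready\r\n"},
}


def banner(personality: str, port: int) -> bytes:
    """Greeting sent on connect; empty if this personality does not emulate the port."""
    return PERSONALITIES[personality].get(port, b"")


def ftp_reply(line: bytes) -> bytes:
    """Answer one FTP command the way a real server would: plausible replies to
    USER/PASS/QUIT and a proper 5xx code for anything else."""
    verb = line.strip().split(b" ", 1)[0].upper()
    if verb == b"USER":
        return b"331 Please specify the password.\r\n"
    if verb == b"PASS":
        return b"530 Login incorrect.\r\n"
    if verb == b"QUIT":
        return b"221 Goodbye.\r\n"
    return b"500 Unknown command.\r\n"


def log_event(log: list, addr, port: int, direction: str, data: bytes) -> None:
    """Append one record; the payload is kept as hex so no byte is lost."""
    log.append({"ts": time.time(), "src": f"{addr[0]}:{addr[1]}", "port": port,
                "dir": direction, "data": data.hex()})


def handle(conn: socket.socket, addr, port: int, personality: str, log: list) -> None:
    """Serve one attacker connection: greet, then log and answer each line."""
    conn.settimeout(2.0)
    buf = b""
    try:
        greeting = banner(personality, port)
        log_event(log, addr, port, "out", greeting)  # log before sending, so the
        conn.sendall(greeting)                       # record exists once the peer sees it
        while True:
            chunk = conn.recv(1024)
            if not chunk:
                break
            log_event(log, addr, port, "in", chunk)
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                reply = ftp_reply(line) if port == 21 else b"500 5.5.2 Error: bad syntax\r\n"
                log_event(log, addr, port, "out", reply)
                conn.sendall(reply)
                if line.strip().upper() == b"QUIT":
                    return
    except OSError:          # includes socket.timeout
        pass
    finally:
        conn.close()


def start_server(personality: str, log: list, service_port: int = 21, listen_port: int = 0):
    """Listen on 127.0.0.1 and return (bound_port, stop_event). service_port picks
    the banner and is what gets logged; listen_port=0 lets the OS choose a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", listen_port))
    srv.listen(5)
    srv.settimeout(0.2)      # lets the accept loop notice stop_event
    stop = threading.Event()

    def accept_loop():
        while not stop.is_set():
            try:
                conn, addr = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=handle, args=(conn, addr, service_port, personality, log),
                             daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop


def probe(port: int, lines) -> list:
    """Constructed local client used to exercise the honeypot; returns the replies."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        replies = [c.recv(1024)]
        for line in lines:
            c.sendall(line + b"\r\n")
            replies.append(c.recv(1024))
    return replies


if __name__ == "__main__":
    captured = []
    bound, stop_event = start_server("linux-server", captured)
    for r in probe(bound, [b"USER anonymous", b"PASS guest", b"HELP", b"QUIT"]):
        print(r.decode().rstrip())
    stop_event.set()
    for rec in captured:
        print(rec)
```

Running the block as a script prints the four server replies followed by the captured records, one per direction change. Keeping the raw bytes as hex rather than decoded text is deliberate: a honeypot log is evidence, and a decoding error or a stray control character should never alter what was recorded.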
2. STRUCTURE OF A HIGH INTERACTION HONEYPOT (GEN-II):-
A typical high-interaction honeypot consists of the following elements: resource of interest, data control, data capture and external logs ("Know Your Enemy: Learning with VMware", Honeynet Project); these are also known as GEN-II honeypots and started development in 2002. They provide better data capture and control mechanisms. This makes them more complex to deploy and maintain in comparison to low-interaction honeypots.
High-interaction honeypots are very useful in their ability to identify vulnerable services and applications for a particular target operating system. Since the honeypots have full-fledged operating systems, attackers attempt various attacks, providing administrators with very detailed information on attackers and their methodologies. This is essential for researchers to identify new and unknown attacks by studying the patterns generated by these honeypots.
DRAWBACKS:
However, GEN-II honeypots do have their drawbacks as well.
1. To simulate an entire network, with routers and gateways, would require an extensive computing infrastructure, since each virtual element would have to be installed in its entirety. In addition, this setup is comprehensive: the attacker can tell that the network he is on is not the real one. This is one primary drawback of GEN-II.
2. The number of honeypots in the network is limited.
3. The risk associated with GEN-II honeypots is higher because they can be used easily as launch pads for attacks.
COMPARISON:
BUILDING A HONEYPOT:
To build a honeypot, a set of virtual machines is created. They are then set up on a private network with the host operating system. To facilitate data control, a stateful firewall such as iptables can be used to log connections. This firewall would typically be configured in Layer 2 bridging mode, rendering it transparent to the attacker.
The final step is data capture, for which tools such as Sebek and Term Log can be used. Once data has been captured, analysis on the data can be performed using tools such as Honey Inspector, PrivMsg and SleuthKit.
Honeypot technology under development will eventually allow for a large-scale honeypot deployment that redirects suspected attack traffic to a honeypot. In the figure, an external attacker (1) penetrates the DMZ and scans the network IP address range; the redirection appliance (2) monitors all unused addresses (3) and uses Layer 2 VPN technology to enable the firewall (4) to redirect the intruder to the honeypot (5), which may have honeypot computers mirroring all types of real network devices; the scan of the network for vulnerable systems (6) is redirected by the honeypot appliance (7) when the attacker probes unused IP addresses.
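The data-control step above relies on the bridging firewall's connection log. As an added example (not from the paper and not a Honeynet Project tool), the following Python reads iptables LOG lines, lists which external hosts are probing many honeypot ports, and flags the case GEN-II drawback 3 warns about: the honeypot itself opening outbound connections. The log lines, the honeypot address 192.0.2.10, and the names parse_line and summarize are constructed for this example.

```python
"""Data-control log review for a bridging iptables honeywall (added example)."""
import re
from collections import defaultdict

HONEYPOT_IP = "192.0.2.10"   # constructed; documentation address range

# Constructed sample in standard iptables LOG format: bridge interfaces, then
# SRC/DST/PROTO/SPT/DPT fields and bare TCP flag tokens (DF, SYN, ...).
# One unrelated syslog line is included to show non-iptables lines are skipped.
SAMPLE_LOG = """\
Mar 28 11:30:00 honeywall sshd[123]: Accepted publickey for ops from 192.0.2.1 port 50000
Mar 28 11:30:58 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Mar 28 11:31:02 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=43210 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:31:02 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=2 DF PROTO=TCP SPT=43211 DPT=21 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:31:03 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=3 DF PROTO=TCP SPT=43212 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:31:03 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4 DF PROTO=TCP SPT=43213 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:31:04 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=5 DF PROTO=TCP SPT=43214 DPT=3306 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:32:10 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=6 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 28 11:40:31 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=TCP SPT=38822 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:40:35 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth1 PHYSOUT=eth0 SRC=192.0.2.10 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=8 DF PROTO=TCP SPT=38823 DPT=6667 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 28 11:41:00 honeywall kernel: IN=br0 OUT=br0 PHYSIN=eth0 PHYSOUT=eth1 SRC=203.0.113.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=9 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
"""

_KV = re.compile(r"^(\w+)=(.*)$")
_INT_FIELDS = ("LEN", "TTL", "ID", "SPT", "DPT")


def parse_line(line: str):
    """Return a dict of the kernel-log fields, or None for non-iptables lines."""
    head, sep, msg = line.partition("kernel: ")
    if not sep:
        return None
    rec = {"ts": " ".join(head.split()[:3]), "flags": set()}
    for tok in msg.split():
        if tok.startswith("["):          # optional "[uptime]" prefix, not a field
            continue
        m = _KV.match(tok)
        if m:
            k, v = m.groups()
            rec[k] = int(v) if k in _INT_FIELDS else v
        else:
            rec["flags"].add(tok)        # bare tokens: DF, SYN, ACK, ...
    return rec if "SRC" in rec else None


def summarize(records, honeypot_ip=HONEYPOT_IP, scan_threshold=5, outbound_limit=0):
    """Group packets by external source; flag port scanners and any traffic the
    honeypot itself initiated (a SYN without ACK from the honeypot address)."""
    ports_by_src = defaultdict(set)
    packets_by_src = defaultdict(int)
    outbound = []
    for r in records:
        if r["SRC"] == honeypot_ip:
            # A honeypot never starts connections on its own, so a SYN from it
            # means an intruder is using it as a launch pad.
            if "SYN" in r["flags"] and "ACK" not in r["flags"]:
                outbound.append((r["DST"], r.get("DPT")))
            continue
        if r["DST"] == honeypot_ip:
            packets_by_src[r["SRC"]] += 1
            if "DPT" in r:               # ICMP records carry no port
                ports_by_src[r["SRC"]].add(r["DPT"])
    scanners = sorted(s for s, p in ports_by_src.items() if len(p) >= scan_threshold)
    return {"packets_by_src": dict(packets_by_src), "ports_by_src": dict(ports_by_src),
            "scanners": scanners, "outbound": outbound,
            "outbound_over_limit": len(outbound) > outbound_limit}


if __name__ == "__main__":
    recs = [r for r in map(parse_line, SAMPLE_LOG.splitlines()) if r]
    report = summarize(recs, outbound_limit=1)
    print("scanners:", report["scanners"])
    print("honeypot-initiated connections:", report["outbound"])
    print("outbound limit exceeded:", report["outbound_over_limit"])
```

The outbound_limit mirrors the Honeynet practice of allowing a small number of honeypot-originated connections per period (enough to keep an intruder from noticing the cage) and alerting once that budget is exceeded; in the sample, two connections from the honeypot to port 6667 on an outside host exceed a limit of one.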
RESEARCH USING HONEYPOTS:
Honeypots are also used for research purposes to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is lack of information or intelligence on cyber threats. How can your organization defend itself against an enemy when you do not know who the enemy is? Research honeypots address this problem by collecting information on threats. Organizations can then use this information for a variety of purposes, including analyzing trends, identifying new methods or tools, identifying the attackers and their communities, ensuring early warning and prediction, or understanding attackers' motivation.
ADVANTAGES OF HONEYPOTS:
1. They collect small amounts of information that have great value. This captured information provides an in-depth look at attacks that very few other technologies offer.
2. Honeypots are designed to capture any activity and can work in encrypted networks.
3. They can lure the intruders very easily.
4. Honeypots are relatively simple to create and maintain.