HONEYPOT - Clemson
CLEMSON UNIVERSITY
HONEYPOT
By SIDDARTHA ELETI
Introduction
• Introduced in 1990/1991 by Clifford Stoll in his book “The Cuckoo’s Egg”
and by Bill Cheswick in his paper “An Evening With Berferd.”
• A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
• Acts as a decoy or bait to lure attackers.
• They are designed to be attacked.
• It is about spying on the spy, i.e. the attacker.
Working
• Uses the concept of deception.
• Honeypots work on the idea that all traffic to a honeypot should be deemed
suspicious.
• Designed to audit the activity of an intruder, save log files, and record events
– Processes started
– Adding, deleting, changing of files
– even key strokes
Location
• Honeypots are usually placed somewhere in the DMZ. This ensures that
the internal network is not exposed to the hacker.
• Most honeypots are installed inside firewalls so that they can be better
controlled.
• But a firewall placed in front of a honeypot works the opposite way to
how a normal firewall works.
Types of Honeypots
• Based on level of Deployment:
– Production Honeypots
– Research Honeypots
• Based on Design:
– Pure
– High Interaction
– Low Interaction
Levels of Deployment
• Production:
– It is easy to deploy and captures only limited information.
– Adds value to the security measures of an organization.
– Used by companies and large corporations.
• Research:
– Collects a lot of information, i.e. the attacker’s tools, intent, identity etc.
– Does not directly add value to an organization.
– Researches the threats and tries to come up with better measures.
– Used by the military, government organizations and research organizations.
Interaction
• What is Interaction?
– Level of Interaction determines amount of functionality a honeypot
provides.
– The greater the interaction, the more you can learn.
– The greater the interaction, the greater the complexity.
– The greater the interaction, the greater the risk.
• High Interaction:
– Imitates the services and actions of a real system.
– Gives vast amount of information.
– Involves a real operating system.
• This involves risk.
– Multiple honeypots can be hosted with the use of VMs.
– Difficult to detect
– Expensive to maintain
– Example : Honeynet
• Low Interaction Honeypots:
– It simulates the services of a system.
– Predetermined set of responses
– Not good for interacting with unexpected attacks
– Gives less information, usually only:
• Time of attack
• IP and port of attacker
• Destination IP and port of attack
– Does not involve an operating system
– Easy to detect
– Cheaper to maintain
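The “Working” and “Low Interaction” bullets above describe a small, concrete piece of software: something that listens on a port, answers with a predetermined response, treats every connection as suspicious, and records the time of the attack plus the source and destination IP and port. The script below is an added example written for this transcript, not code from the slides or from any of the products named later. The banner strings, port numbers and the sample client payload are constructed for illustration.

```python
"""Minimal low-interaction honeypot (added example, not from the slides).

Listens on a few ports, answers each connection with a scripted banner
(a predetermined response, so no real service is exposed), treats every
connection as suspicious, and records time, attacker IP/port and
destination IP/port. It never interprets what the client sends; it logs it.
"""
import json
import socket
import threading
import time

# Constructed banner table: service name -> fixed greeting the honeypot returns.
BANNERS = {
    "ftp": b"220 FTP server ready.\r\n",
    "telnet": b"\r\nlogin: ",
    "http": b"HTTP/1.0 200 OK\r\nContent-Length: 0\r\n\r\n",
}


def build_record(service, src, dst, data, when=None):
    """Assemble one log record from what a low-interaction honeypot captures."""
    ts = time.time() if when is None else when
    return {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts)),
        "service": service,
        "src_ip": src[0], "src_port": src[1],   # attacker
        "dst_ip": dst[0], "dst_port": dst[1],   # honeypot endpoint that was hit
        "bytes": len(data),
        # Keep a bounded, printable copy of what was sent; never act on it.
        "sample": data[:64].decode("latin-1"),
    }


def handle(conn, service, sink, timeout=5.0, max_bytes=4096):
    """Serve one accepted connection: send the banner, read a bounded amount
    of input, pass the record to `sink`, close. Returns the record."""
    src = conn.getpeername()[:2]
    dst = conn.getsockname()[:2]
    conn.settimeout(timeout)
    data = b""
    try:
        conn.sendall(BANNERS[service])
        while len(data) < max_bytes:
            chunk = conn.recv(1024)
            if not chunk:          # client closed the connection
                break
            data += chunk
    except (socket.timeout, OSError):
        pass                       # slow or reset clients are still logged
    finally:
        conn.close()
    record = build_record(service, src, dst, data)
    sink(record)
    return record


def serve(port_map, sink, host="0.0.0.0"):
    """Start one daemon listener per (port -> service) entry; each accepted
    connection is dispatched to handle(). Returns immediately."""
    def listener(port, service):
        srv = socket.socket()
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn, service, sink), daemon=True).start()

    for port, service in port_map.items():
        threading.Thread(target=listener, args=(port, service), daemon=True).start()


def simulate(service, payload):
    """Exercise handle() over loopback with a scripted client. Returns
    (banner the client saw, record the honeypot logged); no real port is exposed."""
    records = []
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    worker = threading.Thread(target=handle, args=(conn, service, records.append))
    worker.start()
    banner = cli.recv(1024)
    cli.sendall(payload)
    cli.close()
    worker.join()
    srv.close()
    return banner, records[0]


if __name__ == "__main__":
    # Demo with a constructed "attacker" that tries to log in to the fake FTP service.
    banner, record = simulate("ftp", b"USER anonymous\r\nPASS probe@example\r\n")
    print("client saw:", banner)
    print(json.dumps(record, indent=2))
    # Real deployment: serve({2121: "ftp", 2323: "telnet", 8080: "http"},
    #                        lambda r: print(json.dumps(r))) and keep the process alive.
```

Each record is one JSON line, which is the natural input for the “audit the activity, save log files, record events” step: ship it to the same collector as the rest of the logs and alert on every line, since by the slide’s own rule nothing legitimate should ever reach the honeypot. The bounded read and the fixed banners are what keep this on the low-interaction side: an experienced attacker will notice the canned replies quickly, exactly as the deck says, but the honeypot also cannot be used to run anything.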
Commercial Honeypot Systems
• There are a variety of commercial honeypot systems available.
– Deception ToolKit (DTK)
– Specter
• Supported operating systems:
– Microsoft NT
– Unix
Deception Toolkit
• The first free honeypot, by Fred Cohen in 1997.
• A suite of applications that listen to inbound traffic:
– FTP
– Telnet
– HTTP
• Uses scripted responses.
• Experienced attackers can quickly realize that they are in a
Honeypot.
SPECTER
• SPECTER is a smart honeypot-based intrusion detection system.
• A Production Honeypot and easy to configure.
• Provides real-time counterintelligence against hackers.
• It simulates a vulnerable computer with various operating systems like
Windows, Mac, Linux, Solaris etc.
• Offers common Internet services such as SMTP, FTP, POP3, HTTP and
TELNET.
• These services appear perfectly normal to the attackers but in fact are
traps for them to mess around and leave traces.
• Offers intelligence tools such as TRACER, TRACE ROUTE, DNS and FTP Banner
etc.
Advantages
• The administrator can learn about vulnerabilities in his system
• Intent of the attackers
• Simple design and implementation
• Fewer resources
• Cheaper to analyze collected information
Disadvantages
• Has to be attacked directly to be of any use.
• Can be avoided by an attacker.
• Honeypots can be detected as they have expected characteristics or
behavior.
• They can introduce risk to the environment.
• They don’t prevent or stop an attack.
Conclusion
• It’s a tool to learn and understand how the attack is being executed
and the motives of the attackers.
• Not a solution in itself.
• Provide important information about
– The attacker
– The tools being used by attacker
– What the attacker is after
References
• http://www.techrepublic.com/article/which-honeypot-should-iuse/1042527
• http://www.specter.com/default50.htm
• http://en.wikipedia.org/wiki/Honeypot_(computing)
• http://www.tracking-hackers.com/papers/honeypots.html
• http://www.sans.org/security-resources/idfaq/honeypot3.php
• Honeypots: Tracking Hackers By Lance Spitzner
THANK YOU