CmpE-220 Honeypots Final


8/6/2019 CmpE-220 Honeypots Final

DEPARTMENT OF COMPUTER ENGINEERING

CMPE 220 System Software Design (Fall 2007)

Special Topic Report on Honeypots

Submitted by

ISHLEEN KOUR SUDAN (2350)

PALAK PANDYA (5902)

Submitted to

Prof. Weider Yu


Table of Contents

0 Abstract
1 Background
1.1 Definition
1.2 History of Honeypots
1.3 Classification of Honeypots
1.3.1 Based on deployment
1.3.2 Based on level of interaction
1.3.3 Physical and Virtual Honeypots
1.4 Uses of Honeypots
2 Honeypots
2.1 Honeyd
2.1.1 Configuring Honeyd
2.1.2 Honeyd Architecture
2.2 Honeynet
2.2.1 Honeynet Architecture
2.2.2 Key Requirements
3 Advanced Honeypots
3.1 Honey Farm
3.1.1 Values of Honey Farm
3.1.2 Honey Farm Architecture
3.2 Honeytoken
3.2.1 Values of Honeytoken
3.2.2 Working of Honeytoken
4 Issues with Honeypots
4.1 Identifying honeypots
4.2 Exploiting honeypots
4.3 Nature of attack
5 Current challenges to Honeypots
5.1 Network Issues
5.2 System Issues
6 Suggestion for future Honeypots
6.1 From Misunderstanding to Acceptance
6.2 Suggestions
6.2.1 Making Easy to Use
6.2.2 Integrating with Technologies
6.2.3 Studying Advanced Attackers
6.2.4 Protecting against Honeypot Hunter
6.2.5 Deploying in Distributed Environment
7 Schedule
8 Lesson Learned
9 References


List of Figures

Figure 1 History of Honeypots
Figure 2 Honeyd Architecture -1
Figure 3 Honeyd Architecture -2
Figure 4 Architecture of Honeynet
Figure 5 Data Control without any restriction
Figure 6 Data Control with the Honeywall
Figure 7 Concept of redirecting attackers to the Honey Farm
Figure 8 Schedule


Honeypots: Ishleen Kour Sudan / Palak Pandya

0 Abstract

Computer technology and inter-networking have been evolving at a fast pace. Threats and vulnerabilities have been mounting in network systems across the Internet. The threats include spam, viruses, phishing and other malicious activities. Due to the growth of the black-hat community, the need to develop an efficient and robust system to thwart unsolicited intrusion has become extremely pressing. Intrusion detection and prevention systems (IDS and IPS) help to manage and prevent these threats in this ever-changing environment. Intrusion detection is the art of detecting inappropriate, incorrect, or anomalous activity [1]. These systems principally work on a host to discover malicious activities. There are basically two kinds of system: host-based and network-based. There are many approaches to intrusion detection, but the most common are statistical anomaly detection and pattern-matching detection. These systems are used to identify and stop intruders. Corrections are then applied to the whole system to remove all similar problems. The honeypot is a very efficient technology for intrusion detection.

However, this vast topic has been the subject of entire books; here we have collected some of the most important information. We discuss the most important concepts and the issues related to honeypots. This report discusses honeypots as an intrusion detection system, the different types of honeypots, their working and deployment, the issues and challenges facing honeypots, and some suggestions for future use. It also provides references for further reading.


1 Background

1.1 Definition

According to Lance Spitzner, founder of the Honeypot project, a honeypot is a security resource whose value lies in being probed, attacked, or compromised [7]. A honeypot can be viewed as an Internet-attached server that acts like a decoy, luring in potential hackers. It helps to study attackers' activities and to monitor their ways of breaking into a system. It is designed to simulate systems that attract an intruder to break into them, while limiting him from gaining access to the entire network. If a honeypot is successful, the intruder will be unaware of the fact that he is being tricked and monitored.

Honeypots serve the following purposes by luring an attacker into a system:

- The system administrator can observe an attacker's activities and how the vulnerabilities of the system are used. This helps to learn where the system has weaknesses and how it can be redesigned.
- The hacker can be prevented or caught when he tries to gain root access to the system.
- By studying the nature of the black-hat community, designers can build more secure systems that are potentially invulnerable to future hackers.


1.2 History of Honeypots

The word honeypot originally came from an espionage technique used during the Cold War. It was based on sexual entrapment: the term "honeypot" described the use of a female agent to entrap a male official of the other side for the purpose of gaining information [11].

Honeypots were a relatively undocumented and misunderstood technology, so on 19 November 2001 SecurityFocus Inc. started the Honeypots mailing list. It was hoped that this forum would help to create a better understanding of honeypots and their real value to network security.

Year: Development
1990/1991: First public works documenting honeypot concepts: Clifford Stoll's The Cuckoo's Egg and Bill Cheswick's "An Evening With Berferd" [4].
1997: Version 0.1 of Fred Cohen's Deception Toolkit was released, one of the first honeypot solutions available to the security community [4].
1998: Development began on CyberCop Sting, one of the first commercial honeypots sold to the public. CyberCop Sting introduced the concept of multiple virtual systems bound to a single honeypot [4].
1998: Marty Roesch and GTE Internetworking began development on a honeypot solution that eventually became NetFacade. This work also began the concept of Snort [4].
1998: Back Officer Friendly was released, a free, simple-to-use Windows-based honeypot that "introduced many people, including me, to honeypot concepts" [4].
1999: Formation of the Honeynet Project and publication of the "Know Your Enemy" series of papers [4]. This work helped increase awareness and validate the value of honeypots and honeypot technologies [4].
2000/2001: Use of honeypots to capture and study worm activity. More organizations adopted honeypots both for detecting attacks and for researching new threats [4].
2002: A honeypot was used to detect and capture in the wild a new and unknown attack, specifically the Solaris dtspcd exploit [4].

Figure 1 History of Honeypots


1.3 Classification of Honeypots

Honeypots can be classified based on their deployment and on their level of interaction.

1.3.1 Based on deployment

According to their deployment, honeypots can be further classified into Production Honeypots and Research Honeypots.

1.3.1.1 Production Honeypots

As the name suggests, Production Honeypots are positioned inside the production network, alongside the other production servers, by an organization to improve its overall state of security. Production Honeypots yield less information about attacks or attackers than Research Honeypots. The main goal of a Production Honeypot is to help mitigate risk in an organization [7].

1.3.1.2 Research Honeypots

Research Honeypots are run by volunteers from research, government or military organizations [7], by non-profit research organizations and by educational institutions. They collect information about the nature and tactics of attackers. They concentrate on learning how to better protect against threats rather than on researching the threats a particular organization faces. Research honeypots are more complex to deploy and maintain [5].

1.3.2 Based on level of interaction

Interaction can be described as the level of activity that a honeypot permits an attacker. The level of interaction provides a scale with which one can measure and compare the strengths and weaknesses of the various types. The more a honeypot can do and the more an attacker can do to a honeypot, the greater the information that can be derived from it [4]. In the same way, the more an attacker can do to the honeypot, the more potential damage an attacker can do [4]. Based on this, honeypots can be classified as follows.

1.3.2.1 Low-interaction Honeypots

Low-interaction honeypots, as the name suggests, allow only limited interaction. Basically they emulate operating systems and services, so the hacker's activities are restricted by the level of emulation. An emulated FTP service listening on port 21 that emulates the FTP login and a variety of FTP commands is an example of a low-interaction honeypot [19].

Examples: Specter, Honeyd and KFSensor.

Features:

- Simplicity: They are easy to install and deploy. They follow a plug-and-play approach: install the software, then select the operating systems and services that are to be emulated and monitored.


- Less risky: Because the emulated services limit what the attacker can do, they involve minimum risk. Risk is mitigated by controlling the attacker's activity; the attacker never gains access to a real operating system from which to attack or harm others.
- Captures limited information: This is the main disadvantage, as they are only able to capture limited information. They are designed to capture only known activity, mainly transactional data.
- Easy detection: No matter how good the emulation is, a skilled attacker can easily identify their presence [19].

1.3.2.2 High-interaction Honeypots

High-interaction honeypots are complex solutions enabling a high level of interaction. They are not emulations; instead, they involve real operating systems and applications. A Linux honeypot running an FTP server is a high-interaction honeypot, as it is built from a real Linux system running a real FTP server [19].

Examples: Symantec Decoy Server and Honeynets.

Features:

- Captures an extensive amount of information: By providing attackers with a real system to interact with, the full extent of attack behavior can be studied. Attack behavior including new tools (e.g. rootkits), communications (such as international IRC sessions) and keystrokes can be captured and analyzed.
- No assumptions made: They provide an open environment that can capture all kinds of activity without any assumptions about how a hacker will interact. This allows unexpected behaviors to be learned.
- Increased risk: They increase the risk, since attackers can use the real operating system to attack non-honeypot systems.
- Complex: They are more complex to deploy, and maintenance is also an issue [19].

1.3.3 Physical and Virtual Honeypots

1.3.3.1 Physical Honeypot

A physical honeypot is a real machine on the network with its own IP address. Physical honeypots are high-interaction honeypots and therefore allow the system to be completely compromised. They are also expensive to install and maintain; it is impractical to deploy a physical honeypot for each IP address.

1.3.3.2 Virtual Honeypots

In contrast to a physical honeypot, which is typically a hardware device, a virtual honeypot uses software to emulate a network. It is simulated by another machine that responds to the network traffic sent to the virtual honeypots [6].


1.4 Uses of Honeypots

1.4.1 Intrusion Detection and Prevention

As mentioned earlier, honeypots serve as intrusion detection and prevention systems. The whole purpose of honeypots is to catch intruders by observing their activities and their interaction with the honeypots, understanding the vulnerabilities of the organizational networks and thus taking measures to improve security.

1.4.2 Attack Analysis

Honeypots can be used to observe an adversary's attack behavior and to develop tools to guard against it in future.

1.4.3 Decoys

All the unused address space on a particular network is populated with honeypots. This makes the attacker waste time attacking honeypots, which slows down and annoys a human attacker. It also slows down the spread of worms.

1.4.4 Tarpits

These are used to slow down the attacker. One example is the LaBrea tarpit. Here an attacker is allowed to open a TCP connection, and then the window size is reduced to zero. The attacker can then neither send data across the connection nor close it. Gradually, the connection uses up resources on the attacker's system. The other example is open mail relays, where a honeypot offers an anonymous mail relay to attract spammers. The mail relay is then made to respond very slowly to SMTP commands, forcing spammers to waste time interacting with the honeypot. Here the honeypot might pretend to forward the mail but actually drops it.

1.4.5 Burglar Alarms

When a honeypot is compromised, the network administrator learns that an attack is happening on the network. This acts like a burglar alarm. Detailed information about the attack can be obtained from the logs maintained by the honeypots. Also, based on abnormal activities observed in the honeypots, attacks can be predicted a few days in advance.

1.4.6 Automatic Signature Generation

An example is Honeycomb, which acts as a plug-in for Honeyd. It is employed to detect patterns in the logged data and creates Snort signatures. It works quite well with no human input and is much faster than manual signature generation.


2 Honeypots

2.1 Honeyd

Honeyd is a low-interaction honeypot in which an attacker interacts with a simulated machine. It runs on a single machine that simulates a group of virtual machines and the physical network between them [13]. Of the various simulations possible (operating system, services and network stack), only the network stack of each machine is simulated. The figure below shows the architecture of Honeyd.

Figure 2 Honeyd Architecture -1

A single real machine can simulate a whole network of honeypots. In Figure 2 only the router and the Honeyd machine (10.0.0.2) are real computers [13]. The central machine intercepts the network traffic intended for the IP addresses of the configured honeypots and simulates their responses. Honeyd receives traffic for its virtual honeypots via a router or


Proxy ARP [9]. Honeyd can simulate the network stack behavior of a different operating system [9].

According to a standard definition, Honeyd can be described as follows:

- It is a small daemon that creates virtual hosts on a network [6]. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems [6].
- Honeyd enables a single host to claim multiple addresses (up to 65536 have been tested) on a LAN for network simulation [9].
- Honeyd improves cyber security by providing mechanisms for threat detection and assessment [9].
- It also deters adversaries by hiding real systems in the middle of virtual systems [6].
- It is possible to ping the virtual machines, or to traceroute to them [9].
- Any type of service on the virtual machine can be simulated according to a simple configuration file [6].
- Instead of simulating a service, it is also possible to proxy it to another machine [9].

2.1.1 Configuring Honeyd

Honeyd is designed so that it is able to reply to all packets whose destination IP address belongs to one of the simulated honeypots. For Honeyd to receive the correct packets, the network needs to be configured properly. Some of the ways to accomplish this are:

- Network tunneling: In this case, the network address space is tunneled to a Honeyd host [9]. The Generic Routing Encapsulation (GRE) tunneling protocol is used for this.
- Adding routes: The IP addresses of the virtual honeypots lie within the local network range and are denoted v1 ... vn. If A is the IP address of the router and B the IP address of the Honeyd host, entries for the honeypots v1 ... vn are configured in A's routing table with B as the next hop. Router A then forwards packets for the virtual honeypots directly to the Honeyd host B.
- Proxy ARP: If no route has been configured, the router sends ARP requests to determine the MAC address of the virtual honeypot [9]. Since there is no physical machine, the request gets no response and the router drops the packet after a few attempts. To solve this, the Honeyd host is configured to reply to ARP requests for vi with its own MAC address. This is called Proxy ARP and allows the router to send packets for vi to B's MAC address.


2.1.2 Honeyd Architecture

Honeyd is a low-interaction virtual honeypot that simulates TCP and UDP services and also responds correctly to ICMP packets [9]. The architecture consists of the following components:

- Configuration database
- Central packet dispatcher
- Protocol handlers
- Personality engine
- Optional routing component

Figure 3 Honeyd Architecture -2

Configuration database: A database that maintains a list linking the virtual machines to IP addresses. It uses a default template if no specific configuration is available.


Central packet dispatcher: Packets received by the Honeyd daemon for one of the virtual honeypots are processed by the central packet dispatcher [9]. The dispatcher checks the length of the IP packet and verifies its checksum [9]. Since the daemon knows only three protocols (ICMP, TCP and UDP), packets for other protocols are discarded. The dispatcher queries the configuration database for a honeypot configuration that corresponds to the destination IP address, using the default one if none matches.

Protocol handler: The dispatcher calls the protocol-specific handler with the received packet and the corresponding honeypot configuration [9].

ICMP handler: It supports ICMP ECHO request packets; the daemon answers with an ICMP ECHO reply packet.

TCP and UDP handlers: For TCP and UDP, the daemon can establish connections to arbitrary services, which are external programs that receive data on stdin and send their output to stdout. When a packet is received, the daemon checks whether it is part of an established connection [9]; in that case, any new data is sent to the already started service program. If the packet contains a connection request, a new process is created to run the appropriate service [9]. Honeyd contains a simplified TCP state machine: the three-way handshake for connection establishment and connection teardown via FIN or RST are fully supported [9]. A UDP packet to a closed port is correctly answered with an ICMP port unreachable message, which allows tools like traceroute to work correctly. Instead of establishing a connection with a service program, the daemon also supports dynamic redirection of the service [9]. This allows the user to forward a connection request for a web server running on a virtual honeypot to a real web server [9]. It is also possible to redirect connections back to the adversary himself, e.g. a redirected SSH connection might cause an adversary to attempt to compromise his own SSH server.

Personality engine: Before any packet is sent to the network, it is processed by the personality engine [9]. It adjusts the packet's content so that it seems to originate from the network stack of the configured operating system [9]. Adversaries commonly run fingerprinting tools such as Nmap to gather information about a target system [16]. It is therefore important that honeypots do not stand out when fingerprinted [9]. To make them appear real to a probe, Honeyd simulates the network stack behavior of a given operating system [16]. This is generally called the personality of a virtual honeypot. Different personalities can be assigned to different virtual honeypots [9]. The personality engine makes a honeypot's network stack behave as specified by the personality


by introducing changes into the protocol headers of every outgoing packet so that they match the characteristics of the configured operating system [9]. The daemon uses the Nmap fingerprint database for TCP and UDP and the Xprobe fingerprint database for ICMP as references.
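To make the dispatcher, configuration database and personality engine concrete, here is an added example in Python (it is not Honeyd's own code, which is written in C): a miniature dispatcher that validates the IP header, looks the destination up in a small configuration database with a default template, hands the packet to an ICMP, UDP or TCP handler, and stamps each answer with the TTL and TCP window of the configured personality. The template names, addresses, service names and per-OS TTL/window values are constructed for illustration.

```python
# Added example (not Honeyd's own code): a miniature of the central packet
# dispatcher, configuration database and personality engine described above.
# Header layouts follow real IPv4/TCP/UDP/ICMP; template names, addresses,
# service names and the per-OS TTL/window values are constructed.
import struct
from dataclasses import dataclass, field

ICMP, TCP, UDP = 1, 6, 17

@dataclass
class Personality:
    ttl: int      # initial IP TTL the emulated stack would use (constructed)
    window: int   # TCP window the emulated stack advertises (constructed)

@dataclass
class Template:
    personality: Personality
    # TCP port -> service program name, or ("proxy", host, port) for redirection
    tcp_ports: dict = field(default_factory=dict)

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; yields 0 over a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Minimal IPv4 packet (no options) with a correct header checksum."""
    def addr(a):
        return bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                      ttl, proto, 0, addr(src), addr(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload

class ConfigDB:
    """Maps honeypot IP addresses to templates, falling back to a default."""
    def __init__(self, default: Template):
        self.default, self.bound = default, {}

    def bind(self, ip: str, template: Template) -> None:
        self.bound[ip] = template

    def lookup(self, ip: str) -> Template:
        return self.bound.get(ip, self.default)

def dispatch(db: ConfigDB, pkt: bytes) -> dict:
    """Validate the IP packet, pick the template, dispatch by protocol."""
    if len(pkt) < 20:
        return {"action": "drop", "reason": "short packet"}
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) != struct.unpack("!H", pkt[2:4])[0]:
        return {"action": "drop", "reason": "bad length"}
    if ip_checksum(pkt[:ihl]) != 0:
        return {"action": "drop", "reason": "bad checksum"}
    proto, dst, payload = pkt[9], ".".join(str(b) for b in pkt[16:20]), pkt[ihl:]
    tmpl = db.lookup(dst)
    pers = tmpl.personality
    if proto == ICMP:
        if payload and payload[0] == 8:                  # ICMP echo request
            return {"action": "icmp-echo-reply", "ttl": pers.ttl}
        return {"action": "drop", "reason": "unsupported icmp type"}
    if proto == UDP:                                     # no UDP services bound
        dport = struct.unpack("!H", payload[2:4])[0]
        return {"action": "icmp-port-unreachable", "port": dport, "ttl": pers.ttl}
    if proto == TCP:
        dport, flags = struct.unpack("!H", payload[2:4])[0], payload[13]
        svc = tmpl.tcp_ports.get(dport)
        if svc is None:                                  # closed port: RST
            return {"action": "tcp-rst", "port": dport, "ttl": pers.ttl}
        if flags & 0x02:                                 # SYN: start service or proxy
            kind = "proxy" if isinstance(svc, tuple) else "service"
            return {"action": "tcp-syn-ack", "port": dport, kind: svc,
                    "ttl": pers.ttl, "window": pers.window}
        return {"action": "tcp-data", "port": dport}     # data on an open connection
    return {"action": "drop", "reason": "unknown protocol %d" % proto}

def demo() -> dict:
    """Constructed configuration and probes; returns the dispatcher's decisions."""
    linux = Personality(ttl=64, window=5840)             # "Linux-like" (constructed)
    win = Personality(ttl=128, window=64240)             # "Windows-like" (constructed)
    db = ConfigDB(Template(linux))                       # default template
    db.bind("10.0.0.10", Template(win, {80: "scripts/web.sh",
                                        22: ("proxy", "10.0.0.5", 22)}))
    def syn(port):                                       # TCP header with only SYN set
        return struct.pack("!HHIIBBHHH", 40001, port, 1, 0, 0x50, 0x02, 1024, 0, 0)
    src, hp = "192.0.2.7", "10.0.0.10"
    good = build_ipv4(src, hp, TCP, syn(80))
    bad = good[:8] + bytes([good[8] ^ 1]) + good[9:]     # flipped TTL: checksum fails
    return {
        "udp_closed": dispatch(db, build_ipv4(src, hp, UDP, struct.pack("!HHHH", 40000, 53, 8, 0))),
        "syn_web": dispatch(db, good),
        "syn_ssh": dispatch(db, build_ipv4(src, hp, TCP, syn(22))),
        "echo_default": dispatch(db, build_ipv4(src, "10.0.0.99", ICMP, bytes([8, 0, 0, 0]))),
        "bad_csum": dispatch(db, bad),
    }
```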

Routing: Honeyd also supports virtual routing topologies. Proxy ARP cannot be used in this case; instead, the router needs to be configured to delegate a network range to the Honeyd host, and this network range can be split into sub-networks. The virtual routing topology is implemented as a rooted tree, the root of the tree being the point at which packets enter the virtual routing topology [9]. Each non-terminal node of the tree represents a router, and each edge a link that carries latency and packet loss as attributes [9]. Each terminal node of the tree corresponds to a network. When the daemon receives a packet, it traverses the tree starting at the root until it finds a node that contains the destination IP address of the packet [9]. The packet loss and latency of all edges on the path are accumulated and determine whether the packet is dropped and for how long its delivery should be delayed [16]. The daemon also decrements the time to live (TTL) of the packet for each traversed router. If the TTL reaches zero, the daemon sends an ICMP time exceeded message with the source IP address of the router that caused the TTL to reach zero [9].
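The routing component as an added example in Python (not Honeyd's own code): the topology is a rooted tree whose routers decrement the TTL and whose edges carry latency and loss, and a traceroute view shows which virtual router answers at each TTL value. Router addresses, prefixes, latencies and loss rates are constructed for illustration.

```python
# Added example (not Honeyd's own code): the virtual routing topology modelled
# as a rooted tree. Router addresses, prefixes, latencies and loss rates are
# constructed for illustration.
import ipaddress
import random
from dataclasses import dataclass, field

@dataclass
class Node:
    """A router (has links) or a terminal network (no links)."""
    address: str                      # router address; "" for a terminal network
    network: ipaddress.IPv4Network    # range delegated to this node
    links: list = field(default_factory=list)

@dataclass
class Link:
    latency_ms: float
    loss: float                       # packet loss probability on this edge
    child: Node

@dataclass
class Result:
    outcome: str                      # delivered / dropped / ttl-exceeded / unreachable
    delay_ms: float = 0.0
    hops: list = field(default_factory=list)
    icmp_source: str = ""             # router that answers with an ICMP error

def route(root: Node, dst: str, ttl: int, rng: random.Random = None) -> Result:
    """Walk the tree from the root, accumulating latency and loss and
    decrementing TTL at every router, until the destination network is found."""
    ip = ipaddress.ip_address(dst)
    if rng is None:
        rng = random.Random(0)
    node, delay, p_deliver, hops = root, 0.0, 1.0, []
    while node.links:                         # non-terminal node: a router
        hops.append(node.address)
        ttl -= 1
        if ttl == 0:                          # TTL expired at this router
            return Result("ttl-exceeded", delay, hops, node.address)
        link = next((l for l in node.links if ip in l.child.network), None)
        if link is None:                      # no delegated sub-range matches
            return Result("unreachable", delay, hops, node.address)
        delay += link.latency_ms
        p_deliver *= 1.0 - link.loss
        node = link.child
    # terminal node: the accumulated loss decides whether the packet is dropped
    if rng.random() >= p_deliver:
        return Result("dropped", delay, hops)
    return Result("delivered", delay, hops)

def traceroute(root: Node, dst: str, max_ttl: int = 16) -> tuple:
    """What a traceroute against the virtual topology sees: one ICMP time
    exceeded source per TTL value until the destination network is reached."""
    path = []
    for ttl in range(1, max_ttl + 1):
        r = route(root, dst, ttl)
        if r.outcome != "ttl-exceeded":
            return path, r.outcome
        path.append(r.icmp_source)
    return path, "max-ttl"

def build_topology() -> Node:
    """Constructed topology: entry router -> second router -> two networks,
    plus one network hanging directly off the entry router."""
    net = ipaddress.ip_network
    lan_a = Node("", net("10.1.1.0/24"))
    lan_b = Node("", net("10.1.2.0/24"))
    r2 = Node("10.1.0.1", net("10.1.0.0/16"),
              [Link(5.0, 0.0, lan_a), Link(30.0, 1.0, lan_b)])   # lan_b link drops everything
    lan_c = Node("", net("10.2.0.0/24"))
    return Node("10.0.0.1", net("10.0.0.0/8"), [Link(10.0, 0.0, r2), Link(2.0, 0.0, lan_c)])
```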

2.2 Honeynet

A Honeynet is a high-interaction honeypot that offers real systems, applications and services for attackers to interact with [8]. It is specially designed to capture extensive information on threats, both external and internal to an organization [8]. A Honeynet is a network that contains one or more honeypots. The honeynet has no production activity of its own and does not provide any authorized services; only malicious and unauthorized interaction with the honeynet is of value. With other security technologies one needs to sift through gigabytes of data or thousands of alerts; since a honeynet is nothing more than a network of honeypots, all captured activity can be assumed to be unauthorized or malicious [8].

A Honeynet is an architecture that constructs a highly controlled network. With the help of this architecture one can control and monitor all activity that happens within it [8]. In some ways a honeynet is like a fishbowl: one can create an environment that is totally transparent. However, this particular fishbowl contains Linux DNS servers, HP printers and Juniper routers [8]. Just as a fish interacts with the elements of a fishbowl, intruders interact with the honeypots [8].

A crucial advantage of Honeynets is their ability to gather extensive information. With this type of architecture one can set up any type of


system or desired application, luring the attackers to use them and thus gathering enough data and information.

In addition to being useful, honeynets have some negative points. Firstly, honeynets are more difficult to set up. Secondly, they are expensive to set up as well as to maintain. Sometimes honeynets put the other machines connected alongside them in danger. Moreover, they need continuous monitoring, so they are more time-intensive.

2.2.1 Honeynet Architecture

As explained earlier, honeynets are nothing more than an architecture. The key to this architecture is the honeywall. The honeywall can be defined as a gateway device that separates the honeypots from the rest of the world; any traffic going to or from the honeypots must go through the honeywall [8]. The honeywall is traditionally a layer-2 bridging device [8]. The point of a layer-2 bridging device is that it is hidden from anyone who interacts with the honeypots [8].

Figure 4 Architecture of Honeynet


Figure 4 demonstrates the architecture of a Honeynet. As shown in Figure 4, the honeynet architecture has three honeypot systems, three production systems and a router connected through a honeywall system. In practice one can add many more systems, but for basic understanding only three are shown. Basically, a honeywall has three interfaces. Interfaces eth0 and eth1 (indicated with red lines) separate the honeypots from the rest of the world. These are bridged interfaces, and such bridges don't have an IP stack. The third interface, eth2, is optional; it has an IP stack, which allows remote administration. This architecture provides a highly controlled network, with whose help one can control and monitor all activity that happens within it.

2.2.2 Key Requirements

There are some key requirements that must be implemented by a honeywall: Data Control, Data Capture, Data Analysis and Data Collection. Of all these requirements, Data Control is essential; it always has the highest priority, as its role is to mitigate risk [8].

2.2.2.1 Data Control

Data Control describes how malicious activity is contained within the honeynet without the attacker's knowledge. Data Control mitigates risk. It is necessary to ensure that once an attacker is inside the Honeynet, he cannot accidentally or purposefully damage non-Honeynet systems. At the same time the system has to allow the attacker some degree of freedom, since that is what allows the characteristics of attackers to be learned. The most important thing is the balance: how much freedom to offer versus how much restriction to place. Data Control should operate in a fail-closed manner: if any mechanism fails, the honeynet architecture should block all outbound activity rather than allow it, thus minimizing risk [8]. Honeypots with no restrictions and with the Honeywall are illustrated by Figure 5 and Figure 6.
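As an added illustration of fail-closed Data Control (not the Honeynet Project's honeywall code), the following Python models the outbound connection limiting a honeywall applies: inbound connections are always allowed, outbound connections per honeypot and protocol are limited per hour, the first block raises an alert for the administrator, and any error in the control path blocks rather than allows. The honeypot addresses, limits and the replayed connection records are constructed.

```python
# Added example (not the Honeynet Project's honeywall code): outbound
# connection limiting in fail-closed form. Honeypot addresses, the per-hour
# limits and the replayed connection records are all constructed.
from collections import deque
from dataclasses import dataclass

WINDOW_SECONDS = 3600.0
# Constructed limits on new outbound connections per honeypot and protocol per
# hour; a real honeywall takes these from its own configuration.
DEFAULT_LIMITS = {"tcp": 3, "udp": 5, "icmp": 10, "other": 2}

@dataclass
class Conn:
    ts: object      # epoch seconds of the connection's first packet
    src: str
    dst: str
    proto: str

class DataControl:
    """Decides allow/block for each new connection crossing the honeywall."""

    def __init__(self, honeypots, limits=DEFAULT_LIMITS):
        self.honeypots = set(honeypots)
        self.limits = dict(limits)
        self.history = {}      # (honeypot, proto) -> deque of recent timestamps
        self.alerts = []       # burglar-alarm events for the administrator
        self.alerted = set()   # keys that already raised a limit alert

    def decide(self, c: Conn) -> str:
        try:
            return self._decide(c)
        except Exception as exc:
            # Fail closed: an error in the control path blocks the connection
            # rather than letting a compromised honeypot reach the outside.
            self.alerts.append("fail-closed: %r" % (exc,))
            return "block"

    def _decide(self, c: Conn) -> str:
        ts = float(c.ts)                           # malformed record -> exception
        if c.src not in self.honeypots:
            return "allow"                         # inbound: attackers are welcome
        if c.dst in self.honeypots:
            return "allow"                         # stays inside the honeynet
        proto = c.proto if c.proto in self.limits else "other"
        key = (c.src, proto)
        q = self.history.setdefault(key, deque())
        while q and ts - q[0] >= WINDOW_SECONDS:   # slide the one-hour window
            q.popleft()
        if len(q) >= self.limits[proto]:
            if key not in self.alerted:            # first block: the honeypot is
                self.alerted.add(key)              # probably compromised
                self.alerts.append("limit %s/%s reached at %.0f" % (key + (ts,)))
            return "block"
        q.append(ts)
        return "allow"

def demo() -> tuple:
    """Replay a constructed connection log; return decisions and alerts."""
    dc = DataControl({"10.0.0.10", "10.0.0.11"})
    log = [Conn(0, "192.0.2.5", "10.0.0.10", "tcp")]            # inbound probe
    log += [Conn(t, "10.0.0.10", "198.51.100.9", "tcp") for t in range(1, 6)]
    log += [Conn(7, "10.0.0.10", "10.0.0.11", "tcp"),            # honeypot to honeypot
            Conn(8, "10.0.0.10", "198.51.100.9", "udp"),         # separate UDP budget
            Conn(3700, "10.0.0.10", "198.51.100.9", "tcp"),      # hour has rolled over
            Conn("bad", "10.0.0.10", "198.51.100.9", "tcp")]     # malformed record
    return [dc.decide(c) for c in log], dc.alerts
```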

Figure 5 Data Control without any restriction
[Figure 5 diagram: the Internet connected directly to two honeypots, with no restrictions on traffic in either direction.]


    Figure 6 Data Control with the Honeywall

    2.2.2.2Data Capture

    As name suggests, data capture monitors all of the attacker's activity withoutthe attacker knowing it, within the Honeynets [8]. This captured data helps to

    investigate the tools, tactics and motives of the intruders. It is very importantto understand the use of layers in Data Captures. If captured information hasmore of the layer information, at both the network and the host level thencharacteristics of the attackers can be studied and discovered very easily. Onemore challenge with Data Capture is that large portion of the attackeractivities happen over encrypted channels such as IPSec, SSH, SSL, etc.; so itmust take encryption into consideration[8].

Moreover, the captured data must not be stored on the honeypots themselves, because if the attacker finds it there it can easily be modified or deleted. Another possibility is that attackers identify the Data Capture mechanism itself; the black-hat community could then develop methods to bypass or disable it [8].

2.2.2.3 Data Analysis

Data Analysis is the ability to analyze the captured data, and it is the whole purpose of a Honeynet: a Honeynet is useless if it cannot turn captured data into information.

2.2.2.4 Data Collection

The function of Data Collection is to collect data from multiple Honeynets into a single source. It applies only to organizations that have multiple Honeynets in a distributed environment [8]. Such organizations have Honeynets logically or physically distributed all over the world [8], and they have to collect all of the captured data and store it in some central location [8]. Combining the captured data can greatly increase the value of the Honeynets.

(Figure 6 diagram: the Internet reaches two Honeypots through a Honeywall; inbound traffic is labelled "No Restrictions", outbound traffic "Connections Limited, Packets Scrubbed")


    3 Advanced Honeypots

    3.1 Honey Farm

A Honey Farm extends honeypot technology with the concept of farming. Instead of installing large numbers of honeypots, or honeypots on every network, a Honey Farm deploys the honeypots in a single, consolidated location [12]. This single network of honeypots becomes the honeypot farm, a dedicated security resource [12]. Attackers are forwarded to the farm regardless of which network they are on or investigating. The Honey Farm is a very new concept with tremendous potential [12]; it is one of the best methods for large deployments of distributed honeypots, especially high-interaction honeypots like Honeynets [12].

3.1.1 Values of Honey Farm

The potential advantages of the Honey Farm are enormous. With this technology, deploying honeypots becomes extremely easy. A Honey Farm could be built in any SOC (Security Operations Center) where the manpower and resources have already been dedicated to such a solution [12]. Once redirectors are physically placed on a network, they redirect all attackers or unauthorized activity to the centralized honeypot farm, while SOC personnel monitor and analyze all of the captured data [12].

A Honey Farm also makes high-interaction honeypots easier to operate. Instead of maintaining multiple Honeynets distributed around the world, the operator has only one physical Honeynet to maintain [12], which saves a great deal of maintenance cost and time. The Honey Farm thus greatly increases the effectiveness of high-interaction honeypots like Honeynets.

The concept of honeypot farms is exceptionally powerful; however, few off-the-shelf solutions exist and it is challenging to implement. Many Honey Farm solutions are still under active development and some have already been released [12]. One of the simplest commercial solutions that implements a Honey Farm is NetBait, which calls the farm a ServerFarm. Within these farms one can set up any desired systems. NetBait has redirectors which capture an attacker's activity and redirect it to pre-determined systems within the ServerFarm. An attacker who probes or attacks a specific IP continues to interact with that same IP; during the redirection the attacker does not realize which system he is really working with. NetBait maintains a farm for the organization: all the organization has to do is deploy redirectors on its networks, and these direct all unauthorized activity to NetBait's farm. The Honey Farm thus works as a service rather than a tool, so organizations do not need to maintain the honeypots or analyze their data. Additionally, they do not have to worry about liability or risk. They gain the power and advantages of honeypots without the resource or risk issues [12].

3.1.2 Honey Farm Architecture

The main function of the Honey Farm is deploying redirectors. A redirector acts as a proxy or 'worm hole' [10]: it transports an attacker's probes to a honeypot within the Honey Farm without the attacker ever knowing it [12]. The attacker thinks they are interacting with a victim on a local network, when in reality they have been transported to the Honeypot Farm [12]. Figure 7 shows the concept of redirecting attackers to the Honey Farm.

    Figure 7 Concept of redirecting attackers to the Honey Farm
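The redirector concept of Figure 7, as an added example that is not NetBait's or any other product's code: a small Python TCP "worm hole" that accepts a connection on a decoy address and splices it, byte for byte in both directions, to a honeypot in the farm, logging which source was redirected where. The farm host name, the port mapping and the echo service standing in for a farm honeypot are constructed for the example.

```python
# Honey Farm redirector ("worm hole") sketch: a connection arriving on a decoy
# address is spliced to a honeypot inside the central farm. Added example, not
# NetBait or any product named in the report; the farm addresses, port mapping
# and the echo stand-in honeypot are constructed for the demo.
import socket
import threading

# Decoy local port -> (farm honeypot host, port). Assumed mapping.
FARM_MAP = {22: ("honeyfarm.example", 22), 80: ("honeyfarm.example", 80)}


def farm_target(local_port, farm_map=FARM_MAP):
    """Farm honeypot impersonating this local service, or None if the port is
    not redirected and the real host's own service should answer."""
    return farm_map.get(local_port)


def _pump(src, dst):
    """Copy bytes one way until EOF, then close the peer's write side so the
    far end sees EOF too. A socket error on either side just ends the splice."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def redirect(client, farm_addr, log):
    """Splice one accepted client socket to the farm honeypot. The attacker keeps
    talking to the decoy address; the log records who went where."""
    log.append((client.getpeername()[0], farm_addr))
    farm = socket.create_connection(farm_addr)
    pumps = [threading.Thread(target=_pump, args=(client, farm), daemon=True),
             threading.Thread(target=_pump, args=(farm, client), daemon=True)]
    for p in pumps:
        p.start()
    for p in pumps:
        p.join()
    client.close()
    farm.close()


def serve(listen_addr, farm_addr, log, max_conns):
    """Listen on the decoy address, redirect max_conns connections in threads,
    and return the bound port (handy when listen_addr asks for port 0)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        for _ in range(max_conns):
            client, _peer = srv.accept()
            threading.Thread(target=redirect, args=(client, farm_addr, log),
                             daemon=True).start()
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def start_echo_honeypot(max_conns=1):
    """Constructed stand-in for a farm honeypot: echoes what it receives so the
    splice can be checked end to end. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def loop():
        for _ in range(max_conns):
            conn, _peer = srv.accept()
            with conn:
                while True:
                    data = conn.recv(4096)
                    if not data:
                        break
                    conn.sendall(data)
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return port


def demo():
    """Run farm stand-in and redirector on loopback, push one probe through the
    decoy port, and return (bytes echoed back, redirect log)."""
    log = []
    farm_addr = ("127.0.0.1", start_echo_honeypot())
    decoy_port = serve(("127.0.0.1", 0), farm_addr, log, max_conns=1)
    with socket.create_connection(("127.0.0.1", decoy_port)) as c:
        c.sendall(b"SSH-2.0-probe\r\n")
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while True:
            chunk = c.recv(4096)
            if not chunk:
                break
            reply += chunk
    return reply, log
```

`demo()` runs both ends on loopback. In a real deployment the decoy would listen on unused addresses of the production network, `farm_addr` would point at the Honeynet, and the splice would sit behind the farm's own Data Control so that a compromised farm honeypot cannot use the redirector as a path back into the production network.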


    3.2 Honeytoken

A honeypot does not always have to be a computer, or a resource that the black-hat community can interact with. A Honeytoken is a honeypot that is not a computer. It is simply a digital entity such as a credit card number, an Excel spreadsheet, a PowerPoint presentation, a database entry, or even a bogus login [10]. Honeytokens come in many shapes and sizes, but they all share the same basic concept: a digital or information system resource whose value lies in the unauthorized use of that resource [17]. Just as a honeypot computer has no authorized value, a honeytoken has no authorized use either [17].

3.2.1 Values of Honeytoken

Like traditional honeypots, honeytokens are not a solution to any single problem; specifically, they are not designed to detect attackers or prevent attacks. However, they are very efficient, and as a tool with multiple security applications they can detect or identify who the threat is as well as their motives. Because of their simplicity, Honeytokens are widely used. Honeytokens rely on the fact that an insider attacker may be familiar with the internal environment of the system and has access to its files, information and records, including the Honeytokens. As with any technology, their greatest value comes when they are combined with other solutions. For example, in many cases honeytokens may not prove unauthorized activity [10]; instead, they may simply indicate unauthorized behavior, and other tools are required to confirm the hacker's malicious intent.

For example, an employee may access a honeytoken that is a Microsoft Word file posing as company X's Research and Development plans. If the employee attempts to copy and transfer the file, company X has identified a problem. Once company X has identified this activity, it can use other measures to prove the individual's goal.

3.2.2 Working of Honeytoken

As discussed above, a honeytoken is just like a honeypot; the only difference is that no one should interact with it. Any interaction with a honeytoken represents unauthorized or malicious activity [10]. Honeytokens are very flexible: what can be used as a Honeytoken, and how, is up to the imagination of the user. A model example of how a honeytoken works is the "John F. Kennedy" medical records example [17]. Under HIPAA, hospitals are required to enforce patient privacy, so only certain authorized people, such as doctors and nurses, have access to patient data. If a hospital fails to protect patient data, it faces not only civil liability but also possible criminal liability. To address this, a very simple solution was found: a bogus medical record called "John F. Kennedy" was generated and loaded into the database. Since there is no real patient with that name, this medical record has no real value. This gives the hospital two major advantages: if any employee is looking for interesting patient data, the record will definitely stand out; and if an employee attempts to access this record, the hospital probably has an employee violating patient privacy.

Nowadays there have been numerous incidents of large databases being compromised with millions of SSNs or credit card numbers. Honeytokens can address this problem by embedding a bogus number in the database: if someone accesses this bogus number, the system indicates a violation of security.

For example, the credit card number 960329790458425 could be embedded in a database, a file server, or some other type of repository. The number is unique enough that there will be minimal, if any, false positives [10]. An IDS signature, for example a Snort rule, could be used to detect when that honeytoken is accessed. Such a simple signature could look as follows [10].

# Snort requires a sid on every rule; sids from 1000000 upward are reserved for local rules.
alert ip any any -> any any (msg:"Honeytoken Access - Unauthorized Activity"; content:"960329790458425"; sid:1000001; rev:1;)

Honeytokens excel as a detection mechanism. They can be used not only to detect an attacker, but potentially to identify who that attacker is and what they are after [10]. Suppose a company (call it company I) is worried about internal employees attempting to find company secrets, for example a senior management letter. Honeytokens can be used to identify who they are [10]. To track such unauthorized activity, company I can create a bogus email, or honeytoken, and plant it in management's mailbox. The email could look like this:

To: Chief Financial Director
From: Security help desk
Subject: Access to financial database

Sir,

The security team has updated your account to the company's financial records. Your new login and password to the system are as below.

If you need any help or assistance, do not hesitate to contact us.

https://finance.sjsucompany.com
login: calI0 password: H0n3y_t0k3n

Security Help Desk

A honeytoken does not need fancy algorithms, signatures to update or rules to configure. It needs no technology to deploy, no vendors to contact and no licenses to update. Generally, one only has to generate fake documents: a unique PowerPoint file, an image, or a bogus record. Compared with other security technologies, it is the simplest and most cost-effective solution.
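Detection logic for the honeytokens discussed in this section, as an added example that is not code from the report or from reference [10]: a Python scanner that runs over constructed log lines (a web access log, a database audit log, an sshd log and a web login log) and raises an alert whenever the bogus credit card number or the bogus finance login from the e-mail above appears, together with the source address on that line; it also emits the equivalent Snort rule for each token, in the style of the signature shown earlier. The token names, the sample log lines and the sid numbers are assumptions.

```python
# Honeytoken monitor: looks for planted tokens in log lines and emits the
# matching Snort rule for network-level detection. Added example, not code
# from the report or from reference [10]; token names, sample log lines and
# sid numbers are constructed.
import re
from dataclasses import dataclass

# Planted tokens. The values are the ones the report uses; the names are assumed.
HONEYTOKENS = {
    "bogus-card": "960329790458425",
    "bogus-finance-login": "calI0",
    "bogus-finance-password": "H0n3y_t0k3n",
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass(frozen=True)
class Alert:
    line_no: int
    token: str
    source: str   # first IPv4 address on the line, or "unknown"


def scan(lines, tokens=HONEYTOKENS):
    """Return one Alert per (line, token) hit. Digit-only tokens are also
    matched with spaces and dashes stripped, since a copied card number is
    often re-formatted in groups of four."""
    alerts = []
    for line_no, line in enumerate(lines, 1):
        squeezed = re.sub(r"[ \-]", "", line)
        for name, value in tokens.items():
            hit = value in line or (value.isdigit() and value in squeezed)
            if hit:
                m = IPV4_RE.search(line)
                alerts.append(Alert(line_no, name, m.group(0) if m else "unknown"))
    return alerts


def snort_rule(name, value, sid):
    """Snort rule in the style of the report's signature, one per token.
    sids from 1000000 upward are the range reserved for local rules."""
    return (f'alert ip any any -> any any (msg:"Honeytoken {name} - Unauthorized Activity"; '
            f'content:"{value}"; sid:{sid}; rev:1;)')


# Constructed sample lines: web access log, DB audit log, sshd, web login log.
SAMPLE_LOG = [
    '203.0.113.9 - - [12/Oct/2007:10:01:22] "GET /reports/q3.xls HTTP/1.1" 200 5120',
    "db-audit: user=jsmith host=10.0.0.23 query=\"SELECT * FROM cards WHERE pan='9603 2979 0458 425'\"",
    "sshd[2211]: Failed password for invalid user calI0 from 198.51.100.7 port 51022 ssh2",
    "web-auth: POST /login user=calI0 from 198.51.100.7 result=denied",
    '10.0.0.23 - - [12/Oct/2007:10:05:01] "GET /index.html HTTP/1.1" 200 330',
]


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.token} used from {a.source}")
    for sid, (name, value) in enumerate(HONEYTOKENS.items(), 1000001):
        print(snort_rule(name, value, sid))
```

Running it over the sample log gives three alerts: the re-formatted card number in the database query from 10.0.0.23, and two attempts to use the planted login from 198.51.100.7. The second kind is the point of the bogus e-mail: nobody has a legitimate reason to log in as that account, so the login attempt itself names the person who read the mail.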


    4 Issues with Honeypots

Honeypots offer tremendous potential to the security community and accomplish the goal they are intended for. Like any other new technology, they have some challenges that need to be overcome to make honeypots a stronger technology. The problems can be categorized into three points:

    4.1 Identifying honeypots

All types of honeypots share a common trait: their value diminishes upon detection [18]. Detection lets the attacker know which systems to avoid or, even worse, feed false and spurious information to the honeypot. Many tools and techniques are already being devised to detect and counter honeypots. One example is Honeypot Hunter, used by the spamming industry to identify honeypots [18]; there are other tools to detect virtual honeypots. This implies that, if the adversary has the necessary skills and the proper tools, any kind of honeypot can eventually be detected.

The problem can be addressed in two steps. First, determine how detection affects the value of the honeypot and how long it needs to remain undetected. For example, a honeypot employed as a burglar alarm to detect unauthorized access does not lose its value upon detection, as it has already done its job by alerting on the threat. But for other honeypots, like Honeynets employed to gather information, the case is different, because detection compromises the ability to collect accurate data; here the honeypot needs to work for days before detection. The second step is to customize the honeypot by changing its behavior or appearance so that it does not look like any other honeypot on the network, and to defeat tools like Nmap that remotely fingerprint the idiosyncrasies of each IP stack. Advanced users can modify the source code to alter the way packets are created. The chances of detection are minimized if the honeypot behaves and reacts in a way the attacker does not expect.

    4.2 Exploiting honeypots

For every honeypot released, known and unknown vulnerabilities must be assumed, and steps should be taken to protect against unknown attacks. For low-interaction honeypots the risk is low, as the attacker has only the emulated services to interact with and has limited ability to exploit real applications and real operating systems to gain access [18]. But it should be assumed that the attacker can bypass the controlled emulated service, and steps should be taken to secure the application [18]. For example, for Win32 honeypots like KFSensor, a secure base OS with the latest patches can be built, and host-based firewalls installed that block inbound connections to ports other than those served by the honeypot. On UNIX, chroot() improves containment of attacked processes and jail() restricts what processes can see. Low-level kernel patches like Systrace, grsecurity and SELinux should be used to protect low-interaction honeypots against known and unknown attacks [18].

High-interaction honeypots run a greater risk, as they offer real operating systems and applications to interact with. Since attackers can gain privileged control of the honeypots, external data control measures such as an IPS and bandwidth limiting must be applied. The problem can be dealt with in two ways: first, implementing several layers of control to avoid the risk of a single point of failure; second, human intervention and monitoring. Any anomalous activity should then be controlled by a human and appropriate steps taken.

    4.3 Nature of attack

One of the greatest challenges with honeypots is deploying them properly to detect, identify and capture activity specific to the kind of threat, both internal and external to the company. Traditionally, honeypot deployment has not been specific to the threat; instead, honeypots are common systems placed outside the network, where they easily capture the highly active attacks of opportunity. Unfortunately, there are also more advanced attackers targeting an organization's critical systems, or employees stealing its confidential information. For honeypots to capture such threats, they need to be customized for the individual threat and deployed at the proper location and time [18]. For example, high-value targets such as CVS honeypots should be deployed on the external network instead of a Red Hat 7.3 honeypot to address external threats. For internal threats, a honeypot that appears interesting, such as a database, should be deployed and tuned to the specific threat from a specific individual.


    5 Current challenges to Honeypots

In order to delude attackers and improve network security, engineers deploy honeypots, and in response black hats devise ways to defeat these tools. They behave in some typical ways in an attempt to identify and defeat the honeypots. This is exemplified by the following practical issues relating to both networks and systems.

    5.1 Network Issues

A tarpit, as discussed earlier, is a computer entity designed to respond intentionally slowly to incoming requests, with the goal of trapping the attacker so that unauthorized use of the (fake) services is logged and slowed down. Tarpits can operate both at layer 7, for example to fight off spammers by responding slowly to SMTP commands, and at layer 4, where the incoming client's socket is kept open while no data is allowed to be received. The LaBrea tarpit works at the TCP/IP stack level and is used to slow down worms on the Internet.

From an attacker's point of view, with a layer 7 tarpit the latency of the service after multiple attempts hints that he is dealing with a fake system. With a layer 4 tarpit, the TCP window size is reduced to zero while the tarpit continues to acknowledge incoming packets [14]; this signature is enough to alert a vigilant attacker.

LaBrea can also answer ARP requests sent for non-existent computers; it can be configured to simulate unused IP addresses. If the attacker is on the same network segment as LaBrea, fingerprinting can be done at layer 2, because it always answers with the same MAC address, 0:0:f:ff:ff:ff, so the attacker can detect the honeypot easily.

VMware, a virtual machine product, allows multiple instances of different operating systems to run on a single piece of hardware, and it is used by honeypot operators because it allows easy deployment [14]. But a look at the MAC addresses (which use prefixes specific to VMware) shows that a system is running on top of VMware, thus making the attacker suspicious of a honeypot.


    5.2 System Issues

UML, User Mode Linux, is a way to run a Linux system (the guest OS) inside another Linux system (the host OS), and it can be used as a honeypot [15]. By default, UML executes in Tracing Thread mode, where one main thread will ptrace() every process spawned in the guest OS. On the host OS, this tracing can be seen with the ps command.

Thus, by default UML is not designed to be hidden. Also, network device 0 uses TUN/TAP, which is not common on real systems, giving the attacker a clue that this is a honeynet system. Another issue is that UML does not use a real hard disk; instead it uses a fake IDE device called ubd, which can easily be seen, revealing UML. UML can also be detected from the address space of a process: on the host the topmost address is 0xc0000000 and on UML it is 0xbefff000, and the space between the two is the mapping of the UML kernel, which implies that any process can access and/or change the UML kernel.


    6 Suggestion for future Honeypots

As discussed earlier, honeypot technology serves security purposes and has been adopted slowly by the security community. The concept of honeypots was first introduced in 1990, so a question is: why has it taken so long to become popular and to be recognized as a justifiable security solution? Reasons and suggestions are addressed in this section.

    6.1 From Misunderstanding to Acceptance

Many people and organizations have different understandings and definitions of honeypots. As stated before, the documentation of this technology was not proper, so some believe it is a device to lure and deceive an attacker, while others consider it a technology that detects an attacker.

Honeypots are an exceptionally flexible technology. They can range from a simple Windows system providing services to a full-fledged network of an organization. Nowadays more and more people are recognizing the definition, value and uses of honeypots, so honeypots have a growing and exciting future ahead.

    6.2 Suggestions

6.2.1 Making Easy to Use

Honeypot technologies like Honeynets or the Deception Toolkit (not discussed in this report) are very hard to maintain; extensive knowledge of the operating system is required to work with them. Making the technology user-friendly would give administrators easier access. A graphical user interface (GUI) is the usual way to make things user-friendly, and straightforward GUIs would make honeypot technology simpler to use. They would also help to reduce mistakes and thereby reduce risk.

6.2.2 Integrating with Technologies

Current honeypot technology works standalone: it collects information but does not collaborate with other technologies. Combining it with other security services like IDS sensors or firewalls would make it more effective. A firewall blocks all suspicious activity; if the firewall were integrated with honeypots, all traffic dropped by the firewall would instead interact with the honeypots, and honeypots can easily identify the characteristics of an attacker. Integrating these two technologies fulfils both purposes: blocking an enormous amount of activity as well as recognizing the attacker.


    6.2.3 Studying Advanced Attackers

Basically, research honeypots are installed on commonly used systems, generally Windows, Linux or Solaris, so that information about an attacker can easily be captured. Through this, research honeypots reveal the nature of an attacker. To get information about advanced attackers, it is necessary to set the goal of research honeypots high. High-value research honeypots will help to protect e-commerce sites, confidential government information, and military strategies and secrets.

6.2.4 Protecting against Honeypot Hunter

A spammer always scans for open proxy relays and uses them to obscure his original IP address and remain unidentified. Whenever such a spammer comes across a honeypot, the honeypot collects important information about the spammer's true identity, which helps to unmask him. In response, an anti-honeypot technology has appeared: Send-Safe's Honeypot Hunter (www.send-safe.com) attempts to detect "safe" proxies for use with bulk-mailing tools. Future honeypots should be robust enough against these types of hunters, and should also be able to detect Send-Safe's Honeypot Hunter.

    6.2.5 Deploying in Distributed Environment

As discussed earlier, honeypots are a very efficient technology for capturing valid information about an attacker, and research honeypots can gather excellent information about threats on the Internet. The Internet is a very complex structure, so the larger the number of research honeypots, the more valid information is collected. The Honeynet Research Alliance demonstrates the tremendous potential of honeypots in distributed environments [4]. Right now it has various members located in India, Mexico and other places. These distributed honeypots gather information and record it in a central database. Since the collected information comes from different sources, it has a highly significant value. In the same way, distributed honeypots can be established all over the world and the collected information analyzed at a single point.


    7 Schedule

Figure 8 shows the schedule for the development of this report. Tasks were distributed between both of us and integrated later. However, we were both involved in each and every topic of this report.

ID   Task                         Task Lead       Start     End       Days
1    Topic Selection              Ishleen, Palak  8/29/07   9/08/07   11
2    Honeypot Research            Ishleen, Palak  9/09/07   9/17/07   9
3    Background                   Ishleen, Palak  9/18/07   9/22/07   5
3.1    Definition
3.2    History
3.3    Classification
3.4    Uses
4    Honeyd                       Ishleen         9/23/07   10/03/07  11
4.1    Configuring Honeyd
4.2    Honeyd Architecture
5    Honeynet                     Palak           9/23/07   10/04/07  12
5.1    Honeynet Architecture
5.2    Key Requirements
6    Advanced Topic               Palak           10/05/07  10/14/07  10
6.1    HoneyFarm
6.2    HoneyToken
7    Current Problems & Issues    Ishleen         10/04/07  10/15/07  12
8    Suggestions for future       Ishleen, Palak  10/16/07  10/26/07  10
9    Lesson Learned               Ishleen, Palak  11/08/07  11/11/07  5

(Gantt chart of the tasks above, spanning the weeks of 27-Aug to 5-Nov)

    Figure 8 Schedule


    8 Lesson Learned

After accomplishing our research on honeypots, we have gained a thorough knowledge about this security technology. We now know about the concept, deployment, implementation and mechanics of honeypots. Researching the different kinds of honeypots in the market, how they are deployed and how they help in achieving what they are designed for, has helped us in envisioning how various security tools and technologies (honeypots in particular) help combat the unwanted and malicious activities doing the rounds in our networks. There are several issues and risks being posed to honeypots, though, which we have come to know through our study. We have listed some of the challenges that have been observed (by various workers) and the solutions to overcome them. Overall, it was a good learning experience. With this basic and in-depth knowledge about this security technology, we are now prepared (and inquisitive) to have hands-on experience with honeypots.

To conclude, we would mention that co-operatively working on a research topic of our choice has benefited both of us.


    9 References

[1] www.honeypots.net/
[2] Honeypots FAQ 2004
[3] www.webopedia.com
[4] Honeypots: Tracking Hackers by Lance Spitzner
[5] www.wikipedia.com
[6] www.honeyd.org/background
[7] http://students.kennesaw.edu/~hmm5659/formal%20report.htm
[8] www.honeynet.org/papers/honeynet
[9] www.citi.umich.edu/techreports/reports/citi-tr-03-1.pdf
[10] www.securityfocus.com/infocus/1713
[11] http://honeynet.ca/
[12] www.securityfocus.com/infocus/1720
[13] www.cs.unc.edu/~jeffay/courses/nidsS05/slides/12-Honeypots.pdf
[14] www.securityfocus.com/infocus/1803
[15] www.securityfocus.com/infocus/1826#ref1
[16] www.usenix.org/publications/library/proceedings/sec04/tech/full_papers/provos/provos_html/index.html
[17] www.eurecom.fr/util/publidownload.fr.htm?id=1275
[18] www.securityfocus.com/infocus/1757
[19] www.spitzner.net/honeypots.html