In computer terminology, a honeypot is a trap set to detect, deflect, or, in some manner,
counteract attempts at unauthorized use of information systems. Generally, a honeypot consists
of a computer, data, or a network site that appears to be part of a network, but is actually
isolated and monitored, and which seems to contain information or a resource of value to
attackers. This is similar to the police baiting a criminal and then conducting undercover
surveillance.

Types

Honeypots can be classified based on their deployment and based on their level of involvement.

Based on deployment, honeypots may be classified as:
- production honeypots
- research honeypots
Production honeypots are easy to use, capture only limited information, and are used primarily
by companies or corporations. Production honeypots are placed inside the production network with
other production servers by an organization to improve their overall state of security.
Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They
give less information about the attacks or attackers than research honeypots do.
Research honeypots are run to gather information about the motives and tactics of the Blackhat
community targeting different networks. These honeypots do not add direct value to a specific
organization; instead, they are used to research the threats that organizations face and to
learn how to better protect against those threats. Research honeypots are complex to
deploy and maintain, capture extensive information, and are used primarily by research, military,
or government organizations.

Based on design criteria, honeypots can be classified as:
- pure honeypots
- high-interaction honeypots
- low-interaction honeypots
Pure honeypots are full-fledged production systems. The activities of the attacker are
monitored by using a casual tap that has been installed on the honeypot’s link to the network.
No other software needs to be installed. Even though a pure honeypot is useful, stealthiness
of the defense mechanisms can be ensured by a more controlled mechanism.
High-interaction honeypots imitate the activities of the production systems that host a variety
of services and, therefore, an attacker may be offered many services on which to waste their
time. By employing virtual machines, multiple honeypots can be hosted on a single physical
machine. Therefore, even if the honeypot is compromised, it can be restored more quickly.
In general, high-interaction honeypots provide more security by being difficult to detect,
but they are highly expensive to maintain. If virtual machines are not available, one
honeypot must be maintained for each physical computer, which can be exorbitantly expensive.
Example: Honeynet.

Low-interaction honeypots simulate only the services frequently requested by attackers. Since
they consume relatively few resources, multiple virtual machines can easily be hosted on one
physical system, the virtual systems have a short response time, and less code is required,
reducing the complexity of the virtual system’s security. Example: Honeyd.

Malware honeypots

Malware honeypots are used to detect malware by exploiting the known replication and attack
vectors of malware. Replication vectors such as USB flash drives can easily be verified for
evidence of modifications, either through manual means or by using special-purpose honeypots
that emulate drives. Malware is increasingly used to search for and steal cryptocurrencies,
which provides an opportunity for services such as Bitcoin Vigil to create and monitor
honeypots by using small amounts of money to provide early warning alerts of malware
infection.

Spam versions
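The check described above for a bait USB drive, as an added example that is not from the article or from any product it names: a baseline snapshot is taken while the bait drive is known clean, and a later snapshot is compared against it, with additions that look like replication artifacts (an autorun.inf or a new executable) flagged as high severity. The bait drive is represented by a plain directory, and the file names in demo() are constructed sample data.

```python
import hashlib
import tempfile
from pathlib import Path

# Names that USB-spreading malware has historically added to removable media.
REPLICATION_ARTIFACTS = {"autorun.inf"}
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".lnk", ".vbs", ".bat"}

def snapshot(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256 hex digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_bait_drive(baseline, current):
    """Compare two snapshots and return (severity, kind, path) findings.
    An empty list means the bait drive shows no evidence of modification."""
    findings = []
    for path in sorted(set(current) - set(baseline)):
        name = Path(path).name.lower()
        suspicious = name in REPLICATION_ARTIFACTS or Path(name).suffix in EXECUTABLE_SUFFIXES
        findings.append(("high" if suspicious else "low", "added", path))
    for path in sorted(set(baseline) - set(current)):
        findings.append(("low", "removed", path))
    for path in sorted(set(baseline) & set(current)):
        if baseline[path] != current[path]:
            findings.append(("medium", "modified", path))
    return findings

def has_infection_evidence(findings):
    """True when at least one finding is severe enough to raise an alert on its own."""
    return any(sev == "high" for sev, _, _ in findings)

def demo():
    """Constructed sample: a clean bait drive, then the changes a USB worm would leave."""
    drive = Path(tempfile.mkdtemp())
    (drive / "photos").mkdir()
    (drive / "photos" / "a.jpg").write_bytes(b"\xff\xd8 bait image")
    (drive / "report.docx").write_bytes(b"bait document")
    baseline = snapshot(drive)  # taken while the drive is known clean
    # Changes a USB worm typically leaves behind (constructed, not real malware).
    (drive / "autorun.inf").write_bytes(b"[autorun]\n")
    (drive / "photos.exe").write_bytes(b"MZ constructed stub")
    (drive / "report.docx").write_bytes(b"bait document, rewritten")
    return verify_bait_drive(baseline, snapshot(drive))
```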
Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system
administrators have created honeypot programs that masquerade as these abusable resources
to discover spammer activity. There are several capabilities such honeypots provide to these
administrators and the existence of such fake abusable systems makes abuse more difficult
or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high
volume abuse. These honeypots can reveal the apparent IP
address of the abuse and provide bulk spam capture. For open relay honeypots, it is possible
to determine the e-mail addresses spammers use as targets for their test messages, which
are the tool they use to detect open relays. It is then simple to deceive the spammer:
transmit any illicit relay e-mail received addressed to that dropbox e-mail address.
That tells the spammer the honeypot is a genuine abusable open relay, and they often respond
by sending large quantities of relay spam to that honeypot, which the honeypot then stops. The
apparent source may be another abused system; spammers and other abusers may use a chain of
abused systems to make detection of the original starting point of the abuse traffic difficult.
This in itself is indicative of the power of honeypots as anti-spam tools. In the early
days of anti-spam honeypots, spammers, with little concern for hiding their location,
felt safe testing for vulnerabilities and sending spam directly from their own systems.
Honeypots made the abuse riskier and more difficult.
Spam still flows through open relays, but the volume is much smaller than in 2001 to
2002. While most spam originates in the U.S., spammers hop through open relays across political
boundaries to mask their origin. Honeypot operators may use intercepted relay tests
to recognize and thwart attempts to relay spam through their honeypots. “Thwart” may
mean “accept the relay spam but decline to deliver it.” Honeypot operators may discover
other details concerning the spam and the spammer by examining the captured spam messages.
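The open relay honeypot policy described above (let the spammer's relay test through so the honeypot looks abusable, then accept the relay spam but decline to deliver it), as an added example that is not from the article or from any of the tools it names. It assumes the SMTP session itself is handled elsewhere and that each accepted message is passed to handle(); the domain in LOCAL_DOMAIN and the heuristic that a relay test is the first message from a source addressed to at most two recipients are assumptions of this example.

```python
from collections import defaultdict
from dataclasses import dataclass

LOCAL_DOMAIN = "honeypot.example"  # assumed: the only domain the honeypot accepts mail for

@dataclass
class Envelope:
    peer_ip: str      # apparent source of the relay attempt (may itself be an abused host)
    mail_from: str
    rcpt_to: list
    body: str

class OpenRelayHoneypot:
    """Accepts every relay attempt at the SMTP level. Only the spammer's own relay test is
    forwarded, so the honeypot looks like a working open relay; every later relay message
    is captured and never delivered."""

    def __init__(self, test_max_rcpts=2):
        self.test_max_rcpts = test_max_rcpts  # assumed upper bound on a relay test's recipients
        self.dropboxes = set()                # addresses spammers use to receive relay tests
        self.forwarded = []                   # relay tests let through
        self.captured = []                    # relay spam held back (accepted, not delivered)
        self.attempts = defaultdict(int)      # relay attempts per apparent source IP

    def is_relay(self, env):
        """True when no recipient is local, i.e. the client is trying to relay through us."""
        return not any(r.lower().endswith("@" + LOCAL_DOMAIN) for r in env.rcpt_to)

    def handle(self, env):
        if not self.is_relay(env):
            return "local"                    # mail for the honeypot itself; handled normally
        self.attempts[env.peer_ip] += 1
        first_contact = self.attempts[env.peer_ip] == 1
        # A relay test is the first small message from a source, or a message addressed only
        # to dropboxes already seen. Forwarding it convinces the spammer the relay works.
        only_dropboxes = all(r in self.dropboxes for r in env.rcpt_to)
        if (first_contact and len(env.rcpt_to) <= self.test_max_rcpts) or only_dropboxes:
            self.dropboxes.update(env.rcpt_to)
            self.forwarded.append(env)
            return "forward-test"
        self.captured.append(env)             # "accept the relay spam but decline to deliver it"
        return "captured"

    def report(self):
        """Per-source summary: relay attempts, messages held, and the addresses targeted."""
        out = {}
        for ip, n in self.attempts.items():
            held = [e for e in self.captured if e.peer_ip == ip]
            targets = sorted({r for e in held for r in e.rcpt_to})
            out[ip] = {"attempts": n, "captured": len(held), "targets": targets}
        return out
```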
Open relay honeypots include Jackpot, written in Java by Jack Cleaver; smtpot.py, written
in Python by Karl A. Krueger; and spamhole, written in C. The Bubblegum Proxypot is an
open source honeypot.

Email trap

An email address that is not used for any other purpose than to receive spam can also be
considered a spam honeypot. Compared with the term “spamtrap”, the term “honeypot” might be
more suitable for systems and techniques that are used to detect or counter attacks and
probes. With a spamtrap, spam arrives at its destination “legitimately”, exactly as non-spam
email would arrive.
An amalgam of these techniques is Project Honey Pot, a distributed, open source project
that uses honeypot pages installed on websites around the world. These honeypot pages disseminate
uniquely tagged spamtrap email addresses and spammers can then be tracked—the corresponding
spam mail is subsequently sent to these spamtrap e-mail addresses.
Database honeypot

Databases often get attacked by intruders using SQL injection. As such activities are not
recognized by basic firewalls, companies often use database firewalls for protection. Some of
the available SQL database firewalls provide or support honeypot architectures so that the
intruder runs against a trap database while the web application remains functional.

Detection
Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed
counter-weapons. As detection systems would likely use unique characteristics of specific
honeypots to identify them, a great deal of honeypots in use makes the set of unique characteristics
larger and more daunting to those seeking to detect and thereby identify them. This
is an unusual circumstance in software: a situation in which “versionitis” can be beneficial.
There’s also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor
of the Deception Toolkit, even argues that every system running his honeypot should have
a deception port that adversaries can use to detect the honeypot. Cohen believes that
this might deter adversaries.

Honeynets
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for
monitoring a larger and/or more diverse network in which one honeypot may not be sufficient.
Honeynets and honeypots are usually implemented as parts of larger network intrusion detection
systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet
Project, published the paper “To Build a Honeypot”: “A honeynet is a network of high interaction
honeypots that simulates a production network and configured such that all activity is monitored,
recorded and in a degree, discreetly regulated.”

Metaphor
The metaphor of a bear being attracted to and stealing honey is common in many traditions,
including Germanic and Slavic. Bears were at one time called “honey eaters” instead
of by their true name for fear of attracting the threatening animals. The tradition of
bears stealing honey has been passed down through stories and folklore, including the
well-known Winnie the Pooh.

See also
- Canary trap
- Client honeypot
- Network telescope
- Pseudoserver
- Tarpit
- Trust Operation

Further reading
- Lance Spitzner. Honeypots: Tracking Hackers. Addison-Wesley. ISBN 0-321-10895-7.

External links
- Distributed Open Proxy Honeypots Project: WASC
- SANS Institute: What is a Honey Pot?
- SANS Institute: Fundamental Honeypotting
- Simwood eSMS SIP Honeypot Project
- PodCast – Episode #2: “HoneyMonkeys” from Security Now!
- Project Honeypot
- The Honeynet Project