Intrusion Detection using Honeypots

Patrick Brannan
Honeyd with virtual machines
What is a honeypot?

A closely monitored network decoy serving several purposes:
  Distract adversaries from vulnerable machines
  Provide early warning (new attacks & exploits)
  Allow in-depth examination of adversaries during and after exploitation

Problems and Solution

Physical machines are expensive and costly to maintain
Attacks can corrupt machines
  Destroy box
  Destroy software
Solution
  Honeyd or similar product

Honeyd

A program that can simulate multiple operating systems and multiple IPs
One box can run many honeypots
Simulates the network stack of all OSes
Provides arbitrary routing
Simulates the stack
Can only monitor connections and compromise

Why is Honeyd better?

NIDS requires signatures of known attacks
With Honeyd all traffic is saved and can be viewed later, so there are no worries about new means of exploitation being unregistered
A honeypot has no value, so all traffic to it is suspect; therefore fewer false positives are found

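The "all traffic is suspect" point above, shown as an added example (not from the original slides and not Honeyd's own code): every source that touches a decoy address is flagged without any signature, and malformed records are skipped. The decoy range 192.0.2.64/27, the six-field record layout and the sample records are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed for this example: the decoy range and the six-field record
# layout are assumptions, not Honeyd's own log format.
DECOY_NET = ipaddress.ip_network("192.0.2.64/27")
SAMPLE_LOG = """\
2024-05-01T10:00:01 tcp 198.51.100.7 40112 192.0.2.70 22
2024-05-01T10:00:02 tcp 198.51.100.7 40113 192.0.2.71 22
2024-05-01T10:00:02 tcp 203.0.113.9 51515 192.0.2.10 443
2024-05-01T10:00:03 tcp 198.51.100.7 40114 192.0.2.72 445
garbage line that should be skipped
2024-05-01T10:00:09 udp 203.0.113.50 5353 192.0.2.70 161
"""

def parse(line):
    """Return (ts, proto, src, dst, dport) or None for a malformed record."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, proto, src, _sport, dst, dport = parts
    try:
        return (ts, proto, ipaddress.ip_address(src),
                ipaddress.ip_address(dst), int(dport))
    except ValueError:
        return None

def suspects(log_text, decoy_net=DECOY_NET):
    """Every source that touched a decoy is a suspect; no signature needed."""
    hits = defaultdict(lambda: {"first_seen": None, "decoys": set(), "ports": set()})
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, proto, src, dst, dport = rec
        if dst not in decoy_net:
            continue  # traffic to real hosts is not judged by this rule
        entry = hits[str(src)]
        entry["first_seen"] = entry["first_seen"] or ts
        entry["decoys"].add(str(dst))
        entry["ports"].add((proto, dport))
    return dict(hits)

def ranked(hits):
    """Sources ordered by how many distinct decoys they probed (sweeps first)."""
    return sorted(hits, key=lambda s: (-len(hits[s]["decoys"]), s))

if __name__ == "__main__":
    found = suspects(SAMPLE_LOG)
    for src in ranked(found):
        print(src, sorted(found[src]["decoys"]), sorted(found[src]["ports"]))
```
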
Honeyd + Virtual Machine

Honeyd can only simulate the TCP/IP stack
Combined with a virtual machine, the hacker can now try exploits on the whole operating system
Can detect and learn about all new types of exploits and dangers, as opposed to just connections

Design

Honeyd will reply to network packets whose destination IP address belongs to one of the simulated honeypots
Router receives packet and sends it on via iptables
Honeypots can be set behind multiple firewalls

Combination

Honeyd alone cannot provide us with enough information to prevent future attacks
Combined with a VM, we can now register the new method of the attack and what the attacker was after
New attack methods can potentially lead to more violent attacks

Conclusion

Since all traffic is monitored, no attack goes unnoticed
With a VM we can build new defenses for real systems
Great flexibility and record keeping are possible