Merkur Maclang
John Luzzi
CMPT 495-01
Monday, December 13, 2004
Honeypots
How to build a Honeypot
Interest in honeypots has grown enormously in recent years. Besides the significant information that can be gained from them, honeypots have also gained notoriety because some of the consequences of deploying them have been brought into the limelight. In this paper, we look at all aspects of honeypots: what they are, how to deploy them, and what should be considered before deploying them.
A honeypot is an Internet-attached server that acts as a decoy, luring in potential attackers in order to study their activities and monitor how they are able to break into a system. Related terms are honeynets (decoy networks) and honeytokens (decoy information hidden in places such as databases).
Uses and Types
There are many uses for honeypots, including pure research: new types of attacks and malware can be studied in isolation on these systems without the attackers knowing. Another use is as a decoy system on a production network to divert an attacker from the true information assets within your network. Other uses include acting as a form of intrusion detection system, serving as a forensic tool for dissecting attacks after the fact, and fighting spam.
A honeypot can be almost any type of server or application that is meant to catch or trap an attacker. A further distinction is between the physical honeypot and the virtual honeypot: the former is typically a dedicated hardware device of some sort, whereas the latter is a software implementation.
Honeypot Resources
Many tools are available, both as freeware and as commercial packages, for building a honeypot on UNIX. Three good examples are LaBrea Tarpit, Tiny Honeypot, and Honeyd:
http://labrea.sourceforge.net/labrea-info.html
http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-07/0105.html
http://www.citi.umich.edu/u/provos/honeyd/
An interesting feature of honeypots is that the available packages differ greatly, offering you many options in your honey pursuit. For instance, LaBrea Tarpit is more of a diversion tool, making it appear that there are more devices on a network than there really are, whereas honeyd is an OS deception tool that can obscure the true operating system and confuse attackers.
Considerations
Before you set up a honeypot, you must consider what you want out of it. If you are purely interested in the research aspect of honeypots, it is not recommended that you try this at work unless research is part of your job. If you wish to deliberately trap intruders for the purpose of legal recourse, you should reconsider using a honeypot at all. A honeypot is best used as another layer of security that helps mitigate risks within your company.
After you have determined the goal, you should focus on how the network environment of the honeypot should be established. It can be very dangerous to leave an intentionally fake system called “Investment” or “Payroll” in your DMZ, the host or small network inserted as a "neutral zone" between a company's private network and the outside public network. If the honeypot is recognized for what it is and is compromised, then you run the risk of compromising the other systems within your DMZ or, worse, ultimately your corporate network.
Out of this consideration the “honeynet” was born. A honeynet is an isolated network that holds your honeypot. If the honeypot is compromised, the danger of anything of value being reachable is lessened. If a honeynet is not possible to implement, then you can lock down the honeypot host using tools such as firewalls, chroot jails, and host-based intrusion detection.
The key to implementing a honeypot correctly is to ensure that its architecture is carefully thought out and that the honeypot meets the requirements of your information security policies. Even when implementing a honeypot on your home network, you should strongly consider a secure architecture, because a compromised honeypot could be used to attack your ISP's other customers and thereby violate its Acceptable Use Policy. Do your homework and implement wisely. Honeypots are not to be taken lightly.
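One concrete form of the isolation this section calls for is a gateway between the honeypot and everything else whose rules let the world in but keep a compromised decoy from getting out. The following is an added example written for this page, not part of the original paper, the Honeynet Project's scripts, or any product; it assumes a Linux gateway with iptables, and the interface names, addresses and quota are placeholders.

```python
"""Added example of honeynet 'data control': the gateway rules that let the
world reach the decoy while keeping a compromised decoy from reaching anyone
else.  Constructed illustration, not the Honeynet Project's rc.firewall or a
vendor's config.  Assumes a Linux router with iptables between the Internet
(EXT_IF) and the honeypot (HONEY_IF); interface names, addresses and quotas
are placeholders to change for your network."""
import subprocess
import sys

EXT_IF, HONEY_IF = "eth0", "eth1"
HONEYPOT = "192.0.2.10"          # decoy address (RFC 5737 documentation range)
PRODUCTION_NET = "10.0.0.0/8"    # the network the decoy must never touch
OUTBOUND_QUOTA = "15/hour"       # new outbound connections the decoy may start


def build_rules():
    """Ordered iptables invocations.  Inbound to the decoy is wide open (that
    is the point); outbound from it is logged and rate-limited so it cannot
    become a launch pad; nothing may cross into production at all."""
    fwd = ["iptables", "-A", "FORWARD"]
    return [
        ["iptables", "-P", "FORWARD", "DROP"],
        ["iptables", "-F", "FORWARD"],
        # 1. Production first, unconditionally, before any ACCEPT can match.
        fwd + ["-s", HONEYPOT, "-d", PRODUCTION_NET, "-j", "LOG", "--log-prefix", "HONEY-TO-PROD "],
        fwd + ["-s", HONEYPOT, "-d", PRODUCTION_NET, "-j", "DROP"],
        # 2. Anyone on the Internet may open connections to the decoy; log each one.
        fwd + ["-i", EXT_IF, "-o", HONEY_IF, "-d", HONEYPOT, "-m", "state", "--state", "NEW",
               "-j", "LOG", "--log-prefix", "HONEY-IN "],
        fwd + ["-i", EXT_IF, "-o", HONEY_IF, "-d", HONEYPOT, "-j", "ACCEPT"],
        # 3. Replies on established connections flow both ways.
        fwd + ["-m", "state", "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
        # 4. Connections the decoy initiates: log every attempt, allow only a trickle.
        fwd + ["-i", HONEY_IF, "-s", HONEYPOT, "-m", "state", "--state", "NEW",
               "-j", "LOG", "--log-prefix", "HONEY-OUT "],
        fwd + ["-i", HONEY_IF, "-s", HONEYPOT, "-m", "state", "--state", "NEW",
               "-m", "limit", "--limit", OUTBOUND_QUOTA, "--limit-burst", "5", "-j", "ACCEPT"],
        # 5. Past the quota: log loudly; the DROP policy does the rest.
        fwd + ["-i", HONEY_IF, "-s", HONEYPOT, "-j", "LOG", "--log-prefix", "HONEY-OUT-BLOCKED "],
    ]


def audit(rules):
    """Invariants to check before anything is applied; returns a list of findings."""
    findings = []
    if ["iptables", "-P", "FORWARD", "DROP"] not in rules:
        findings.append("FORWARD policy is not DROP")
    accepts = [i for i, r in enumerate(rules) if r[-1] == "ACCEPT"]
    prod_drops = [i for i, r in enumerate(rules)
                  if r[-1] == "DROP" and "-d" in r and r[r.index("-d") + 1] == PRODUCTION_NET]
    if not prod_drops or (accepts and prod_drops[0] > accepts[0]):
        findings.append("production network is not dropped ahead of the first ACCEPT")
    for r in rules:
        if r[-1] == "ACCEPT" and "-s" in r and r[r.index("-s") + 1] == HONEYPOT and "limit" not in r:
            findings.append("unlimited outbound ACCEPT for the decoy: " + " ".join(r))
    return findings


def apply_rules(rules, dry_run=True):
    """Print the rules, or execute them when called with --apply (needs root)."""
    for r in rules:
        if dry_run:
            print(" ".join(r))
        else:
            subprocess.run(r, check=True)


if __name__ == "__main__":
    rules = build_rules()
    problems = audit(rules)
    if problems:
        sys.exit("refusing to apply: " + "; ".join(problems))
    apply_rules(rules, dry_run="--apply" not in sys.argv)
```

Run without arguments it only prints the rules; the audit refuses to apply a rule set in which the honeypot can open unlimited outbound connections or in which production is not dropped before the first ACCEPT, which are the two mistakes that turn a decoy into a liability.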
Legal Issues
Before implementing a honeypot, you must understand the legal issues involved as well. In addition to becoming popular, honeypots have also come under a lot of criticism recently. Two packages discussed in this paper have been subject to distribution limitations because several U.S. states adopted so-called Super-DMCA (S-DMCA) legislation, which defines an unlawful communication device as “any communication device which is capable of facilitating the disruption of a communication service without the express consent or express authorization of the communication service provider.” Niels Provos, the creator of honeyd, had to move all of his research on steganography and honeypots to a location outside of the United States because of Michigan state laws put into effect this past year. Tom Liston, the creator of LaBrea Tarpit and a resident of Illinois, stopped distributing his software for the same reason.
It is still unclear and untested whether honeypots in fact violate the law, but keep in mind that these restrictions may apply depending on where you live. Other legal exposures to consider when implementing a honeypot include peripheral attacks, where your compromised honeypot is used to attack others, and the argument that a honeypot constitutes entrapment.
To ensure that you are covered, implement the most verbose logging available. The best arrangement, with whatever honeypot you choose, is a secure remote log server, so that any evidence that might be needed is properly preserved. This will also help you in your research of the attack.
LaBrea Tarpit
The LaBrea Tarpit is a freeware honeypot created by Tom Liston that runs on OpenBSD, Linux, Solaris, and Windows. LaBrea describes itself as a “sticky honeypot”: it borrows unassigned IP addresses on the network it resides in and acts like hosts at those addresses, responding to connection attempts. LaBrea then uses a TCP-level technique to slow the connection so that the attacking machine becomes “stuck”. The general focus of this honeypot is to slow down hackers and worms by keeping their connections alive for indefinite periods of time.
Tiny Honeypot
Tiny Honeypot was written by George Bakos. It is similar in concept to LaBrea and is designed to complement the Snort intrusion detection system. It listens on ports that are not otherwise in use and responds with spoofed information. It is not meant to be foolproof, only convincing enough to confuse an attacker.
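As an added illustration of the pattern just described (example code for this page, not Tiny Honeypot's own), the script below claims ports nothing legitimate uses, greets each visitor with a spoofed banner, strings them along long enough to collect a password, rejects everything, and records the whole exchange. The banners, ports and hostnames are invented.

```python
"""Added example in the spirit of Tiny Honeypot: claim unused ports, greet
with a spoofed banner, string the visitor along, reject every credential and
record the whole exchange.  Constructed code, not thp's; the banners, host
names and ports are made up."""
import datetime
import json
import socketserver
import threading

# Constructed banners for ports we do not actually serve (values invented).
BANNERS = {
    21: b"220 ProFTPD 1.2.9 Server (ftp.example.com)\r\n",
    25: b"220 mail.example.com ESMTP Sendmail 8.12.11; ready\r\n",
    110: b"+OK POP3 server ready\r\n",
}
MAX_LINES = 8  # stop talking after this many lines: low interaction, by design


def fake_reply(port: int, line: bytes) -> bytes:
    """Spoofed protocol reply for one client line.  Nothing ever succeeds, but
    USER is accepted so that the password that follows gets logged."""
    cmd = line.strip().split(b" ", 1)[0].upper()
    if port == 21:
        table = {b"USER": b"331 Password required.\r\n",
                 b"PASS": b"530 Login incorrect.\r\n",
                 b"QUIT": b"221 Goodbye.\r\n"}
        return table.get(cmd, b"500 Unknown command.\r\n")
    if port == 25:
        table = {b"HELO": b"250 mail.example.com\r\n", b"EHLO": b"250 mail.example.com\r\n",
                 b"QUIT": b"221 Bye\r\n"}
        return table.get(cmd, b"503 Bad sequence of commands\r\n")
    if port == 110:
        table = {b"USER": b"+OK\r\n", b"PASS": b"-ERR authentication failed\r\n",
                 b"QUIT": b"+OK bye\r\n"}
        return table.get(cmd, b"-ERR unknown command\r\n")
    return b""  # unknown port: stay silent, but the session is still logged


def log_record(peer, port: int, received: bytes, ts=None) -> str:
    """One JSON line per session.  Ship these to a remote log host; the
    honeypot itself must be assumed compromised."""
    ts = ts or datetime.datetime.now(datetime.timezone.utc)
    return json.dumps({"ts": ts.isoformat(), "src": peer[0], "sport": peer[1],
                       "dport": port, "bytes": len(received),
                       "data": received.decode("latin-1")}, sort_keys=True)


class DecoyHandler(socketserver.StreamRequestHandler):
    timeout = 30  # do not let an idle attacker tie the thread up forever

    def handle(self):
        port = self.server.server_address[1]
        received = b""
        try:
            self.wfile.write(BANNERS.get(port, b""))
            for _ in range(MAX_LINES):
                line = self.rfile.readline()
                if not line:
                    break
                received += line
                self.wfile.write(fake_reply(port, line))
                if line.strip().upper().startswith(b"QUIT"):
                    break
        except OSError:
            pass  # peer vanished or timed out; log whatever we got
        print(log_record(self.client_address, port, received), flush=True)


def serve(ports, bind="0.0.0.0"):
    """Start one threaded listener per decoy port; returns the server objects."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    servers = []
    for port in ports:
        srv = socketserver.ThreadingTCPServer((bind, port), DecoyHandler)
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        servers.append(srv)
    return servers


if __name__ == "__main__":
    # Binding ports below 1024 needs root; alternatively bind high ports as an
    # unprivileged user and steer traffic to them with an iptables REDIRECT.
    serve(BANNERS)
    print("decoys listening on", sorted(BANNERS))
    threading.Event().wait()  # run until killed
```

The protocol logic is kept in a pure function so it can be tested without a network; the handler is only the socket plumbing around it.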
Honeyd
Honeyd is a versatile freeware honeypot that pretends to be another operating system at the TCP/IP stack level. Its other features include simulating many virtual hosts concurrently, simulating operating system services, and simulating various routing topologies. You can even set up fake Web or FTP servers in a virtual environment. Honeyd is lightweight and runs as a daemon on the operating system of your choice (BSD, GNU/Linux, and Solaris). http://freshmeat.net/releases/81199/
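The two stack-level tricks described for LaBrea (a tiny window, then a connection that stays stuck) and for honeyd (an operating-system personality) both come down to how the SYN/ACK is built. The following added example, written for this page rather than taken from either tool, crafts those packets in memory and never sends them; the addresses are constructed, and the personality table is an illustrative guess, not honeyd's fingerprint data.

```python
"""Added example, not code from LaBrea or honeyd: the packet-level tricks
behind a sticky tarpit and an OS personality, built in memory only.  Crafts
and parses IPv4/TCP headers with correct checksums; nothing is transmitted.
Addresses are constructed; the personality table is illustrative."""
import socket
import struct

SYN, ACK = 0x02, 0x10
PROTO_TCP = 6

# Constructed personalities: TTL, initial window and option layout are what
# a fingerprinting scan keys on.  honeyd takes real values from nmap's OS
# database; these two entries are guesses for demonstration only.
PERSONALITIES = {
    "Linux 2.4": {"ttl": 64, "window": 5840,      # MSS, SACK-OK, TS, NOP, WS
                  "options": bytes.fromhex("020405b4 0402 080a0000000000000000 01 030300")},
    "Windows XP": {"ttl": 128, "window": 65535,   # MSS, NOP, NOP, SACK-OK
                   "options": bytes.fromhex("020405b4 0101 0402")},
}


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (zero-padded if odd)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_packet(src, dst, sport, dport, seq, ack, flags, window, ttl, options=b""):
    """IPv4 header + TCP header, no payload, both checksums filled in."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a multiple of 4 bytes")
    tcp_len = 20 + len(options)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF, ack & 0xFFFFFFFF,
                      (tcp_len // 4) << 4, flags, window, 0, 0) + options
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                         0, PROTO_TCP, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0, 0x4000, ttl,
                     PROTO_TCP, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
    return ip + tcp


def parse_packet(pkt: bytes) -> dict:
    """Decode the fields a tarpit or personality engine reacts to and verify
    both checksums, so crafted replies can be shown to be valid packets."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = pkt[ihl:]
    sport, dport, seq, ack, off_flags, window = struct.unpack("!HHIIHH", tcp[:16])
    pseudo = struct.pack("!4s4sBBH", pkt[12:16], pkt[16:20], 0, pkt[9], len(tcp))
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "ttl": pkt[8], "sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": off_flags & 0xFF, "window": window,
            "options": tcp[20:(off_flags >> 12) * 4],
            "ip_csum_ok": checksum(pkt[:ihl]) == 0,
            "tcp_csum_ok": checksum(pseudo + tcp) == 0}


def tarpit_synack(syn: dict, tiny_window: int = 10) -> bytes:
    """LaBrea-style answer to a SYN aimed at an address nobody owns: finish the
    handshake but advertise a window of a few bytes, so the peer can barely send."""
    return build_packet(syn["dst"], syn["src"], syn["dport"], syn["sport"],
                        0x1000, syn["seq"] + 1, SYN | ACK, tiny_window, 64)


def tarpit_persist_ack(seg: dict, data_len: int) -> bytes:
    """Acknowledge the few bytes that arrived, then advertise window 0.  A
    conforming peer now sits in persist mode sending window probes, which get
    the same answer: the connection is 'stuck' and never completes."""
    return build_packet(seg["dst"], seg["src"], seg["dport"], seg["sport"],
                        seg["ack"], seg["seq"] + data_len, ACK, 0, 64)


def personality_synack(syn: dict, persona: str) -> bytes:
    """honeyd-style answer: the same handshake, but TTL, window and options
    copied from the chosen personality so a fingerprinting scan is misled."""
    p = PERSONALITIES[persona]
    return build_packet(syn["dst"], syn["src"], syn["dport"], syn["sport"],
                        0x1000, syn["seq"] + 1, SYN | ACK, p["window"], p["ttl"],
                        p["options"])


if __name__ == "__main__":
    # Constructed probe: an attacker SYN to a decoy address that the tool claims.
    probe = parse_packet(build_packet("203.0.113.9", "192.0.2.200", 40000, 80,
                                      12345, 0, SYN, 5840, 64))
    for label, reply in [("tarpit SYN/ACK", tarpit_synack(probe)),
                         ("Windows XP SYN/ACK", personality_synack(probe, "Windows XP")),
                         ("Linux 2.4 SYN/ACK", personality_synack(probe, "Linux 2.4"))]:
        r = parse_packet(reply)
        print(f"{label:20} ttl={r['ttl']:3} window={r['window']:5} options={len(r['options'])}B "
              f"checksums_ok={r['ip_csum_ok'] and r['tcp_csum_ok']}")
```

A real tool would also have to answer ARP for the borrowed addresses and send these frames through a raw socket; the point here is only that the "stickiness" and the "personality" live in a handful of header fields that the responder controls completely.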
Conclusion
As with any security tool that you implement in your environment, a honeypot must be continually monitored, and you must incorporate this into your incident handling process. Monitoring the honeypot includes not only proactive monitoring, such as checking all log files, checking active connections, and looking at active processes for anything out of the ordinary, but also reactive measures. These must be outside of the attacker's visibility to ensure that they work. Notifying the administrator in a timely fashion is imperative, because you must be able to react quickly in the case of an incident. Reactive measures include alerts, e-mail, and paging.
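As an added example of the proactive review and reactive notification described above (example code for this page, not from the original paper or any honeypot package), the script below reads iptables LOG lines from a honeynet gateway and sorts them into pages and tickets. The log prefixes, addresses and sample lines are constructed; the line layout follows what the Linux kernel writes for a LOG target.

```python
"""Added example: turning honeypot log review into alerts.  Constructed code,
not part of any honeypot package.  It reads iptables LOG lines as the Linux
kernel writes them (key=value fields); the HONEY-IN/HONEY-OUT prefixes, the
addresses and every sample line below are made up for the demonstration."""
import re

LOG_LINE = re.compile(r"kernel: (HONEY-[A-Z-]+) (.*)$")
FIELD = re.compile(r"(\w+)=(\S*)")

# Constructed sample: one source probing two ports, an unrelated sshd line,
# then the decoy itself reaching out to an SMB port, which it never should.
SAMPLE_LOG = """\
Dec 13 10:05:23 gw kernel: HONEY-IN IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 SYN URGP=0
Dec 13 10:05:24 gw kernel: HONEY-IN IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TTL=51 ID=0 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=5840 SYN URGP=0
Dec 13 10:06:02 gw sshd[4121]: Accepted publickey for admin from 10.1.1.5 port 51022
Dec 13 10:19:40 gw kernel: HONEY-OUT IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TTL=64 ID=4099 DF PROTO=TCP SPT=1049 DPT=445 WINDOW=5840 SYN URGP=0
"""


def parse_log_line(line: str):
    """Return (prefix, fields) for an iptables LOG line, None for anything else."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    return m.group(1), dict(FIELD.findall(m.group(2)))


def triage(lines, scan_threshold=10):
    """Decide what deserves a page and what deserves a ticket.

    Inbound attention is what a decoy is for, so one source is only worth a
    ticket once it has touched scan_threshold distinct ports.  A connection the
    decoy itself initiates means it is probably owned, and pages at once."""
    pages, tickets = [], []
    ports_by_src = {}
    for line in lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        prefix, f = parsed
        if prefix.startswith("HONEY-OUT") or prefix == "HONEY-TO-PROD":
            pages.append(f"{prefix}: decoy {f.get('SRC')} initiated {f.get('PROTO')} "
                         f"to {f.get('DST')}:{f.get('DPT')} - assume compromise")
        elif prefix == "HONEY-IN":
            ports_by_src.setdefault(f.get("SRC"), set()).add(f.get("DPT"))
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= scan_threshold:
            tickets.append(f"{src} probed {len(ports)} ports on the decoy: "
                           + ",".join(sorted(ports, key=int)))
    return pages, tickets


def notify(pages, tickets, mail_to="soc@example.com", dry_run=True):
    """Deliver the alert from the log host, never from the honeypot, so the
    attacker cannot see or suppress it.  Returns the message body."""
    body = "\n".join(["PAGE: " + p for p in pages] + ["TICKET: " + t for t in tickets])
    if body and not dry_run:
        import smtplib
        msg = f"Subject: honeypot alert\nTo: {mail_to}\n\n{body}\n"
        with smtplib.SMTP("localhost") as smtp:
            smtp.sendmail("honeynet-gw@example.com", [mail_to], msg)
    return body


if __name__ == "__main__":
    pages, tickets = triage(SAMPLE_LOG.splitlines(), scan_threshold=2)
    print(notify(pages, tickets))
```

The split matters: inbound noise is expected and can wait for a ticket, but an outbound connection from the decoy is the signal that the honeypot has stopped being yours and should page someone before it becomes the peripheral attack the legal section warns about.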
Honeypots are rapidly gaining a place in defense strategies while maintaining an important status in the security research community. Goals must be thoroughly examined and a cost/benefit analysis completed. Extreme care must be taken when implementing a honeypot, and it should be treated like any other security device, with constant care and feeding to ensure that it is kept up to date.
Resources
Know Your Enemy: Honeynets in Universities, http://www.honeynet.org/papers/edu/
SecurityDocs, Honeypots, http://www.securitydocs.com/Intrusion_Detection/Honeypots
Honeypots Revealed, http://www.astalavista.com/data/honeypots.pdf
Computer Network Defense, Honeypots, http://www.networkintrusion.co.uk/honeypots.htm
The Honeynet Project, http://www.honeynet.org/
“How to build a Honeypot”, SysAdmin, September 2003, Volume 12, Number 9, http://sysadminmag.com