
Seminar Report On

HONEYPOTS
Submitted in partial fulfillment for the award of the degree of

Master of Computer Applications


Fourth semester
By CH.KAMALAKAR
Regno: 2903110

Under the guidance Of

Mrs. Sreelakshmi

Geethanjali Institute of P.G. Studies


Nellore

CONTENTS

INTRODUCTION
WHAT IS A HONEYPOT?
VALUE OF A HONEYPOT
HOW DO HONEYPOTS WORK?
DATA CONTROL
DATA CAPTURE
DATA COLLECTION
INTEGRATING HONEYPOTS
BUILDING A HONEYPOT
ADVANTAGES
DISADVANTAGES
CONCLUSION

INTRODUCTION
One of the greatest challenges the security community faces is the lack of information on the enemy: who is the threat, why do they attack, and when will they attack? These are questions the security community often cannot answer. A newer tool, the honeypot, exists to gather exactly this kind of information about the enemy. Over the past several years there has been growing interest in honeypots and honeypot-related technologies. Honeypots are an exciting technology with enormous potential for the security community. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. This flexibility gives honeypots their true power. One definition is: a honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource. Honeypots are resources that have no authorized activity and no production value. This means any interaction with a honeypot is most likely unauthorized or malicious activity, and any connection attempt to a honeypot is most likely a probe, attack, or compromise. The glory of a honeypot is that it lets you catch unknown attacks as well. Set up a server and fill it with tempting files. Make it hard but not impossible to break into. Then sit back and wait for the crackers to show up. Observe them as they cavort around in the server. Log their conversations with each other. Study them as you would watch insects under a magnifying glass.

WHAT IS A HONEYPOT ?
A Honeynet is a type of honeypot designed specifically for research. A honeypot is a resource whose value lies in being probed, attacked, or compromised. Traditionally their value has been in deception or in detecting attacks. They are usually single systems that emulate other systems, emulate known services or vulnerabilities, or create jailed environments. Some excellent examples of honeypots include Specter, Mantrap, and the Deception Toolkit.

A Honeynet, by contrast, is not a single system but a network of multiple systems. This network sits behind an access control device where all inbound and outbound data is controlled and captured. The captured information is then analyzed to learn the tools, tactics, and motives of the blackhat community. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, a Cisco router, an Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS web server, and a Solaris database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to accurately profile specific blackhat trends and signatures.

All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated, nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet. It is these two design differences that make a Honeynet primarily a tool for research. It can be used as a traditional honeypot, for example to detect unauthorized activity; however, a Honeynet requires a great deal more work, risk and administration. It is simply not worth all the effort of building and maintaining a Honeynet just to detect attacks; you are far better off with the simpler honeypot solutions mentioned above.

Often organizations are so overwhelmed with production activity, such as gigabytes of system logging, that it can be extremely difficult to detect when a system is attacked, or even when it is successfully compromised. Intrusion Detection Systems are one solution designed for detecting attacks. Isolated honeypots have a much easier time, because they are systems that should not normally be accessed. IDS administrators can be overwhelmed with alerts generated whenever the sensor recognizes the configured signature of an attack. The problem is that a system administrator may receive so many alerts on a daily basis that they cannot respond to all of them. Another risk is false negatives, when IDS systems fail to detect a valid attack. Honeypots, by contrast, happily capture any attacks thrown their way. Honeypots can simplify the detection process: since honeypots have no production activity, all connections to and from the honeypot are suspect by nature.

VALUE OF A HONEYPOT
Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption: all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as well as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive, while the enemy is on the attack. Honeynets attempt to change that; they give organizations the ability to take the initiative. The primary purpose of a Honeynet is to gather information about the threats that exist. New tools can be discovered, worms can be captured and analyzed, attack patterns can be determined, and attacker motives studied. Captured information can also be used as an early indications and warning system, alerting to attacks before they happen. The ultimate goal of Honeynets is to provide information that can be used to protect against threats. Honeynets can be compared to the Navy's use of SOSUS during the Cold War. From the 1950s to the 1980s, enemy submarines posed a threat because they could silently approach and attack from anywhere in the world's oceans. To detect these threats, devices were placed throughout the ocean floor to passively capture the activity of enemy submarines. Honeynets can be considered the SOSUS of cyberspace, passively gathering information on threats. The only difference is that for a Honeynet to passively gather information, blackhats have to probe, attack, or exploit Honeynet systems.

HOW DO HONEYPOTS WORK?


Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining, from vast amounts of information, what is production traffic and what is malicious activity. The Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack, or other malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised: an attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept of no production traffic greatly simplifies data capture and analysis. There are three critical requirements that define every Honeynet:

Data Control
Data Capture
Data Collection

Data Control

Data Control is what mitigates risk. It controls the attacker's activity by limiting what can happen inbound and outbound. The risk is that once an attacker compromises a system within the Honeynet, they can use that system to attack other non-Honeynet systems, such as organizations on the Internet. The attacker has to be controlled so they cannot do that. They can attack other systems within the Honeynet, but we have to protect non-Honeynet systems.

It took the blackhat only fifteen minutes to figure out something was wrong, wipe the system drive, and leave the network. So the trick is to give the blackhat the flexibility to execute whatever they need, but without allowing them to use the compromised system to attack others.

Data Capture

Data Capture is the collecting of all the activity that happens inbound, outbound, or within the Honeynet. This is how we learn: by capturing the attacker's activities. The trick to these requirements is meeting them without the attacker knowing. Our goal is to both control and capture all of the attacker's activity without them realizing they are within a Honeynet. Captured data cannot be stored locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them that the system is a Honeynet; the stored data can also be lost or destroyed. So not only do we have to capture the blackhat's every move without them knowing, we also have to store the information remotely. The key to this is capturing data in layers. You cannot depend on a single layer for information; you gather data from a variety of sources. Combined, these layers then allow you to paint the big picture. We will now discuss these layers and their uses.

Data Collection

There is a third requirement, Data Collection, but it applies only to organizations that have multiple Honeynets in distributed environments. Many organizations will have only a single Honeynet, so all they need to do is both control and capture data. However, organizations that have multiple Honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. This way the captured data can be combined, greatly increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed Honeynets.

INTEGRATING HONEYPOTS
The integration of a honeypot into the network is a great determining factor in how effective it will be. You should position the decoy system close to your production servers to tempt intruders that are targeting production servers. One such possibility is to emulate non-production services on production servers. By using port redirection on an upstream router or firewall, it will appear that honeypot services are running on production systems. This requires an upstream router or firewall capable of performing port/service redirection; in this case the upstream device is responsible for transparently handling the address translation of the honeypot in order to help conceal its real destination IP address. For example, if you run a production web server (port 80), telnet (port 23) and SMTP (port 25) could be redirected to a honeypot. Because these services should not be accessed on a production system, the honeypot should send off an immediate alert or, at the very least, log the incident. In this scenario you can detect probing and tampering on production systems, but only on the non-production services: you would not be alerted to tampering with the production web service itself, because that service is not redirected to the honeypot. It is also important to realize the limitations of service emulation. Intrusion detection systems must know about the vulnerability before it is exploited in order to emulate it properly.

Another way to deploy a honeypot is to place it logically between production servers. If production servers are addressed as .9, .10, .11 and .13, it is ideal to address the honeypot as .12. The idea behind this is to catch intruders that sweep-scan entire network ranges looking for vulnerable services. This is achieved by straightforward network addressing of the honeypot. You can even make the honeypot appear as multiple hosts by using IP aliasing (assigning multiple IP addresses to the same host). Because this method uses standard network addressing, you do not need any special configuration on your upstream router or firewall.

The goal in this setup is to catch intruders who sweep (scan) an entire network range looking for vulnerable services. If your production servers run the DNS service, so should your honeypot; an intruder scanning for the latest DNS service vulnerability will home right in on it. However, if the intruder focuses only on your production systems, he or she will avoid the honeypot, rendering it useless. Any existing system can also be honeypotized. For example, on Windows NT it is possible to rename the default Administrator account and then create a dummy account called Administrator with no password. Windows NT allows extensive logging of a person's activities, so this honeypot will track users attempting to gain administrator access and exploit that access.
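To make the alerting in the redirection scenario above concrete, here is a minimal low-interaction honeypot service of the kind a redirected telnet or SMTP port would land on. It is an added example written for this page, not code from the report or from any product it names; the service names, banners, loopback addresses and the JSON-over-UDP collector format are constructed assumptions. Each connection to an emulated service gets a banner, the first bytes the client sends are captured, and the resulting alert is shipped to a remote collector instead of being written to the honeypot's own disk, which is the report's point that captured data must not stay on the honeypot:

```python
"""Minimal low-interaction honeypot service for ports an upstream firewall redirects
from a production host (e.g. telnet/23 and SMTP/25). Added example; service names,
banners, addresses and the collector message format are constructed, not from the report."""
import json
import socket
import threading
from datetime import datetime, timezone

# Service name -> banner returned to the client (constructed).
BANNERS = {
    "telnet": b"login: ",
    "smtp": b"220 mail.example.internal ESMTP ready\r\n",
}


class RemoteCollector:
    """Sends one JSON datagram per event to a collector host; nothing is stored on the honeypot."""

    def __init__(self, host, port):
        self.addr = (host, port)
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)

    def send(self, event):
        self.sock.sendto(json.dumps(event).encode("utf-8"), self.addr)


def build_event(service, peer, payload):
    """Alert record: any connection to an emulated service is suspect by definition."""
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "alert": "honeypot-connection",
        "service": service,
        "src_ip": peer[0],
        "src_port": peer[1],
        "first_bytes": payload[:64].decode("utf-8", "replace"),
    }


class HoneypotService(threading.Thread):
    """Listens on one TCP port, emulates a service banner and reports every connection."""

    def __init__(self, service, collector, bind_host="127.0.0.1", bind_port=0):
        super().__init__(daemon=True)
        self.service = service
        self.collector = collector
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind((bind_host, bind_port))
        self.listener.listen(16)
        # Actual bound port; bind_port=0 lets the kernel choose one (useful for local testing).
        self.port = self.listener.getsockname()[1]

    def run(self):
        while True:
            conn, peer = self.listener.accept()
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def handle(self, conn, peer):
        """Send the banner, grab the first bytes the client sends, report, then drop the connection."""
        payload = b""
        conn.settimeout(3.0)
        try:
            conn.sendall(BANNERS[self.service])
            payload = conn.recv(256)
        except OSError:
            pass  # client hung up early or timed out: still worth an alert
        finally:
            conn.close()
        self.collector.send(build_event(self.service, peer, payload))


def run_local_demo(service="telnet", client_input=b"root\r\n"):
    """Stand up a collector and one honeypot service on loopback, act as a probing client
    (constructed input), and return the event the collector received."""
    collector_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    collector_sock.bind(("127.0.0.1", 0))
    collector_sock.settimeout(5.0)
    collector = RemoteCollector("127.0.0.1", collector_sock.getsockname()[1])
    honeypot = HoneypotService(service, collector)
    honeypot.start()
    with socket.create_connection(("127.0.0.1", honeypot.port), timeout=5.0) as client:
        client.recv(128)  # read the banner before sending anything
        client.sendall(client_input)
    datagram, _ = collector_sock.recvfrom(4096)
    collector_sock.close()
    return json.loads(datagram.decode("utf-8"))


if __name__ == "__main__":
    print(json.dumps(run_local_demo(), indent=2))
```

Running the file starts a collector and one telnet decoy on loopback, connects to the decoy as a constructed client, and prints the alert the collector received. In a real deployment the upstream firewall's redirection would deliver the production host's port 23 and 25 connections to these listeners, and the collector would sit on a separate logging host so the attacker cannot find or tamper with the records.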

BUILDING A HONEYPOT
When building a honeypot you should begin by loading an operating system, whether NT, Linux, Solaris, etc., as you would on any other system. Do not do anything special to the system, as you want it to be easily compromised so you can collect information about the intruder. Otherwise, hackers will easily identify the honeypot and go after other servers on the same network. The idea is that the fewer modifications made to the machine, the less chance the intruder will find something suspicious about the box. Throughout the process of setting up a honeypot a few points must be considered: how to track the intruder's moves, how to be alerted of a compromise, and how to stop a hacker from compromising production servers on your network. One simple solution to all three is to place the honeypot on its own subnet behind a firewall. By doing this you can log traffic, which becomes a first layer in tracking an intruder's moves. Most firewalls come with an alerting capability, so you can set up an alert for when your decoy system is compromised.

Lastly, you can control incoming and outgoing traffic. In this case you could allow all Internet traffic in but limit outgoing traffic, so the intruder cannot attack other businesses or machines from your location. Keeping system logs is an important part of using a honeypot because they are full of valuable data. Generally speaking, it is not a good idea to keep log information on the honeypot itself, as sooner or later the intruder will most likely have the ability to change the data. This is why, if you want to track the intruder's moves, it is important to log his or her activity on a different server.
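Putting the Data Control and Data Capture requirements and the firewall-based setup above into working form, the following script triages connection logs from the firewall in front of a honeynet subnet. It is an added example written for this page, not part of the report; the log layout, the addresses and the outbound limit of five connections per honeypot are constructed assumptions. Every inbound flow to the subnet is recorded as a probe, the first outbound flow from any honeypot marks that host as compromised, and outbound flows beyond the limit are counted as the ones the data-control rule would drop, while traffic between honeynet hosts is allowed but logged:

```python
"""Triage of firewall connection logs for a honeynet: data capture (classify every flow
that touches the honeynet) and data control (cap outbound connections so a compromised
honeypot cannot be used to attack third parties). Added example; the log format,
addresses and limit are constructed, not taken from the report."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

HONEYNET = ip_network("10.10.0.0/24")  # honeynet subnet behind the firewall (constructed)
OUTBOUND_LIMIT = 5                      # outbound connections allowed per honeypot (constructed policy)

# Constructed sample lines in a simplified "timestamp src dst proto dport" layout.
SAMPLE_LOG = """\
2024-03-01T10:00:01 198.51.100.7 10.10.0.12 tcp 23
2024-03-01T10:00:02 198.51.100.7 10.10.0.12 tcp 80
2024-03-01T10:00:03 198.51.100.7 10.10.0.13 udp 53
2024-03-01T10:05:10 10.10.0.12 203.0.113.5 tcp 6667
2024-03-01T10:05:11 10.10.0.12 203.0.113.5 tcp 80
2024-03-01T10:05:12 10.10.0.12 203.0.113.9 tcp 22
2024-03-01T10:05:13 10.10.0.12 203.0.113.9 tcp 22
2024-03-01T10:05:14 10.10.0.12 203.0.113.9 tcp 22
2024-03-01T10:05:15 10.10.0.12 203.0.113.10 tcp 22
2024-03-01T10:05:16 10.10.0.12 10.10.0.13 tcp 445
2024-03-01T10:06:00 192.0.2.50 192.0.2.80 tcp 443
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (tcp|udp) (\d+)$")


def parse_line(line):
    """Return a flow dict, or None for lines that do not match the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dport = m.groups()
    return {"ts": ts, "src": ip_address(src), "dst": ip_address(dst),
            "proto": proto, "dport": int(dport)}


def classify(flow):
    """Every flow touching the honeynet is suspect; the direction says how suspect."""
    src_in = flow["src"] in HONEYNET
    dst_in = flow["dst"] in HONEYNET
    if src_in and dst_in:
        return "internal"       # attacker moving between honeynet hosts: allowed, but logged
    if dst_in:
        return "inbound_probe"  # nobody should connect to a honeypot: probe or attack
    if src_in:
        return "outbound"       # a honeypot reaching out means it was compromised
    return "unrelated"          # production traffic, outside the honeynet's concern


def triage(log_text, outbound_limit=OUTBOUND_LIMIT):
    """Summarise probes, compromised honeypots and the outbound flows data control would block."""
    outbound_seen = defaultdict(int)
    summary = {"probes": [], "compromised": set(), "outbound_allowed": 0,
               "outbound_blocked": 0, "internal": 0, "unrelated": 0, "malformed": 0}
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            summary["malformed"] += 1
            continue
        kind = classify(flow)
        if kind == "inbound_probe":
            summary["probes"].append((str(flow["src"]), str(flow["dst"]), flow["dport"]))
        elif kind == "outbound":
            host = str(flow["src"])
            summary["compromised"].add(host)
            outbound_seen[host] += 1
            if outbound_seen[host] <= outbound_limit:
                summary["outbound_allowed"] += 1
            else:
                summary["outbound_blocked"] += 1  # would be dropped by the data-control rule
        else:
            summary[kind] += 1
    return summary


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for probe in result["probes"]:
        print("PROBE  ", *probe)
    for host in sorted(result["compromised"]):
        print("ALERT   outbound traffic from honeypot", host, "- treat as compromised")
    print("outbound allowed/blocked:", result["outbound_allowed"], "/", result["outbound_blocked"])
```

On the constructed sample the script reports three probes against 10.10.0.12 and 10.10.0.13, flags 10.10.0.12 as compromised at its first outbound connection, and counts the sixth outbound connection as the one the limit would drop. The limit is deliberately not zero: as the Data Control section notes, an attacker who is cut off completely notices quickly, so the rule allows a small amount of outbound activity while stopping the honeypot from being used as a launch point.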

ADVANTAGES

Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a GB of data a day, they may log only a MB of data a day. Instead of generating 10,000 alerts a day, they may generate only 10. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious. As such, honeypots reduce 'noise' by collecting only small data sets.

New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.

Minimal resources: Honeypots require minimal resources because they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 link.

Encryption or IPv6: Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.

Information: Honeypots can collect in-depth information that few, if any, other technologies can match.

Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update.

DISADVANTAGES
Like any technology, honeypots also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.

Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems unless the attacker or threat interacts with the honeypots as well.

Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, and IDS sensors have the risk of failing to detect attacks. Honeypots are no different; they have risk too. Specifically, honeypots have the risk of being taken over by the bad guy and used to harm other systems.

CONCLUSION
In general, honeypots do not reduce the risk of an organization. The lessons learned from a honeypot can be applied, for example to improve prevention, detection or reaction. However, honeypots contribute little to the direct security of an organization. They can only add value by working with existing security mechanisms. A honeypot complements an IDS by providing a way to contain the attacker while you gather evidence and attempt to identify him. Decoys are set up not to capture the bad guy but to monitor and learn from their moves: to find out how they probe and exploit the system, and how those exploitations can be prevented on production systems, all without detection by the hacker.
