
Honeypot: A Survey of Technologies, Tools and Deployment.

Anita Borkar, UG student (PVPPCOE)
Akshaya Salunke, UG student (PVPPCOE)
Ankita Barabde, UG student (PVPPCOE)
Karlekar N. P., Lecturer (I.T.), PVPPCOE

Abstract:

Honeypots are closely monitored decoys that are employed in a network to study the trail of hackers and to alert network administrators of a possible intrusion. Using honeypots provides a cost-effective solution to increase the security posture of an organization. Even though it is not a panacea for security breaches, it is useful as a tool for network forensics and intrusion detection. Nowadays, they are also being extensively used by the research community to study issues in network security, such as Internet worms, spam control, DoS attacks, etc. In this paper, we survey the types of honeypot technologies and their deployments as an effective educational tool to study issues in network security. In addition to a survey of honeypot classifications, we present a primary tool for each type.

Introduction

Honeypots have been used for some time in computing systems for detection of intrusion and tracking the attackers. A honeypot is a deception trap, designed to attract an attacker into attempting to compromise the information systems in an organization. A honeypot can serve as an early-warning and advanced security surveillance tool, minimizing the risks from attacks on IT systems and networks. Honeypots can also analyze the ways in which attackers try to compromise an information system, providing valuable information into potential system loopholes.

Honeypot definition: A honeypot is a security resource whose value lies in being probed, attacked, or compromised[1]. It is also defined as a closely monitored computing resource that we want to be probed, attacked, or compromised[2].

This means that the expectations and goals of a honeypot are to have the system probed, attacked, and potentially exploited. It does not matter what the resource is (a router, scripts running emulated services, a jail, or an actual production system). The resource's value lies in its being attacked. If the system is never probed or attacked, then it has little or no value. This is the exact opposite of most production systems, which you do not want to be probed or attacked.

As should be apparent from this definition, honeypots are different from most security tools in that they can take on different manifestations. Most of the security technologies used today were designed to address specific problems. For example, firewalls are a technology that protects your organization by controlling what traffic can flow where. They are used as an access control device. Firewalls are most commonly deployed around an organization's perimeter to block unauthorized activity. Network Intrusion Detection Systems are designed to detect attacks by monitoring either system or network activity. They are used to identify unauthorized activity.

A honeypot can be of any computer resource type, such as a firewall, a web server, or even an entire site. It runs no real production services. Any contact with it is considered potentially malicious. Traffic sent to or from a honeypot is considered either an attack or a result of the honeypot being compromised.

Notable features of honeypots include: they collect small volumes of higher value traffic; are capable of observing previously unknown attacks; detect and capture all attackers' activities, including encrypted traffic and commands; and require minimal resources.

Honeypot Technologies

1) Types by level of interactions:
   a. The Low-Interaction Honeypots (Specter)
   b. The High-Interaction Honeypots (Symantec Decoy Server)

2) Types by their intended use:
   a. Production honeypots (Honeynets)
   b. Research honeypots (

3) Types by attack role:
   a. Server side honeypots (Honeyd)
   b. Client side honeypots (HoneyMonkey)
Honeypots differentiated by their level of interactions:

The Low-Interaction Honeypots[3]

Low-interaction honeypots have limited interaction; they work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated SMTP service listening on port 25 may just emulate an SMTP login, or it may support a variety of additional SMTP commands. Low-interaction honeypots are easier to deploy and maintain, with very low risk. You just install honeypot software, select the operating systems and services you want to emulate and start monitoring. The attacker's activity is contained: the attacker never has access to an operating system to attack or harm others. The disadvantages of low-interaction honeypots are that they log only limited information and capture known activity. Also, it is easier for an attacker to detect a low-interaction honeypot. An example of a low-interaction honeypot is SPECTER.

Example of a Tool for Low-Interaction Honeypots

SPECTER[4] is a smart honeypot-based intrusion detection system. It simulates a vulnerable computer, providing an interesting target to lure hackers away from the production machines. SPECTER offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET which appear perfectly normal to the attackers but in fact are traps for them to mess around and leave traces without even knowing that they are connected to a decoy system, which does none of the things it appears to do, but instead logs everything and notifies the appropriate people. Furthermore, SPECTER automatically investigates the attackers while they are still trying to break in. SPECTER provides massive amounts of decoy content including images, MP3 files, email messages, password files, documents and all kinds of software. It dynamically generates decoy programs that will leave hidden marks on the attacker's computer. Automated online updates of the system's content and vulnerability database allow the honeypot to change constantly without user interaction.

The High-Interaction Honeypots

High-interaction honeypots are complex solutions as they involve real operating systems and applications[5]. With high-interaction honeypots, you can capture comprehensive information. You can learn the full extent of attackers' behavior, from new rootkits to IRC sessions. High-interaction honeypots also provide an open environment that captures all activity. This allows high-interaction honeypots to learn unexpected behavior. Of course, this also increases the risk, as attackers can use these operating system loopholes to attack non-honeypot systems. High-interaction honeypots are more complex to deploy and maintain. An example of a high-interaction honeypot is Symantec Decoy Server.

Example of a Tool for High-Interaction Honeypot.

Symantec Decoy Server provides early detection of threats and enables attack diversion and confinement by actually becoming the target of the attack[6]. The decoy sensor acts like a fully functioning server, and can simulate email traffic between users in the organization to mirror the appearance of a live mail server. When attacks are directed at the decoy sensor, Symantec Decoy Server delivers comprehensive attack detection through a system of data collection modules. Every action is recorded for analysis, allowing administrators to prioritize and understand the threat and respond appropriately.

Since the decoy server is not a real system, all traffic directed towards Symantec Decoy Server is likely suspicious and should be considered a prelude to an attack. This helps eliminate the nuisance of false negatives and positives, allowing system administrators to focus on legitimate attacks and respond much more effectively.

Symantec Decoy Server is not signature-based, so it automatically detects unknown attacks without any need for security signature updates or dynamic policy configurations. It also detects both host- and network-based attacks, unauthorized use of passwords and server access for increased network protection.

| Low-interaction Honeypots | High-interaction Honeypots |
| --- | --- |
| Emulates operating systems and services. | Real operating systems and services are provided. |
| Easy to install and deploy. Simply installing and configuring software on a computer. | Can capture comprehensive information, including new tools, communications, or attacker keystrokes. |
| Low risk, as the emulated services control what attackers can and cannot do. | Can be complex to install or deploy. |
| Captures limited amounts of information, like transactional data and limited interaction. | Increased risk, as attackers are provided real operating systems to interact with. |

Honeypots differentiated by their intended use:

Production Honeypots:

A production honeypot is used in an organization to protect its IT infrastructure[7]. Production honeypots secure the organization by policing its IT environment to identify attacks. Production honeypots have less purpose and require fewer functions than research honeypots. Using production honeypots, we may know the origin of the hackers, such as what kind of machine or operating system they use, which country they are from, the kind of tools they used and the types of exploits the blackhat launches. Production honeypots let the blackhat community spend time and resources attacking the honeypots rather than the organization's production systems. An example of production honeypots is Honeynets.
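The low-interaction SMTP emulation described in this section (a decoy that answers a login and a few further commands, with no real mail system behind it) can be sketched as follows. This is an added example, not code from SPECTER or any tool named in the paper; the class names, the banner hostname and the listening port 2525 (chosen so the decoy runs unprivileged) are assumptions.

```python
import base64
import json
import socketserver
import time

class SmtpDecoySession:
    """Emulated SMTP dialogue: nothing is relayed, every line is recorded."""

    BANNER = "220 mail.example.test ESMTP ready"  # constructed hostname

    def __init__(self, peer):
        self.peer, self.events = peer, []
        self.state = "command"  # command | auth_user | auth_pass | data
        self.closed = False

    def _log(self, kind, value):
        self.events.append({"ts": time.time(), "peer": self.peer,
                            "kind": kind, "value": value})

    @staticmethod
    def _b64(text):
        try:
            return base64.b64decode(text, validate=True).decode("utf-8", "replace")
        except ValueError:
            return text  # not valid base64: keep the raw value

    def handle(self, line):
        """Return the reply for one client line, or None for no reply."""
        line = line.rstrip("\r\n")
        if self.state == "auth_user":
            self._log("auth_user", self._b64(line))
            self.state = "auth_pass"
            return "334 UGFzc3dvcmQ6"  # base64("Password:")
        if self.state == "auth_pass":
            self._log("auth_pass", self._b64(line))
            self.state = "command"
            return "535 5.7.8 Authentication credentials invalid"
        if self.state == "data":
            if line == ".":
                self.state = "command"
                return "250 2.0.0 Queued"  # message is dropped, never sent
            self._log("data", line)
            return None
        self._log("command", line)
        verb = line.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            return "250 mail.example.test"
        if line.upper().startswith("AUTH LOGIN"):
            self.state = "auth_user"
            return "334 VXNlcm5hbWU6"  # base64("Username:")
        if verb in ("MAIL", "RCPT", "RSET", "NOOP"):
            return "250 2.1.0 OK"
        if verb == "DATA":
            self.state = "data"
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            self.closed = True
            return "221 2.0.0 Bye"
        return "502 5.5.1 Command not implemented"

class Handler(socketserver.StreamRequestHandler):
    timeout = 30  # seconds; idle clients are dropped

    def handle(self):
        session = SmtpDecoySession(self.client_address[0])
        try:
            self.wfile.write((session.BANNER + "\r\n").encode())
            # readline(1024) bounds the memory one client line can consume
            while not session.closed and (raw := self.rfile.readline(1024)):
                reply = session.handle(raw.decode("latin-1"))
                if reply is not None:
                    self.wfile.write((reply + "\r\n").encode())
        except OSError:
            pass  # timeout or reset: keep whatever was captured
        for event in session.events:
            print(json.dumps(event), flush=True)

if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 2525), Handler) as srv:
        srv.serve_forever()
```

The attacker's reach ends at the reply strings in `handle`, which is the containment property the section describes; the same limit is why anything outside the emulated verbs only ever appears in the log as an unanswered command.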
Research Honeypots

Research honeypots are complex. They are designed to collect as much information as possible about hackers and their activities[8]. Their primary mission is to research the threats an organization may face, such as who the attackers are, how they are organized, what kind of tools they use to attack other systems, and where they obtained those tools. The information gathered by research honeypots helps the organization to better understand the hackers' attack patterns, motives and how they function. With knowledge about potential threats, the organization can use necessary defense mechanisms and processes. Research honeypots are also an excellent tool to capture automated attacks, such as auto-rooters or worms.

Example of a Tool for Production and Research

A honeynet is a type of honeypot[9]. Specifically, it is a high-interaction honeypot designed to capture extensive information on threats. High-interaction means a honeynet provides real systems, applications, and services for attackers to interact with. It is through this extensive interaction that we gain information on threats, both external and internal to an organization. What makes a honeynet different from most honeypots is that it is a network of real computers for attackers to interact with. These victim systems (honeypots within the honeynet) can be any type of system, service, or information you want to provide.

Conceptually honeynets are very simple; they are a network that contains one or more honeypots. Since honeypots are not production systems, the honeynet itself has no production activity, no authorized services. As a result, any interaction with a honeynet implies malicious or unauthorized activity. Any connections initiated inbound to your honeynet are most likely a probe, scan, or attack. Any unauthorized outbound connections from your honeynet imply someone has compromised a system and has initiated outbound activity. This makes analyzing activity within your honeynet very simple. With traditional security technologies, such as firewall logs or IDS sensors, you have to sift through gigabytes of data, or thousands of alerts. A great deal of time and effort is spent looking through this information, attempting to eliminate false positives while identifying attacks or unauthorized activity. Since a honeynet is nothing more than a network of honeypots, all captured activity is assumed to be unauthorized or malicious.

| Production Honeypots | Research Honeypots |
| --- | --- |
| Less purpose and require fewer functions. | Complex and comprehensive functions. |
| Help to reduce or mitigate risk that a specific organization faces. | Complex and capture complete information, including new tools, communications, or attacker keystrokes. |
| Secure the organization by policing its IT environment to identify attacks. | Help to understand attack patterns, motives and how attackers function. |
| Implementation and deployment are relatively easier and less risky. | Excellent tool to capture automated attacks such as auto-rooters or worms. |
| Provide less evidence about hackers' attack patterns and motives. | Difficult and complex to implement, higher risk and require skilled personnel. |

Honeypots differentiated by their attack role:

Server side honeypots

A server side honeypot is an Internet-attached server that acts as a decoy[1], luring in potential hackers in order to study their activities and monitor how they are able to break into a system. Honeypots are designed to mimic systems that an intruder would like to break into but limit the intruder from having access to an entire network. If a honeypot is successful, the intruder will have no idea that s/he is being tricked and monitored. Most honeypots are installed inside firewalls so that they can better be controlled, though it is possible to install them outside of firewalls. A firewall in a honeypot works in the opposite way to a normal firewall: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.

Using server side honeypots the administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned. The hacker can be caught and stopped while trying to obtain root access to the system. By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.

Example of a Tool for Server side Honeypots

Honeyd is a small daemon that creates virtual hosts on a network[10]. The hosts can be configured to run arbitrary services, and their personality can be adapted so that they appear to be running certain operating systems. Honeyd enables a single host to claim multiple addresses - tested up to 65536 - on a LAN for network simulation. Honeyd improves cyber security by providing mechanisms for threat detection and assessment. It also deters adversaries by hiding real systems in the middle of virtual systems.

It is possible to ping the virtual machines, or to traceroute them. Any type of service on the virtual machine can be simulated according to a simple configuration file. Instead of simulating a service, it is also possible to proxy it to another machine.

The different TCP personalities are learned from reading an nmap fingerprint file. The configured personality is the operating system that nmap or xprobe will return. Personalities can be annotated to determine if they allow FIN-scans for open ports or to select the preference in which they reassemble fragmented IP packets.

Honeyd can be used to create a virtual honeynet or for general network monitoring. It supports the creation of a virtual network topology including dedicated routes and routers. The routes can be attributed with latency and packet loss to make the topology seem more realistic.

Because Honeyd interacts with potentially malicious adversaries, you should sandbox it with Systrace. Systrace prevents an adversary from exploiting bugs in your Honeyd scripts.

Client side honeypots

Client honeypots are active security devices in search of malicious servers that attack clients[11]. The client honeypot poses as a client and interacts with the server to examine whether an attack has occurred. Any client that interacts with servers can be part of a client honeypot (for example browser, ftp, ssh, email, etc.).

Client honeypots can be grouped into low interaction and high interaction honeyclients. Low interaction client honeypots are fast and generally easier to manage, but are weaker at detecting new attacks and less likely to be able to obtain malware. High interaction client honeypots are slower and more difficult to manage in general, but are better suited for the detection of new attacks and obtaining malware. A client side honeypot simulates/drives client-side software and does not expose server based services to be attacked. It cannot lure attacks to itself, but rather it must actively interact with remote servers to be attacked. The client-side honeypot must discern which server is malicious and which is benign.

Example of a Tool for Client side Honeypots

HoneyMonkey, short for Strider HoneyMonkey Exploit Detection System[12], is a Microsoft Research honeypot. The implementation uses a network of computers to crawl the World Wide Web searching for websites that use browser exploits to install malware on the HoneyMonkey computer. A snapshot of the memory, executable and registry of the honeypot computer is recorded before crawling a site. After visiting the site, the state of memory, executable, and registry is compared to the previous snapshot. The changes are analyzed to determine whether the visited site installed malware onto the honeypot

HoneyMonkey is based on the honeypot concept, with the difference that it actively seeks websites that try to exploit it. The term was coined by Microsoft Research in 2005. With honeymonkeys it is possible to find open security holes that aren't yet publicly known but are exploited by attackers.

A single HoneyMonkey is an automated program, which tries to mimic the action of a user surfing the net. A series of HoneyMonkeys are run on virtual machines running Windows XP, at various levels of patching — some are fully patched, some fully vulnerable, and others in between these two extremes. The HoneyMonkey program records every read or write of the file system and registry, thus keeping a log of what data was collected by the web-site and what software was installed by it. Once the program leaves a site, this log is analyzed to determine if any malware has been loaded. In such cases, the log of actions is sent for further manual analysis to an external controller program, which logs the exploit data and restarts the virtual machine to allow it to crawl other sites starting in a known uninfected state.

| Server side honeypots | Client side honeypots |
| --- | --- |
| Acts as a decoy, luring in potential hackers. | Actively in search of servers that attack clients. |
| Can watch the hacker exploit the system, so as to learn the weaknesses that need to be redesigned. | Simulates/drives client-side software and does not expose server based services to attack. |
| The attacker can be caught and stopped while trying to obtain root access to the system. | Actively interact with remote servers to be attacked. |
| Help to create more secure systems that are potentially invulnerable to future hackers. | Evaluates which server is malicious and which is benign. |

Honeypot Deployments[13]

Large-scale Distributed Honeypots

A honeypot network, or honeynet, is a network of honeypots that imitates and replicates an actual or fictitious network. This will appear to attackers as if many different types of applications are available on several different platforms. A honeynet offers an early warning system against attacks and provides an excellent way to analyze and understand an attacker's intention, by looking at what kind of machines and services have been attacked, and what type of attacks have been conducted.

Honeynet Project and HoneyLab are examples of this type of
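The before-and-after state comparison that the HoneyMonkey description relies on can be illustrated for the file system alone; registry and memory state are outside this sketch. This is an added example, not Microsoft's implementation: the function names, the `cache/*` allowlist and the sample directory tree are assumptions constructed for the demonstration.

```python
import fnmatch
import hashlib
import os
import tempfile


def snapshot(root):
    """Map every file under root (relative path) to its SHA-256 digest."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as handle:
                    state[rel] = hashlib.sha256(handle.read()).hexdigest()
            except OSError:
                state[rel] = "unreadable"  # still visible in the comparison
    return state


def compare(before, after, expected=()):
    """List added/removed/modified paths, skipping expected-noise globs."""
    changes = {"added": [], "removed": [], "modified": []}
    for path in sorted(set(before) | set(after)):
        if any(fnmatch.fnmatchcase(path, glob) for glob in expected):
            continue  # e.g. browser cache writes that every visit causes
        if path not in before:
            changes["added"].append(path)
        elif path not in after:
            changes["removed"].append(path)
        elif before[path] != after[path]:
            changes["modified"].append(path)
    return changes


def is_suspicious(changes):
    """Any unexplained state change sends the visit to manual analysis."""
    return any(changes.values())


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed before/after state standing in for one site visit."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system/hosts", b"127.0.0.1 localhost\n")
        _write(root, "cache/index.dat", b"old")
        before = snapshot(root)
        # Constructed effects of the visit: cache churn (expected), plus a
        # new executable and an edited configuration file (not expected).
        _write(root, "cache/index.dat", b"new")
        _write(root, "cache/page1.html", b"<html></html>")
        _write(root, "startup/updater.exe", b"constructed sample bytes")
        _write(root, "system/hosts", b"127.0.0.1 localhost\n# changed\n")
        return compare(before, snapshot(root), expected=["cache/*"])


if __name__ == "__main__":
    result = demo()
    print(result, "suspicious:", is_suspicious(result))
```

The allowlist is the part that needs care in practice: a real browser writes to disk on every visit, so an allowlist that is too narrow flags every site and one that is too broad hides a payload dropped into an ignored directory.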
Server Honeypot Deployment:

Honeypots are deployed alongside regular production servers[14]. The honeypot will mirror some real data and services from the production servers in order to attract attackers. The security of the honeypot can be loosened slightly so as to increase its chance of being compromised. The honeypot can then collect attack related information. However, if a successful attack takes place on the honeypot within the network, that compromised honeypot machine might be used to scan for other potential targets in the network. This is the main drawback of installing honeypots within the production system.

In another method each server is paired with a honeypot, and suspicious traffic destined for the server is directed to the honeypot. For instance, traffic at TCP port 80 can be directed to a web server IP address as normal, while all other traffic to the web server will be directed towards the honeypot. To camouflage the honeypot, a certain amount of data, such as the website contents of a web server, may need to be replicated on the honeypot. There are several ways to set up a server honeypot. It can be set in front of a firewall, in the DMZ or behind a firewall. It is best to deploy the honeypot closer to the server, as it is more tempting for the attacker. Another way to deploy a honeypot would be to place it in between servers, but this method is not very effective. It would prove useful mostly against sweep scans.

Virtual Honeypot Deployment

Virtual honeypots simulate virtual computer systems at the network level[15]. The simulated computer systems appear to run on unallocated network addresses. To deceive network fingerprinting tools, these honeypots simulate the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems. These honeypots help in many areas of system security, e.g. detecting and disabling worms, distracting adversaries, or preventing the spread of spam email.

Honeyd is an example of a virtual honeypot framework.

Deployment of a Client Honeypot

Client honeypots focus on malicious webservers, which they interact with by driving a web browser on the honeypot system. Honeyclient detects successful attacks by monitoring changes to a list of files, directories and system configuration after the Honeyclient has interacted with a server. A honeyclient such as Honeymonkey also detects intrusions by monitoring changes to a list of executable files and registry entries, but Honeymonkey goes a step further by adding monitoring of the child processes to its repertoire to detect client side attacks. The UW client honeypot uses event triggers of file system activity, process creation, registry activity and browser crashes to identify client side attacks. All these client honeypots can be classified as high interaction client honeypots because they make use of a real browser within a real operating system environment and monitor the state of the entire system.

Deployment of a WEB Honeypot [7]

Through a web interface, one can deploy a low-involvement (low-interaction), production, dynamic and manageable honeypot. It uses a combination of deployment strategies, such as "Deception Ports on Production Systems" to simulate honeypot services, substituted for well-known services (for instance HTTP, SMTP, POP, DNS and FTP), and "Proximity Decoys" where the honeypot decoys are in close proximity to the production hosts (in the same logical subnet). The risk is minimized because there is no real operating system present and services are simulated.

This deployment is easier to deploy and maintain. Furthermore, the emulated services reduce the risk by containing the attacker's activity. The attacker will never have access to an operating system to do further damage. However, only limited information is logged. It is also easier for an attacker to detect a low-interaction honeypot in this particular architecture. No matter how good the emulation is, a skilled attacker can eventually detect its presence. Another disadvantage is that it will not allow the researcher to capture any additional data associated with the attack other than the initial probe. The honeypots are deployed in the same logical subnet to distract an attacker from the real targets. They are used as bait to bind attacking attempts as long as possible and protect the productive environment in the meantime. The primary interest here is to protect the real systems. The purpose of running a honeypot in the intranet is to detect internal attackers. It is also possible to detect a misconfigured firewall using an internal honeypot. In addition, implementation of the web honeypot is a great way to detect worms or Trojans.

[1] Lance Spitzner, Honeypots: Tracking Hackers. Publisher: Addison Wesley. Pub Date: September 13, 2002.
[2] N. Provos, "A virtual honeypot framework," in SSYM'04: Proceedings of the 13th conference on USENIX Security Symposium. Berkeley, CA, USA: USENIX Association, 2004.
[3] Mark Schloesser, Low Interaction Server Honeypot Evolution. Giraffe Honeynet Project, FIRST Technical Colloquium, Kuala Lumpur, December 2, 2009.
[4] SPECTER, a smart honeypot-based intrusion detection system.
[5] J. Briffaut, J.-F. Lalande, C. Toinard, Security and Results of a Large-Scale High-Interaction Honeypot. Journal of Computers, Vol. 4, No. 5, May 2009.
[6] Symantec Releases Decoy-Based Intrusion Detection System;
[7] Nor Badrul Anuar, Omar Zakaria, and Chong Wei Yao (University of Malaya, Kuala Lumpur, MY), Honeypot through Web (Honeyd@WEB): The Emerging of Security Application Integration. Issues in Informing Science and Information Technology, Volume 3, 2006.
[8] P. Akritidis, W. Y. Chin, E. P. Markatos, E. Kotsovinos, S. Ioannidis, K. G. Anagnostakis, HoneyLab: Large-scale Honeypot Deployment and Resource Sharing.
[9] Know Your Enemy: Honeynets. What a honeynet is, its value, overview of how it works, and risk/issues involved. Honeynet Project, 31 May, 2006.
[10] Developments of the Honeyd Virtual Honeypot:
[11] Christian Seifert, Ian Welch, Peter Komisarczuk, HoneyC - The Low-Interaction Client Honeypot. {cseifert, ian.welch, peter.komisarczuk}; August 2006.
[12] Strider HoneyMonkey Exploit Detection us/um/redmond/projects/strider/honeymonkey/
[13] Douglas B. Moran, Effective Deployment of Honeypots Against Internal and External Threats.
[14] Hanli Ren, Honeypot Deployment. Member of UNB Honeynet Project, Faculty of Computer Science, University of New Brunswick, Fredericton, Canada.
[15] Niels Provos, Thorsten Holz, Virtual honeypots: from botnet tracking to intrusion detection, First edition. Publisher: Addison-Wesley Professional. Year of Publication: 2007.
[16] Yaser Alosefer, Omer Rana, Honeyware: a web-based low interaction client honeypot. School of Computer Science & Informatics, Cardiff University, UK.