Software Engineering 4C03
Computer Networks and Security
NETWORK DECEPTION SYSTEMS: HONEYPOTS
by Ryan Mohammed # 9616106
21st March 2001
When talking about network security one usually thinks of routers, firewalls and Intrusion Detection Systems (IDSs). One further layer of defense can be achieved through the use of honeypots, whose primary purpose is to gain direct, observable knowledge of how intruders operate. Honeypots are programs that simulate one or more network services on designated ports so as to look like something an intruder can attack. To better understand what honeypots are, let me first explain what "intruders" really are: an intruder is an individual who is using (or attempting to use) a computer system without authorization. Depending on skill level, such an individual may be called a "Script Kiddie" (least skilled) or a "Black Hat" (most skilled). Essentially, a honeypot works as a decoy, i.e. it lures intruders away from vulnerable parts of a network towards something that cannot be harmed. This paper will first discuss why systems such as honeypots are necessary and what ethical and legal issues surround their use. I shall then explain how a honeypot can be set up on a network and mention some implementation issues. Next I shall focus on some of the advantages and disadvantages of using honeypots. Following this I shall show some real-life examples of how honeypots have been used and what the results were. Finally I shall present information on some commercial honeypots.
Why are Honeypots Necessary?
Why are honeypots necessary given the other technologies available for securing a system? This question has one obvious answer: honeypots give the ability to learn how a system can be compromised, and by whom, while still protecting it. To show their importance, a honeypot can be compared to the ubiquitous firewall, which many network administrators use as a form of security. A firewall is a device that shuts off everything and then turns back on only a few well-chosen items. We have firewalls because various servers accidentally leave security holes open on many ports. Put simply, a firewall is a fence around a network with a couple of well-chosen gates. The fence has no capability of detecting somebody trying to break in (such as by digging a hole underneath it), nor does it know whether somebody coming through a gate is allowed in. Hence intruders are still able to get past the firewall if the attack is targeted at an access point that the firewall legitimately allows. Also, the firewall only protects against outsiders, yet 80% of financial losses due to attacks originate from inside the network in question. The firewall can therefore be described as a static defense mechanism, whereas a honeypot is dynamic: the honeypot defends against attacks that the firewall is unable to see. Ideally the honeypot is used together with a firewall. It is easy to build a conservative firewall that cannot be hacked; however, engineers are not allowed to be sufficiently paranoid, since corporations always want to expand their Internet services. This forces network administrators to relax the firewall barriers.
Honeypots are designed to be broken into for two primary reasons. The first is to find information about the vulnerable areas of a system and those that are most likely to be attacked; by observing attack methodologies one learns how a system can be compromised. The second main goal is to gather the forensic information required to aid in the apprehension or prosecution of intruders. A honeypot purposely leaves a "hole" in the system that is so obvious to walk through that the other areas of the system look relatively much more secure. In essence, the honeypot protects the other areas of the system or network by diverting attention to itself.
The use of honeypots is always subject to scrutiny because of the controversy over whether it constitutes a form of entrapment. Honeypots are in fact not a form of entrapment, because a honeypot merely allows the system to sustain an attack and does not encourage or solicit one. You can, however, be legally liable if a honeypot is compromised and used as a launching pad for other unauthorized intrusions. If the honeypot is virtual enough and really only simulates services, then attempts to launch attacks from it would be harmless.
All traffic to a honeypot is deemed suspicious, because the honeypot is designed so that it still has to be accessed through a near-obvious "hole". Honeypots are generally based on a real server and operating system, with data that gives the impression of being real. The difference from a real server is its location: it is placed in the DMZ (De-Militarized Zone: outside the firewall but still accessible by internal computers) of the network. This ensures that the internal network is not exposed to the intruder. It should be placed close to the production servers in order to tempt intruders that are targeting them. The use of port redirection on an upstream router or firewall will give the impression that the services are running on the production server. This router must be capable of redirection and must also transparently handle the address translation of the honeypot so as to conceal its true IP. A good example of such use is an attempt to reach a web server or telnet on a production server that normally does not accept such requests. Such connection requests can then be redirected to the honeypot, which will simulate a response to the request. It should be noted that there are limitations on the service emulation of a honeypot: the network will have to be probed to determine its vulnerabilities so that the services can then be accurately emulated. The honeypot's address is ideally in between those of the production servers (for example, if .2, .3 and .5 are production servers then ideally the honeypot is .4). This takes advantage of intruders that do a "sweep scan" of the entire network looking for vulnerable services.
The honeypot works by monitoring or controlling the intruder. It audits the activity of the intruder by saving log files, started processes, compilations and file changes, and by recording keystrokes. The valuable log files generated by the honeypot should be stored elsewhere rather than on the honeypot itself, because the intruder will eventually have the ability to change the data contained therein. The ability to alert administrators that the honeypot has been compromised is also essential; this is required because of the possibility that a real production server could then be attacked from the honeypot! One way to protect production servers and alert the administrator in case of a compromise is to have the honeypot on its own subnet and behind a firewall. Any activity in that subnet segment will then trip the alarms. If there were multiple computers on the same subnet it would be hard to distinguish between good and bad traffic. By the use of a "sniffer", all incoming and outgoing traffic can be closely monitored. In summary, by using these techniques you can be protected in case of a honeypot compromise, log and view all incoming and outgoing traffic, and control that traffic. The ability to control traffic is useful because it prevents the intruder from using the honeypot as a stepping-stone to further attacks on other protected resources or on systems belonging to others on the Internet. To do this, the firewall rules for a honeypot system should permit all traffic in from the Internet and block most outgoing traffic.
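The monitoring rules just described (everything touching the decoy is suspicious, anything leaving it means the decoy has been compromised and is being used as a stepping-stone, and internal sources are the insider case) can be run over the sniffer's records from the honeypot segment. The following is an added example, not code from the paper or from any product it names; the addresses are documentation ranges, and the log lines are constructed.

```python
import ipaddress

# Constructed topology (documentation addresses): the decoy sits between production
# hosts so a sweep scan of the range reaches it, and it has its own monitored segment.
HONEYPOT = ipaddress.ip_address("192.0.2.4")
PRODUCTION = {ipaddress.ip_address(a) for a in ("192.0.2.2", "192.0.2.3", "192.0.2.5")}
INTERNAL = ipaddress.ip_network("192.0.2.0/24")


def classify(src, dst, dport):
    """Apply the monitoring rules: anything touching the decoy is suspicious, anything
    leaving it means the decoy is compromised and being used as a stepping-stone."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src == HONEYPOT:  # outbound from the decoy should have been blocked; treat as compromise
        where = "production" if dst in PRODUCTION else "internal" if dst in INTERNAL else "Internet"
        return "CRITICAL", f"honeypot {src} opened {where} connection to {dst}:{dport}"
    if dst == HONEYPOT:
        origin = "insider" if src in INTERNAL else "external"
        return "ALERT", f"{origin} host {src} probed honeypot port {dport}"
    return None  # traffic that never touches the decoy is not this segment's concern


def scan_sniffer_log(lines):
    """Parse constructed sniffer lines of the form 'src dst dport' and return the alerts in order."""
    alerts = []
    for line in lines:
        src, dst, dport = line.split()
        verdict = classify(src, dst, int(dport))
        if verdict:
            alerts.append(verdict)
    return alerts


# Constructed sample capture from the honeypot segment's sniffer.
SAMPLE_LOG = [
    "203.0.113.9 192.0.2.2 80",    # sweep scan hits a production web server first
    "203.0.113.9 192.0.2.4 80",    # the same scanner reaches the decoy in the middle of the range
    "192.0.2.50 192.0.2.4 23",     # an internal host talking to the decoy: the insider case
    "192.0.2.4 198.51.100.7 22",   # the decoy initiating an outbound connection: stepping-stone attempt
]

if __name__ == "__main__":
    for severity, message in scan_sniffer_log(SAMPLE_LOG):
        print(severity, message)
```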
Whether the advantages of a honeypot outweigh the disadvantages really depends on the designer, since every individual has different resources and needs. The following are some of the advantages of setting up a honeypot. Firstly, one can learn about incident response: setting up a system that intruders can break into provides knowledge of how to detect hacker break-ins and clean up after them. Secondly, knowledge of hacking techniques can protect the real system from similar attacks. Thirdly, the honeypot can be used as an early warning system: it will alert administrators of any hostile intent long before the real system gets compromised. Another advantage of honeypots is their ability to deceive intruders easily. For example, the honeypot can be made to present a banner that looks like a system that can easily be attacked; the banner may advertise a version of software with a well-known security flaw.
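A minimal low-interaction decoy that ties together the points from the preceding two paragraphs: it presents a tempting banner, accepts whatever the intruder types without executing anything, records every line, and hands each record to a sink that can carry it off the box (a UDP collector on another host) so the evidence never lives on the honeypot's own disk. This is an added example written for this page, not code from the paper or from any product it names; the banner text, host name and collector address are hypothetical.

```python
import json, socket, socketserver, threading
from datetime import datetime, timezone

# Constructed banner (hypothetical host): a dated-looking version string is the lure.
BANNER = b"220 mail.example.internal ESMTP Sendmail 8.9.3; ready\r\n"

def make_record(peer, event, data):
    """One audit entry: who connected, what happened, what they typed."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "peer": peer,
            "event": event, "data": data}

def udp_sink(collector_host, collector_port):
    """Ship each record as a JSON datagram to another host, out of the intruder's reach."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda rec: sock.sendto(json.dumps(rec).encode(), (collector_host, collector_port))

class HoneypotHandler(socketserver.StreamRequestHandler):
    """Low-interaction decoy: greet, say OK to everything, execute nothing, log every line."""
    def handle(self):
        peer = self.client_address[0]
        self.server.sink(make_record(peer, "connect", ""))
        self.wfile.write(BANNER)
        for raw in self.rfile:  # nobody legitimate talks to a decoy, so every line is evidence
            line = raw.decode("latin-1").rstrip("\r\n")
            self.server.sink(make_record(peer, "input", line))
            if line.upper().startswith("QUIT"):
                self.wfile.write(b"221 Bye\r\n")
                break
            self.wfile.write(b"250 OK\r\n")  # keep the intruder talking
        self.server.sink(make_record(peer, "disconnect", ""))

class Honeypot(socketserver.ThreadingTCPServer):
    def __init__(self, addr, sink):
        super().__init__(addr, HoneypotHandler)
        self.sink = sink  # callable that carries a record off the box, e.g. udp_sink(...)

def run_session(lines, sink):
    """Run the decoy on an ephemeral local port, replay a constructed client session, return (banner, replies)."""
    server = Honeypot(("127.0.0.1", 0), sink)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    with socket.create_connection(server.server_address) as conn:
        reader, replies = conn.makefile("rb"), []
        banner = reader.readline()
        for line in lines:
            conn.sendall(line.encode() + b"\r\n")
            replies.append(reader.readline())
    server.shutdown()
    server.server_close()  # joins handler threads, so every record has reached the sink
    return banner, replies
```

In a real deployment the sink would be `udp_sink("collector.example", 5140)` (hypothetical collector) and the server would bind the redirected port on the DMZ interface; `run_session` exists only to exercise the decoy locally.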
The disadvantages of the system are as follows. First and foremost, the honeypot may be used as a stepping-stone to further compromise a network, whether the user's own internal network or some other network on the Internet. Secondly, honeypots add complexity to the network, and increased complexity may lead to increased exposure to exploits. Another disadvantage is that honeypots must be maintained just like any other networking equipment and service; maintenance not only requires that the system be shut off at times but also consumes just as many resources as a real system. Lastly, building a honeypot requires at least one whole system dedicated to it, which may be an expensive resource for some corporations.
There are numerous examples of honeypots being used successfully to monitor real hackers. One of the largest projects currently being undertaken is the Honeynet Project (http://project.honeynet.org). It involves some 30 security professionals, programmers and psychologists, all working on the project in their spare time, and is run by Lance Spitzner, a security consultant with Sun Microsystems. This honeynet has been used, and continues to be used, to gather intelligence on hackers and their tactics. Another person quite famous for using a network as a honeypot to track down and observe a hacker was Clifford Stoll, in his groundbreaking "Cuckoo's Egg" story. Stoll let the intruder hang around the San Diego University network for a year in order to gather valuable information, which was eventually shared with the authorities. In another case, a group of suspected Pakistani hackers broke into a U.S.-based computer system in June of 2000. The system was a honeypot, and the hackers were unsuspecting. They attempted to use it as a launching pad to attack web sites across India. Within the span of one month, the honeypot administrators were able to gather, record and study information from these hackers by monitoring every keystroke they made, every tool they used and every word of their online chat sessions. The administrators learned how the hackers chose their targets, what level of expertise they had, what their favorite kinds of attacks were, and how they went about covering their tracks so that they could nest on compromised systems.
Commercial honeypot products currently available on the market include CyberCop Sting, Mantrap and Spector 4.01. Spector 4.01 can simulate five different network services and seven traps, and can also simulate nine different operating systems. The operating system and character options, combined with the services, traps and password settings, allow for more than 2,000,000 different ways to act and appear, making it very hard to detect. CyberCop Sting appears to intruders as an enticing target that normal users would otherwise overlook. It logs intrusive behavior and creates 3-5 decoy system images on your network that play off an attacker's natural curiosity to investigate them. Mantrap also creates a decoy environment in which to trap attackers. It maintains an audit trail of the attacker's activities, saves log files and records keystrokes.
This paper first addressed the importance of honeypots as well as some legal issues. Honeypots provide a dynamic level of security that cannot be achieved by other conventional methods, and they are perfectly legal when used correctly. The paper also presented details on how a honeypot should be set up. Some advantages and disadvantages were discussed and, as mentioned, they vary with the budget and resources of the company wanting to use one. Finally, the paper presented some cases where honeypots were successfully used.