Honeypot (computing)
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated and monitored, and which seems to contain information or a resource of value to attackers.
Types
Honeypots can be classified based on their deployment and based on their level of involvement. Based on the deployment, honeypots may be classified as:
- Production Honeypots
- Research Honeypots
Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve its overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization; the honeypot adds value to the organization's security measures.
Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the black hat community targeting different networks. These honeypots do not add direct value to a specific organization; instead, they are used to research the threats organizations face and to learn how to better protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Based on the design criteria, honeypots can be classified into three categories:
- pure honeypots
- high interaction honeypots
- low interaction honeypots
A pure honeypot is a full-fledged production system. The activities of the attacker are monitored using a casual tap that has been installed on the honeypot's link to the network; no other software needs to be installed. Even though a pure honeypot is useful, the stealthiness of the defense mechanisms can be better ensured by a more controlled mechanism.
High-interaction honeypots imitate the activities of real systems that host a variety of services and, therefore, an attacker may be allowed a lot of services on which to waste his time. According to recent research in high-interaction honeypot technology, by employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, there is a chance of quicker recovery. In general, high-interaction honeypots provide more security by being difficult to detect but, on the negative side, are highly expensive to maintain. If virtual machines are not available, each honeypot needs its own physical computer, which can be exorbitantly expensive. Example: Honeynet.
A low-interaction honeypot is based on the services that attackers normally request; this class of honeypot simulates those services rather than running them. Serving only the few services attackers ask for has many positives: ease of hosting multiple virtual machines on one physical system as they consume relatively few resources, fast response time of the virtual systems, and shorter code length, which reduces the complexity of securing the virtual systems. Example: Honeyd.
Spam versions
Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. There are several capabilities such honeypots provide to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high volume abuse (e.g., spammers).
These honeypots can reveal the apparent IP address of the abuse and provide bulk spam capture (which enables operators to determine spammers' URLs and response mechanisms). For open relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") spammers use as targets for their test messages, which are the tool they use to detect open relays. It is then simple to deceive the spammer: transmit any illicit relay e-mail received that is addressed to that dropbox e-mail address. That tells the spammer the honeypot is a genuine abusable open relay, and they often respond by sending large quantities of relay spam to that honeypot, where it goes no further. The apparent source may be another abused system—spammers and other abusers may use a chain of abused systems to make detection of the original starting point of the abuse traffic difficult.
This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult.
Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002. While most spam originates in the U.S., spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages. (However, open relay spam has declined significantly.)
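The relay-test and dropbox policy described above, as an added Python example that is not code from Jackpot, smtpot.py or any other tool named on this page; the local domain `honeypot.example`, the client addresses and the rule used to recognize a relay test are constructed assumptions:

```python
"""Open-relay honeypot policy: accept every relay attempt, deliver only the
spammer's own relay tests, and capture the rest.

Added example; it is not Jackpot, smtpot.py or any other tool named on the page.
Assumptions: mail for "honeypot.example" is local and everything else is a
relay attempt; the dropbox heuristic is a guess, not a published rule.
"""
from collections import Counter
from dataclasses import dataclass, field

LOCAL_DOMAIN = "honeypot.example"


@dataclass
class Envelope:
    client_ip: str  # apparent source, as seen on the honeypot's socket
    mail_from: str
    rcpt_to: list[str]
    body: str


@dataclass
class RelayHoneypot:
    dropboxes: set[str] = field(default_factory=set)
    captured: list[Envelope] = field(default_factory=list)
    delivered: list[Envelope] = field(default_factory=list)
    seen_clients: set[str] = field(default_factory=set)

    @staticmethod
    def is_relay(env: Envelope) -> bool:
        """Any recipient outside the local domain means the client wants a relay."""
        return any(not r.lower().endswith("@" + LOCAL_DOMAIN) for r in env.rcpt_to)

    def learn_dropbox(self, env: Envelope) -> bool:
        """Heuristic (assumption): a client's first relay with one recipient and a
        short body is its open-relay test, so that recipient is its dropbox."""
        first_contact = env.client_ip not in self.seen_clients
        self.seen_clients.add(env.client_ip)
        if first_contact and len(env.rcpt_to) == 1 and len(env.body) < 512:
            self.dropboxes.add(env.rcpt_to[0].lower())
            return True
        return False

    def handle(self, env: Envelope) -> str:
        """Return 'local', 'deliver-test' (forward to the dropbox so the spammer
        believes the relay is open) or 'capture' (accept but never deliver)."""
        if not self.is_relay(env):
            return "local"
        self.learn_dropbox(env)
        if all(r.lower() in self.dropboxes for r in env.rcpt_to):
            self.delivered.append(env)
            return "deliver-test"
        self.captured.append(env)  # bulk spam stops here; nothing is forwarded
        return "capture"

    def sources(self) -> dict[str, int]:
        """Apparent source IPs of captured relay spam, by message count."""
        return dict(Counter(env.client_ip for env in self.captured))


if __name__ == "__main__":
    hp = RelayHoneypot()  # constructed session: one relay test, then a bulk run
    hp.handle(Envelope("203.0.113.7", "a@example.org", ["drop@spammer-mail.example"], "test"))
    hp.handle(Envelope("203.0.113.7", "a@example.org", ["v1@example.net"] * 2, "BUY " * 200))
    print(hp.dropboxes, hp.sources())
```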
Open relay honeypots include Jackpot, written in Java, smtpot.py, written in Python, and spamhole, written in C. The Bubblegum Proxypot is an open proxy honeypot (or proxypot).
E-mail trap
An e-mail address that is not used for any other purpose than to receive spam can also be considered a spam honeypot. Compared with the term spamtrap, the term "honeypot" might better be reserved for systems and techniques used to detect or counter attacks and probes. Spam arrives at its destination "legitimately"—exactly as non-spam e-mail would arrive.
An amalgam of these techniques is Project Honey Pot. The distributed, open-source Project uses honeypot pages installed on websites around the world. These honeypot pages hand out uniquely tagged spamtrap e-mail addresses. E-mail address harvesters and spammers can then be tracked as they gather and subsequently send to these spamtrap e-mail addresses.
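An added example, not Project Honey Pot's own code, of how a honeypot page can hand out a uniquely tagged spamtrap address and later resolve which visitor was given it once mail arrives there; the domain `trap.example`, the tag layout (timestamp, visitor IP, truncated HMAC) and the demo key are assumptions:

```python
"""Uniquely tagged spamtrap addresses in the style of Project Honey Pot.

Added example, not Project Honey Pot's code. Assumptions: trap addresses live
under "trap.example"; each tag binds the visitor's IP and issue time with an
HMAC so valid trap addresses cannot be guessed or forged by a harvester.
"""
import base64
import hashlib
import hmac
import struct

TRAP_DOMAIN = "trap.example"
SECRET = b"constructed-demo-key"  # per-deployment secret in real use
MAC_LEN = 8


def _mac(payload: bytes) -> bytes:
    return hmac.new(SECRET, payload, hashlib.sha256).digest()[:MAC_LEN]


def make_trap_address(visitor_ip: str, issued_at: int) -> str:
    """Mint the address a honeypot page hands to one visitor (IP + unix time)."""
    payload = struct.pack(">I", issued_at) + visitor_ip.encode()
    token = base64.b32encode(payload + _mac(payload)).decode().rstrip("=")
    return f"{token.lower()}@{TRAP_DOMAIN}"


def resolve_trap_address(address: str):
    """Mail arrived at this address: return who harvested it, or None if the
    address is not a genuine trap address (wrong domain, bad tag, bad MAC)."""
    local, _, domain = address.lower().partition("@")
    if domain != TRAP_DOMAIN:
        return None
    padded = local.upper() + "=" * (-len(local) % 8)
    try:
        raw = base64.b32decode(padded)
    except ValueError:  # binascii.Error is a ValueError
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    if len(payload) < 5 or not hmac.compare_digest(mac, _mac(payload)):
        return None
    issued_at = struct.unpack(">I", payload[:4])[0]
    return {"harvester_ip": payload[4:].decode(), "issued_at": issued_at}


if __name__ == "__main__":
    addr = make_trap_address("203.0.113.7", 1700000000)  # constructed visitor
    print(addr, resolve_trap_address(addr))
```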
Database honeypot
Databases often get attacked by intruders using SQL injection. Because such activities are not recognized by basic firewalls, companies often use database firewalls. Some of the available SQL database firewalls provide or support honeypot architectures to let the intruder run against a trap database while the web application still runs as usual.
Detection
Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. As detection systems would likely use unique characteristics of specific honeypots to identify them, a large number of honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There is also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot. Cohen believes that this might deter adversaries.
Honeynets
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot":
- A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated.
See also
- Network telescope
- Honeytoken
- HoneyMonkey
- Client honeypot
- Tarpit (networking)
- Honeypot and forEnsic Analysis Tool (HEAT)
- Canary trap