Honeypot: An instrument for attracting and detecting attackers

1
Honeypot: An instrument for attracting and detecting attackers
  • April 2002, R. Baumann
  • me_at_rbaumann.net
  • http://security.rbaumann.net

2
Agenda
  • Theory
  • Implementation
  • Administration Toolkit
  • Attacks
  • Conclusion

3
Theory: Honeypot
  • Term originally from the military
  • Fake target or ambush
  • In this presentation, the term honeypot is used
    in a network security environment

4
Theory: Definition
A honeypot is a resource which pretends to be a
real target. A honeypot is expected to be
attacked or compromised. The main goals are the
distraction of an attacker and the gain of
information about an attacker, his methods and
tools.
5
Theory: Benefit
  • Productive environment: distraction from the real
    targets
  • Research environment: information gathering
  • but
  • No direct protection gained
  • In contrast to an IDS, no false alerts

6
Theory: Types of implementation
  • Level of Involvement
  • Low Involvement: Port Listeners
  • Mid Involvement: Fake Daemons
  • High Involvement: Real Services
  • Risk increases with level of involvement
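
Added example (not part of the original presentation or of the Honeybread project): a low-involvement honeypot in the sense of this slide, a port listener that accepts a connection, records the first bytes the client sends and never replies. The function names, the JSON event fields, port 2323 and the log file name are assumptions made for this example.

```python
import json
import socket
import time


def record_probe(conn, peer, local_port, max_bytes=256, timeout=2.0):
    """Capture the client's first bytes without replying; return one event."""
    conn.settimeout(timeout)
    try:
        data = conn.recv(max_bytes)      # bounded read: a probe cannot fill memory
    except OSError:                      # timeout or reset: still worth logging
        data = b""
    finally:
        conn.close()                     # low involvement: nothing is ever sent
    return {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": peer[0],
        "src_port": peer[1],
        "dst_port": local_port,
        "bytes": len(data),
        "payload_hex": data.hex(),       # hex keeps binary probes log-safe
    }


def listen(port, log_path, host="127.0.0.1", max_events=None):
    """Accept connections on one port; append one JSON line per connection."""
    seen = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, \
            open(log_path, "a", encoding="utf-8") as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while max_events is None or seen < max_events:
            conn, peer = srv.accept()
            log.write(json.dumps(record_probe(conn, peer, port)) + "\n")
            log.flush()                  # keep the log current if the host dies
            seen += 1
    return seen


if __name__ == "__main__":
    # Assumed values: port 2323 and the log file name are placeholders.
    listen(2323, "honeypot-events.jsonl")
```

Because no production service runs on the listening port, every logged line is a connection worth reviewing. The loop handles one client at a time, so a silent client delays the next accept by at most the read timeout.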

7
Theory: Honeynet
  • Network of honeypots
  • Supplemented by firewalls and intrusion detection
    systems
  • Advantages
  • More realistic environment
  • Improved possibilities to collect data

8
Implementation: Project Honeybread
  • Honeynet implementation
  • Administration Toolkit
  • Ethernet Tunneling Software

9
Implementation: Schematic illustration
[Figure: schematic with the labels Honeypots, Detection and Internet]
10
Implementation: Topology
11
Implementation: Honeypots
  • Multiple honeypots
  • Virtual machines
  • Different, independent systems

12
Implementation: Detection unit
  • Information logging
  • Connection control
  • Administration

13
Administration Interface: Features
  • Web-based
  • Event visualization
  • Connections from and to the honeynet
  • Intrusion detection system alerts
  • Session logs
  • Statistics and reports

14
Administration Interface: Screenshot
15
Attacks: Facts
  • Huge amount of IDS alerts (> 40000)
  • Mostly automated attacks
  • Code Red Virus
  • Successfully attacked in less than 24 hours
  • Well known security vulnerabilities used

16
Attacks: IDS alerts
17
Attacks: Distribution over time
18
Attacks: Origin
19
Attacks: Summary
  • The number of attacks was surprising
  • Origin of attacks mostly from local systems
  • Attacks on own subnet
  • Most tools use own subnet as default setting
  • Conclusion
  • Protection required and possible

20
Summary: Technology
  • Honeypot as a security solution: not very attractive
  • Very time-consuming
  • No out-of-the-box solutions
  • Risk quite high when used inappropriately
  • Deep knowledge needed
  • Legal situation uncertain
  • Honeypot as a service: very attractive

21
Summary: Implementation
  • Data analysis very complex and time consuming
  • Very good learning results
  • Very interesting research area
  • Exciting and surprising moments

22
Thank you very much for your attention