Complete Tech Sem

The document discusses honeypots, which are computer systems designed to attract and monitor hackers. It covers the history, classification, and goals of honeypots. Honeypots can be classified based on interaction level, data collection type, and purpose. The document also discusses honeypot architectures.

1. INTRODUCTION

1.1 Outline:

Global communication is getting more important every day. At the same time, computer crime is
increasing. Countermeasures are developed to detect or prevent attacks, but most of these
measures are based on known facts and known attack patterns. As in the military, it is important to
know who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is
aiming for. Gathering this kind of information is not easy, but it is important: by knowing attack
strategies, countermeasures can be improved and vulnerabilities can be fixed. Gathering as much
information as possible is one of the main goals of honeypots.

Generally, such information gathering should be done silently, without alerting the attacker. All
the gathered information leads to an advantage on the defending side and can therefore be used on
production systems to prevent attacks.
1.2 Honey Pots:

Definition:

A honeypot is "an information system resource whose value lies in unauthorized or illicit use
of that resource".

A honeypot is primarily an instrument for information gathering and learning. More generally, a
honeypot is a trap set to deflect or detect attempts at unauthorized use of information systems.
Essentially, honeypots are resources that allow anyone or anything to access them and, more
importantly, honeypots do not have any real production value: no legitimate user or service
should ever touch one, so any traffic that reaches it is suspect by definition. More often than not, a
honeypot is simply an unprotected, unpatched, unused workstation on a network being closely
watched by administrators.
1.3 Features of Honeypots:

• The virtual system should look as real as possible to attract intruders.
• The virtual system should be watched frequently.
• The virtual system should look and feel like a regular system.

1.4 Goals:

• To collect as much information as possible on the attack
• To gain information on the black hat community
• To help mitigate risk in an organization

2. LITERATURE SURVEY

2.1 List of Articles Referred:

2.1.1 Title: Anagnostakis, K. G., et al. "Detecting targeted attacks using shadow honeypots."
Proceedings of the 14th USENIX Security Symposium. USENIX Association, 2005. 129-144.
Description:
The authors, researchers at the University of Pennsylvania, Columbia University, and FORTH, present
a hybrid system called a Shadow Honeypot. The shadow honeypot partially mirrors the state of a
production system, so that requests flagged as suspicious can be processed by an instrumented copy
of the application instead of the real one. The paper can be found at
http://ics.forth.gr/dcs/Activities/papers/replay.pdf.

2.1.2 Title: Paxson, Vern. "Bro: A System for Detecting Network Intruders in Real-Time."
Computer Networks. 1999. 2435-2463.
Description:

Paxson's journal article describing an early system for real-time network intrusion detection.
The paper introduces a language for describing high-level network usage rules. The article can be
found at http://www.ece.cmu.edu/~adrian/731-sp04/readings/paxson99-bro.pdf.

2.1.3 Title: Provos, Niels. "A Virtual Honeypot Framework." In Proceedings of the 13th
USENIX Security Symposium. 2004. 1-14.

Description:

The paper that laid the groundwork for the honeyd project. Provos describes building virtual
honeypots that meet the need to monitor a large network address space. The paper is located at
http://www.citi.umich.edu/techreports/reports/citi-tr-03-1.pdf.

2.2 List of Textbooks Referred:

2.2.1 Title: Spitzner, Lance. Honeypots: Tracking Hackers. Addison-Wesley Professional, 2002.

Description:

An older book providing a comprehensive discussion of honeypots. Includes an in-depth treatment of
6 honeypots that were available at the time.

2.2.2 Title: honeypot Definition - PC Magazine. pcmag.com. 24 March 2009.

Description:

PC Magazine's encyclopedia entry for honeypot:
http://www.pcmag.com/encyclopedia_term/0,2542,t=honeypot&i=44335,00.asp.
2.2.3 Title: Provos, Niels and Thorsten Holz. Virtual Honeypots: From Botnet Tracking
to Intrusion Detection. Addison-Wesley Professional, 2007.

Description:

A comprehensive book about honeypots, including ethical and legal issues. Has a perfect "5 star"
rating on Amazon.com at the time of writing.

3. HONEY POTS

3.1 History of Honey Pots:


• 1997: Deception Toolkit
• 1998: CyberCop Sting
• 1998: NetFacade (and Snort)
• 1998: Back Officer Friendly
• 1999: Formation of the Honeynet Project
• 2001: Worms captured

3.2 Classification :
There are several possible ways to classify honeypots. Some of the more popular are by the level
of interaction available to the attacker, the type of data collected, and the type of system
configuration.

3.2.1 Level of interaction:


The most common classification is based on the level of interaction the honeypot offers to the
malicious user. The more interactive the environment presented, the closer the honeypot comes to
the real targets of attack, and the more accurate the information that can potentially be gathered.
The downside is that more realistic honeypots are harder to configure and set up, and expose more
of the host to the attacker.
There are three levels :
1) Low-interaction: One or more simple services are made available which log all
communication attempts to specific services, like a web or SSH server. Usually these are just
simple daemons which give the person who configured them a passive way to monitor attack
attempts. The host operating system is not exposed to attacks, so low-interaction honeypots are
fairly safe to run, but they cannot be used where a more complex, interactive environment is
needed, like an SMTP server that must carry on a full dialogue with the attacker.
2) Medium-interaction: Medium-level honeypots begin to emulate collections of software to
present a more convincing front to the attacker, but still shield the host operating system.
Emulating a collection of software can become quite complex, since the emulated programs
should respond the same way as their real counterparts, but must not have the same security
issues, otherwise the emulation will break. Further, there are more points of attack for the
malicious user, so the chance of system compromise is raised.
3) High-interaction: Finally there are high-interaction honeypots. The full host operating
system is presented to the attacker, along with actual instances of programs instead of their
emulations. The usual goal of high-interaction honeypots is for the attacker to gain root access
on the machine, and then to observe what he does. Because of this goal, this level of honeypot
has the highest risk, but also the highest potential for collecting information. Honeypots at this
level need constant supervision, since the attacker will actually control it, and could try to use
it as a jumping-off point for further attacks; outbound connections from the honeypot must
therefore be restricted or rate-limited.
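The low-interaction case above can be illustrated with a few lines of code. The following is an added example written for this section, not code from the report or from any honeypot project: a single fake SSH service that sends a banner, records whatever the client sends first, and then closes. The banner string and the probe payload are constructed for the example; the in-memory EVENTS list stands in for a log file or SIEM feed.

```python
"""Minimal low-interaction honeypot: one fake SSH banner, every connection logged.
Added example for the report's discussion; not honeyd or any other project's code."""
import json
import socket
import socketserver
import threading
import time

# Constructed banner. A real deployment picks one that matches the host OS it imitates.
FAKE_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"
EVENTS = []  # in-memory log; a real deployment writes to a file or a SIEM


def record_event(src_ip, src_port, dst_port, data):
    """Build one log record for a connection attempt (pure, so it is testable)."""
    event = {
        "ts": time.time(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        # Keep only a bounded, escaped copy of the attacker's first bytes.
        "client_data": data[:256].decode("ascii", errors="backslashreplace"),
    }
    EVENTS.append(event)
    return event


class FakeSSHHandler(socketserver.BaseRequestHandler):
    """Sends the banner, reads the client's first message, logs it, closes."""

    def handle(self):
        self.request.settimeout(5)
        self.request.sendall(FAKE_BANNER)
        try:
            data = self.request.recv(1024)
        except socket.timeout:
            data = b""
        record_event(self.client_address[0], self.client_address[1],
                     self.server.server_address[1], data)
        # Returning closes the connection: no real SSH key exchange is attempted,
        # so the host OS is never exposed to the attacker (low interaction).


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start(host="127.0.0.1", port=0):
    """Start the honeypot in a background thread; port 0 picks a free port."""
    srv = Honeypot((host, port), FakeSSHHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(port, payload=b"SSH-2.0-constructed-probe\r\n"):
    """Act as a scanner once: read the banner, send a client string, wait for close."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        banner = b""
        while not banner.endswith(b"\n"):
            banner += s.recv(64)
        s.sendall(payload)
        s.recv(1)  # returns b"" once the honeypot has logged and closed
    return banner


if __name__ == "__main__":
    srv = start()
    print(probe(srv.server_address[1]))
    print(json.dumps(EVENTS, indent=1))
    srv.shutdown()
```

Because the handler never goes beyond the banner, the most an attacker learns is that "something" answers on port 22; in exchange, every record in EVENTS is attacker-originated, which is the property the report calls small data sets of high value.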

3.2.2 Type of data collection:


A second way of classifying honeypots is by looking at what type of data is collected concerning
an attack. A honeypot can be set up to detect and record one or more types of data: events
(things that happen which change something in the honeypot), attacks (attempts by a malicious
user to exploit a vulnerability), and intrusions (successful attacks that penetrate the honeypot).
All three types of data can provide valuable information about the malicious user, and most
honeypots can provide some information from each group.
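The three data types can be recovered from a honeypot's own log. The following added example (written for this section, not part of the report) runs a small classifier over a constructed web-honeypot log: lines that match no attack signature are events, matching lines are attacks, and an attack the honeypot answered with success, or any later activity from that source, is counted as an intrusion. The log lines, the signatures and the success rule are all assumptions chosen for the example.

```python
"""Label honeypot log lines as event / attack / intrusion.
Added example; the log, signatures and success rule are constructed."""
import re
from collections import Counter

# Constructed sample log from a fake web server: time, source, method, path, status.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 GET / 200
2024-05-01T10:00:02Z 203.0.113.7 GET /robots.txt 404
2024-05-01T10:00:05Z 203.0.113.7 GET /cgi-bin/test.cgi?cmd=;id 200
2024-05-01T10:00:09Z 198.51.100.3 POST /wp-login.php 401
2024-05-01T10:00:10Z 198.51.100.3 POST /wp-login.php 401
2024-05-01T10:00:11Z 198.51.100.3 POST /wp-login.php 302
2024-05-01T10:00:14Z 198.51.100.3 GET /wp-admin/ 200
2024-05-01T10:00:30Z 192.0.2.9 GET /../../etc/passwd 403
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")

# Attack signatures: request shapes that have no benign reason to hit a decoy.
ATTACK_PATTERNS = [
    re.compile(r"\.\./"),            # directory traversal
    re.compile(r"[;|`]"),            # shell metacharacters in a query
    re.compile(r"/wp-login\.php$"),  # credential guessing against a fake login
]


def classify(log_text):
    """Return a list of (label, src_ip, path) for each parseable log line."""
    compromised = set()   # sources that already got a successful exploit through
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # ignore malformed lines rather than crash
        _ts, src, _method, path, status = m.groups()
        status = int(status)
        if src in compromised:
            label = "intrusion"          # post-compromise activity from that source
        elif any(p.search(path) for p in ATTACK_PATTERNS):
            if 200 <= status < 400:      # the honeypot "accepted" the exploit
                label = "intrusion"
                compromised.add(src)
            else:
                label = "attack"         # attempted, but rejected
        else:
            label = "event"              # something happened, nothing hostile seen
        results.append((label, src, path))
    return results


def summarize(results):
    """Count labels per source, the view an analyst wants first."""
    return Counter((src, label) for label, src, _path in results)


if __name__ == "__main__":
    res = classify(SAMPLE_LOG)
    for label, src, path in res:
        print(f"{label:9} {src:13} {path}")
    print(summarize(res))
```

On the sample input the first two lines are plain events, the command-injection attempt that returned 200 and the login that returned 302 become intrusions, and everything the second source does after logging in is attributed to the intrusion rather than counted as fresh attacks.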
1) System configuration: Honeypots can work either alone or as a group. A group of
honeypots is commonly referred to as a honeyfarm. Individual honeypots may be simpler to
set up, but they are inherently less powerful and more prone to unintended failure than
honeyfarms, because they lack the load balancing and redundancy of a group of
cooperating servers.
2) Hardware based honeypot: Hardware devices like servers, switches or routers are partially
disabled and used as honeypots. Though they look like real systems, intruders cannot use
them to launch attacks on other servers.

3.2.3 Purpose:

Honeypots are typically used in one of two main fashions: as part of an organization's computer
network monitoring and defense, and by security researchers who are trying to keep up with the
activities of blackhats.
1) Production environment: Honeypots deployed in a production environment serve to alert
administrators to potential attacks in real time. Because of the detailed logging and
information that is available from a honeypot, better defenses against the attacks can be
devised for implementation on the real servers. Production honeypots tend to be reactive in
nature.
2) Research environment: In a research environment, security analysts are trying to figure out
what the next generation of attacks by malicious users will be. These honeypots can be quite
dynamic, as they are adjusted and tweaked to lure attackers and respond to new attack
strategies. Often a research honeypot is actively monitored by a person in real time.

4. HONEYPOT ARCHITECTURE

4.1 Architecture:

Fig 4.1 Architecture of Honey Pots

The architecture, which follows Provos's virtual honeypot framework (honeyd) referred to in the
literature survey, consists of several components:

1) Configuration database
2) Packet dispatcher
3) Personality engine
4) Routing component
5) Protocol handlers

Personality engine: Makes each virtual honeypot look like a chosen operating system to
fingerprinting tools. It uses the fingerprint databases of Nmap (for TCP and UDP) and Xprobe (for
ICMP), and introduces the corresponding changes to the headers of every outgoing packet before it
is sent to the network.
Routing topology: Simulates virtual network topologies. Some honeypots are also configured as
routers. Latency and loss rate can be configured for each edge. It also supports network
tunneling and traffic redirection.
Configuration: Each virtual honeypot is configured with a template, using commands such as
create, set, block, reset, open, add, proxy and bind.
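To make the personality engine concrete, here is an added example (written for this section; it is not honeyd's code) of the header rewriting it performs. It parses a raw IPv4/TCP packet, sets the initial TTL, the Don't-Fragment bit and the TCP window to the values of a chosen personality, and recomputes both checksums so the packet is still valid on the wire. The personality table is constructed for the example; honeyd loads the real values from Nmap's fingerprint file, and a real engine also adjusts TCP options, initial sequence numbers, IP ID behaviour and ICMP quoting, which this toy leaves out.

```python
"""Toy personality engine: rewrite IP/TCP headers so a packet fingerprints as a
chosen OS. Added example, not honeyd's code; fingerprint values are constructed."""
import struct

# Constructed personalities: initial TTL, TCP window size, Don't-Fragment bit.
# honeyd derives these from Nmap's fingerprint database instead.
PERSONALITIES = {
    "linux-like":   {"ttl": 64,  "window": 29200, "df": True},
    "windows-like": {"ttl": 128, "window": 8192,  "df": True},
    "printer-like": {"ttl": 255, "window": 4096,  "df": False},
}


def checksum(data):
    """Internet checksum (RFC 1071); data is padded to an even length."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def apply_personality(packet, name):
    """Return a copy of an IPv4/TCP packet with TTL, DF and window rewritten and
    both checksums recomputed. Non-TCP packets are returned unchanged."""
    p = PERSONALITIES[name]
    pkt = bytearray(packet)
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:          # protocol 6 = TCP
        return bytes(pkt)
    # IPv4 header: flags/fragment at bytes 6-7, TTL at byte 8, checksum at 10-11.
    pkt[8] = p["ttl"]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    flags_frag = (flags_frag | 0x4000) if p["df"] else (flags_frag & ~0x4000)
    struct.pack_into("!H", pkt, 6, flags_frag & 0xFFFF)
    struct.pack_into("!H", pkt, 10, 0)
    struct.pack_into("!H", pkt, 10, checksum(bytes(pkt[:ihl])))
    # TCP header: window at offset 14, checksum at offset 16 from the TCP start.
    tcp = ihl
    struct.pack_into("!H", pkt, tcp + 14, p["window"])
    struct.pack_into("!H", pkt, tcp + 16, 0)
    total_len = struct.unpack("!H", pkt[2:4])[0]
    segment = bytes(pkt[tcp:total_len])
    pseudo = bytes(pkt[12:20]) + struct.pack("!BBH", 0, 6, len(segment))
    struct.pack_into("!H", pkt, tcp + 16, checksum(pseudo + segment))
    return bytes(pkt)


def build_syn_ack(src, dst, sport, dport, ttl=64, window=65535):
    """Construct a bare IPv4/TCP SYN-ACK (no options, no payload) for offline use."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x12, window, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0, ttl, 6, 0, src, dst)
    pkt = bytearray(ip + tcp)
    struct.pack_into("!H", pkt, 10, checksum(bytes(pkt[:20])))
    pseudo = src + dst + struct.pack("!BBH", 0, 6, len(tcp))
    struct.pack_into("!H", pkt, 36, checksum(pseudo + tcp))
    return bytes(pkt)


def fingerprint(packet):
    """What a scanner observes from this packet: (ttl, df, window)."""
    ihl = (packet[0] & 0x0F) * 4
    flags = struct.unpack("!H", packet[6:8])[0]
    window = struct.unpack("!H", packet[ihl + 14:ihl + 16])[0]
    return packet[8], bool(flags & 0x4000), window


def checksums_valid(packet):
    """True if the IP and TCP checksums verify (one's-complement sum is zero)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(segment))
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + segment) == 0


if __name__ == "__main__":
    pkt = build_syn_ack(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 22, 40000)
    for name in PERSONALITIES:
        out = apply_personality(pkt, name)
        print(name, fingerprint(out), checksums_valid(out))
```

The important discipline is the last step of apply_personality: a rewritten header with a stale checksum is dropped by the first router or the scanner's own stack, so the engine has to sit on the send path and fix up checksums after every change, exactly where the text places it ("before it is sent to the network").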

5. IMPLEMENTATION

5.1 Deployment:

Fig 5.1 Deployment of Honey Pots

A honeypot does not need a particular surrounding environment, as it is a standard server with no
special needs.
If the main concern is the Internet, a honeypot can be placed at one of three locations:
• In front of the firewall (Internet side)
• In the DMZ (De-Militarized Zone)
• Behind the firewall (intranet)
The further inside the honeypot sits, the more it reveals about insiders and attackers who have
already passed the perimeter, but also the more damage a compromised high-interaction honeypot
can do, so placement behind the firewall calls for the strictest outbound controls.

5.2 Block Diagram:

Fig 5.2 Block Diagram of Honey Pots

The program is divided into two main applications.


• GUI – Allows an easy way of starting and stopping the servers, searching through collected
data and displaying statistics
• Honeypot Core – Creates and maintains the servers. Collects the data from the users and
updates the databases.

6. WORKING OF HONEY POTS

Fig 6. Working of Honey Pots

Prevention: keeping the bad guys out.
- Honeypots are not effective prevention mechanisms.
- Deception, deterrence and decoys do NOT work against automated attacks: worms,
auto-rooters, mass-rooters.
Detection: detecting the burglar when the hacker breaks in.
- This is where honeypots do great work.
- The purpose is to identify failure or breakdown in prevention.
- Honeypots excel at this capability, due to their advantages (section 7).
- Low-interaction honeypots are best here, since they are easier to deploy.
Response: honeypots can easily be pulled offline.
- Little to no data pollution, since no legitimate production traffic reaches the honeypot.
- They can be quickly taken offline for a full forensic analysis.
- This gives the organization in-depth information about the intruder.

7. ADVANTAGES & DISADVANTAGES OF HONEY POTS

Advantages:
• Small data sets of high value (every connection is suspect)
• New tools and tactics are captured
• Minimal resources
• Encryption does not hide the attack, since activity is observed on the honeypot itself
• Information
• Simplicity

Disadvantages:
• Narrow field of view (a honeypot only sees traffic directed at it)
• Risk (a compromised honeypot can be turned against other systems)
• Expensive
• Difficult to maintain

Legal issues:
• Liability
• Privacy
• Entrapment

Applications:
• Network decoys
• Detecting and countering worms
• Spam prevention

8. CONCLUSION

Honeypots are positioned to become a key tool to defend the corporate enterprise from hacker attacks.
A honeypot is a way to spy on your enemy; it might even be a form of camouflage. Hackers could be
fooled into thinking they've accessed a corporate network, when actually they're just banging around
in a honeypot, while the real network remains safe and sound.
Honeypots have gained a significant place in the overall intrusion protection strategy of the enterprise.
Security experts do not recommend that these systems replace existing intrusion detection
technologies; they see honeypots as a complementary technology to network- and host-based intrusion
protection.
The advantages that honeypots bring to intrusion protection strategies are hard to ignore. In time, as
security managers understand the benefits, honeypots will become an essential ingredient in an
enterprise-level security operation.
We do believe that although honeypots raise legal issues now, they provide beneficial information
regarding the security of a network. It is important that new legal policies be formulated to foster and
support research in this area. This will help to solve the current challenges and make it possible to use
honeypots for the benefit of the broader Internet community.

9. FUTURE HONEYPOTS

• Government projects
• Ease of use
• Closer integration
• Specific purpose
• More services such as FTP, messenger and P2P applications
• Allow administration of multiple servers via the network
• Add the ability to answer as different IP addresses
• Emulate different kinds of web servers other than IIS
• Emulate a more complex telnet session

10. REFERENCES

1) Spitzner, Lance. "Honeypots: Tracking Hackers". Addison-Wesley: Boston, 2002.
2) Spitzner, Lance. "The Value of Honeypots, Part Two: Honeypot Solutions and Legal Issues".
10 Nov. 2002.
3) http://online.securityfocus.com/infocus/1498
4) Spitzner, Lance. "Know Your Enemy: Honeynets". 18 Sep. 2002.
5) http://www.macom.com
6) http://www.enteract.com/honepot.html
7) http://project.honeypot.org/
