Linux.com

Feature: Security

'Know Your Enemy': Everything you need to know about honeypots

By Lance Spitzner on September 27, 2004 (8:00:00 AM)


Honeypots are a relatively new and highly dynamic technology. Because they are so dynamic, it is difficult to define just what they are. Honeypots are unique in that they are not a solution in and of themselves; they do not solve a specific security problem. Instead, they are highly flexible tools with many different information security applications.

Types of honeypots

To better understand honeypots, we can divide them into two general categories: low interaction and high interaction. Interaction is the amount of activity a honeypot allows an attacker to have with that honeypot. The more interaction a honeypot allows, the more an attacker can do with the honeypot and the more you can learn. However, the more the attacker can do, the greater the risk. Low-interaction honeypots allow for a limited amount of interaction, whereas high-interaction honeypots allow for an extensive amount of interaction. While these categories are general in nature, they help us better understand the capabilities and limitations of the honeypots we are dealing with.

Low-interaction honeypots

Low-interaction honeypots work primarily by emulating systems and services. Attackers' activities are contained to what the emulated services allow. For example, the BackOfficer Friendly honeypot shown in Figure 2-1 is an extremely simple honeypot that emulates seven different services. Attackers are very limited in what they can do with the honeypot, since they can only exercise the emulated services. At the most, attackers can connect to the honeypot and issue a few basic commands.

Low-interaction honeypots tend to be easier to deploy as they usually come preconfigured with a variety of options for the administrator. You merely have to point and click, and you instantly have a honeypot with the operating system, services, and behavior you want, as we see in the interface for Specter, shown in Figure 2-2. Specter is a commercial honeypot designed to run on Windows. It can emulate up to 13 different operating systems and monitors 14 different services. User interfaces make deploying honeypots very simple, as you merely have to click on the services you want monitored and how you want the honeypot to behave.

Low-interaction honeypots also have minimal risk, as the emulated services contain attackers, limiting what they can and cannot do. There is no real operating system for the attacker to upload toolkits to, nor are there any services they should be able to actually break into.

However, emulated services are also limited in the amount of information they can capture, as attackers have limits as to what they can do. Also, emulated services primarily work best with known behavior or expected attacks. When attackers do something unknown or unexpected, low-interaction honeypots have difficulty understanding the attacker's actions, responding properly, or capturing the activity. Some examples of low-interaction honeypots include Honeyd, Specter, and KFSensor. To better understand how a low-interaction honeypot works, let's take a quick look at the Honeyd honeypot.

Low-interaction honeypot example: Honeyd

Honeyd is an open source honeypot that was developed by Niels Provos and was first released in April 2002. As an open source solution, Honeyd is free to use and provides users with full access to its source code. Developed and designed for UNIX, Honeyd has also been ported to Windows. However, the Windows port lacks many of the features the UNIX version has. Honeyd is a typical low-interaction honeypot: you install the software on a computer, and that software then emulates hundreds of different operating systems and services. By editing the configuration file, you determine which IP addresses Honeyd will monitor, the types of operating systems it will emulate, and the services it will emulate.

For example, you can tell Honeyd to emulate a Linux 2.4.14 kernel system with an emulated File Transfer Protocol (FTP) server listening on port 21. If attackers probe the honeypot, they will believe they are interacting with a Linux system. If attackers connect to the FTP service, they will be deceived into thinking they are interacting with the wu-ftpd service. The emulated script behaves in many of the same ways a real wu-ftpd service would behave, logging all of the attacker's activities. However, the script is nothing more than a program that expects specific input from the attacker and then returns a predetermined output. If the attacker does something the emulated script is not programmed to react to, the script merely returns an error message.

The following is some of the source code of the emulated wu-ftpd service script that comes with Honeyd.

    # The attacker's command line has already been read and uppercased into
    # $incmd_nocase, with its first argument in $parm1 (variable names as used by
    # the script); the surrounding case statement is restored here so the excerpt
    # reads as a complete unit.
    case $incmd_nocase in
        QUIT* )
            echo -e "221 Goodbye.\r"
            exit 0;;
        SYST* )
            echo -e "215 UNIX Type: L8\r"
            ;;
        HELP* )
            echo -e "214-The following commands are recognized.\r"
            echo -e "   USER    PORT    STOR    MSAM*   RNTO    NLST    MKD\r"
            echo -e "   PASS    PASV    APPE    MRSQ*   ABOR    SITE    XMKD\r"
            echo -e "   ACCT*   TYPE    MLFL*   MRCP*   DELE    SYST    RMD\r"
            echo -e "   SMNT*   STRU    MAIL*   ALLO    CWD     STAT    XRMD\r"
            echo -e "   REIN*   MODE    MSND*   REST    XCWD    HELP    PWD\r"
            echo -e "   QUIT    RETR    MSOM*   RNFR    LIST    NOOP    XPWD\r"
            echo -e "214 Direct comments to ftp@$domain.\r"
            ;;
        USER* )
            # upper-case the argument so "anonymous" and "ANONYMOUS" match alike
            parm1_nocase=`echo $parm1 | gawk '{print toupper($0);}'`
            if [ "$parm1_nocase" == "ANONYMOUS" ]
            then
                echo -e "331 Guest login ok, send e-mail as password.\r"
                AUTH="ANONYMOUS"
            else
                echo -e "331 Password required for $parm1\r"
                AUTH=$parm1
            fi
            ;;
    esac

Notice how in the script, Honeyd expects specific input and then has predetermined responses to that input. If the emulated FTP service gets input it does not expect, it returns an error message. Honeyd includes several features not common to many low-interaction honeypots. First, not only does it emulate operating systems by modifying the behavior of emulated services, it also emulates operating systems at the IP stack level. If an attacker uses active fingerprinting methods (such as security scanning tools Nmap or Xprobe), Honeyd responds at the IP stack level as whatever operating system you want. In addition, unlike most low-interaction honeypots, Honeyd can monitor literally millions of IP addresses. Honeyd does this not by monitoring the IP address of the computer it's installed on; instead, it monitors all of the unused IP addresses in your network. When Honeyd identifies a connection attempt to an unused IP, it intercepts that attempt, dynamically assumes the identity of the victim, and then interacts with the attacker. This capability dramatically increases Honeyd's chances of interacting with an attacker.
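The same expect-fixed-input, return-canned-output pattern, written here in Python as an added illustration (this is not Honeyd's code or the book's): a handful of FTP commands get scripted replies, anything unscripted gets a generic error, and every line the attacker sends is recorded. The banner text is constructed.

```python
# Added example, not Honeyd code: a low-interaction FTP emulator in the style of
# Honeyd's wu-ftpd script. Known commands get canned replies, anything else gets a
# generic error, and every line the attacker sends is recorded for later analysis.
from dataclasses import dataclass, field

BANNER = "220 ftp.example.lab FTP server ready."  # constructed banner

@dataclass
class Session:
    user: str = ""
    logged_in: bool = False
    closed: bool = False
    log: list = field(default_factory=list)  # everything the attacker typed

def handle(s: Session, line: str) -> str:
    """Return the scripted reply for one attacker command line."""
    s.log.append(line)                 # capture the input before deciding anything
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()                # like parm1_nocase in the sh script
    if verb == "USER":
        s.user = arg
        if arg.upper() == "ANONYMOUS":
            return "331 Guest login ok, send your complete e-mail address as password."
        return f"331 Password required for {arg}"
    if verb == "PASS":
        if not s.user:
            return "503 Login with USER first."
        if s.user.upper() == "ANONYMOUS":
            s.logged_in = True
            return "230 Guest login ok, access restrictions apply."
        return "530 Login incorrect."  # there is no real account to break into
    if verb == "SYST":
        return "215 UNIX Type: L8"
    if verb == "QUIT":
        s.closed = True
        return "221 Goodbye."
    # Nothing is scripted for this input, so the emulator can only answer with a
    # generic error: the low-interaction limitation the text describes.
    return f"500 '{line.strip()}': command not understood."

def run_session(lines: list) -> tuple:
    """Replay a captured transcript; return (replies sent, attacker input log)."""
    s = Session()
    replies = [BANNER]
    for line in lines:
        if s.closed:                   # the script exits on QUIT, as Honeyd's does
            break
        replies.append(handle(s, line))
    return replies, s.log
```

Feeding a transcript such as `["USER anonymous", "PASS a@b.c", "SYST", "PASV", "QUIT"]` to `run_session` shows the honeypot's real product: the input log, not the replies.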

High-interaction honeypots

High-interaction honeypots are very different from low-interaction honeypots as they provide entire operating systems and applications for attackers to interact with. High-interaction honeypots do not emulate; instead, they are real computers with real applications to be broken into. The advantages provided by high-interaction honeypots are tremendous. For one, they are designed to capture extensive amounts of information. Not only can they detect attackers probing a system, they also allow attackers to break into the service and gain access to the operating system. You can then capture the attackers' rootkits as they upload them onto the systems, analyze their keystrokes as they interact with the computer, and monitor their communications as they talk with other attackers. As a result, you can learn attackers' motives, skill levels, organization, and other critical information.

Also, since high-interaction honeypots do not emulate, they are designed to capture new, unknown, or unexpected behavior. Time and time again, high-interaction honeypots have demonstrated the capability to capture new activity, everything from nonstandard IP protocols used for covert command channels, to tunneling IPv6 in an IPv4 environment to hide communications. However, these tremendous capabilities come at a price. First, high-interaction honeypots pose a high level of risk. Since attackers are provided real operating systems to interact with, these same honeypots can be used to attack or harm other non-honeypot systems. Second, high-interaction honeypots are complex. You don't simply install software and instantly have a honeypot. Instead, you need to build and configure real systems for the attackers to interact with. Also, a great deal of complexity is added as you attempt to minimize the risk of attackers using your honeypots to harm or attack other people.

Two examples of high-interaction honeypots are Symantec's Decoy Server and honeynets. As this entire book is dedicated to honeynets, we will not discuss them in this chapter. However, to give you a better idea of high-interaction honeypots, we will spend a moment discussing Decoy Server.

High-interaction honeypot example: Symantec Decoy Server

Decoy Server is a commercial honeypot sold by Symantec. As a high-interaction honeypot, Decoy Server does not emulate operating systems or services. Instead, it creates real systems and real applications for attackers to interact with. Currently, Decoy Server works only on the Solaris operating system, both SPARC and Intel platforms. Decoy Server is a software program that is installed on an existing Solaris computer. The software then takes the existing host system and creates up to four identical "cages," each cage being a honeypot. Each cage has a separate operating system with its own file system. Attackers interact with the cages just as they would with real operating systems. What attackers don't realize is that their every action and keystroke is being logged and recorded by the honeypot. Figure 2-3 shows a logical diagram of how this technology works.

Figure 2-3. Logical diagram of Decoy Server: Cage 1, Cage 2, Cage 3, and Cage 4 running on the host operating system.

Low-interaction vs. high-interaction honeypots

Keep in mind when choosing low-interaction or high-interaction honeypots that no one type of honeypot is better than the other. Each type of honeypot has its own unique advantages and disadvantages. Different organizations have different goals and therefore use different honeypots. One common trend is that, in general, commercial organizations (such as banks, manufacturing, or retail stores) prefer low-interaction honeypots as they are low risk, easy to deploy, and simple to maintain. High-interaction honeypots are more common among organizations that need the unique capabilities of high-interaction solutions and can manage the risk, such as military, government, and educational organizations. Table 2-1 compares the advantages and disadvantages of low- and high-interaction honeypots.

Table 2-1. Advantages and disadvantages of low-interaction and high-interaction honeypots

Low-interaction honeypots (emulate operating systems and services)

  • Easy to install and deploy; usually requires simply installing and configuring software on a computer
  • Minimal risk, as the emulated services control what attackers can and cannot do
  • Captures a limited amount of information, mainly transactional data and some limited interaction

High-interaction honeypots (no emulation; provide real operating systems and services)

  • Can be complex to install or deploy (commercial versions tend to be much simpler)
  • Increased risk, as attackers are provided real operating systems to interact with
  • Can capture far more information than low-interaction honeypots, including new tools, communications, or attacker keystrokes

