Honey Pot

Honey pots are computer systems that act as decoys to attract and monitor hackers. They allow monitoring of attacks without risk to real systems. Different types of honey pots exist, including low-interaction honey pots that emulate services and high-interaction honey pots that use real systems. Honey pots provide benefits like preventing attacks, detecting new threats, and gaining intelligence on attackers through monitoring their activities on the decoy systems.

Uploaded by

Majid Shahgholi
Copyright
© Attribution Non-Commercial (BY-NC)

Honey pot

Dedicated to Sri K. Suresh Babu, associate professor of JNTU, by A. Shahgholi


copy right@2012

Intro
A honeypot is a very flexible tool within a computer system on the Internet that acts as a security device. It is used to attract and trap people who try to penetrate other computers through scans and attacks, so that their methods can be explored and understood. This group includes hackers, crackers and script programmers whose location in the world is not known. Honeypots do not fix a security issue. What makes this tool interesting is that it detects and prevents by misleading the attacker: under close and careful monitoring, hackers are allowed to "hack" something that is not actually in use.


Why honeypot?
A honeypot draws attackers away from the most valuable network resources, which makes those resources easier to protect. A honeypot also gives early warning of attempts at new attacks. An IDS may raise false alarms, whereas whoever reaches a honeypot is almost certainly hostile, because the honeypot is non-productive. Perhaps the most interesting advantage of a honeypot is CYA, the hiding of the equipment: these systems can show that the design of your network security is effective. Recognition of the enemy (techniques and rules) is another reason for the existence of the honeypot.


TEST ONE EXAMPLE COMPUTER HONEYPOT


To test the computer's honeypot, go to another machine and type the IP address of the honeypot host into a web browser. Below you will see that the computer's IP address has been logged. The green is the honeypot's IP address and the red is the malicious host.

TYPES OF HONEYPOTS

Interaction defines the level of activity a honeypot allows an attacker.

Low-interaction honeypots
These have limited interaction; they normally work by emulating services and operating systems. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.

High-interaction honeypots
High-interaction honeypots are different; they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; the attackers are given the real thing. If one wants a Linux honeypot running an FTP. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.

A few examples of honeypots and their varieties are:


BackOfficer Friendly
BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and crew at NFR. It is an excellent example of a low-interaction honeypot and a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as HTTP, FTP, telnet, mail, or BackOrifice. Whenever someone attempts to connect to one of the ports BOF is listening on, it logs the attempt. BOF also has the option of "faking replies", which gives the attacker something to connect to. This way one can log HTTP attacks, telnet brute-force logins, or a variety of other activity (screenshot). The value of BOF is in detection, similar to a burglar alarm. It can monitor only a limited number of ports, but these ports often represent the most commonly scanned and targeted services.

After a quick installation procedure, BOF presents you with a small configuration and viewing screen
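As an added example written for this page (not code from the presentation or from BOF itself), the Python below sketches the low-interaction behaviour just described: it listens on a port, logs every connection attempt, and answers with a fake reply, recording the username and password tried against the emulated telnet login without ever letting anyone in. The banners, port numbers and the single-read session are constructed assumptions, and serve() assumes you may bind the port you pass it.

```python
import socketserver
from datetime import datetime, timezone

# Fake greeting per emulated port (constructed strings, not real daemons)
BANNERS = {21: b"220 ftp ready\r\n", 23: b"login: ", 25: b"220 mail ready\r\n"}
EVENTS = []  # captured attempts; a real deployment forwards these off the box


def emulate(port, peer, received):
    """Log one attempt and return the fake reply for it.
    For telnet (23) the first two lines received are recorded as the
    username/password tried, so brute-force logins are captured; the reply
    is always a failure, because there is nothing to actually log in to."""
    event = {"time": datetime.now(timezone.utc).isoformat(), "peer": peer,
             "port": port, "bytes": received[:128]}
    if port == 23:
        lines = received.decode("latin-1").splitlines()
        event["user"] = lines[0] if lines else ""
        event["password"] = lines[1] if len(lines) > 1 else ""
        reply = b"Login incorrect\r\nlogin: "
    else:
        # Any other emulated service: refuse whatever command was sent
        reply = b"500 command not understood\r\n"
    EVENTS.append(event)
    return reply, event


class DecoyHandler(socketserver.BaseRequestHandler):
    """One connection: greet, take a single read, answer, hang up."""

    def handle(self):
        port = self.server.server_address[1]
        self.request.sendall(BANNERS.get(port, b""))
        data = self.request.recv(1024)  # a single read; the protocol is never served
        reply, event = emulate(port, self.client_address[0], data)
        print("attempt:", event)
        self.request.sendall(reply)


def serve(port):
    """Bind one decoy listener (assumes the port is free and you may bind it)."""
    socketserver.TCPServer.allow_reuse_address = True
    with socketserver.TCPServer(("0.0.0.0", port), DecoyHandler) as srv:
        srv.serve_forever()
```

Run one serve() per emulated port (e.g. in separate threads); because the decoy has no legitimate users, every entry in EVENTS is worth looking at.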

A few examples of honeypots and their varieties are:


Specter
Specter is a commercial product and another 'low interaction' production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, it can emulate not only services but also a variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a web server or telnet server of any operating system. When an attacker connects, they are prompted with an HTTP header or login banner. The attacker can then attempt to gather web pages or log in to the system. This activity is captured and recorded by Specter; however, there is little else the attacker can do. You can see an example of this functionality in a screenshot of Specter.

SPECTER can also be configured remotely from any Windows PC.

A SPECTER system consists of a dedicated PC and the SPECTER software.

A few examples of honeypots and their varieties are:


Honeyd
Created by Niels Provos, Honeyd is an extremely powerful, open-source honeypot. Designed to run on Unix systems, it can emulate over 400 different operating systems and thousands of different computers, all at the same time. Honeyd introduces some exciting new features. First, not only does it emulate operating systems at the application level, like Specter, but it also emulates operating systems at the IP stack level. Second, Honeyd can emulate hundreds if not thousands of different computers all at the same time. While most honeypots can only emulate one computer at any point in time, Honeyd can assume the identity of thousands of different IP addresses. Third, as an open-source solution, not only is it free to use, but it will grow exponentially as members of the security community develop and contribute code.

Recent versions of Honeyd support real-time capture of network traffic ...

You can use a port scanner to confirm that Honeyd is working.



Honeyd monitors unused IP space (1). When an attacker (2) probes an unused IP, Honeyd detects the probe, takes over that IP via ARP spoofing, then creates a virtual honeypot (3) for the attacker to interact with (Honeyd can create multiple virtual honeypots to fool attackers on all unused addresses). The attacker is fooled into thinking he is interacting with a successfully hacked system (4). In addition, Honeyd automatically updates its list of unused IPs as systems are added to or removed from the network.

A few examples of honeypots and their varieties are:


Honeynets
A Honeynet is a network of production systems. Unlike many of the honeypots discussed so far, nothing is emulated. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. This gives the attackers a full range of systems, applications, and functionality to attack.

redirecting an outbound attack in a honeynet

how the Honeynet Research Alliance ...

VALUE OF HONEY POT

We will take a more in-depth look at how a honeypot can work in all three areas: prevention, detection and response.

1. Prevention: Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. Honeypots can also be used to protect the organization from human attackers.

2. Detection: The second way honeypots can help protect an organization is through detection. Detection is critical; its purpose is to identify a failure or breakdown in prevention. Honeypots excel at detection, addressing many of the problems of traditional detection. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. By definition, any time a connection is made to the honeypot, it is most likely an unauthorized probe, scan, or attack.

3. Response: The third and final way a honeypot can help protect an organization is in response. Once an organization has detected a failure, how does it respond? There is often little information on who the attacker is, how they got in, or how much damage they have done. There are two problems compounding incident response. First, often the very systems compromised cannot be taken offline to analyze. Production systems, such as an organization's mail server, are so critical that even though one has been hacked, security professionals may not be able to take the system down and do a proper forensic analysis. The other problem is that even if the system is pulled offline, there is so much data pollution that it can be very difficult to determine what the bad guy did.

Implementation
Honeypot Location

A honeypot does not need a particular surrounding environment, as it is a standard server with no special needs. A honeypot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches than others. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is wished. If the main concern is the Internet, a honeypot can be placed at one of these locations:

- In front of the firewall (Internet)
- DMZ
- Behind the firewall (intranet)

The best solution would be to run a honeypot in its own DMZ, therefore with a preliminary firewall. The firewall could be connected directly to the Internet or intranet, depending on the goal. This approach enables tight control as well as a flexible environment with maximal security.

How does a Honeypot Gather Information


Obviously a honeypot must capture data in an area that is not accessible to an attacker. Data capture happens on a number of levels:

- Firewall logs.
- A packet sniffer (or similar IDS sensor). The IDS should be configured to passively monitor network traffic (for an added level of invisibility, one might set the system up to have no IP address or, in some instances, the sniffer could be configured to completely lack an IP stack). This will capture all cleartext communication, and can read keystrokes.
- Local and remote logs. These should be set up just as they would be on any other system. They will possibly be disabled, deleted, or modified by an experienced hacker, but plenty of useful information will still be available from all the previous capture methods.
- Remotely forwarded logs. These capture data on a remote log and then instantly forward the data to a system even further out of the attacker's reach, so that the attacker cannot be warned that all his activities are watched, nor modify the captured data.

MERITS AND DEMERITS


Merits:

- Small data sets of high value: Honeypots collect small amounts of information. Instead of logging one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it is only the bad guys. This means it is much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
- New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
- Minimal resources: Honeypots require minimal resources, as they only capture bad activity. This means an old Pentium computer with 128 MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
- Encryption or IPv6: Unlike most security technologies (such as IDS systems), honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot; the honeypot will detect and capture it.
- Information: Honeypots can collect in-depth information that few, if any, other technologies can match.
- Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.

MERITS AND DEMERITS


Demerits: Like any technology, honeypots also have their weaknesses. It is because of this that they do not replace any current technology, but work with existing technologies:

- Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.
- Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems.
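As an added example written for this page (not code from the presentation), the Python below turns the detection and data-capture points above into a firewall-log check: every packet whose destination lies in the decoy's unused address range is a probe worth counting, and any packet whose source is a decoy address is raised as an alert, because that is exactly the takeover risk just described. The address range and the iptables-style log lines are constructed sample input.

```python
import ipaddress
import re
from collections import Counter

# Unused address range the decoy answers for (assumed value, Honeyd-style)
HONEYPOT_NET = ipaddress.ip_network("192.0.2.0/28")

# Constructed iptables-style firewall log lines (not from the original slides).
# The last line is traffic FROM a decoy address, which should only happen if
# the honeypot itself has been taken over.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.5 PROTO=TCP SPT=51515 DPT=22
Jan 12 03:14:08 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.6 PROTO=TCP SPT=51516 DPT=22
Jan 12 03:14:09 fw kernel: IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.40 PROTO=TCP SPT=40000 DPT=80
Jan 12 03:14:10 fw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.7 PROTO=TCP SPT=51517 DPT=22
Jan 12 03:15:01 fw kernel: IN=eth1 OUT= SRC=192.0.2.5 DST=198.51.100.77 PROTO=TCP SPT=3333 DPT=6667
"""

FIELDS = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=(\S+) SPT=(\d+) DPT=(\d+)")


def classify(line):
    """Return ('inbound'|'outbound', src, dst, dport) when the decoy range is
    involved, else None. Traffic between production hosts is ignored: only
    the decoy's traffic is suspect by definition."""
    m = FIELDS.search(line)
    if not m:
        return None
    src, dst, _proto, _sport, dport = m.groups()
    if ipaddress.ip_address(dst) in HONEYPOT_NET:
        return ("inbound", src, dst, int(dport))
    if ipaddress.ip_address(src) in HONEYPOT_NET:
        return ("outbound", src, dst, int(dport))
    return None


def summarize(log_text):
    """Count probes per source and collect every outbound event from the decoy."""
    probes, outbound = Counter(), []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        direction, src, dst, dport = hit
        if direction == "inbound":
            probes[src] += 1
        else:
            outbound.append((src, dst, dport))
    return probes, outbound
```

On the sample input, summarize(SAMPLE_LOG) attributes three probes to one source and flags the single outbound connection from the decoy; the scan of 192.0.2.40 is ignored because that address is outside the decoy range.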

FUTURE OF HONEYPOTS
- Government projects: Currently honeypots are mainly used by organizations, to detect intruders within the organization as well as against external threats and to protect the organization. In future, honeypots will play a major role in government projects, especially by the military, to gain information about the enemy and those trying to get at government secrets.
- Ease of use: In future honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home and without difficulty.
- Closer integration: Currently honeypots are used along with other technologies such as firewalls, Tripwire, IDS etc. As technologies develop, honeypots will in future be used in closer integration with them. For example, honeypots are being developed for Wi-Fi or wireless computers. However, the development is still under research.
- Specific purpose: Already certain features such as honeytokens are under development to target honeypots at only a specific purpose, e.g. catching only those attempting credit card fraud.

CONCLUSION
This paper has given in-depth knowledge about honeypots and their contributions to the security community. A honeypot is just a tool. How one uses this tool is up to them. Honeypots are in their infancy, and new ideas and technologies will surface in the coming years. At the same time as honeypots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the blackhat community. Let's hope that such a technology will be used to restore the peace and prosperity of the world and not to give the world a devastating end.

Thank you all very much for taking the time to listen to this presentation

By AbdolMajid Shahgholi, RN: 10031D6404, M.TECH, CNIS (SIT department), JNTU HYDERABAD, INDIA, [email protected]