PRESENTED BY KAJAL MITTAL
B.TECH(IT) 5TH SEM
DATE – 11TH SEPTEMBER, 2013
Countermeasure to detect or prevent attacks
Know attack strategies
Gather information which is then used to better
identify, understand and protect against
Divert hackers from productive systems
Internet security is hard
New attacks every day
Our computers are static targets
What should we do?
The more you know about your enemy, the better you
can protect yourself
Malicious code or malicious software is a
software program designed to
access a computer without the owner's
consent or permission.
Problem(s) via computer
A honeypot can be almost any type of server or
application that is meant as a tool to catch or trap an
A honeypot is an Internet-attached server that acts as a
decoy, luring in potential hackers in order to study
their activities and monitor how they are able to
break into a system.
History of Honeypots
1990/1991 The Cuckoo’s Egg and Evening with
1997 - Deception Toolkit
1998 - CyberCop Sting
1998 - NetFacade (and Snort)
1998 - BackOfficer Friendly
1999 - Formation of the Honeynet Project
2001 - Worms captured
The idea of honeypots began in 1991 with two
publications, “The Cuckoo's Egg” and “An Evening with
“The Cuckoo's Egg” by Clifford Stoll was about his
experience catching a computer hacker that was in his
corporation searching for secrets.
The other publication, “An Evening with Berferd” by Bill
Cheswick, is about a computer hacker’s moves through
traps that he and his colleagues used to catch him. In both
of these writings were the beginnings of what became
The first type of honeypot was released in 1997,
called the Deception Toolkit. The point of this kit was
to use deception to attack back.
In 1998 the first commercial honeypot came out. This
was called CyberCop Sting.
In the year 2005, the Philippine Honeypot Project
was started to promote computer safety over in the
What is a Honeypot?
In computer terminology, a honeypot is a trap set to
detect, deflect, or in some manner counteract
attempts at unauthorized use of information
Generally it consists of a computer, data, or a
network site that appears to be part of a network, but
is actually isolated and monitored, and which seems
to contain information or a resource of value to
In front of the firewall (Internet)
DMZ: its purpose is to add an additional layer of security to
an organization's local area network (LAN).
Behind the firewall
Types of Honeypots
By level of interaction
Level of Interaction
Low-interaction honeypots:
Easy to deploy, minimal risk
Simulate services frequently requested by attackers
High-interaction honeypots:
Highly expensive to maintain
Can be compromised completely, higher risk
Provide more security by being difficult to detect
Pure honeypots are full-fledged production systems.
The activities of the attacker are monitored using a casual tap
that has been installed on the honeypot's link to the network.
No other software needs to be installed.
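A minimal low-interaction honeypot of the kind described above, written for this deck as an added example (it is not Honeyd or any other project's code): it emulates only the FTP login dialogue, refuses every password and records each attempt as one small event, which is where the low risk and the high data value of this type come from. The sample session, port 2121 and the JSON log format are assumptions of the example.

```python
import json
import socketserver
from datetime import datetime, timezone

BANNER = "220 FTP server ready"  # kept generic: a distinctive banner invites fingerprinting
# Constructed sample of what a credential-guessing client might send (not captured traffic).
SAMPLE_SESSION = ["USER admin", "PASS admin", "USER admin", "PASS 123456", "QUIT"]

class FakeFtpSession:
    """Emulates only the FTP USER/PASS dialogue (RFC 959 reply codes); nothing is ever
    authenticated or executed, so every USER/PASS pair is just one small logged event."""
    def __init__(self, peer):
        self.peer, self.user, self.events = peer, None, []

    def respond(self, line):
        """Return the reply to one client command and record what it reveals."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            return "331 Password required"
        if verb == "PASS":
            self.events.append({"ts": datetime.now(timezone.utc).isoformat(),
                                "peer": self.peer, "user": self.user, "password": arg})
            self.user = None
            return "530 Login incorrect"  # always refuse; the guesses keep coming
        if verb == "QUIT":
            return "221 Goodbye"
        return "530 Please login with USER and PASS"

def run_session(peer, lines):
    # Replay client lines offline; returns (replies, captured events).
    session = FakeFtpSession(peer)
    return [session.respond(line) for line in lines], session.events

class Handler(socketserver.StreamRequestHandler):
    """Network front-end: one FakeFtpSession per TCP connection, events as JSON lines."""
    def handle(self):
        session = FakeFtpSession(self.client_address[0])
        self.wfile.write((BANNER + "\r\n").encode())
        for raw in self.rfile:
            reply = session.respond(raw.decode(errors="replace"))
            self.wfile.write((reply + "\r\n").encode())
            if reply.startswith("221"):
                break
        for event in session.events:
            print(json.dumps(event))

if __name__ == "__main__":
    print(json.dumps(run_session("203.0.113.9", SAMPLE_SESSION)[1]))  # offline replay
    socketserver.TCPServer(("0.0.0.0", 2121), Handler).serve_forever()  # decoy host, unused port
```

Because the service only answers with fixed reply codes, everything it logs is by definition unsolicited traffic, which is the narrow field of view and the low data pollution the later slides describe.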
Level of Interaction
By implementation basis
Own IP Addresses
Simulated by other machines that:
Respond to the traffic sent to the honeypots
May simulate a lot of (different) virtual honeypots at the
How do HPs work?
Basis of Deployment
Based on deployment, honeypots may be classified as
1. Production honeypots
2. Research honeypots
Production HPs: Protect the systems
Keeping the bad guys out
Not effective prevention mechanisms.
Deception, Deterrence, Decoys do NOT work against
automated attacks: worms, auto-rooters, mass-rooters
Detecting the burglar when he breaks in.
Can easily be pulled offline
Little to no data pollution
Research HPs: gathering information
Collect compact amounts of high value information
Discover new Tools and Tactics
Understand Motives, Behavior, and Organization
Develop Analysis and Forensic Skills
Do not add direct value to a specific organization
Honeyd: A virtual honeypot application, which allows us
to create thousands of IP addresses with virtual machines
and corresponding network services.
What is a Honeynet
High-interaction honeypot designed to:
capture in-depth information
learn who would like to use your
system without your permission
for their own ends
It's an architecture, not a product or software.
Populate with live systems.
Can look like an actual production system
Provides security to the systems.
Data Value : Honeypots can give you the precise information
you need in a quick and easy-to-understand format.
Resources : The honeypot only captures activities directed at
itself, so the system is not overwhelmed by the traffic.
It can be a relatively cheap computer.
Simplicity : There are no fancy algorithms to develop, no
signature databases to maintain, no rule bases to misconfigure.
Narrow Field of View : They only see what activity is
directed against them.
Fingerprinting : Fingerprinting is when an attacker
can identify the true identity of a honeypot because
it has certain expected characteristics or behaviors.
Risk : By risk, we mean that a honeypot, once
attacked, can be used to attack, infiltrate, or harm
other systems or organizations.
Just the beginning for honeypots.
Honeypots are not a solution, they are a flexible tool
with different applications to security.
Primary value in detection and information
Yet, honeypot technology is moving ahead
rapidly, and, in a year or two, honeypots will be
hard to ignore.