Introduction to HoneyPots
Types of HoneyPots
Technologies in Honeypots
Introduction to HoneyPots
A honeypot is an intrusion (unwanted access) detection
technique used to study hacker movement and
intended to help improve system defences against
later attacks. It is usually made up of a virtual machine
that sits on a network or a single client.
This includes the hacker, cracker, and script
Types of HoneyPots
Based on deployment, honeypots may be classified as:
1. production honeypots
2. research honeypots
Production honeypots are easy to use, capture only
limited information, and are used primarily by
companies or corporations. Production honeypots are
placed inside the production network with other
production servers by an organization to improve their
overall state of security.
Research honeypots are run to gather information
about the motives and tactics of the Blackhat
community targeting different networks.
Based on design criteria, honeypots can be classified as:
1. pure honeypots
2. high-interaction honeypots
3. low-interaction honeypots
Recently, a new market segment called Deception
Technology has emerged using basic honeypot
technology with the addition of advanced automation
for scale. Deception Technology addresses the
automated deployment of honeypot resources over a
large commercial enterprise or government institution.
Malware honeypots are used to detect malware by
exploiting the known replication and attack vectors of
Spammers abuse vulnerable resources such as open
mail relays and open proxies. Some system
administrators have created honeypot programs that
masquerade as these abusable resources to discover
An email address that is not used for any other
purpose than to receive spam can also be considered a
spam honeypot. Compared with the term
"spamtrap", the term "honeypot" might be more
suitable for systems and techniques that are used to
detect or counter attacks and probes.
Databases often get attacked by intruders using SQL
injection. As such activities are not recognized by
basic firewalls, companies often use database firewalls
for protection. Some of the available SQL
database firewalls provide or support honeypot
architectures so that the intruder runs against a trap
database while the web application remains functional.
Just as honeypots are weapons against spammers,
honeypot detection systems are spammer-employed
counter-weapons. As detection systems would likely
use unique characteristics of specific honeypots to
Two or more honeypots on a network form a honeynet.
Typically, a honeynet is used for monitoring a larger
and/or more diverse network in which one honeypot
may not be sufficient.
The metaphor of a bear being attracted to and stealing
honey is common in many traditions, including
Germanic and Slavic. Bears were at one time called
"honey eaters" instead of by their true name for fear of
attracting the threatening animals.
New Tools and Tactics: They are designed to capture anything
that interacts with them, including tools or tactics never seen
before, better known as “zero-days”.
Minimal Resources: Resource requirements can be minimal
and still be enough to operate a powerful platform at full
scale, e.g. a computer running a Pentium processor
with 128 Mb of RAM can easily handle an entire B-
Information: Honeypots can gather detailed information,
unlike other security incident analysis tools.
Limited Vision: They can only scan and capture activity
destined to interact directly with them. They do not
capture information related to attacks destined towards
neighboring systems, unless the attacker or the threat
interacts with the Honeypot at the same time.
Risk: Inherently, the use of any security technology
implies a potential risk. Honeypots are no different
because they are also subject to risks, specifically being
hijacked and controlled by the intruder and used as a
launch pad for subsequent attacks.
Honeypots are an extremely effective tool for observing
hackers' movements as well as preparing the system for
Although the downside to using honeypots is the amount
of resources used, this is usually countered by
implementing a central analysis module, but this is still a
security risk if that central module goes down.