PUNJAB UNIVERSITY, CHANDIGARH
A SEMINAR REPORT
A seminar report submitted in partial fulfillment of the requirement for the
Under the Guidance of
The work on this project has been an inspiring, often exciting, sometimes challenging, but always interesting experience. It has been made possible by many other people, who have supported me. I take this opportunity to express gratitude to the people who have been instrumental in the successful completion of this project. I gratefully acknowledge the valuable suggestions and contributions from …. and I am also thankful to my college …..
TABLE OF CONTENTS:-
NO. TOPIC
1. Abstract
2. Introduction
3. History of honeypot and honeynet
3.1 Types of honeypot
3.2 Concepts
3.3 Placement of honeypot
3.4 Honeypot detection
3.5 Honeypot over firewall
4.1 Types of honeynet
4.2 Honeynet architecture
4.3 Honeynet generations
4.4 Advantages of honeynet
4.5 Disadvantages of honeynet
4.6 Difference between honeypot and honeynet
4.7 Value of honeynet
5. Advantages
6. Disadvantages
7. Conclusion
8. Bibliography
ABSTRACT
This report gives students an overview of honeypots and honeynets as they are used by the security community. Honeypots and honeynets are a fast-evolving and maturing technology in the IT security world. They are an innovation in the strategy of fighting internet/network attacks.
The purpose of this project is to show how attackers can be tracked. With the help of this manual we can detect or prevent attacks and also learn about attacks. This manual focuses on the description and analysis of honeypots as well as how and where they are used.
INTRODUCTION
To understand honeynets, you need to understand honeypots, because honeynets are one type of honeypot.
Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book “The Cuckoo's Egg” and Bill Cheswick in his paper “An Evening with Berferd”. Since then, honeypots have continued to evolve, developing into the powerful security tools they are today.
The following definition of a honeypot comes from the Honeypot mailing list, a list consisting of about 5000 different security professionals working with honeypot technology.
“A honeypot is a security resource whose value lies in being probed, attacked or compromised.”
A honeypot is a security resource…
This security resource may come in different shapes and sizes. In fact, a honeypot could just as simply be one of your old PCs, a script, or even a digital entity like some made-up patient records.
…whose value lies in being probed, attacked or compromised.
If anyone “touches” our honeypot, then we know someone is creeping around in our network, because no person or resource should be communicating with it. Incoming traffic, or more dangerously outgoing traffic, would be considered unauthorized.
A honeypot is a security resource whose value lies in being probed, attacked or compromised. A honeypot can come in different sizes: it can be one of your old PCs, a script like Honeyd, or an even more complicated setup like a Honeynet.
A honeypot looks and acts like a production system but in reality is not one. Since it is not a production system, nobody is supposed to use it, so it should see no valid traffic. If we do detect traffic, it is most likely malicious.
Concrete definition: “A honeypot is a faked vulnerable system used for the purpose of being attacked, probed, exploited and compromised.”
Honeypots are a resource that has no authorized activity and no production value. Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity; any connection attempt to a honeypot is most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that gives honeypots their tremendous advantages.
HISTORY OF HONEYPOT AND HONEYNET
The concept of the honeypot is not new. As early as 1991, a number of publications expounded on concepts that were to become the foundations of today's honeypot development. Two publications in particular stood out:
1990/1991 - The Cuckoo's Egg and An Evening with Berferd
o Clifford Stoll was an astrophysicist turned systems manager at Lawrence Berkeley Lab. Starting from a 75-cent accounting error, he was able to track down a hacker who was using their computers as a launching pad to break into hundreds of military, industrial, and academic computers in search of secrets. His book “The Cuckoo's Egg”, published in 1989, details his experiences through this three-year incident, in which he observed the hacker and gathered the information that led to the hacker's arrest.
o The other publication of particular note from this period was “An Evening with Berferd” by the well-respected Internet security expert Bill Cheswick. In the paper, Cheswick describes how he and his colleagues set up their jail machine, also known as a roach motel, in which they chronicled a hacker's movements and the bait and traps they used to lure and detect him.
1997 - Deception Toolkit
o The Deception Toolkit (DTK) is one of the original and landmark honeypots. It is essentially a collection of Perl scripts designed for UNIX systems that emulate a variety of known vulnerabilities. The concept put forward by the DTK is “deceptive defense”, which is now central to honeypot concepts.
1998 - CyberCop Sting
o CyberCop Sting is a component of the CyberCop intrusion protection software family, which runs on Windows NT. CyberCop Sting has also been referred to as a “decoy server”, as it can simulate a network containing several different types of network devices, including Windows NT servers, Unix servers and routers. Each of these decoys can track, record, and report intrusive activity to network and security administrators. As with the DTK, each decoy can run simulated services. However, as with most simulated or low-interaction honeypots, CyberCop Sting can only simulate limited functionality, such as telnet logins or SMTP banners, which limits its ability to deceive and to study hackers in the long term.
1998 - NetFacade (and Snort)
o As with CyberCop Sting, NetFacade creates a simulated network of hosts with simulated IP addresses running seemingly vulnerable services, but on a much larger scale. NetFacade can simulate an entire class C network of up to 254 systems. It can also simulate 7 different operating systems with a variety of different services.
1998 - BackOfficer Friendly
o BackOfficer Friendly runs on Windows and was free, giving more people access to honeypot technology. Though it did not offer much functionality, it was still a very useful piece of software that demonstrated the concepts of the honeypot to many people who were not familiar with them at the time.
1999 - Formation of the Honeynet Project
o A group of people led by Lance Spitzner decided to form the Honeynet Project. The Honeynet Project is a non-profit group dedicated to researching the blackhat community and sharing its work with others. Its primary tool for research is the honeynet, an advanced form of honeypot.
2003 - Some Honeypot Tools
o In 2003, several important honeypot tools were introduced through these organizations, such as Snort-Inline, Sebek, and virtual honeynets.
o Snort-Inline augmented Snort to block and disable attacks instead of just alerting on them.
o Sebek provided a means to capture hacker activities in honeypots by logging them from a kernel module on the honeypot itself.
o Virtual honeynets provided a means to deploy multiple honeynets on just one physical machine.
TYPES OF HONEYPOT
Honeypots can be classified by their deployment and by their level of involvement (interaction). Based on deployment, honeypots may be classified as production or research honeypots.
Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. They are placed inside the production network alongside other production servers to improve the organization's overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization; the honeypot adds value to the organization's security measures.
Research honeypots are run by volunteer or non-profit research organizations or educational institutions to gather information about the motives and tactics of the blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face and to learn how to better protect against them. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.
Level of Involvement:
Involvement (interaction) defines the level of activity a honeypot allows an attacker.
Low-Interaction Honeypot
Easy to install and deploy. Usually requires simply installing and configuring software on a host.
Minimal risk, as the emulated services control what attackers can and cannot do.
Captures limited amounts of information, mainly transactional data and some limited interaction.
Honeyd is a low-interaction honeypot. Developed by Niels Provos, Honeyd is open source and designed to run primarily on Unix systems (though it has been ported to Windows). Honeyd works on the concept of monitoring unused IP space. Any time it sees a connection attempt to an unused IP, it intercepts the connection and then interacts with the attacker, pretending to be the victim. By default, Honeyd detects and logs any connection to any UDP or TCP port. In addition, you can configure emulated services to monitor specific ports, such as an emulated FTP server on TCP port 21. When an attacker connects to the emulated service, not only does the honeypot detect and log the activity, it also captures all of the attacker's interaction with the emulated service. In the case of the emulated FTP server, we can potentially capture the attacker's login and password, the commands they issue, and perhaps even learn what they are looking for or their identity.
These honeypots tend to be easier to deploy and maintain, with minimal risk.
Usually they involve installing software, selecting the operating systems and services you
want to emulate and monitor, and letting the honeypot go from there. This plug and play
approach makes deploying them very easy for most organizations.
The emulated services mitigate risk by containing the attacker's activity: the attacker never has access to an operating system from which to attack or harm others.
They log only limited information and are designed to capture known activity.
It is easier for an attacker to detect a low-interaction honeypot; no matter how good the emulation is, a skilled attacker can eventually detect its presence.
Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
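As an added example (not code from this report or from Honeyd itself), the following Python sketch shows the mechanism described above for the emulated FTP service: a low-interaction emulation that answers an FTP login just well enough for an attacker to send credentials, logs every line in both directions, and hands the session log to a collector instead of keeping it on the honeypot. The banner string, the peer address used in the offline replay, and the port number are assumptions made for the example.

```python
import socket
import threading
import time

# Constructed banner: mimics a common FTP daemon so the emulated service looks
# plausible to a scanner. There is no real server behind it.
BANNER = "220 (vsFTPd 2.3.4)\r\n"


class FtpEmulator:
    """Minimal FTP command state machine for a low-interaction honeypot.

    It answers just enough of the protocol for an attacker (or a bot) to send
    credentials and a few commands, and records every line in both directions.
    Logins always fail: there is no file system to expose.
    """

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.closed = False
        self.log = []  # one dict per event: ts, peer, dir (in/out/cred), text

    def _record(self, direction, text):
        self.log.append({"ts": time.time(), "peer": self.peer,
                         "dir": direction, "text": text})

    def handle(self, line):
        """Process one client line; return the reply (with CRLF)."""
        line = line.rstrip("\r\n")
        self._record("in", line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            reply = "331 Please specify the password."
        elif verb == "PASS":
            # The credential pair is the most valuable thing a low-interaction
            # FTP honeypot captures; log it separately for easy extraction.
            self._record("cred", f"{self.user}:{arg}")
            reply = "530 Login incorrect."
        elif verb == "SYST":
            reply = "215 UNIX Type: L8"
        elif verb == "QUIT":
            reply = "221 Goodbye."
            self.closed = True
        else:
            # Anything else (LIST, RETR, exploit strings...) is refused but logged.
            reply = "530 Please login with USER and PASS."
        self._record("out", reply)
        return reply + "\r\n"


def replay(lines, peer="203.0.113.7:51000"):
    """Drive the emulator with a constructed attacker session (no network).

    Returns (replies, credentials_captured) so the logic can be checked offline.
    """
    emu = FtpEmulator(peer)
    replies = [emu.handle(l).strip() for l in lines]
    creds = [e["text"] for e in emu.log if e["dir"] == "cred"]
    return replies, creds


def _serve(conn, addr, sink):
    """Handle one TCP client, then pass the finished session log to `sink`."""
    emu = FtpEmulator(f"{addr[0]}:{addr[1]}")
    buf = b""
    with conn:
        conn.sendall(BANNER.encode())
        while not emu.closed:
            data = conn.recv(1024)
            if not data:
                break
            buf += data
            while b"\n" in buf and not emu.closed:
                raw, buf = buf.split(b"\n", 1)
                conn.sendall(emu.handle(raw.decode("latin-1")).encode())
    sink(emu.log)  # ship the log off the honeypot; never keep it only here


def start_honeypot(host="127.0.0.1", port=0, sink=print):
    """Listen on a TCP port (0 = ephemeral) and return the port actually bound."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_serve, args=(conn, addr, sink), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    p = start_honeypot(port=2121)  # unprivileged port for a demo; a real deployment uses 21
    print(f"fake FTP listening on {p}; Ctrl-C to stop")
    while True:
        time.sleep(60)
```

The `sink` callback is where the "store logs off the honeypot" rule from the Data Capture discussion belongs: in practice it would forward the session to a remote collector rather than `print`. Note that the emulator exposes nothing an attacker can pivot from, which is exactly why low-interaction honeypots carry little risk and why a skilled attacker will eventually notice that no login ever succeeds.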
High-Interaction Honeypot
Has a real underlying operating system.
The attacker has rights on the system.
He is in a jail, a sandbox.
Time-consuming to build and maintain.
All actions can be recorded and analyzed.
High-interaction honeypots are different: they are usually complex solutions, as they involve real operating systems and applications. Nothing is emulated; we give attackers the real thing.
If you want a Linux honeypot running an FTP server, you build a real Linux system running a real FTP server. The advantages of such a solution are twofold. First, you can capture extensive amounts of information. By giving attackers real systems to interact with, you can learn the full extent of their behavior, everything from new rootkits to international IRC sessions.
The second advantage is high-interaction honeypots make no assumptions on how an
attacker will behave. Instead, they provide an open environment that captures all activity.
This allows high-interaction solutions to learn behavior we would not expect.
An excellent example of this is how a Honeynet captured encoded back door commands
on a non-standard IP protocol.
The drawback is increased risk: attackers can use these real operating systems to attack non-honeypot systems. As a result, additional technologies have to be implemented to prevent the attacker from harming other non-honeypot systems.
PLACEMENT OF HONEYPOT
There are various ways to place a honeypot:
In front of the firewall (Internet)
In the DMZ
In computer security, a DMZ, or demilitarized zone, is a physical or logical subnetwork that contains and exposes an organization's external services to a larger untrusted network, usually the Internet. The term is normally referred to as a DMZ by information technology professionals; it is sometimes referred to as a perimeter network. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external attacker only has access to equipment in the DMZ, rather than any other part of the network.
Behind the firewall
A Honeywall is also placed to control the flow of data. Without a Honeywall there is no data restriction.
DETECTION OF HONEYPOT
Hardware/software specific honeypot detection:
Detect a virtual environment via specific code, e.g., timing of responses, memory addresses.
Detect a faulty honeypot program.
Case-by-case detection.
Detection based on a fundamental difference:
Honeypot defenders are liable for attacks sent out from their honeypots; liability law will become mature, and it is a moral issue as well.
Real attackers bear no such liability, so an attacker can check whether a bot can send out malicious traffic or not.
Two-stage reconnaissance to detect a honeypot:
No central sensor is used.
Could be fooled by a double honeypot.
A counterattack against this technique has been described.
Lightweight spearhead code:
Infect, then perform honeypot detection.
Speeds up UDP-based infection.
HONEYPOT OVER FIREWALL
A firewall has limitations that a honeypot can complement:
First, a firewall cannot prevent attacks that do not pass through it, and it cannot inspect data that does not pass through it.
Second, a firewall does not protect the internal network from attacks and security problems that originate inside. Firewalls can be designed to guard against threats from inside as well as outside, trusting no one, but most organizations, for convenience, do not require such inside protection.
Third, a firewall cannot prevent the security threats caused by an improperly configured policy. A firewall is a passive security policy enforcement device: like a guard, it implements security according to its policies and regulations and is not given a free hand.
Fourth, a firewall cannot prevent human or natural damage to itself. A firewall is a security device, but the firewall itself must be kept in a safe place.
Fifth, a firewall cannot prevent attacks that exploit defects in standard network protocols. Once the firewall allows a standard protocol through, it cannot prevent attacks that abuse that protocol's defects.
Sixth, a firewall cannot prevent attacks that exploit vulnerabilities in server systems. If the attack reaches a vulnerable server through a port the firewall allows, the firewall cannot stop it.
Seventh, a firewall cannot prevent the transfer of virus-infected files. The firewall itself has no virus-scanning function, and even with integrated third-party anti-virus software, no product detects every virus.
Eighth, a firewall cannot prevent data-driven attacks: seemingly innocuous mail or copied data that is executed on a host in the internal network may carry out an attack.
Ninth, a firewall cannot prevent internal leaks of secrets. Against a legitimate user inside the firewall who actively leaks, the firewall is powerless.
One of the advantages of honeypot systems is that they greatly reduce the data to be analyzed. For a typical website or mail server, attack traffic is usually swamped by legitimate traffic.
Know Your Enemy: Honeynets
Two or more honeypots on a network form a honeynet.
Traditionally, information security has been primarily defensive. Firewalls, intrusion detection systems, encryption: all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is that it is purely defensive; the enemy has the initiative. Honeypots attempt to change that. The primary purpose of a honeypot is to gather information on threats. This information has different value for different organizations:
Academic research institutions may use honeypots to gather data for research, such as worm activity.
Security organizations may use honeypots to capture and analyze malware for anti-virus research.
Government organizations use them to learn more about who is targeting them.
Honeynets are a prime example of high-interaction honeypots. Honeynets are not a product; they are not a software solution that you install on a computer. Instead, honeynets are an architecture, an entire network of computers designed to be attacked. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a honeynet. All of their activity, from encrypted SSH sessions to emails and file uploads, is captured without their knowledge. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. At the same time, the honeynet controls the attacker's activity. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-honeynet systems.
Another definition: a honeynet is “a network of honeypots that simulates a production network and is configured such that all activity is monitored, recorded and, to a degree, discreetly regulated.”
Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems.
A honeyfarm is a centralized collection of honeypots and analysis tools.
Honeynets are digital network bait, and through deception, they are designed to actually attract intruders.
(Figure: honeypot one, honeypot two and honeypot three together make a honeynet.)
Types of Honeynet:
Distributed honeynet: a distributed network composed of many honeypots.
Virtual honeynet: emulates a virtual network on one physical machine.
HONEYNET ARCHITECTURE
Honeynets are nothing more than an architecture. To successfully deploy a honeynet, the honeynet architecture must be correctly deployed. The key to the honeynet architecture is what we call a “honeywall”. This is a gateway device that separates your honeypots from the rest of the world. Any traffic going to or from the honeypots must go through the honeywall. This gateway is traditionally a layer 2 bridging device, meaning the device should be invisible to anyone interacting with the honeypots.
In the diagram of this architecture (not reproduced here), the Honeywall has 3 interfaces. The first 2 interfaces (eth0 and eth1) are what separate our honeypots from everything else; these are bridged interfaces that have no IP stack. The 3rd interface (eth2, which is optional) has an IP stack allowing for remote administration.
There are several key requirements that a honeywall must implement: Data Control, Data Capture, Data Analysis, and Data Collection. Data Control defines how activity is contained within the honeynet without the attacker knowing it; its purpose is to minimize risk. Data Capture is capturing all of the attacker's activity without the attacker knowing it. Data Analysis is the ability to analyze this data. Data Collection is the ability to collect data from multiple honeynets at a single source. Of all these requirements, Data Control is the most important. Data Control always takes priority, as its role is to mitigate risk. We describe each in more detail below.
Data Control is the containment of activity; it is what mitigates risk. By risk, we mean there is always the potential of an attacker or malicious code using a honeynet to attack or harm non-honeynet systems, or abusing the honeynet in some unexpected way. We want to make every effort possible to ensure that once an attacker is within our honeynet, or a system is compromised, they cannot accidentally or purposefully harm other non-honeynet systems. The challenge is implementing data control while minimizing the attacker's or malicious code's chance of detecting it. This is more challenging than it seems. First, we have to allow the attackers some degree of freedom to act. The more activity we allow the attackers to perform, the more we can potentially learn about them. However, the more freedom you allow an attacker, the more risk there is that they will circumvent Data Control and harm other non-honeynet systems. The balance of how much freedom to give the attacker vs. how much you restrict their activity is a decision every organization has to make for itself.
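To make the Data Control trade-off concrete, here is an added example (my own code, not the Honeywall's own scripts) of the connection-limiting decision a honeywall makes on its bridge: connections initiated by a honeypot are counted per protocol over a sliding time window and dropped once a cap is reached, while inbound attacker traffic and packets belonging to already-established sessions are never interfered with. The caps, the window length, the honeypot address 10.0.0.5 and the attacker/victim addresses are constructed for the example; the Honeywall's real limits are configurable and may differ.

```python
from collections import deque

# Caps on NEW outbound connections one honeypot may open per window.
# These numbers are my assumption for the example, not the Honeywall's defaults.
DEFAULT_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50, "other": 15}
WINDOW_SECONDS = 3600


class OutboundLimiter:
    """Honeywall-style data control on a bridging gateway.

    Only the first packet of a connection *initiated by* a honeypot is counted
    (a SYN for TCP, the first datagram of a new flow otherwise). Inbound
    traffic toward the honeypots and packets inside existing sessions are
    always allowed, so the attacker keeps full freedom to interact with the
    victim while the damage they can do outward is bounded.
    """

    def __init__(self, honeypots, limits=None, window=WINDOW_SECONDS):
        self.honeypots = set(honeypots)
        self.limits = dict(DEFAULT_LIMITS)
        self.limits.update(limits or {})
        self.window = window
        self._hist = {}    # (honeypot_ip, bucket) -> deque of allowed timestamps
        self.dropped = []  # every dropped event, for the analyst to review

    def decide(self, ts, src, dst, proto, new_conn=True):
        """Return 'allow' or 'drop' for one packet seen on the bridge."""
        if src not in self.honeypots or not new_conn:
            return "allow"  # inbound, or part of an already-established flow
        bucket = proto if proto in self.limits else "other"
        q = self._hist.setdefault((src, bucket), deque())
        while q and ts - q[0] >= self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.limits[bucket]:
            self.dropped.append((ts, src, dst, proto))
            return "drop"
        q.append(ts)
        return "allow"


def sample_events():
    """Constructed traffic, as (ts, src, dst, proto, new_conn) tuples.

    An attacker logs into honeypot 10.0.0.5, then uses it to SYN-scan a third
    party (40 SYNs in under a minute), sends some pings, and an hour later
    tries a few more connections.
    """
    hp, attacker, victim = "10.0.0.5", "203.0.113.7", "198.51.100."
    ev = [(0, attacker, hp, "tcp", True)]                              # inbound session
    ev += [(60 + i, hp, victim + str(i), "tcp", True) for i in range(1, 41)]
    ev += [(200, hp, attacker, "tcp", False)]                          # reply in that session
    ev += [(300 + i, hp, victim + str(i), "icmp", True) for i in range(1, 11)]
    ev += [(3700 + i, hp, victim + str(i), "tcp", True) for i in range(1, 6)]  # next window
    return ev


def run(events, honeypots=("10.0.0.5",)):
    """Apply the limiter; return (allowed, dropped) counts per protocol."""
    lim = OutboundLimiter(honeypots)
    allowed, dropped = {}, {}
    for ts, src, dst, proto, new in events:
        tally = allowed if lim.decide(ts, src, dst, proto, new) == "allow" else dropped
        tally[proto] = tally.get(proto, 0) + 1
    return allowed, dropped


if __name__ == "__main__":
    a, d = run(sample_events())
    print("allowed:", a)
    print("dropped:", d)
```

With the sample traffic the scan is cut off after 15 SYNs, the pings and the attacker's own session are untouched, and the honeypot is allowed to connect out again once the hour has rolled over: enough freedom for an attacker to fetch tools and chat on IRC, but not enough to run a useful scan or flood from inside the honeynet. The cap is the "how much freedom" knob the paragraph above says each organization must set for itself.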
Data Capture is the monitoring and logging of all of the threat's activities within the
honeynet. It is this captured data that is then analyzed to learn the tools, tactics, and
motives of attackers. The challenge is to capture as much data as possible without the
threat detecting the process. As with Data Control, one of the primary lessons learned for
Data Capture has been the use of layers. It is critical to use multiple mechanisms for
capturing activity. Not only does the combination of layers help piece together all of the
attacker's actions, but it prevents having a single point of failure. The more layers of
information that are captured, at both the network and host level, the more that can be
learned. To minimize the ability of attackers to detect our capture mechanisms, there are
two ways. First, make as few modifications to the honeypots as possible: the more modifications you make, the greater the chance of detection. Second, captured data should not be stored locally on the honeypots themselves. Not only could this data be detected by attackers, it could also be modified or deleted. As such, captured data must be logged and stored on a separate, secured system.
Data Analysis is the third requirement. Remember, the entire purpose of a honeynet is information. A honeynet is worthless if you have no ability to convert the data it collects into information; you must have some ability to analyze the data. Different organizations have different needs, and as such will have different data analysis requirements.
Data Collection applies only to organizations that have multiple honeynets in distributed
environments. Most organizations will have only one single honeynet, what we call a
standalone deployment. As such they do not need to worry about Data Collection.
However, organizations that have multiple honeynets logically or physically distributed
around the world have to collect all of the captured data and store it in a central location.
This way the captured data can be combined, exponentially increasing its value. The Data
Collection requirement provides the secure means of centrally collecting all of the
captured information from distributed honeynets.
Implementing all of these requirements is extremely difficult, complex, and time consuming. In the past it took a great deal of time and effort to deploy such an architecture. However, today the Honeynet Project has developed a rapid and simple way for an organization to deploy such functionality, called the Honeywall CDROM. The purpose of this bootable CDROM is to make it simple to rapidly build and deploy a honeywall, the critical component of the honeynet architecture. You simply boot the Honeywall CDROM on a computer with multiple NICs, and it automates the build process of a honeywall, implementing all of the requirements just discussed.
TYPES OF HONEYNETS
GenI (first generation): effective at catching automated activity such as worms, script kiddies, auto-rooters and mass-rooters. GenI is no longer recommended for deployment.
GenII (second generation): simpler to deploy, harder to detect, and safer to maintain. They utilize more advanced data control and data capture mechanisms.
Virtual Honeynets are designed to make deployment much easier to manage.
Distributed Honeynets are multiple Honeynets deployed across large networks or across the Internet. They exponentially increase the information collected.
Generation I
The Gen I Honeynet was developed in 1999 by the Honeynet Project. The architecture was simple, with a firewall aided by an IDS as the gateway and honeypots placed behind it. This architecture required 2 interfaces on the Honeywall gateway, one facing the external network and one facing the honeypots' internal network. This architecture was flawed, as the gateway, acting as a layer 3 device, could be detected by attackers.
The main advantage is that you can remotely manage the Honeynet gateway from outside by allowing a connection from a select IP address on the Internet.
Combining IDS and firewall on a single machine reduces the hardware requirements to just two machines, although this is a bit riskier.
Generation II & III
The change in architecture was brought about by the introduction of a single device that handles the data control and data capture mechanisms of the Honeynet, called the IDS Gateway or the Honeywall. This is implemented as a transparent bridge.
Gen II Honeynets were first introduced in 2001 and Gen III Honeynets were released at the end of 2004. Gen II Honeynets were made in order to address the deficiencies in Gen I Honeynets. Gen II and Gen III Honeynets have the same architecture, the only difference being improvements in deployment and management in Gen III Honeynets, along with the addition of a Sebek server built into the gateway; this is known as the Honeywall. This architecture incorporates 3 interfaces on the Honeywall: two interfaces act as a bridge between the external network and the internal honeypot network, while the third interface is used for management and configuration tasks.
Risk means different things to different organizations; you will have to identify which risks are important to you. There are four general areas of risk: harm, detection, disabling, and violation.
o Harm is when a Honeynet is used to attack or harm other non-honeynet systems.
o Detection: once the true identity of a Honeynet has been identified by the blackhats, its value is greatly reduced.
o Disabling: the risk of an attacker disabling Honeynet functionality by attacking either the data control or the data capture routines.
o Violation is the catch-all for the remaining risk; an example is an attacker using a Honeypot to upload and then distribute contraband or illegal material.
In all four cases, there are two steps that help mitigate these risks: human monitoring and customization.
o Human means having a trained professional monitoring and analyzing your Honeynet in real time.
o Customization is critical. A simple default installation that has no purpose or system activity is a giveaway of a Honeypot.
Advantages of Honeynet:
• High Data Value
• Low Resource Cost (a weak or retired system is enough)
• Simple Concept, Flexible Implementation
• Return on Investment (proof of effectiveness)
• Catch new attacks
Disadvantages of honeynet:
• In reference to risk, there are four general areas to cover:
Harm: when a honeynet is used to attack or harm other, non-honeynet systems. E.g. an attacker may break into a honeynet and then launch an outbound attack never seen before, successfully harming or compromising its intended victim.
Detection: once the true identity of a honeynet has been identified, its value is dramatically reduced. The attacker can ignore or bypass the honeynet, eliminating its capability for capturing information.
Disabling: attackers may want to not only detect a honeynet's identity but disable its Data Control or Data Capture capabilities, potentially without the honeynet administrator knowing that the functionality has been disabled (e.g. feeding the honeypot bogus activity, making the administrator think that data capture is still functioning and recording activity when it is not).
Violation: attackers may attempt criminal activity from your compromised honeynet without actually attacking anyone outside it. E.g. attackers using a honeypot to upload and then distribute illegal material. Remember, this individual broke into your system on their own initiative. If detected, this illegal activity would be attributed to you by way of it being on your system, and you may then have to prove that it was in fact not you who was responsible for this activity.
Before investing in honeynet technology for your corporation, there are a couple of issues that you must consider and work out first. One topic that needs to be addressed is the cost of a honeynet: what kind of budget goes into deploying and maintaining it? The first item is the equipment needed. Because of the simplicity of a honeynet, the systems to set one up are inexpensive; the total cost for all the systems depends on how many honeypots you wish to have in your complete honeynet. Then there are the network utilities and the Internet connection. Finally there is staff time, which could be one or more employees depending on their knowledge and experience and on the length of the deployment. Some of the topics that need to be discussed are management, operations, and cleanup.
Value of Honeynet:
Helps the organization defend and react.
Provides an organization with information on its own risk.
Tests your abilities.
Determines which systems are compromised within the production network.
Risks and vulnerabilities are discovered.
Especially valuable for research.
ADVANTAGES OF HONEYPOTS
Honeypots are a tremendously simple concept, which gives them some very powerful strengths.
Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a GB of data a day, they may log only a MB of data a day. Instead of generating 10,000 alerts a day, they may generate only 10. Remember, honeypots only capture bad activity; any interaction with a honeypot is most likely unauthorized or malicious. As such, honeypots reduce 'noise' by collecting only small data sets, but information of high value, as it is only the bad guys. This means it is much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
New tools and tactics: Honeypots are designed to capture anything thrown at them, including
tools or tactics never seen before.
Minimal resources: Honeypots require minimal resources, they only capture bad activity.
This means an old Pentium computer with 128MB of RAM can easily handle an entire class
B network sitting off an OC-12 network.
Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots
work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a
honeypot, the honeypot will detect and capture it.
Information: Honeypots can collect in-depth information that few, if any, other technologies can.
Simplicity: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.
Protection: Honeypots can also help protect an organization, particularly in the area of response.
Attack prevention: One way that honeypots can help defend against automated attacks is by slowing their scanning down, potentially even stopping it. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a window size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated your network.
DISADVANTAGES OF HONEYPOTS
Like any technology, honeypots also have their weaknesses. It is because of this that they do not replace any current technology, but work with existing technologies.
Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems unless the attacker or threat also interacts with the honeypots.
Risk: All security technologies have risk. Firewalls have the risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different; they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and used to harm other systems. This risk varies between honeypots. Depending on the type of honeypot, it can have no more risk than an IDS sensor, while some honeypots carry a great deal of risk.
CONCLUSION
The purpose of this report was to define what honeypots and honeynets are and their value to the security community. We identified two different types of honeypots, low-interaction and high-interaction honeypots. Interaction defines how much activity a honeypot allows an attacker. The value of these solutions lies in both production and research purposes. Honeypots can be used for production purposes by preventing, detecting, or responding to attacks. Honeypots can also be used for research, gathering information on threats so we can better understand and defend against them.
BIBLIOGRAPHY
The Honeynet Project, “Know Your Enemy: Honeynets”.
“Honeypots - Definitions and Value of Honeypots”.
Reto Baumann, Christian Plattner, “White Paper: Honeypots”, 2002.