Published on

  • Be the first to comment


  1. 1. An Introduction to The Honeypots<br />Shashwat Shriparv<br />dwivedishashwat@gmail.com<br />InfinitySoft<br />
  2. 2. 2<br />Content<br />Definition <br />Three Architectures<br />Applications<br />Advantages and disadvantages<br />Future Work<br />
  3. 3. 3<br />Definition <br />Honeypot<br />Honeypot is a trap set to detect, deflect or in some manner counteract attempts at unauthorized use of information systems.. <br />
  4. 4. How it works<br />Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity<br />4<br />
  5. 5. 5<br />Type of Honeypot<br />Purposes<br />Production / Research<br />Characteristics<br />Low / High Interactivity<br />
  6. 6. 6<br />Low-Interaction vs. High-Interaction<br />
  7. 7. 7<br />Value of Honeypots<br />Prevention<br />Detection<br />Response<br />Research Purpose<br />
  8. 8. Prevention<br />Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system<br />8<br />
  9. 9. Detection<br />Detection is critical, its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reasons then humans are involved in the process. By detecting an attacker, we can quickly react to them, stopping or mitigating the damage they do. <br />9<br />
  10. 10. Response<br />Response can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity are critical<br />10<br />
  11. 11. 11<br />Three Architectures<br />Honeyd<br />Gen I Honeynet<br />Gen II Honeynet<br />
  12. 12. 12<br />Honeyd Overview<br />Honeyd is a low-interaction virtual honeypot<br />Simulate arbitrary TCP/UDP service<br />IIS, Telnet, pop3…<br />Supports multiple IP addresses<br />Test up to 65536 addresses simultaneously<br />Supports ICMP<br />Virtual machines answer to ping and traceroute<br />Supports subsystem<br />
  13. 13. 13<br />Honeyd Architecture<br />
  14. 14. 14<br />Honeyd Architecture<br />Configuration database<br />Store the personalities of the configured network stack.<br />Central packet dispatcher<br />Dispatch Incoming packets to the correct protocol handler.<br />Protocol handles<br />Personality engine<br />Option routing component<br />
  15. 15. 15<br />GEN I Honeynet<br />Simple Methodology, Limited Capability<br />Highly effective at detecting automated attacks<br />Use Reverse Firewall for Data Control<br />Can be fingerprinted by a skilled hacker<br />Runs at OSI Layer 3<br />
  16. 16. 16<br />Gen I Honeynet<br />
  17. 17. GEN II Honeynet<br />More Complex to Deploy and Maintain<br />Examine Outbound Data and make determination to block,pass, or modify data<br /> Runs at OSI Layer 2<br />17<br />
  18. 18. 18<br />Gen II Honeynet <br />
  19. 19. Application<br />Detecting and countering worms<br />Spam prevention<br />19<br />
  20. 20. How effective it is !<br />20<br />
  21. 21. Advantages<br />One can learn about incident response; setting up a system that intruders can break into will provide knowledge on detecting hacker break-ins and cleaning-up after them. <br />Knowledge of hacking techniques can protect the real system from similar attacks.  <br />The honeypot can be used as an early warning system; setting it up will alert administrators of any hostile intent long before the real system gets compromised.<br />21<br />
  22. 22. Disadvantages<br />Honeypots add complexity to the network. Increased complexity may lead to increased exposure to exploits. <br />Honeypots must be maintained just like any other networking equipment and services.<br />Requires just as much use of resources as a real system. <br />Building a honeypot requires at least a whole system dedicated to it, and this may be an expensive resource<br />22<br />
  23. 23. 23<br />Future Work<br />Ease of use: In future Honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop Honeypots at home and without difficulty.<br />Closer integration: Currently Honeypots are used along with other technologies such as firewall, tripwire, IDS etc. As technologies are developing, in future Honeypots will be used in closer integration with them.<br />Specific purpose: Already certain features such as honeytokens are under development to target Honeypots only for a specific purpose. Eg: catching only those attempting credit card fraud etc.<br />
  24. 24. 24<br />Thank you<br />Shashwat Shriparv<br />dwivedishashwat@gmail.com<br />InfinitySoft<br />