honeypot
Post on 10-Feb-2016
HONEYPOT
By SIDDARTHA ELETI
CLEMSON UNIVERSITY
Introduction
• Introduced in 1990/1991 by Clifford Stoll in his book “The Cuckoo’s Egg” and by Bill Cheswick in his paper “An Evening With Berferd.”
• A honeypot is an information system resource whose value lies in
unauthorized or illicit use of that resource.
• Acts as a decoy or bait to lure attackers.
• They are designed to be attacked.
• It is about spying on the spy, i.e. the attacker.
Working
• Uses the concept of deception.
• Honeypots work on the idea that all traffic to a honey pot should be deemed
suspicious.
• Designed to audit the activity of an intruder, save log files, and record events:
– Processes started
– Adding, deleting, changing of files
– Even keystrokes
Location
• Honeypots are usually placed somewhere in the DMZ. This ensures that
the internal network is not exposed to the hacker.
• Most honeypots are installed inside firewalls so that they can be better
controlled.
• But a firewall placed in front of a honeypot works exactly the opposite of how a normal firewall works.
Types of Honeypots
• Based on level of deployment:
– Production Honeypots
– Research Honeypots
• Based on design:
– Pure
– High Interaction
– Low Interaction
Levels of Deployment
• Production:
– It is easy and captures only limited info.
– Adds value to the security measures of an organization.
– Used by companies and large corporations.
• Research:
– Collects a lot of info, i.e. attackers’ tools, intent, identity etc.
– Does not directly add value to an organization.
– Researches the threats and tries to come up with better measures.
– Used by military, government organizations and research.
Interaction
• What is Interaction?
– The level of interaction determines the amount of functionality a honeypot provides.
– The greater the interaction, the more you can learn.
– The greater the interaction, the greater the complexity.
– The greater the interaction, the greater the risk.
• High Interaction:
– Imitates the services and actions of a real system.
– Gives a vast amount of information.
– Involves an operating system.
• This involves risk.
– Multiple honeypots can be hosted with the use of VMs.
– Difficult to detect.
– Expensive to maintain.
– Example: Honeynet
• Low Interaction Honeypots:
– Simulates the services of a system.
– Predetermined set of responses.
– Not good for interacting with unexpected attacks.
– Gives less information. Usually:
• Time of attack
• IP and port of attacker
• Destination IP and port of attack
– Does not involve an operating system.
– Easy to detect.
– Cheaper to maintain.
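A minimal low-interaction honeypot of the kind described above, added here as an example and not part of the original slides: it answers each connection with a predetermined banner and records only the fields the slide lists (time of attack, attacker IP and port, destination IP and port), treating every session as suspicious. The banner strings, host names and the `audit_record`/`serve_once`/`run` helpers are assumptions made for this example.

```python
import json
import socket
from datetime import datetime, timezone

# Scripted responses per emulated service (DTK-style); the banners are constructed
# for this example and do not match any real software build.
SCRIPTED_BANNERS = {
    21: (b"220 ftp.honey.example FTP server ready\r\n", "ftp"),
    23: (b"\r\nhoney-01 login: ", "telnet"),
    80: (b"HTTP/1.0 200 OK\r\nServer: httpd\r\nContent-Length: 0\r\n\r\n", "http"),
}

def audit_record(service_port, src, dst, payload, ts):
    """Fields a low-interaction honeypot logs: time, attacker IP/port, target IP/port."""
    _, name = SCRIPTED_BANNERS.get(service_port, (b"", "unknown"))
    return {
        "time": ts.isoformat(),
        "src_ip": src[0], "src_port": src[1],
        "dst_ip": dst[0], "dst_port": dst[1],
        "service": name,
        "bytes_in": len(payload),
        "payload_hex": payload.hex(),  # keep attacker input as data, never interpret it
        "suspicious": True,            # all traffic to a honeypot is deemed suspicious
    }

def serve_once(listener, service_port, log):
    """Accept one connection, send the banner, capture the first bytes, log and return the record."""
    conn, src = listener.accept()
    with conn:
        conn.settimeout(2.0)
        banner, _ = SCRIPTED_BANNERS.get(service_port, (b"\r\n", "unknown"))
        conn.sendall(banner)
        try:
            payload = conn.recv(1024)
        except socket.timeout:
            payload = b""  # a scanner that connected and left without speaking
        dst = conn.getsockname()
    rec = audit_record(service_port, src[:2], dst[:2], payload, datetime.now(timezone.utc))
    log.append(rec)
    return rec

def run(service_port, bind_ip="0.0.0.0"):
    """Listen on the emulated service's port and print one JSON line per session."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as ls:
        ls.bind((bind_ip, service_port))
        ls.listen(16)
        while True:
            print(json.dumps(serve_once(ls, service_port, [])), flush=True)
```

Calling `run(21)` needs privileges for a low port; binding a high port (e.g. 2121) and redirecting 21 to it at the firewall avoids running the listener as root.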
Commercial Honeypot Systems
• There are a variety of commercial honeypot systems available.
– Deception ToolKit (DTK)
– Specter
• Supported OSs:
– Microsoft NT
– Unix
Deception Toolkit
• First free honeypot, by Fred Cohen in 1997.
• Suite of applications that listen to inbound traffic:
– FTP
– Telnet
– HTTP
• Uses scripted responses.
• Experienced attackers can quickly realize that they are in a honeypot.
SPECTER
• SPECTER is a smart honeypot-based intrusion detection system.
• A Production Honeypot and easy to configure.
• Provides Real-time counterintelligence against hackers.
• It simulates a vulnerable computer with various operating systems like
Windows, Mac, Linux, Solaris etc.
• Offers common Internet services such as SMTP, FTP, POP3, HTTP and
TELNET.
• These services appear perfectly normal to the attackers but in fact are traps
for them to mess around and leave traces.
• Offers Intelligent systems like TRACER, TRACE ROUTE, DNS, FTP Banner etc.
Advantages
• The administrator can learn about vulnerabilities in his system.
• Intent of the attackers
• Simple design and implementation
• Less resources
• Cheaper to analyze collected information
Disadvantages
• Has to be attacked directly.
• Can be avoided.
• Honeypots can be detected as they have expected characteristics or behavior.
• They can introduce risk to the environment.
• They don’t prevent or stop an attack.
Conclusion
• It is a tool to learn and understand how the attack is being executed and the motives of the attackers.
• Not a solution.
• Provides important information about:
– The attacker
– The tools being used by the attacker
– What the attacker is after
References
• http://www.techrepublic.com/article/which-honeypot-should-i-use/1042527
• http://www.specter.com/default50.htm
• http://en.wikipedia.org/wiki/Honeypot_(computing)
• http://www.tracking-hackers.com/papers/honeypots.html
• http://www.sans.org/security-resources/idfaq/honeypot3.php
• Honeypots: Tracking Hackers by Lance Spitzner
THANK YOU