HONEYPOTS TRACKING HACKERS By Rohit Kumar 

Apr 07, 2018

Page 1: HONEY POT (1)

8/6/2019 HONEY POT (1)

http://slidepdf.com/reader/full/honey-pot-1 1/20

HONEYPOTS

TRACKING HACKERS

By Rohit Kumar


A WORD ON SECURITY

"The secret to a good defense is good offense"

- Anonymous


How does a hacker affect a server?

• Steals confidential data.

• Impersonates someone else.

• Causes loss of resources.

• Sometimes even causes hardware loss.


What are the security issues?

• To provide a secure connection between the client and the server.

• E.g. email service provided by various web-sites.


How Honeypots work.


Definition of Honeypots

"A honeypot is a security resource whose value is in being probed, attacked or compromised"


QUESTIONS ON HPs?

• What are the different values this unique technology can have? What are the different HoneyPot technologies available today?

• What are the advantages and disadvantages of using HoneyPots?

• Are there any deployment and maintenance issues associated with HoneyPots?

• Are all HoneyPots offensive in nature?


IS THIS A HONEYPOT?

On a network, install a firewall which restricts all outbound traffic. Attackers can get into the network but cannot use this network to spread the infection.


CONCERNS

(THE "WHAT-IF" FACTOR)

• What if the attacker is lured into a HoneyPot? He/She will be infuriated by the deception and retaliate against the organisation.

• What if the HoneyPot is misconfigured?


THEN WHY USE HONEYPOTS?

• At the end of year 2000, the life expectancy of a default installation of Red Hat 6.2 was less than 72 hrs!

• One of the fastest recorded times a HoneyPot was compromised was 15 min. This means that within 15 min of being connected to the internet, the system was found, probed, attacked, and successfully exploited by the attacker! The record for capturing a worm was 90 sec!!

• During an 11 month period (Apr 2000 - Mar 2001), there was a 100% increase in IDS alerts based on Snort.

• In the beginning of 2002, a home network was scanned on an average by three different systems a day.

• The year 2001 saw a 100% increase in reported incidents from 21,756 to 52,658 reported attacks.


WHAT CAN HONEYPOTS DO?

• Can they capture known attacks?

• Can they detect unknown attacks?


ADVANTAGES OF USING HONEYPOTS

• Data Value
  HoneyPots collect very little data, but what they collect is essentially of very high value.
  HoneyNet project research group collects less than 1 MB data per day!

• Resources
  HoneyPots typically do not have problems of resource exhaustion.

• Simplicity
  No fancy algorithms to develop.
  No signature databases to maintain.
  No rule-bases to misconfigure!


DISADVANTAGES OF HONEYPOTS

• Narrow field of view
  HoneyPots only see the activity directed against them.

• Fingerprinting
  An incorrectly implemented HoneyPot can identify itself and others of the same kind.


CLASSIFICATION OF HONEYPOTS (1/2)

[Based on level of INTERACTION]

Are you hoping to catch the attackers in action and learn about their tools and tactics?

OR

Are you interested in detecting unauthorized activity?

OR

Are you hoping to capture the latest worm for analysis?


CLASSIFICATION OF HONEYPOTS (2/2)

LEVEL OF INTERACTION   WORK TO INSTALL AND CONFIGURE   WORK TO DEPLOY AND MAINTAIN   INFORMATION GATHERING   LEVEL OF RISK
Low                    Easy                            Easy                          Limited                 Low
Medium                 Involved                        Involved                      Variable                Medium
High                   Difficult                       Difficult                     Extensive               High


Conclusion

• Honeypots are good resources for tracing hackers.

• The value of Honeypots is in being hacked.

• Honeypots have their own pros and cons and this technology is still developing.
