Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

HoneypotHoneypotAn instrument for attractingAn instrument for attractingand detecting attackersand detecting attackers

Adapted from R. Baumann

Honeypot - R. Baumann – April 2002

AgendaAgenda

Theory Implementation Administrations Toolkit Attacks Conclusion


TheoryTheory

HoneypotHoneypot Term originally from the military Fake target or ambush In this presentation, the term „honeypot“ is used

in network security environment


TheoryTheory

DefinitionDefinition

A honeypot is a resource which pretends to be a real target. A

honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker

and the gain of information about an attacker, his methods and tools.


TheoryTheory

BenefitBenefit Productive environment:

distraction from the real targets Research environment:

information gathering

but: No direct protection gained In difference to IDS: no false alerts


TheoryTheory

Types of implementationTypes of implementation Level of Involvement

– Low Involvement: Port Listeners

– Mid Involvement: Fake Daemons

– High Involvement: Real Services

Risk increases with level of involvement


TheoryTheory

HoneynetHoneynet Network of honeypots Supplemented by firewalls and intrusion

detection systems

Advantages: “More realistic” environment Improved possibilities to collect data


ImplementationImplementation

Projekt HoneybreadProjekt Honeybread Honeynet implementation Administration Toolkit Ethernet Tunneling Software



Schematic illustrationSchematic illustration

HoneypotsDetectionInternet



TopologyTopology



HoneypotsHoneypots Multiple honeypots

Virtual machines

Different, independent systems



Detection unitDetection unit Information logging

Connection control

Administration


Administration InterfaceAdministration Interface

FeaturesFeatures Web-based Event visualization Connections from and to the honeynet Intrusion detection system alerts Session logs Statistics and reports


Administration InterfaceAdministration Interface

ScreenshotScreenshot


AttacksAttacks

FactsFacts Huge amount of IDS alerts (>40‘000) Mostly automated attacks Code Red Virus

In less than 24 hours successfully attacked Well known security vulnerabilities used


AttacksAttacks

IDS alertsIDS alerts


AttacksAttacks

Distribution over timeDistribution over time


AttacksAttacks

OriginOrigin


AttacksAttacks

SummarySummary Amount of attacks surprised Origin of attacks mostly from local systems

– Attacks on own subnet

– Most tools use own subnet as default setting

Conclusion: Protection required and possible


SummarySummary

TechnologyTechnology Honeypot as a safety solution not very attractive

– Very time expensive

– No out-of-the-box solutions

– Risk quite high when used inappropriately

– Deep knowledge needed

– Legal situation uncertain

Honeypot as a service very attractive


SummarySummary

ImplementationImplementation Data analysis very complex and time consuming Very good learning results Very interesting research area Exciting and suprising moments

Honeypot An instrument for attracting and detecting attackers Adapted from R. Baumann.

Documents

baumann slide

term honeypot

theory honeypot term

attractive slide

time slide

attacks origin slide

software slide

data slide