Honeypot
An instrument for attracting and detecting attackers
Adapted from R. Baumann
Dec 22, 2015
Honeypot - R. Baumann – April 2002
Agenda
– Theory
– Implementation
– Administration Toolkit
– Attacks
– Conclusion
Theory: Honeypot
– Term originally from the military: a fake target or ambush
– In this presentation, the term "honeypot" is used in the network security environment
Theory: Definition
A honeypot is a resource which pretends to be a real target. A honeypot is expected to be attacked or compromised. The main goals are the distraction of an attacker and the gain of information about an attacker, his methods and tools.
Theory: Benefit
– Productive environment: distraction from the real targets
– Research environment: information gathering
– But: no direct protection gained
– In contrast to an IDS: no false alerts
Theory: Types of implementation
Level of involvement:
– Low involvement: port listeners
– Mid involvement: fake daemons
– High involvement: real services
Risk increases with the level of involvement.
Theory: Honeynet
– Network of honeypots
– Supplemented by firewalls and intrusion detection systems
– Advantages: "more realistic" environment; improved possibilities to collect data
Implementation: Project Honeybread
– Honeynet implementation
– Administration toolkit
– Ethernet tunneling software
Implementation: Schematic illustration
[Diagram: Internet – detection unit – honeypots]
Implementation: Honeypots
– Multiple honeypots
– Virtual machines
– Different, independent systems
Implementation: Detection unit
– Information logging
– Connection control
– Administration
Administration Interface: Features
– Web-based
– Event visualization
– Connections from and to the honeynet
– Intrusion detection system alerts
– Session logs
– Statistics and reports
Administration Interface: Screenshot
[Screenshot of the web-based administration interface]
Attacks: Facts
– Huge amount of IDS alerts (>40,000)
– Mostly automated attacks (Code Red virus)
– Successfully attacked in less than 24 hours
– Well-known security vulnerabilities used
Attacks: Summary
– Amount of attacks surprising
– Origin of attacks mostly from local systems
  – Attacks on own subnet
  – Most tools use own subnet as default setting
– Conclusion: protection required and possible
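A low-involvement port listener of the kind listed under "Types of implementation", with the logging and connection control of the detection unit and a report that separates local from external sources, the distinction behind the attack summary above. This is an added example, not code from the Honeybread project or the slides; the subnet 192.0.2.0/24, the JSON-lines log format and the 64-byte, 2-second limits are assumptions.

```python
import ipaddress
import json
import socket
from collections import Counter
from datetime import datetime, timezone

# Constructed value: the honeynet's own subnet, used to classify each source as local or external.
OWN_SUBNET = ipaddress.ip_network("192.0.2.0/24")


def make_record(src_ip, src_port, dst_port, first_bytes, own_subnet=OWN_SUBNET):
    """One log record per connection; nothing is emulated, only who connected and what was sent."""
    preview = first_bytes[:64].decode("ascii", "replace")
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src_ip": src_ip,
        "src_port": src_port,
        "dst_port": dst_port,
        # Escape line breaks so the stored log stays one record per line and safe to view.
        "preview": preview.replace("\r", "\\r").replace("\n", "\\n"),
        "local": ipaddress.ip_address(src_ip) in own_subnet,
    }


def summarize(records):
    """Statistics for the administration interface: hits per port, local vs. external origin."""
    by_port = Counter(r["dst_port"] for r in records)
    origin = Counter("local" if r["local"] else "external" for r in records)
    return {"total": len(records), "by_port": dict(by_port), "origin": dict(origin)}


def serve(port, log_path, max_conns=None, bind="0.0.0.0"):
    """Accept TCP connections on one port, log each as a JSON line, drop it at once.
    Connection control: 2 s and 64 bytes per client, and max_conns bounds the run."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv, open(log_path, "a") as log:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((bind, port))
        srv.listen(16)
        served = 0
        while max_conns is None or served < max_conns:
            conn, (src_ip, src_port) = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    data = conn.recv(64)
                except OSError:  # includes socket.timeout
                    data = b""
            log.write(json.dumps(make_record(src_ip, src_port, port, data)) + "\n")
            log.flush()
            served += 1
```

Run `serve(8023, "honeypot.log", max_conns=5)` to collect a few records, then feed the parsed JSON lines to `summarize` for the per-port and local/external counts.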
Summary: Technology
Honeypot as a safety solution: not very attractive
– Very time-expensive
– No out-of-the-box solutions
– Risk quite high when used inappropriately
– Deep knowledge needed
– Legal situation uncertain
Honeypot as a service: very attractive
Summary: Implementation
– Data analysis very complex and time-consuming
– Very good learning results
– Very interesting research area
– Exciting and surprising moments