8/6/2019 HONEY POT (1)
http://slidepdf.com/reader/full/honey-pot-1 1/20
HONEYPOTS
TRACKING HACKERS
By Rohit Kumar
A WORD ON SECURITY
"The secret to a good defense is good offense"
- Anonymous
How does a hacker affect a server?
• Steals confidential data.
• Impersonates someone else.
• Causes loss of resources.
• Sometimes even causes hardware loss.
What are the security issues?
• To provide a secure connection between the client and the server.
• E.g. email service provided by various web-sites.
Definition of Honeypots
"A honeypot is a security resource whose value is in being probed, attacked or compromised"
QUESTIONS ON HPs ?
• What are the different values this unique technology can have? What are the different HoneyPot technologies available today?
• What are the advantages and disadvantages of using HoneyPots?
• Are there any deployment and maintenance issues associated with HoneyPots?
• Are all HoneyPots offensive in nature?
IS THIS A HONEYPOT ?
On a network, install a firewall which restricts all outbound traffic. Attackers can get into the network but cannot use this network to spread the infection.
CONCERNS
(THE "WHAT-IF" FACTOR)
• What if the attacker is lured into a HoneyPot? He/She will be infuriated by the deception and retaliate against the organisation.
• What if the HoneyPot is misconfigured?
THEN WHY USE HONEYPOTS ?
• At the end of year 2000, the life expectancy of a default installation of Red Hat 6.2 was less than 72 hrs!
• One of the fastest recorded times a HoneyPot was compromised was 15 min. This means that within 15 min of being connected to the internet, the system was found, probed, attacked, and successfully exploited by the attacker! The record for capturing a worm was 90 sec!!
• During an 11 month period (Apr 2000 - Mar 2001), there was a 100% increase in IDS alerts based on Snort.
• In the beginning of 2002, a home network was scanned on an average by three different systems a day.
• The year 2001 saw a 100% increase in reported incidents from 21,756 to 52,658 reported attacks.
WHAT CAN HONEYPOTS DO ?
• Can they capture known attacks?
• Can they detect unknown attacks?
ADVANTAGES OF USING HONEYPOTS
• Data Value
HoneyPots collect very little data, but what they collect is essentially of very high value.
The HoneyNet project research group collects less than 1 MB of data per day!
• Resources
HoneyPots typically do not have problems of resource exhaustion.
• Simplicity
No fancy algorithms to develop.
No signature databases to maintain.
No rule-bases to misconfigure!
DISADVANTAGES OF HONEYPOTS
• Narrow field of view
HoneyPots only see the activity directed against them.
• Fingerprinting
An incorrectly implemented HoneyPot can identify itself and others of the same kind.
CLASSIFICATION OF HONEYPOTS (1/2)
[Based on level of INTERACTION]
Are you hoping to catch the attackers in action and learn about their tools and tactics?
OR
Are you interested in detecting unauthorized activity?
OR
Are you hoping to capture the latest worm for analysis?
CLASSIFICATION OF HONEYPOTS (2/2)
LEVEL OF       WORK TO INSTALL   WORK TO DEPLOY   INFORMATION   LEVEL OF
INTERACTION    AND CONFIGURE     AND MAINTAIN     GATHERING     RISK
Low            Easy              Easy             Limited       Low
Medium         Involved          Involved         Variable      Medium
High           Difficult         Difficult        Extensive     High
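Added example (not part of the original slides): a sketch of the "Low" interaction row, a listener that emulates only a service banner and records every connection, since any traffic to a honeypot is unauthorized by definition. The class name, the banner text and the local probe are constructed for illustration.

```python
import socket
import threading
import time


class LowInteractionHoneypot:
    """TCP listener with no production use: every connection is an alert."""

    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 FTP server ready\r\n"):  # constructed banner
        self.banner = banner
        self.events = []  # one record per connection attempt
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))  # port 0: the OS picks a free port
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]

    def serve(self, max_connections):
        """Accept connections, emulate only a banner, log what arrives."""
        for _ in range(max_connections):
            conn, (src_ip, src_port) = self._sock.accept()
            with conn:
                conn.settimeout(2.0)  # never wait on a silent scanner
                try:
                    conn.sendall(self.banner)
                    first_bytes = conn.recv(1024)
                except OSError:
                    first_bytes = b""
            # No signatures or rules: the connection itself is the finding.
            self.events.append({"time": time.time(), "src_ip": src_ip,
                                "src_port": src_port, "first_bytes": first_bytes})
        self._sock.close()


def demo_probe(payload=b"USER anonymous\r\n"):
    """Constructed local probe; returns (banner seen by client, honeypot log)."""
    pot = LowInteractionHoneypot()
    worker = threading.Thread(target=pot.serve, args=(1,), daemon=True)
    worker.start()
    with socket.create_connection(("127.0.0.1", pot.port), timeout=2) as client:
        banner = client.recv(1024)
        client.sendall(payload)
    worker.join(timeout=5)
    return banner, pot.events


if __name__ == "__main__":
    print(demo_probe())
```

The log holds only what was sent to this one port, which is the "narrow field of view" listed under the disadvantages.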
Conclusion
• Honeypots are good resources for tracing hackers.
• The value of Honeypots is in being Hacked.
• Honeypots have their own pros and cons and this technology is still developing.