
Honeypots
Merkur Maclang, John Luzzi
CMPT 495-01
Monday, December 13, 2004

Outline: How to build a Honeypot; Uses and Types; Honeypots Resources; Considerations; LaBrea Tarpit; Conclusion; Resources

How to build a Honeypot

The wave of interest behind honeypots has grown to epic proportions recently. Besides the significant information that can be gained from them, honeypots have gained notoriety because some of the consequences of deployment have been brought into the limelight. In this paper, we will look at all aspects of honeypots: what they are, how to deploy them, and what should be considered before deploying them.

A honeypot is an Internet-attached server that acts as a decoy, luring in potential hackers in order to study their activities and monitor how they are able to break into a system. Other terms associated with honeypots are honeynets (decoy networks) and honey tokens (decoy information hidden in areas like databases).

Uses and Types

There are many uses for honeypots, including pure research. Many new types of attacks and malware can be studied in isolation on these systems, unbeknownst to attackers. Another use is as a decoy system on a production network to divert an attacker from the true information assets within your network. Other uses include a version of an intrusion detection system, a forensic tool for dissecting attacks after the fact, and a tool to fight spam.

A honeypot can be almost any type of server or application that is meant as a tool to catch or trap an attacker. A further distinction within honeypots is the honeypot vs. the virtual honeypot. The former is typically a hardware device of some sort, whereas the latter is a software implementation.

Honeypots Resources

Many tools are available, both in freeware and commercial packages, with which to build a honeypot on UNIX. Three good examples are LaBrea Tarpit, Tiny Honeypot, and Honeyd:

http://labrea.sourceforge.net/labrea-info.html
http://www.derkeiler.com/Mailing-Lists/Securiteam/2002-07/0105.html
http://www.citi.umich.edu/u/provos/honeyd/

An interesting feature of honeypots is that most of the available packages differ greatly, offering you many options in your honey pursuit. For instance, LaBrea Tarpit is more of a diversion tool, making it appear that there are more devices on a network than there really are, whereas honeyd is an OS deception tool that can obscure the true operating system and confuse attackers.

Considerations

Before you set up a honeypot, you must consider what you want out of it. If you are purely interested in the research aspect of honeypots, it is not recommended to try this at work unless research is part of your job. If you wish to purposely trap intruders for the purpose of legal recourse, you should reconsider using a honeypot at all. A honeypot is best used as another layer of security to help mitigate risks within your company.

After you have determined the goal, focus on how the network environment of the honeypot should be established. It can be very dangerous to leave an intentionally fake system called "Investment" or "Payroll" in a DMZ (a host or small network inserted as a "neutral zone" between a company's private network and the outside public network). If the honeypot is revealed for its true purpose and is compromised, then you run the risk of compromising the other systems within your DMZ, or worse, ultimately your corporate network.

Out of this consideration the "honeynet" was born. A honeynet is an isolated network that holds your honeypot. If the honeypot is compromised, the danger of anything of value being accessible is lessened. If a honeynet is not possible to implement, then you can lock down the honeypot host using such tools as firewalls, chroot jails, and host-based intrusion detection.

The key to implementing a honeypot correctly is to ensure that its architecture is carefully thought out, and that your honeypot meets the requirements of your information security policies. Even when implementing a honeypot on your home network, you should strongly consider a secure architecture, because you could violate the Acceptable Use Policy of your ISP by having your compromised honeypot attack its other customers. Do your homework and implement wisely. Honeypots are not to be taken lightly.

Legal Issues

Before implementing a honeypot, you must understand the legal issues involved as well. In addition to becoming popular, honeypots have also come under a lot of criticism recently. Two packages discussed in this paper have been subject to distribution limitations because of U.S. state adoption of the S-DMCA legislation, which defines unlawful communication devices as "any communication device which is capable of facilitating the disruption of a communication service without the express consent or express authorization of the communication service provider." Niels Provos, the creator of honeyd, had to move all of his research on the topics of steganography and honeypots to a location outside of the United States because of Michigan state laws put into effect this last year. Tom Liston, the creator of LaBrea Tarpit, who is a resident of Illinois, stopped distributing his software for the same reason.

It is still unclear and untested whether honeypots in fact violate the law. It is important to keep in mind that these restrictions may apply depending on where you live. Other legal areas that may apply when implementing a honeypot include peripheral attack, which is when your compromised honeypot is used to attack others. Also, honeypots can be considered a means of entrapment.

To ensure that you're covered, implement the most verbose log servers available. The best scenario is a secure, remote log server, with whatever honeypot you choose, to properly preserve any evidence that might be needed. This will also help you in your research of the attack.

LaBrea Tarpit

The LaBrea Tarpit is a freeware honeypot created by Tom Liston that will run on any flavor of OpenBSD, Linux, Solaris, or Windows. LaBrea describes itself as a "sticky honeypot": it borrows unassigned IP addresses on the network it resides in and acts like hosts on those addresses, responding to connection attempts. LaBrea uses a technique to slow the connection attempts so that the attacking machine becomes "stuck". The general focus of this honeypot is to slow down hackers and worm viruses by keeping the
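The Legal Issues section above recommends pairing any honeypot with the most verbose logging you can get and sending it to a secure, remote log server so evidence survives a compromise of the honeypot itself. The following is an added example, not code from the paper or from any of the packages it names: a small TCP decoy listener that records every connection attempt as one structured line and ships it off-box over syslog/UDP. REMOTE_LOG_HOST, LISTEN_PORT and every address in it are placeholders constructed for the example.

```python
# Added example (not part of the paper): a tiny TCP decoy listener whose
# only job is to record every connection attempt and ship the record to a
# secure remote log server, as the Legal Issues section recommends.
# REMOTE_LOG_HOST, LISTEN_PORT and all addresses below are placeholders.
import logging
import logging.handlers
import socket
import socketserver
from datetime import datetime, timezone

REMOTE_LOG_HOST = "192.0.2.10"  # placeholder: the off-box syslog collector
REMOTE_LOG_PORT = 514           # standard syslog/UDP port
LISTEN_PORT = 2222              # decoy port, constructed for this example
PEEK_BYTES = 64                 # how much of the client's first send to keep


def build_record(ts, src, dst, payload):
    """Format one connection attempt as a single key=value log line.

    The payload is hex-encoded so the line stays printable and unambiguous
    whatever the client sent: no newlines or terminal escapes can reach the
    log file and forge or mangle records."""
    return (
        f"ts={ts.isoformat()} src_ip={src[0]} src_port={src[1]} "
        f"dst_ip={dst[0]} dst_port={dst[1]} "
        f"payload_len={len(payload)} payload_hex={payload[:PEEK_BYTES].hex()}"
    )


def example_record(payload=b"SSH-2.0-x\r\n"):
    """Constructed sample: a client sending the given bytes to decoy port 2222."""
    ts = datetime(2004, 12, 13, 9, 30, 0, tzinfo=timezone.utc)
    return build_record(ts, ("198.51.100.7", 40312), ("192.0.2.5", 2222), payload)


def make_logger(host=REMOTE_LOG_HOST, port=REMOTE_LOG_PORT):
    """Logger whose records leave the box immediately over syslog/UDP; an
    intruder who later controls the honeypot cannot rewrite what already left."""
    log = logging.getLogger("honeypot")
    log.setLevel(logging.INFO)
    if not log.handlers:
        log.addHandler(logging.handlers.SysLogHandler(address=(host, port)))
    return log


class DecoyHandler(socketserver.BaseRequestHandler):
    """Read the first bytes the client sends, log them, and close without
    ever answering: a silent decoy reveals nothing about itself."""

    def handle(self):
        self.request.settimeout(5)
        try:
            data = self.request.recv(PEEK_BYTES)
        except (socket.timeout, ConnectionError):
            data = b""
        record = build_record(datetime.now(timezone.utc),
                              self.client_address,
                              self.request.getsockname(), data)
        self.server.log.info(record)


class DecoyServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, log):
        super().__init__(addr, DecoyHandler)
        self.log = log


if __name__ == "__main__":
    with DecoyServer(("0.0.0.0", LISTEN_PORT), make_logger()) as srv:
        srv.serve_forever()
```

Run it on the honeypot host and point REMOTE_LOG_HOST at a collector on a separate, locked-down machine; the hex encoding is what makes the remote copy trustworthy as a record, since a client cannot inject fake lines by sending newlines.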
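The LaBrea description above gives the idea in two sentences: claim IP addresses nobody is using, answer connection attempts to them, and slow those connections until the attacking machine is stuck. The model below is an added example written for this page, not LaBrea's code. It plays that behaviour out in pure Python over constructed ARP and TCP events: an address whose ARP request goes unanswered for ARP_TIMEOUT seconds is claimed, a SYN to a claimed address gets a handshake with a tiny advertised window, and every later probe on that flow is answered with a zero window so the client keeps waiting. The timeout, the window sizes and all addresses are this model's assumptions, not values from the paper.

```python
# Added example (not LaBrea's code): a pure-Python model of the "sticky"
# behaviour the paper attributes to LaBrea. Addresses, ports and timings
# are constructed; the ARP timeout and the tiny/zero TCP windows are this
# model's assumptions about how a tarpit keeps a client stuck.
from dataclasses import dataclass, field

ARP_TIMEOUT = 3.0     # seconds an ARP request may go unanswered before the address counts as unused
INITIAL_WINDOW = 10   # bytes advertised on the SYN/ACK: the client may send almost nothing
PERSIST_WINDOW = 0    # advertised afterwards: the client can only sit and probe


@dataclass
class Tarpit:
    pending_arp: dict = field(default_factory=dict)  # ip -> time first seen unanswered
    claimed: set = field(default_factory=set)        # addresses the tarpit now impersonates
    stuck: dict = field(default_factory=dict)        # flow 4-tuple -> window probes answered

    def on_arp_request(self, ip, now):
        """Someone asked who has `ip`; start the clock unless we already own it."""
        if ip not in self.claimed:
            self.pending_arp.setdefault(ip, now)

    def on_arp_reply(self, ip):
        """A real host answered for `ip`: it is in use, never impersonate it."""
        self.pending_arp.pop(ip, None)
        self.claimed.discard(ip)

    def tick(self, now):
        """Promote requests that stayed unanswered past ARP_TIMEOUT to claimed addresses."""
        for ip, first in list(self.pending_arp.items()):
            if now - first >= ARP_TIMEOUT:
                self.claimed.add(ip)
                del self.pending_arp[ip]

    def on_tcp(self, seg):
        """Reply to a TCP segment aimed at a claimed address.

        seg is a dict with src, sport, dst, dport, flags. Returns the reply
        the tarpit would send (flags and advertised window), or None when
        the segment is not ours to answer."""
        if seg["dst"] not in self.claimed:
            return None
        flow = (seg["src"], seg["sport"], seg["dst"], seg["dport"])
        if seg["flags"] == "SYN":
            # Complete the handshake but leave almost no room for data.
            self.stuck[flow] = 0
            return {"flags": "SYN-ACK", "window": INITIAL_WINDOW}
        if flow in self.stuck:
            # Every later probe gets a zero window: "keep waiting", indefinitely.
            self.stuck[flow] += 1
            return {"flags": "ACK", "window": PERSIST_WINDOW}
        return None  # unknown flow: stay silent


def simulate():
    """Constructed scenario: two ARP lookups, one answered by a real host,
    then a scanner connecting to both addresses and probing the stuck one."""
    tp = Tarpit()
    tp.on_arp_request("10.0.0.50", now=0.0)   # nobody will answer for .50
    tp.on_arp_request("10.0.0.51", now=0.0)
    tp.on_arp_reply("10.0.0.51")              # a real host owns .51
    tp.tick(now=3.5)                           # .50 timed out -> claimed

    scanner = {"src": "10.0.0.9", "sport": 40000}
    replies = [
        tp.on_tcp({**scanner, "dst": "10.0.0.50", "dport": 445, "flags": "SYN"}),
        tp.on_tcp({**scanner, "dst": "10.0.0.51", "dport": 445, "flags": "SYN"}),
    ]
    for _ in range(3):  # window probes from the now-stuck client
        replies.append(tp.on_tcp({**scanner, "dst": "10.0.0.50", "dport": 445, "flags": "ACK"}))
    return tp, replies
```

The scanner's first SYN is answered, its SYN to the real host's address is ignored, and each later probe gets a zero window, which is what turns a scan of one decoy address into a connection the scanner cannot finish and does not give up.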
Montclair CMPT 495 - Honeypots