A Practical Guide to Honeypots

Eric Peter (epeter at wustl dot edu) and Todd Schiller (tschiller at acm dot org)
A project report written under the guidance of Prof. Raj Jain
http://www.cse.wustl.edu/~jain/cse571-09/ftp/honey/index.html

Abstract

This paper is composed of two parts: a survey of honeypot technology and a case study describing a low interaction honeypot implemented in Java. The survey provides a brief overview of honeypot concepts and references to more detailed works. The implementation case study addresses many of the decisions required when designing and implementing a low interaction honeypot.

Keywords: Honeypot, network security, low interaction honeypot implementation, honeypot trends, honeyd, specter, honeyBot, case study

Table of Contents

1 Introduction
1.1 Network Intrusion Detection Systems
1.2 Honeypots
1.3 Honeypot History
1.4 Types of Honeypots
1.5 General Honeypot Advantages and Disadvantages
2 Recent Trends and Advances
2.1 Honeynets and Honeyfarms
2.2 Shadow Honeypots
2.3 Distributed Honeypots
3 Survey of Existing Honeypot Solutions
3.1 Honeyd
3.2 HoneyBOT
3.3 Specter
3.4 Comparison
4 HoneyRJ: Low Interaction Honeypot Implementation Case Study
4.1 Implementation Features
4.2 Application Design
4.2.1 Choice of Development Language
4.2.2 Choice of IDE
4.2.3 Design Decisions
4.3 Application Internals
4.3.1 HoneyRJ Launch and Initialization
4.3.2 LIModule Initialization
4.3.3 LIProtocol Interface Overview
4.4 Implementing Additional Protocols
4.4.1 Key Protocol Design Decisions
4.4.2 Implementation
4.4.3 Adding the Protocol
5 Summary
Appendix: Application Source Code, Source Code Documentation and User Manual
References
List of Acronyms

1 Introduction

In this section we describe network intrusion detection systems, the traditional approach to network security. We then introduce and provide a brief history of honeypots. The section concludes with a discussion of the general advantages and disadvantages of honeypots.

1.1 Network Intrusion Detection Systems

The goal of an Intrusion Detection System (IDS) is to identify, preferably in real time, unauthorized use, misuse and abuse of computer systems by both system insiders and external penetrators [Mukherjee94]. An IDS is used as an alternative or a complement to building a shield around the network. The shielding approach is deficient in several ways, including failure to prevent attacks from insiders. Mukherjee et al. provide an overview of the IDS problem [Mukherjee94].

Despite the groundwork being laid for detection systems, it wasn't until Paxson's work in 1998 that methods for building real-time detection systems became publicly available. The system converts a stream of packets into a series of high-level network events that can be analyzed according to system security policy [Paxson99]. Since 1999 this work has been extended to incorporate advanced machine learning techniques [Verwoerd02] and to better detect threats such as denial of service attacks [Hussain03].

However, while IDS technology is progressing, methods to circumvent IDSs are becoming more prevalent [Ptacek98]. For example, Wagner and Soto develop a class of mimicry attacks, which mimic the original behavior of the application [Wagner02]. In light of these attacks, as well as the growing prevalence of encrypted communication, alternatives such as honeypots have become more popular.

1.2 Honeypots

The exact definition of a honeypot is contentious; however, most definitions are some form of the following: "A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource" (from the www.securityfocus.com forum). A more practical but more limiting definition is given by pcmag.com: "A server that is configured to detect an intruder by mirroring a real production system. It appears as an ordinary server doing work, but all the data and transactions are phony. Located either in or outside the firewall, the honeypot is used to learn about an intruder's techniques as well as determine vulnerabilities in the real system" [pcmag09].

In practice, honeypots are computers which masquerade as unprotected. The honeypot records all actions and interactions with users. Since honeypots don't provide any legitimate services, all activity is unauthorized and possibly malicious. Talabis presents honeypots as being analogous to the use of wet cement for detecting human intruders [Talabis07b].

1.3 Honeypot History

The first publicly available honeypot was Fred Cohen's Deception ToolKit in 1998, which was intended to make it appear to attackers as if the system running DTK had a large number of widely known vulnerabilities [Cohen98]. More honeypots became both publicly and commercially available throughout the late nineties. As worms began to proliferate beginning in 2000, honeypots proved imperative in capturing and analyzing worms. In 2004, virtual honeypots were introduced, which allow multiple honeypots to run on a single server [Provos04]. A detailed history of honeypots can be found in [Spitzner02] and [Talabis07a].

1.4 Types of Honeypots

There are two broad categories of honeypots available today: high interaction and low interaction. These categories are defined based on the services, or interaction level, provided by the honeypot to potential hackers [Spitzner02]. High interaction honeypots let the hacker interact with the system as they would any regular operating system, with the goal of capturing the maximum amount of information on the attacker's techniques. Any command or application an end user would expect to be installed is available, and generally there is little to no restriction placed on what the hacker can do once he/she compromises the system. On the contrary, low interaction honeypots present the hacker emulated services with a limited subset of the functionality they would expect from a server, with the intent of detecting sources of unauthorized activity [Provos04]. For example, the HTTP service on a low interaction honeypot would only support the commands needed to identify that a known exploit is being attempted. Some authors classify a third category, medium interaction honeypots, as providing expanded interaction from low interaction honeypots but less than high interaction systems. A medium interaction honeypot might more fully implement the HTTP protocol to emulate a well known vendor's implementation, such as Apache. However, there are
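The low interaction model described in Section 1.4, as an added example that is not part of the report and not the HoneyRJ Java code it goes on to describe: a minimal emulated HTTP service in Python that supports only GET and HEAD, answers every request with a canned page, and writes one structured log record per connection. Because a honeypot has no legitimate clients, the handler logs malformed and unsupported requests as findings rather than dropping them. The server banner, the page body, the listen port and the sample peer addresses are constructed values for illustration.

```python
"""Minimal low-interaction HTTP honeypot service (added example, not HoneyRJ).

It emulates just enough of HTTP to answer a request and record who sent what.
Nothing the client sends is executed; the only state kept is the log record.
"""
import json
import socketserver
from datetime import datetime, timezone

# Constructed banner and page; a deployment would copy the exact strings of the
# product it is meant to resemble.
SERVER_BANNER = b"Apache/2.2.3 (CentOS)"
CANNED_PAGE = b"<html><body><h1>It works!</h1></body></html>"
SUPPORTED_METHODS = {"GET", "HEAD"}  # the whole "subset of functionality" emulated


def parse_request_line(raw: bytes):
    """Return (method, target, version) from the first line, or None if not HTTP."""
    try:
        first_line = raw.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = first_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def parse_headers(raw: bytes) -> dict:
    """Collect header lines into a dict; a malformed line is skipped, not fatal."""
    headers = {}
    head = raw.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.decode("ascii", "replace").strip().lower()] = \
                value.decode("ascii", "replace").strip()
    return headers


def handle_request(raw: bytes, peer: str) -> tuple:
    """Emulate the service for one connection; return (response_bytes, log_record).

    Every connection is logged, malformed ones included: the honeypot has no
    legitimate clients, so an unparsable request is as much a detection as a valid one.
    """
    record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "peer": peer,
        "raw_len": len(raw),
        "raw_prefix": raw[:256].decode("ascii", "replace"),  # evidence, never interpreted
    }
    parsed = parse_request_line(raw)
    if parsed is None:
        record.update(status=400, reason="malformed request line")
        status_line, body = b"HTTP/1.1 400 Bad Request", b"Bad Request"
    else:
        method, target, version = parsed
        headers = parse_headers(raw)
        record.update(method=method, target=target, version=version,
                      user_agent=headers.get("user-agent", ""))
        if method not in SUPPORTED_METHODS:
            record.update(status=501, reason="method not emulated")
            status_line, body = b"HTTP/1.1 501 Not Implemented", b"Not Implemented"
        elif target == "/":
            record.update(status=200)
            status_line, body = b"HTTP/1.1 200 OK", CANNED_PAGE
        else:
            # Any path other than the front page is a probe for something never served.
            record.update(status=404)
            status_line, body = b"HTTP/1.1 404 Not Found", b"Not Found"
    response = (status_line + b"\r\nServer: " + SERVER_BANNER
                + b"\r\nContent-Type: text/html\r\nContent-Length: "
                + str(len(body)).encode() + b"\r\nConnection: close\r\n\r\n")
    if record.get("method") != "HEAD":
        response += body
    return response, record


class HoneypotHandler(socketserver.BaseRequestHandler):
    def handle(self):
        self.request.settimeout(5)  # a client cannot hold the emulated service open
        try:
            raw = self.request.recv(4096)
        except OSError:
            raw = b""
        peer = "%s:%d" % self.client_address[:2]
        response, record = handle_request(raw, peer)
        print(json.dumps(record), flush=True)  # one JSON line per connection for a collector
        try:
            self.request.sendall(response)
        except OSError:
            pass


def serve(bind: str = "127.0.0.1", port: int = 8080):
    """Listen on an otherwise unused port; every connection that arrives is a finding."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((bind, port), HoneypotHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Run it and point a browser or `curl` at the constructed port to see one JSON record per connection on stdout. The point of the design is that `handle_request` is a pure function of the bytes received: it never spawns anything, never touches the filesystem and keeps no per-client state, which is what makes a low interaction honeypot safe to leave exposed compared with the high interaction systems described above.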