SJSU CS 265 - honeypots
Honeypots
By Margaret Asami
CS 265 (Spring 2003)

Contents: Introduction; What Are Honeypots?; Values and Risks; Building A Honeypot; Some Popular Honeypots; Conclusion; References

Introduction

A honeypot is a simple yet useful and powerful security tool for intrusion detection. This report introduces its basic concepts, the values it offers and the risks it poses, and finally looks at how to build a simple honeypot and introduces some of the popular honeypots available today.

What Are Honeypots?

A honeypot is essentially a host-based IDS (Intrusion Detection System) whose job is to entice intruders to probe, attack and compromise the system while their motives, moves and techniques are monitored and studied, all without the intruders knowing.

There are two types of honeypots: production and research. The purpose of a production honeypot is to help mitigate security risks in an organization; it functions as the law enforcement unit, detecting and dealing with the bad guys. The purpose of a research honeypot is to gain information about the intruder community: who they are; how, when and why they launch attacks; and what they do once they take over a system. In other words, research honeypots provide counter-intelligence data for the security community.

Since a honeypot is a security mechanism, let's look at how it contributes to the following three aspects of security:

- prevention: honeypots are not designed to prevent intruders' attacks; only good security practices (e.g., disabling unneeded or insecure services) can. Some believe that deception, a honeypot by-product that works by luring intruders away from real production systems, can provide prevention; however, deception has proved to fail against automated toolkit and worm attacks.
- detection: honeypots add extensive value here. A honeypot complements the detection capabilities of an existing IDS by avoiding two major weaknesses of a traditional IDS: false positives and false negatives. False positives are valid traffic reported as attacks because it matches some configured attack signature; false negatives are genuine attacks missed by the IDS because they are too new and still unknown. Honeypots have neither weakness, because all inbound traffic is by definition a scan or an attack, while any outbound traffic indicates a compromised system. Moreover, there is no need to update an attack signature database or patch IDS engines from time to time, because honeypots detect intrusion by monitoring activity rather than relying on a signature database.
- reaction: honeypots also add value to reaction. When a system is compromised, the incident response team usually has a hard time pulling useful forensic information, because either the data is already heavily polluted, or the system cannot be taken down, or both. However, if a honeypot has been inserted into a network of web servers that is now compromised, the incident response team can simply take the honeypot off-line, and by examining the damage in the honeypot, the other production servers can be recovered more quickly.

Values and Risks

In addition to the values seen in the discussion of the security aspects above, honeypots draw fans by being simple and easy to build and deploy. Their biggest attraction to the security community, however, is probably the extremely high ratio of useful data to noise: with honeypots there is no need to wade through gigabytes of data looking for the useful parts, which is one of the toughest jobs the security community faces. However, the more honeypots let us learn, which can only be achieved by offering intruders more capabilities and a higher level of interaction, the higher the risk that intruders will be able to launch massive attacks from the honeypots, for which we will be held responsible.

Building A Honeypot

Suppose we are about to introduce a system. In order to protect it, we want to learn its vulnerabilities and threats, so we decide to build a mirror honeypot and leave it out on the Internet. We wait for intruders to attack and eventually gain root access, tracking their moves all the while; once we have learned enough from them, we kick them out without making them suspicious. Now that we have laid down our objectives, let's look at how it could be put together:

- how can we attract intruders? A honeypot is essentially useless if it is not attacked, so it is important to be able to attract intruders. This can be achieved simply by giving the honeypot an enticing name, like "ns1.sjsu.edu" or "mail.sjsu.edu", to make it sound like a name server or mail server.
- how do we alert ourselves when the honeypot is probed? This can be done by putting the honeypot on its own network behind a firewall, which can be configured to log all traffic and send alerts for incoming probes to the honeypot; once outgoing traffic is reported, we know the honeypot has been compromised.
- how can we protect other systems from being compromised? This again can be done by setting the firewall rulebase to allow all traffic in but only limited traffic out, the opposite of what a firewall normally does. Common programs intruders need in order to download their tool set after gaining access are FTP, ICMP and DNS.
- how do we track intruders' moves? The key is to use layers, since each layer provides different information, and, most importantly, using multiple layers avoids a single point of failure in protecting the data we collect. Some possible layers:
  - firewall logs: note that logs on the honeypot itself should not be relied on, because the first thing intruders normally do once they gain access is wipe out or doctor the system logs.
  - syslogd hack: the next move most intruders make is to replace syslogd, so we want to modify syslogd to log activity to another server. Build a syslog server on a machine on the other side of the firewall, and recompile syslogd to read a different config file, which tells syslogd to log both locally and to the remote syslog server. However, it is important to keep the standard config file, although it is now useless to us, still pointing all logging locally, to avoid suspicion. Moreover, syslogd traffic can also be sent using different protocols (e.g., IPX), or even encrypted or hashed.
  - sniffer: a sniffer can
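The two rules the report relies on for detection and alerting (every inbound packet to the honeypot is a probe; any outbound packet from it means compromise) and the "allow all in, limited out" rulebase can be checked directly against the firewall's own logs, which is the layer the report trusts over the honeypot's local logs. The following Python monitor is an added example, not code from the report or its author. It assumes a netfilter-like "key=value" log line format, a constructed honeypot address of 192.0.2.10, and a hypothetical ALLOWED_EGRESS set that mirrors the report's limited outbound services (FTP, DNS, ICMP); the sample log lines are constructed, not captured traffic.

```python
"""Honeypot firewall-log monitor (added example, not from the report).

Assumptions (constructed for this example): the honeypot sits alone behind a
firewall that logs every packet in a netfilter-like 'key=value' form, and the
only egress the rulebase permits is the limited set below. The honeypot's own
logs are deliberately not consulted, since an intruder can wipe them.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

HONEYPOT_IP = "192.0.2.10"  # constructed address for the honeypot

# Limited outbound services the report says intruders need to fetch tools;
# everything else outbound should be dropped by the rulebase (hypothetical set).
ALLOWED_EGRESS = {("TCP", 21), ("UDP", 53), ("TCP", 53), ("ICMP", None)}

# Assumed log line shape: "<timestamp> <action> SRC=.. DST=.. PROTO=.. [DPT=..]"
_LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)"
    r"(?:\s+DPT=(?P<dpt>\d+))?"
)


@dataclass
class Alert:
    ts: str
    kind: str  # "PROBE" (inbound to honeypot) or "COMPROMISE" (outbound from it)
    peer: str
    proto: str
    dport: Optional[int]
    note: str = ""


@dataclass
class Summary:
    probes: int = 0
    outbound: int = 0
    first_compromise: Optional[str] = None
    alerts: List[Alert] = field(default_factory=list)


def egress_allowed(proto: str, dport: Optional[int]) -> bool:
    """Mirror the rulebase: allow all in, only the limited set out."""
    if proto == "ICMP":
        return ("ICMP", None) in ALLOWED_EGRESS
    return (proto, dport) in ALLOWED_EGRESS


def parse_line(line: str):
    """Return the parsed fields of one firewall log line, or None if malformed."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["dpt"] = int(d["dpt"]) if d["dpt"] else None
    return d


def monitor(lines, honeypot_ip: str = HONEYPOT_IP) -> Summary:
    """Classify firewall log lines touching the honeypot into alerts."""
    s = Summary()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line: skip rather than guess
        if rec["dst"] == honeypot_ip:
            # Nobody has a legitimate reason to talk to the honeypot, so every
            # inbound packet is a probe or an attack by definition (no false positives).
            s.probes += 1
            s.alerts.append(Alert(rec["ts"], "PROBE", rec["src"], rec["proto"], rec["dpt"]))
        elif rec["src"] == honeypot_ip:
            # The honeypot never initiates traffic on its own: any outbound
            # connection means the box has been taken over.
            s.outbound += 1
            if s.first_compromise is None:
                s.first_compromise = rec["ts"]
            if rec["action"] == "DROP":
                note = "blocked by rulebase"
            elif egress_allowed(rec["proto"], rec["dpt"]):
                note = "permitted egress"
            else:
                note = "egress should have been blocked"  # rulebase misconfiguration
            s.alerts.append(Alert(rec["ts"], "COMPROMISE", rec["dst"], rec["proto"], rec["dpt"], note))
        # Traffic between other hosts is not the honeypot's concern.
    return s


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = """
2003-04-12T03:14:15 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=22
2003-04-12T03:14:16 ACCEPT SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP DPT=111
2003-04-12T03:20:01 ACCEPT SRC=192.0.2.10 DST=198.51.100.9 PROTO=TCP DPT=21
2003-04-12T03:20:05 DROP SRC=192.0.2.10 DST=203.0.113.4 PROTO=TCP DPT=6667
2003-04-12T03:21:00 ACCEPT SRC=198.51.100.7 DST=192.0.2.99 PROTO=TCP DPT=80
""".strip().splitlines()

if __name__ == "__main__":
    result = monitor(SAMPLE_LOG)
    for a in result.alerts:
        print(f"{a.ts} {a.kind:<10} {a.proto}/{a.dport} peer={a.peer} {a.note}")
    print(f"probes={result.probes} outbound={result.outbound} "
          f"first_compromise={result.first_compromise}")
```

The first outbound timestamp is the value an incident responder wants when deciding how far back to look at the sniffer and remote-syslog layers; a COMPROMISE alert marked "egress should have been blocked" points at a gap in the rulebase rather than at the intruder.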