Honey Pots

In computer terminology, a honey pot is a trap set to detect or deflect attempts at unauthorized use of information systems. Generally it consists of a computer, data or a network site that appears to be part of a network but which is actually isolated and protected, and which seems to contain information that would be of value to attackers. A honey pot that masquerades as an open proxy is known as a sugarcane.
A honey pot is valuable as a surveillance and early-warning tool. While often a computer, a honey pot can take on other forms, such as files or data records, or even unused IP address space. Honey pots should have no production value and hence should not see any legitimate traffic or activity. Whatever they capture can therefore be assumed to be malicious or unauthorized.

Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker who compromises one can use it as a stepping stone to break into the real systems behind it.
Sticky Honeypot

Also called a 'tarpit', a sticky honeypot is an Internet-attached server that acts as a decoy, luring in potential hackers and responding in a way that causes their machine to get "stuck", sometimes for a very long time.
Honeypots are designed to mimic systems that an intruder would like to break into, but limit the intruder from gaining access to the entire network. If a honeypot is successful, the intruder will have no idea that s/he is being tricked and monitored. Most honeypots are installed inside firewalls so that they can be controlled more easily, though it is possible to install them outside of firewalls. A firewall in front of a honeypot works the opposite way from a normal firewall: instead of restricting what comes into a system from the Internet, the honeypot firewall allows all traffic to come in from the Internet and restricts what the system sends back out.
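The capture-and-tarpit behaviour described above, written out as an added example (this is not code from the original article). It is a low-interaction TCP listener that records every accepted connection as an event, because nothing reaching a honeypot can be legitimate, and can optionally drip its banner one byte at a time so that a peer waiting for a complete line stays tied up. The banner text, the placeholder hostname, the listening port 2525 and the delay values are all assumptions; restricting what the host sends back out is left to the firewall in front of it, as the text describes, and is not implemented here.

```python
"""Minimal low-interaction TCP honeypot with an optional tarpit mode.

Added example, not code from the original article.  Every accepted
connection is recorded as an event: a honeypot has no production
value, so nothing that reaches it can be legitimate traffic.
"""
import json
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# Constructed fake banner; the hostname is a placeholder, not a real system.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"


class HoneypotHandler(socketserver.BaseRequestHandler):
    """Greet the peer, record what it sends first, then hang up."""

    def handle(self):
        try:
            if self.server.tarpit_delay > 0:
                # Tarpit mode: drip the banner one byte at a time so a
                # client waiting for a complete line stays tied up.
                for i in range(len(FAKE_BANNER)):
                    self.request.sendall(FAKE_BANNER[i:i + 1])
                    time.sleep(self.server.tarpit_delay)
            else:
                self.request.sendall(FAKE_BANNER)
            self.request.settimeout(self.server.read_timeout)
            first = self.request.recv(512)
        except socket.timeout:
            first = b""  # a bare connect (port probe) is still worth recording
        except OSError:
            first = b""  # peer went away early; still record that it came
        self.server.record({
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": self.client_address[0],
            "src_port": self.client_address[1],
            "dst_port": self.server.server_address[1],
            "first_bytes": first[:64].hex(),
        })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, tarpit_delay=0.0, read_timeout=5.0):
        super().__init__(address, HoneypotHandler)
        self.tarpit_delay = tarpit_delay    # seconds between banner bytes (0 = no tarpit)
        self.read_timeout = read_timeout    # how long to wait for the peer's first bytes
        self._events = []
        self._lock = threading.Lock()

    def record(self, event):
        with self._lock:
            self._events.append(event)

    def snapshot(self):
        """Copy of all events captured so far (safe to call from any thread)."""
        with self._lock:
            return list(self._events)

    def start(self):
        """Serve in a background thread and return the bound (host, port)."""
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self.server_address


def simulate_probe(host, port, payload=b"EHLO scanner\r\n", timeout=5.0):
    """Act as a client against the honeypot: read the whole banner, send one
    line, then wait for the server to hang up.  Returns the banner received."""
    with socket.create_connection((host, port), timeout=timeout) as c:
        banner = b""
        while not banner.endswith(b"\r\n"):
            chunk = c.recv(64)
            if not chunk:
                break
            banner += chunk
        c.sendall(payload)
        while c.recv(64):
            pass  # drain until EOF so the server-side event is recorded
    return banner


if __name__ == "__main__":
    hp = Honeypot(("0.0.0.0", 2525), tarpit_delay=0.5)  # assumed port; 25 needs root
    print("honeypot listening on %s:%d" % hp.start())
    seen = 0
    try:
        while True:
            time.sleep(2)
            events = hp.snapshot()
            for e in events[seen:]:
                print(json.dumps(e))  # one JSON line per connection, for later analysis
            seen = len(events)
    except KeyboardInterrupt:
        hp.shutdown()
```

Each event is emitted as one JSON line so it can be shipped to whatever log store the operator already runs; the interesting signal is the mere existence of a connection, not the content.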
By luring a hacker into a system, a honeypot serves several purposes:

- The administrator can watch the hacker exploit the vulnerabilities of the system, thereby learning where the system has weaknesses that need to be redesigned.
- The hacker can be caught and stopped while trying to obtain root access to the system.
- By studying the activities of hackers, designers can better create more secure systems that are potentially invulnerable to future hackers.
Creating a Honeypot - overview for the basic user

Honeypot systems should be configured to look like a box that hackers would like to exploit. You can achieve this by giving it an irresistible name, such as financials.companyname.com or mail.companyname.com. If the system doesn't appear real or looks unusual, the hacker will most likely detect a trap and move on.
Honeypot - The two major goals

- Learn how intruders probe and attempt to gain access to your systems. The general idea is that since a record of the intruder's activities is kept, you can gain insight into attack methodologies to better protect your real production systems.
- Gather forensic information required to aid in the apprehension or prosecution of intruders. This is the sort of information often needed to provide law enforcement officials with the details needed to prosecute.

More importantly, when you decide you're going to build a honeypot you must first realize that you're playing with fire and can easily get burned. Someone with skills far superior to your own is out there and poised to attack your system, and it may only take them a few hours after it's up to discover it! Keeping this in mind the entire way through is your best hedge against doing something reckless -- or even fatal.
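The first goal, learning how intruders probe, comes down to analysing the record the honeypot kept. The following is an added example, not from the original article: it reads a constructed JSON-lines event log (one record per accepted connection, with source address, destination port and the first bytes received, hex-encoded) and builds a per-source profile, tagging sources that swept many ports or kept hammering one port, and guessing the protocol from the first bytes. The sample addresses, timestamps, payloads, thresholds and tag names are all assumptions.

```python
"""Summarise a honeypot event log into per-source attack profiles.

Added example, not from the original article.  Input is JSON lines in
the shape a simple honeypot might write: one object per accepted
connection with "time", "src_ip", "dst_port" and "first_bytes" (hex).
Because a honeypot carries no production traffic, every source that
appears here is of interest; the profile only says what kind.
"""
import json
from collections import Counter


def _event(ts, src, port, payload=b""):
    """Build one constructed log line (sample data, not a real capture)."""
    return json.dumps({"time": ts, "src_ip": src, "dst_port": port,
                       "first_bytes": payload.hex()})


# Constructed sample log: a port sweep, a repeated SSH knock, one web probe,
# and a corrupt line the parser must survive.
SAMPLE_LOG = "\n".join([
    _event("2024-05-01T10:00:01+00:00", "203.0.113.7", 22),
    _event("2024-05-01T10:00:01+00:00", "203.0.113.7", 23),
    _event("2024-05-01T10:00:02+00:00", "203.0.113.7", 80),
    _event("2024-05-01T10:00:02+00:00", "203.0.113.7", 443),
    _event("2024-05-01T10:00:03+00:00", "203.0.113.7", 3389),
    _event("2024-05-01T10:00:03+00:00", "203.0.113.7", 8080),
    _event("2024-05-01T10:05:10+00:00", "198.51.100.23", 22, b"SSH-2.0-libssh2_1.9.0\r\n"),
    _event("2024-05-01T10:05:14+00:00", "198.51.100.23", 22, b"SSH-2.0-libssh2_1.9.0\r\n"),
    _event("2024-05-01T10:05:19+00:00", "198.51.100.23", 22, b"SSH-2.0-libssh2_1.9.0\r\n"),
    "this line is corrupt and must be skipped",
    _event("2024-05-01T10:11:00+00:00", "192.0.2.99", 80, b"GET /admin HTTP/1.1\r\n"),
]) + "\n"


def parse_events(text):
    """Parse JSON lines into event dicts, skipping corrupt lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            e = json.loads(line)
            e["first_bytes"] = bytes.fromhex(e["first_bytes"])
            e["dst_port"] = int(e["dst_port"])
        except (ValueError, KeyError, TypeError):
            continue
        events.append(e)
    return events


def guess_protocol(first_bytes):
    """Crude protocol guess from the first bytes the peer sent (assumed rules)."""
    if not first_bytes:
        return "connect-only"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT", b"OPTIONS"):
        return "http"
    if first_bytes[:4].upper() in (b"EHLO", b"HELO"):
        return "smtp"
    return "unknown"


def profile_sources(events, scan_ports=5, repeat_hits=3):
    """Group events by source; thresholds for the tags are assumed values."""
    profiles = {}
    for e in sorted(events, key=lambda ev: ev["time"]):
        p = profiles.setdefault(e["src_ip"], {
            "first_seen": e["time"], "last_seen": e["time"], "connections": 0,
            "port_hits": Counter(), "protocols": set()})
        p["last_seen"] = e["time"]
        p["connections"] += 1
        p["port_hits"][e["dst_port"]] += 1
        p["protocols"].add(guess_protocol(e["first_bytes"]))
    for p in profiles.values():
        p["ports"] = sorted(p["port_hits"])
        p["protocols"] = sorted(p["protocols"])
        tags = []
        if len(p["ports"]) >= scan_ports:          # many distinct ports: a sweep
            tags.append("port-scan")
        if max(p["port_hits"].values()) >= repeat_hits:  # same port over and over
            tags.append("persistent")
        p["tags"] = tags
        p["port_hits"] = dict(p["port_hits"])
    return profiles


def report(profiles):
    """Render profiles as plain-text lines for an operator."""
    return ["%s: %d connection(s) %s..%s ports=%s protocols=%s tags=%s" % (
        src, p["connections"], p["first_seen"], p["last_seen"],
        ",".join(map(str, p["ports"])), ",".join(p["protocols"]),
        ",".join(p["tags"]) or "-") for src, p in sorted(profiles.items())]


if __name__ == "__main__":
    for line in report(profile_sources(parse_events(SAMPLE_LOG))):
        print(line)
```

The corrupt line is skipped rather than aborting the run, because a honeypot that is actively being probed may well have its log truncated or partially overwritten; losing one record is preferable to losing the whole analysis.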
Honeypots

Honeypots can operate on any variety of computer systems and just about any type of computer. While most public domain software for setting up a honeypot is written for UNIX, many of these systems have already been ported to NT. Below I'll list some tools (free of course!) that will help you set the bait. Some packages may or may not include a sniffer (a package to log incoming and outgoing traffic) - I'll list a few of those as well.

You'll need a basic computer to get started. If you don't have an extra system, you can use your current system by removing any existing drives and installing a spare drive with a fresh install of your operating system - NEVER use your original drives!

The last step is making sure you have all the latest operating system service packs and patches installed. Once you've tested it, connect it to the Internet and wait. This was a very quick overview for those inquisitive readers who want to get started now!
Free Honeypot Software

BackOfficer Friendly: A free Windows-based low-interaction honeypot. An excellent solution if you are new to honeypot technologies.

Honeyd: A free Unix-based low-interaction honeypot. It can emulate entire networks of systems (over 60,000 systems at the same time), proxy connections, and emulate both applications and the IP stack. You can also download a statically compiled version for Linux.