Honeypots are information systems designed to detect attacks by capturing unauthorized access. A honeypot mimics real systems to attract hackers while logging their activities without exposing real systems to harm. Honeynets are networks of high-interaction honeypots that provide whole systems for hackers to interact with and reveal their tactics. While helpful for research, honeypots require careful control and monitoring to prevent real damage while gathering forensic data on intrusions and attacks.

1. Honeypot &Honeynet
Sina Manavi
Manavi.Sina@gmail.com

2. Content
• What is Honeypot
• What is Honeynet
• Advantages and Disadvantages of
Honeypot/net

3. Definition of Honeypot:
• A Honeypot is an information system resource
whose value lies in unauthorized or illicit use
of that resource.
- Lance Spitzner

4. Honeypots value:
• Prevention
prevent automated attacks:(Warms and auto-rooters)
• Detection
identify a failure or breakdown in prevention
• Response

5. How Honeypot works:
Prevent
Detect
Response No connection Attackers
Attack Data
HoneyPot A
Gateway

6. Architecture

7. Honeypot can be placed:
 In front of the firewall (Internet)
 DMZ (DeMilitarized Zone)
 Behind the firewall (intranet)

8. Honeypot Classification:
By Implementation
• Virtual
• Physical
By purpose
• Production
• Research
By level of interaction
• High
• Low
• Middle?

9. Implementation of Honeypot
Physical
• Real machines
• Own IP Addresses
• Often high-interactive
Virtual
• Simulated by other machines that:
– Respond to the traffic sent to the honeypots
– May simulate a lot of (different) virtual honeypots at the same
time

10. Physical Honeypot vs. Virtual Honeypot
• PH (Real machines, NICs, typically high-interaction)
– High maintenance cost.
– Impractical for large address spaces.
• VH (Simulated by other machines)
– Multiple virtual services and VMs on one machine.
– Typically it only simulate network level interactions, but
still able to capture intrusion attempts.

11. Propose of Honeypot:
Research
 Complex to deploy and maintain.
 Captures extensive information.
 Run by a volunteer(non-profit).
 Used to research the threats organization face.
Production
 Easy to use
 Capture only limited information
 Used by companies or corporations
 Mitigates risks in organization

12. Interaction Level:
• Low Interaction
• High Interaction
Note: Interaction measures the amount of activity an attacker
can have with a honeypot.

13. Low Interaction vs. High Interaction
Low-Interaction High-Interaction
Installation Easy More difficult
Maintenance Easy Time consuming
Risk Low High
Need Control No Yes
Data gathering Limited Extensive
Interaction Emulated services Full control

14. Example of Honeypots:
• Symantec Decoy Server (ManTrap) High Interaction
• Honeynets
• Nepenthes
• Honeyd
– (Vitrual honeypot)
• KFSensor
• BackOfficer Friendly Low Interaction

15. Honeynet History:
• Informally began in April 1999
• The Honeynet Project officially formed in
June 2000
• Became a non-profit corporation in
September 2001.
• Is made up of thirty Volunteer security
professionals

16. What is a Honeynet?
• Actual network of computers
• High-interaction honeypot
• Its an architecture, not a product
• Provides real systems, applications, and
services for attackers to interact with.
• Any traffic entering or leaving is suspect”.

17. How the Honeynet works?
• Monitoring, capturing, and analyzing all the
packets entering or leaving through networks.
• All the traffic is entering or leaving through
the Honeynet is naturally suspect.

18. Honeynet Evolution
• 1997, DTK (Deception Toolkit)
• 1999, a single sacricial computer,
• 2000, Generation I Honeynet,
• 2003, Generation II Honeynet,
• 2003, Honeyd software
• 2004, Distributed Honeynets, Malware Collector...
• 2009, Dionaea (multi stage payloads, SIP,...)
Kojoney, Kippo

19. Architecture Requirements:
• Data Control
• Data Capture

20. Data Control of the Honeynet
No Restrictions
Honeypot
Internet
No Restrictions
Honeypot
No Restrictions
Honeypot
Internet
Honeywall
Connections Limited Packet Scrubbed Honeypot

21. Honeynet Generations:
• Gen I:
– Simple Methodology, Limited Capability
– Highly effective at detecting automated attacks
– Use Reverse Firewall for Data Control
– Can be fingerprinted by a skilled hacker
– Runs at OSI Layer 3
• Gen II:
– More Complex to Deploy and Maintain
– Examine Outbound Data and make determination to block, pass,
or modify data
– Runs at OSI Layer 2

22. Advantages and Disadvantages of Honeynet/pots
Advantages :
Honeypots are focused (small data sets)
Honeypots help to reduce false positive
Honeypots help to catch unknown attacks (false negative)
Honeypots can capture encrypted activity (cf. Sebek)
Honeypots work with IPv6
Honeypots are very flexible (advantage/disadvantage?)
Honeypots require minimal resources
Disadvantages :
Honeypots field of view limited (focused)
Risk,

23. Q&A

24. Thank you
1/12/2011