Honeypot: A Survey of Technologies, Tools and Deployment.

Anita Borkar Akshaya Salunke

UG student (PVPPCOE) UG student (PVPPCOE)
anita.borkar@gmail.com akshayasalunke@gmail.com

Ankita Barabde Karlekar N. P.

UG student (PVPPCOE) Lecturer (I.T.) PVPPCOE
ankitabarabde@gmail.com nkarlekar@gmail.com

Abstract: controlling what traffic can flow where. They are used as an
Honeypots are closely monitored decoys that are employed in a access control device. Firewalls are most commonly deployed
network to study the trail of hackers and to alert network around an organization's perimeter to block unauthorized
administrators of a possible intrusion. Using honeypots provides activity. Network Intrusion Detection Systems are designed to
a cost-effective solution to increase the security posture of an detect attacks by monitoring either system or network activity.
organization. Even though it is not a panacea for security They are used to identify unauthorized activity.
breaches, it is useful as a tool for network forensics and
intrusion detection. Nowadays, they are also being extensively Honeypot can be of any computer resource type, such as a
used by the research community to study issues in network firewall, a web server, or even an entire site it runs no real
security, such as Internet worms, spam control, DoS attacks, etc. production services any contact with it is considered potentially
In this paper, we survey the types of honeypot technologies and malicious traffic sent to or from a honeypot is considered either
their deployments as an effective educational tool to study issues an attack or a result of the honeypot being compromised
in network security. In addition to survey of honeypot
classifications, we present a primary tool for each type. Notable features of honeypots include: collect small volumes of
higher value traffic are capable of observing previously
Introduction unknown attacks detect and capture all attackers’ activities
including encrypted traffic and commands, and require minimal
Honeypots are used for some time in computing systems for resources.
detection of intrusion and tracking the attackers. A honeypot is a
deception trap, designed to attract an attacker into attempting to
compromise the information systems in an organization. A
Honeypot Technologies
honeypot can serve as an early-warning and advanced security 1) Types by level of interactions:
surveillance tool, minimizing the risks from attacks on IT
systems and networks. Honeypots can also analyze the ways in a. The Low-Interaction Honeypots (Specter)
which attackers try to compromise an information system,
providing valuable information into potential system loopholes.
b. The High-Interaction Honeypots (Symantec
Decoy Server)
Honeypot definition: A honeypot as a security resource whose
value lies in being probed, attacked, or compromised[1]. A
2) Types by their intended use:
closely monitored computing resource that we want to be
probed, attacked, or compromised[2].
a. Production honeypots (Honeynets)
This means that expectations and goals of a honeypot are to
have the system probed, attacked, and potentially exploited. It b. Research honeypots (Leurre.com)
does not matter what the resource is (a router, scripts running
emulated services, a jail, or an actual production system). The 3) Types by attack role:
resource's value lies in its being attacked. If the system is never
probed or attacked, then it has little or no value. This is the exact a. Server side honeypots (Honeyd)
opposite of most production systems, which you do not want to
be probed or attacked. b. Client side honeypots (HoneyMonkey)

As should be apparent from this definition, honeypots are

different from most security tools in that they can take on
different manifestations. Most of the security technologies used
today were designed to address specific problems. For example
firewalls, are a technology that protect your organization by

Honeypots differentiated by their level
of interactions:
The Low-Interaction Honeypots[3]
Low-interaction honeypots have limited interaction; they work
by emulating services and operating systems. Attacker activity is
limited to the level of emulation by the honeypot. For example,
an emulated SMTP service listening on port 25 may just emulate
a SMTP login, or it may support a variety of additional SMTP
commands. Low level honeypots are easier to deploy and
maintain, with very low risk. You just install honeypot software,
select the operating systems and services you want to emulate
and start monitoring. Attacker's activity is contained, the
attacker never has access to an operating system to attack or
harm others. Disadvantages with low interaction honeypots is
that they log only limited information and capture known
activity. Also, it’s easier for an attacker to detect a low-
interaction honeypot. Example of low-interaction honeypots is
SPECTER.
in the organization to mirror the appearance of a live mail
server. When attacks are directed at the decoy sensor, Symantec
Decoy Server delivers comprehensive attack detection through a
system of data collection modules. Every action is recorded for
analysis, allowing administrators to prioritize and understand the
threat and respond appropriately.
Since the decoy server is not a real system, all traffic directed
towards Symantec Decoy Server is likely suspicious and should
be considered a prelude to an attack. This helps eliminate the
nuisance of false negatives and positives, allowing system
administrators to focus on legitimate attacks and respond much
more effectively.
Symantec Decoy Server is not signature-based, so it
automatically detects unknown attacks without any need for
security signature updates or dynamic policy configurations. It
also detects both host- and network-based attacks, unauthorized
use of passwords and server access for increased network
protection.

Example of a Tool for Low-Interaction Honeypots Low-interaction Honeypots High-interaction Honeypots

SPECTER[4] is a smart honeypot-based intrusion detection Emulates operating systems Real operating systems and
system. It simulates a vulnerable computer, providing an and services. services are provided.
interesting target to lure hackers away from the production
machines. SPECTER offers common Internet services such as  Easy to install and  Can capture
SMTP, FTP, POP3, HTTP and TELNET which appear perfectly deploy. Simple comprehensive
normal to the attackers but in fact are traps for them to mess installing and information,
around and leave traces without even knowing that they are configuring software including new tools,
connected to a decoy system, which does none of the things it on a computer. communications, or
appears to do, but instead logs everything and notifies the  Low risk, as the attacker keystrokes.
appropriate people. Furthermore, SPECTER automatically emulated services  Can be complex to
investigates the attackers while they are still trying to break in. control what install or deploy.
SPECTER provides massive amounts of decoy content attackers can and  Increased risk, as
including images, MP3 files, email messages, password files, cannot do. attackers are
documents and all kinds of software. It dynamically generates  Captures limited provided real
decoy programs that will leave hidden marks on the attacker's amounts of operating systems to
computer. Automated online updates of the system's content and information, like interact with.
vulnerability database allow the honeypot to change constantly transactional data and
without user interaction. limited interaction.

The High-Interaction Honeypots Honeypots differentiated by their

High-interaction honeypots are complex solutions as they
involve real operating systems and applications[5]. With high-
interaction honeypots, you can capture comprehensive
information. You can learn the full extent of attackers’ behavior,
complete from new rootkits to IRC sessions. Also high-
interaction honeypots provide an open environment that captures
all activity. This allows high-interaction honeypots to learn
unexpected behavior. Of course this also increases the risk; as
attackers can use these operating system loopholes to attack
non-honeypot systems. High-interaction honeypots are more
complex to deploy and maintain. Example of high-interaction
honeypots is Symantec Decoy Server.
Example of a Tool for High-Interaction Honeypot.
Symantec Decoy Server provides early detection of threats and
enables attack diversion and confinement by actually becoming
the target of the attack[6]. The decoy sensor acts like a fully
functioning server, and can simulate email traffic between users
intended use:
Production Honeypots:
A production honeypot is used in an organization to protect its
IT infrastructure[7]. Production honeypots secure the
organization by policing its IT environment to identify attacks.
Production honeypots have less purpose and require fewer
functions than research honeypots. Using production honeypots,
we may know the origin of the hackers such what kind of
machine or operating system it uses, which country they are
from, the kind of tools they used and the types of exploits the
blackhat launches. Production honeypots let the blackhat
community spend time and resource into attacking the
honeypots rather than the organization’s production systems.
Example of Production Honeypots is Honeynets.
Research Honeypots Production Honeypots Research Honeypots
Less purpose and require fewer Complex and comprehensive
Research honeypots are complex. They are designed to collect functions. functions.
as much information as possible about hackers’ and their
activities[8]. Their primary mission is to research the threats  Help to reduce or  Complex and capture
organization may face, such as who the attackers are, how they mitigate risk that a complete
are organized, what kind of tools they use to attack other specific organization information,
systems, and where they obtained those tools. From the faces. including new tools,
information gathered by research honeypots, it will help the  Secure the communications, or
organization to better understand on the hackers’ attack patterns, organization by attacker keystrokes.
motives and how they function. With knowledge about potential policing its IT  Help to understand
threats, the organization can use necessary defense mechanisms environment to attack patterns,
and processes. Research honeypots are also an excellent tool to identify attacks. motives and how
capture automated attacks, such as auto-rooters or worms.  The implementation attackers function.
and deployment of  Excellent tool to
Example of a Tool for Production and Research are relatively easier capture automated
and less risky. attacks such as auto-
Honeypots
 Provide less evidence rooters or worms.
A honeynet is a type of honeypot[9]. Specifically, it is a high- about hacker’s attack  difficult and complex
interaction honeypot designed to capture extensive information patterns and motives. to implement, higher
on threats. High-interaction means a honeynet provides real risk and require
systems, applications, and services for attackers to interact with. skilled personnel
It is through this extensive interaction we gain information on
threats, both external and internal to an organization. What
makes a honeynet different from most honeypots is that it is a
network of real computers for attackers to interact with. These Honeypots differentiated by their
victim systems (honeypots within the honeynet) can be any type attack role:
of system, service, or information you want to provide.
Server side honeypots
Conceptually honeynets are very simple; they are a network that
contains one or more honeypots. Since honeypots are not An Internet-attached server that acts as a decoy[1], luring in
production systems, the honeynet itself has no production potential hackers in order to study their activities and monitor
activity, no authorized services. As a result, any interaction with how they are able to break into a system. Honeypots are
a honeynet implies malicious or unauthorized activity. Any designed to mimic systems that an intruder would like to break
connections initiated inbound to your honeynet are most likely a into but limit the intruder from having access to an entire
probe, scan, or attack. Any unauthorized outbound connections network. If a honeypot is successful, the intruder will have no
from your honeynet imply someone has compromised a system idea that s/he is being tricked and monitored. Most honeypots
and has initiated outbound activity. This makes analyzing are installed inside firewalls so that they can better be
activity within your honeynet very simple. With traditional controlled, though it is possible to install them outside of
security technologies, such as firewall logs or IDS sensors, you firewalls. A firewall in a honeypot works in the opposite way
have to sift through gigabytes of data, or thousands of alerts. A that a normal firewall works: instead of restricting what comes
great deal of time and effort is spent looking through this into a system from the Internet, the honeypot firewall allows all
information, attempting to eliminate false positives while traffic to come in from the Internet and restricts what the system
identifying attacks or unauthorized activity. Since a honeynet is sends back out.
nothing more than a network of honeypots, all captured activity
is assumed to be unauthorized or malicious. Using server side honeypots the administrator can watch the
hacker exploit the vulnerabilities of the system, thereby learning
where the system has weaknesses that need to be redesigned.
The hacker can be caught and stopped while trying to obtain
root access to the system. By studying the activities of hackers,
designers can better create more secure systems that are
potentially invulnerable to future hackers.

Example of a Tool for Server side Honeypots

Honeyd is a small daemon that creates virtual hosts on a
network[10]. The hosts can be configured to run arbitrary
services, and their personality can be adapted so that they appear
to be running certain operating systems. Honeyd enables a single
host to claim multiple addresses - tested up to 65536 - on a LAN
for network simulation. Honeyd improves cyber security by
providing mechanisms for threat detection and assessment. It
also deters adversaries by hiding real systems in the middle of
virtual systems.
It is possible to ping the virtual machines, or to traceroute them.
Any type of service on the virtual machine can be simulated
according to a simple configuration file. Instead of simulating a
service, it is also possible to proxy it to another machine.
The different TCP personalities are learned from reading a nmap
fingerprint file. The configured personality is the operating
system that nmap or xprobe will return. Personalities can be
annotated to determine if they allow FIN-scans for open ports or
to select the preference in which they reassemble fragmented IP
packets.
Honeyd can be used to create a virtual honey net or for general
network monitoring. It supports the creation of a virtual network
topology including dedicated routes and routers. The routes can
be attributed with latency and packet loss to make the topology
seem more realistic.
HoneyMonkey is based on the honeypot concept, with the
difference that it actively seeks websites that try to exploit it.
The term was coined by Microsoft Research in 2005. With
honeymonkeys it is possible to find open security holes that
aren't yet publicly known but are exploited by attackers.
A single HoneyMonkey is an automated program, which tries to
mimic the action of a user surfing the net. A series of
HoneyMonkeys are run on virtual machines running Windows
XP, at various levels of patching — some are fully patched,
some fully vulnerable, and others in between these two
extremes. The HoneyMonkey program records every read or
write of the file system and registry, thus keeping a log of what
data was collected by the web-site and what software was
installed by it. Once the program leaves a site, this log is
analyzed to determine if any malware has been loaded. In such
cases, the log of actions is sent for further manual analysis to an
external controller program, which logs the exploit data and
restarts the virtual machine to allow it to crawl other sites
starting in a known uninfected state.

Because Honeyd interacts with potentially malicious

adversaries, you should sandbox it with Systrace. Systrace Server side honeypots Client side honeypots
prevents an adversary from exploiting bugs in your Honeyd Acts as a decoy, luring in Actively in search of servers
scripts. potential hackers. that attack clients.
 Can watch the hacker  Simulates/drives
Client side honeypots exploit the system, so client-side software
as learn the and does not expose
Client Honeypots are active security devices in search of weaknesses that need server based services
malicious servers that attack clients[11]. The client honeypot to be redesigned. to attack.
poses as a client and interacts with the server to examine  The attacker can be  Actively interact with
whether an attack has occurred. Any client that interacts with caught and stopped remote servers to be
servers can be part of a client honeypot (for example Browser, while trying to obtain attacked.
ftp, ssh, email, etc.). root access to the  Evaluates which
system. server is malicious
Client honeypots can be grouped into low interaction and high  Help to create more and which is benign.
interaction honeyclients. Low interaction client honeypots are secure systems that
fast and generally easier to manage, but are weaker at detecting are potentially
new attacks and less likely to be able to obtain malware. High invulnerable to future
interaction client honeypots are slower and more difficult to hackers.
manage in general, but are better suited for the detection of new
attacks and obtaining malware. Client side honeypots
simulates/drives client-side software and does not expose server
based services to be attacked. It cannot lure attacks to itself, but Honeypot Deployments[13]
rather it must actively interact with remote servers to be
[8]
attacked. The client-side honeypot must discern which server is Large-scale Distributed Honeypots
malicious and which is benign.
Deployment:
Example of a Tool for Client side Honeypots Honeypot network Honeynet, which is a network of honeypots
that imitate and replicate an actual or fictitious network. This
HoneyMonkey, short for Strider HoneyMonkey Exploit will appear to attackers as if many different types of applications
Detection System[12], is a Microsoft Research honeypot. The are available on several different platforms. A honeynet offers
implementation uses a network of computers to crawl the World an early warning system against attacks and provides an
Wide Web searching for websites that use browser exploits to excellent way to analyze and understand an attacker’s intention,
install malware on the HoneyMonkey computer. A snapshot of by looking at what kind of machines and Honeypot Security
the memory, executable and registry of the honeypot computer services have been attacked, and what type of attacks have been
is recorded before crawling a site. After visiting the site, the conducted.
state of memory, executable, and registry is compared to the
previous snapshot. The changes are analyzed to determine
Honeynet Project and HoneyLab are examples of this type of
whether the visited site installed malware onto the honeypot
deployment
computer.
Server Honeypot Deployment:
Honeypots are deployed alongside regular production servers[14].
The honeypot will mirror some real data and services from the
production servers in order to attract attackers. The security of
the honeypot can be loosened slightly so as to increase its
chance of being compromised. The honeypot can then collect
attack related information. However, if a successful attack takes
place on the honeypot within the network; that compromised
honeypot machine might be used to scan for other potential
targets in the network. This is the main drawback of installing
honeypots within the production system.
In other method each server is paired with a honeypot, and
suspicious traffic destined for the server is directed to the
honeypot. For instance, traffic at TCP port 80 can be directed to
a web server IP address as normal, while all other traffic to the
web server will be directed towards the honeypot. To
camouflage the honeypot, a certain amount of data, such as the
website contents of a web server, may need to be replicated on
the honeypot. There are several ways to set up a server
honeypot. It can be set in front of a firewall, in the DMZ or
behind a firewall. It is best to deploy the honeypot closer to the
server, as it is more tempting for the attacker. Another way to
deploy a honeypot would be to place it in between servers, but
this method is not very effective. It would only prove use mostly
against sweep scans.
Virtual Honeypot Deployment
Virtual honeypots simulate virtual computer systems at the
network level[15]. The simulated computer systems appear to run
on unallocated network addresses. To deceive network
fingerprinting tools, these honeypots simulate the networking
stack of different operating systems and can provide arbitrary
routing topologies and services for an arbitrary number of
virtual systems. These honeypots help in many areas of system
security, e.g. detecting and disabling worms, distracting
adversaries, or preventing the spread of spam email.
Honeyd is example of Virtual Honeypot framework
Deployment of a Client Honeypot
[16]
Client honeypots focus on malicious webservers, which they
interact with by driving a web browser on the honeypot system.
Honeyclient detects successful attacks by monitoring changes to
a list of files, directories and system configuration after the
Honeyclient has interacted with a server. Honeyclient such as
Honeymonkey also detects intrusions by monitoring changes to
a list of executable files and registry entries, but Honeymonkey
goes a step further by adding monitoring of the child processes
to its repertoire to detect client side attacks. The UW client
honeypot uses event triggers of file system activity, process
creation, registry activity and browser crashes to identify client
side attacks. All these client honeypots can be classified as high
interaction client honeypots because they make use of a real
browser within a real operating system environment and monitor
the state of the entire system.
Deployment of a WEB Honeypot
[7]
Through web interface, one can deploy low-involvement (low-
interaction), production, dynamic and manageable honeypot. It
uses a combination of deployment strategies, such as,
“Deception Ports on Production Systems” to simulate honeypot
services, substituted for well-known services (for instance
HTTP, SMTP, POP, DNS and FTP) and “Proximity Decoys”
where the honeypot decoys are in close proximity to the
production hosts (in the same logical subnet). The risk is
minimized because there is no real Operating System present
and services are simulated.
This deployment is easier to deploy and maintain. Furthermore,
the emulated services reduce the risk by containing the
attacker’s activity. The attacker will never have access to an
operating system to do further damage. However, only limited
information is logged. It is also easier for an attacker to detect a
low-interaction honeypot in this particular architecture. No
matter how good the emulation is, a skilled attacker can
eventually detect its presence. Another disadvantage is that it
will not allow the researcher to capture any additional data
associated with the attack other than the initial probe. The
honeypots are deployed in the same logical subnet to distract an
attacker from the real targets. They are used as a bait to bind
attacking attempts as long as possible and protect the productive
environment in the meantime. The primary interest here is to
protect the real systems. The purpose of running Honeypot in
the intranet is to detect internal attackers. It is also possible to
detect a misconfigured firewall using an internal honeypot. In
addition, implementation of the web honeypot is a great way to
detect worms or Trojans.
References
[1] Honeypots: Tracking Hackers By Lance Spitzner. Publisher
: Addison Wesley Pub Date : September 13, 2002
[2] N. Provos, “A virtual honeypot framework,” in SSYM’04:
Proceedings of the 13th conference on USENIX Security
Symposium. Berkeley, CA, USA: USENIX Association, 2004.
[3] Low Interaction Server Honeypot Evolution Mark
Schloesser Giraffe Honeynet Project FIRST Technical
Colloquium, Kuala Lumpur December 2, 2009
[4] SPECTER a smart honeypot-based intrusion detection
system http://www.specter.com/default50.htm
[5] Security and Results of a Large-Scale High-Interaction
Honeypot J. Briffaut, J.-F. Lalande, C. Toinard; JOURNAL OF
COMPUTERS, VOL. 4, NO. 5, MAY 2009
[6] Symantec Releases Decoy-Based Intrusion Detection
System;
http://www.symantec.com/press/2003/n030623b.html
[7] Issues in Informing Science and Information Technology
Volume 3, 2006 Honeypot through Web (Honeyd@WEB): The
Emerging of Security Application Integration Nor Badrul Anuar,
Omar Zakaria, and Chong Wei Yao University of Malaya, Kuala
Lumpur MY
[8] HoneyLab: Large-scale Honeypot Deployment and Resource
Sharing by P. Akritidis, W. Y. Chin, E. P. Markatos, E.
Kotsovinos, S. Ioannidis, K. G. Anagnostakis
[9] Know Your Enemy: Honeynets What a honeynet is, its
value, overview of how it works, and risk/issues involved.
honeynet Project http://www.honeynet.org 31 May, 2006
[10] Developments of the Honeyd Virtual Honeypot:
http://www.honeyd.org/
[11] HoneyC - The Low-Interaction Client Honeypot by
Christian Seifert, Ian Welch, Peter Komisarczuk
{cseifert, ian.welch, peter.komisarczuk}@mcs.vuw.ac.nz;
August 2006
[12] Strider HoneyMonkey Exploit Detection
http://research.microsoft.com/en-
us/um/redmond/projects/strider/honeymonkey/
[13] Effective Deployment of Honeypots Against Internal and
External Threats Douglas B. Moran
[14] Honeypot Deployment Hanli Ren Member of UNB
Honeynet Project Faculty of Computer Science University of
New Brunswick, Fredericton, Canada
[15] Virtual honeypots: from botnet tracking to intrusion
detection, First edition Authors: Niels Provos, Thorsten Holz.
Publisher Addison-Wesley Professional Year of Publication:
2007
[16] Honeyware: a web-based low interaction client honeypot
Yaser Alosefer, Omer Rana School of Computer Science &
Informatics, Cardiff University, UK