
HONEYPOT AND INTRUSION DETECTION
Seminar Report By :

ANJANA .S. NANDIHALLI


VIII SEM CSE
S.D.M.C.E.T DHARWAD
Roll No : 705
Reg. No : 2SD98CS006

ABSTRACT
The Internet has become the largest public data network in the world, enabling
personal and business communications worldwide. Its widespread use has opened the door
to a growing number of security threats. Intrusion detection is the art of detecting
inappropriate, incorrect, or anomalous activity. Network intrusion detection systems
(NIDS) are an important part of any network security architecture: they provide a layer of
defense that monitors network traffic for predefined suspicious activity or patterns and
alerts system administrators when potentially hostile traffic is detected. This paper deals
with one such system, which uses 'honeypots' for intrusion detection.
The paper explains what a honeypot is and how it can help safeguard your
network from intruders, including internal ones. A honeypot is a system designed
specifically to look vulnerable so that an attacker thinks it is easy prey. Attackers who
probe the machine find a system that is easy to attack and that they believe might contain
sensitive information. On the back end, the system logs all of the intruder's probes and
attacks. A honeypot can lure attackers so that the administrator can study their methods of
operation, and resource integrity tools can tell whether a user, or possibly an intruder, has
altered files or other system resources.
Honeypots do not replace traditional Internet security systems; they are an
additional layer. The goals behind setting up a honeypot and the advantages and
disadvantages of honeypot solutions are also discussed.
Honeypots can be set up inside the firewall, outside it, or in the DMZ, or even in
all of these locations, although they are most often deployed inside the firewall for control
purposes. In a sense, they are variants of standard intrusion detection systems (IDS) with
more of a focus on information gathering and deception. The paper also discusses the
different layers of tracking.
The honeypot solutions discussed in the paper explain how to build a honeypot
and what features a honeypot should have. Some commercial honeypot systems are also
discussed.

CONTENTS

• Introduction
• Topic details
  • Introduction to honeypot
  • Classification
  • Layers or levels of tracking
  • Setting up a honeypot
  • Value of honeypots
  • Honeynet project
• Conclusion
• Bibliography
INTRODUCTION
With the current growth of the Internet and e-commerce, networks are
becoming increasingly vulnerable to damaging attacks. At the same time, downtime on
networks that carry critical business applications can result in production losses and
directly affect a company's bottom line. The volume of traffic moving over the Internet
and corporate networks expands every day as mobile workers, telecommuters, and branch
offices use e-mail and the Internet to connect remotely to corporate networks. No one,
whether a non-computer user, a casual Internet surfer, or even a large enterprise, is
immune to network security breaches. With proper planning, however, such breaches can
often be prevented. General fear and suspicion of computers still exists, and with it comes
a distrust of the Internet. This distrust can limit the business opportunities of companies,
especially those that are completely Web-based.
Simply put, an intrusion can be defined as any set of actions that attempts to
compromise the integrity, confidentiality or availability of a resource. An intrusion
detection system, or IDS for short, attempts to detect an intruder breaking into the system
or a legitimate user misusing system resources. The IDS runs constantly on the system,
working away in the background, and notifies the administrator only when it detects
something it considers suspicious or illegal.
There are two types of potential intruder: outside intruders and inside intruders.
Although most security measures are put in place to protect the inside from a malevolent
outside world, most intrusion attempts actually originate within an organization. A
mechanism is needed to detect both types of intrusion, a break-in attempt from the outside
or a knowledgeable insider attack, and an effective intrusion detection system detects
both.
Several species of butterfly have developed "eyes" on their wings. These fool
predators into thinking the butterfly is looking in a direction it isn't, and give them a
"target" that isn't really there (big eyes suggest a big body behind them).
Some forms of protection for computers follow the same principle: giving the
illusion of common vulnerabilities, appearing to have a port active when it isn't, or even
pretending to be an entire network just waiting to be port-scanned, none of it real. Since
any activity on these "non-existent" ports or networks has to come from an intruder, it
becomes trivial to tell when an attack is taking place, and much easier to separate the
intruder's packets from innocent ones.
The world of computer hackers is a constant cat-and-mouse game between
"white hats" and "black hats." Some white hats use "honeypots" to learn about their
enemy. Honeypots look like normal Web servers to a black hat, but they are really traps
fitted with special software that lets the white hats track every step a computer vandal
takes.

TOPIC DETAILS
WHAT IS A HONEYPOT?
Honeypot systems are decoy servers or systems set up to gather information
about an attacker or intruder into your system. They are typically programs that simulate
one or more network services that you designate on your computer's ports. An attacker
assumes you are running vulnerable services that can be used to break into the machine. A
honeypot can log every access attempt to those ports, including the attacker's keystrokes.
A honeypot is a network server designed to trap would-be attackers before
they invade the real servers and services. The honeypot contains no data or applications
critical to the company, but it has enough interesting data to lure a hacker. It is a system
designed to teach how black hats probe for and exploit a system.
The idea behind a honeypot is to set up a "decoy" system that has a non-
hardened operating system, or one that appears to have several vulnerabilities giving easy
access to its resources. The decoy system should be loaded with numerous fake files,
directories, and other information that looks real. By making the honeypot appear to be a
legitimate machine with legitimate files, it leads the hacker to believe that they have
gained access to important information. With a little luck the intruder will stay around in
an attempt to collect data while the honeypot collects information about the intruder and
the source of his or her attack.
Ideally, honeypots provide an environment where intruders can be trapped, or
vulnerabilities assessed, before an attack is made on real assets. Decoys are set up not to
capture the bad guy but to monitor and learn from their moves: how they probe and
exploit the system, and how those exploits can be prevented in production systems, all
without the hacker noticing.

HOW DO HONEY POTS WORK?


Honeypots work on the principle that all traffic to a honeypot should be deemed
suspicious. As stated before, honeypots are generally based on a real server and a real
operating system, with data that appears to be real. One of the main differences is the
location of the machine in relation to the actual servers. The decoy machine is usually
placed somewhere in the DMZ, which ensures that the internal network is not exposed to
the hacker. Honeypots work by monitoring the intruder during their use of the honeypot.
This can be done whether the attack came from outside or inside the network,
depending on the location of the decoy system. Honeypots are generally designed to
audit the activity of an intruder, save log files, and record events such as processes
started, compilations, file additions, deletions and changes, and even keystrokes. Log
records should be copied off the honeypot as they are written, since an intruder who takes
over the machine will otherwise be able to edit or delete them. By collecting such data,
honeypots help improve a corporation's overall security posture. If enough data is
collected, it may be used for prosecution in serious cases. Where you do not wish to
prosecute, the data collected can be used to gauge the skill level of the hackers, their
intent, and in some cases even their identity. All in all, the honeypot helps a company
prepare for attacks and respond to them by learning from the information gathered.
CLASSIFICATION OF HONEYPOTS
Honeypots can be broken up into two broad categories, "production" and
"research". The purpose of a production honeypot is to help mitigate risk in an
organization; it adds value to the organization's security measures. The second category,
research honeypots, is designed to gain information on the blackhat community. These
honeypots do not add direct value to a specific organization. Instead they are used to
research the threats organizations face and how to better protect against them.
Honeypots can also be categorized as hardware-based and software-based.
Hardware-based honeypots are servers, switches or routers that have been partially
disabled and made attractive with commonly known misconfigurations. They sit on the
internal network, serving no purpose but to look real to outsiders. The operating system of
each box, however, has been subtly disabled with tweaks that prevent hackers from really
taking it over or using it to launch new attacks on other servers.
Software emulation honeypots, on the other hand, are elaborate deception
programs that mimic real Linux or other servers and can run on machines as low-powered
as a 233 MHz PC. Since an intruder is only dancing with a software decoy, at no time
does he come close to actually seizing control of the hardware, no matter what the fake
prompts seem to indicate. Even if the hacker figures out that it is a software honeypot, the
box on which it is running should be so secure or isolated that he could do nothing but
leave anyway.
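The following is an added example of the software-emulation class described above (the same approach the DTK and FakeBO tools described later take); it is not code from any product named in this report. It emulates an FTP login dialogue: the client sees a banner and the usual USER/PASS replies, no credential is ever accepted, and every line the client types is logged with a timestamp. The banner text, the listening port (2121) and the peer address used in the offline driver are assumptions.

```python
"""Low-interaction honeypot: an emulated FTP login that grants nothing and logs everything.

Added example for this report; it is not code from DTK, FakeBO, CyberCop Sting or
any other product named on the page.  The banner text, the port (2121) and the
client address in run_session() are assumptions for the demonstration.
"""
import datetime
import socket
import threading

BANNER = b"220 ftp.intranet.example FTP server (Version 6.00LS) ready.\r\n"  # assumed banner
MAX_LINE = 512  # cap on what we read per call so a client cannot exhaust memory


class FakeFtpSession:
    """Per-connection state machine: answers like a real FTP server, never logs anyone in."""

    def __init__(self, peer):
        self.peer = peer
        self.user = None
        self.log = []  # (utc timestamp, peer, raw line): every line the client sent

    def _record(self, line):
        stamp = datetime.datetime.now(datetime.timezone.utc).isoformat()
        self.log.append((stamp, self.peer, line))

    def handle_line(self, line):
        """Return the reply for one client line, or None when the session should close."""
        line = line.rstrip(b"\r\n")
        self._record(line)
        cmd, _, arg = line.partition(b" ")
        cmd = cmd.upper()
        if cmd == b"USER":
            self.user = arg
            return b"331 Password required for %s.\r\n" % arg
        if cmd == b"PASS":
            # Every password is rejected: the attempted credential is the evidence we want.
            return b"530 Login incorrect.\r\n"
        if cmd == b"QUIT":
            return None
        if cmd == b"SYST":
            return b"215 UNIX Type: L8\r\n"
        if cmd == b"NOOP":
            return b"200 NOOP command successful.\r\n"
        return b"530 Please login with USER and PASS.\r\n"


def run_session(lines, peer="198.51.100.7"):
    """Drive one session from a list of client lines without a network; returns (replies, log)."""
    session = FakeFtpSession(peer)
    replies = []
    for line in lines:
        reply = session.handle_line(line)
        if reply is None:
            break
        replies.append(reply)
    return replies, session.log


def serve_client(conn, addr):
    """Talk to one real client; returns the session log when the client leaves."""
    session = FakeFtpSession("%s:%d" % addr)
    buf = b""
    with conn:
        conn.sendall(BANNER)
        while True:
            chunk = conn.recv(MAX_LINE)
            if not chunk:
                break
            buf += chunk
            while b"\n" in buf:
                line, buf = buf.split(b"\n", 1)
                reply = session.handle_line(line)
                if reply is None:
                    return session.log
                conn.sendall(reply)
            if len(buf) > MAX_LINE:  # an unterminated line this long is not an FTP client
                session._record(buf)
                break
    return session.log


def _worker(conn, addr):
    for stamp, peer, line in serve_client(conn, addr):
        print(stamp, peer, line)


def serve(host="127.0.0.1", port=2121):
    """Accept connections forever, one thread per client."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=_worker, args=(conn, addr), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and connect with any FTP client to port 2121 to see the dialogue; in a real deployment it would listen on port 21 behind the honeypot's firewall, and the printed records would be shipped off the box rather than kept locally. Note that the emulator is itself network-facing code: its input handling is the attack surface, which is why it reads bounded chunks and never interprets the client's data beyond splitting it into lines.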

LEVELS OR LAYERS OF TRACKING

Honeypots can be set up inside the firewall, outside it, or in the DMZ, or even in
all of these locations, although they are most often deployed inside the firewall for control
purposes. In a sense, they are variants of standard intrusion detection systems (IDS) with
more of a focus on information gathering and deception.
Many firewalls allow you to place a network in a demilitarized zone (DMZ).
This is a network added between an internal network and an external network in order to
provide an additional layer of security; it is sometimes also called a perimeter network.
The other option is to place the honeypot on a separate, dedicated Internet connection.
Ideally, all traffic to and from the honeypot should also be routed through its own
dedicated firewall.
The information obtained about an intruder depends on the levels of tracking
that you have enabled on your honeypot. Common tracking levels are the firewall, the
system logs on the honeypot itself, and sniffer-based tools.

Firewall Logs
Firewalls offer the outermost layer of protection for a network, providing a
basic barrier and restricting points of access. Firewalls are useful as part of the overall
honeypot design for several reasons. Most firewalls provide activity logging, which can
be used to identify how an intruder is attempting to get into the honeypot. Reviewing the
order, sequence, timestamps and types of packets an intruder uses to gain access to your
honeypot will help you identify the tools and methodology being used and the intruder's
intentions. Most firewalls can also be configured to send alerts by e-mail or pager to
notify you of traffic going to or from your honeypot, which is extremely useful for
reviewing intruder activity while it is happening.

System Logs

Unix and Microsoft NT have the lion's share of the Internet server market, and
both operating systems have logging capabilities built in that help identify what changes
or attempts have been made. Several tools are also available that greatly increase the
information that can be gathered. Many of the Unix tools are public domain, while many
of the Microsoft NT tools are not.

Sniffer Tools

Sniffer tools let you see all of the packets passing between the firewall and the
honeypot system. Using a sniffer allows you to examine packets in far more detail than
firewall or system logging alone, to determine which methods the intruder is trying. An
additional benefit of sniffer tools is that they can create and store log files, which can
then be kept for forensic purposes. A sniffer placed on a separate machine between the
firewall and the honeypot also keeps its records out of the intruder's reach, even if the
honeypot's own system logs are wiped after a compromise.
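As an added example of the firewall-log layer of tracking described above (not code from any firewall product), the script below parses netfilter-style "key=value" log lines, groups them by source address and reconstructs the order, timing and follow-up of the intruder's probes: whether the source swept many ports in a short window, whether it did so in ascending order, how long it stayed, and which port it came back to afterwards. The log prefix "HP-IN", the addresses and the timestamps in the sample are constructed.

```python
"""Reconstruct an intruder's moves from firewall log lines.

Added example for this report, not from any firewall vendor.  The line format is
the Linux netfilter "key=value" syslog style; the sample lines, addresses, times
and the "HP-IN" log prefix are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 12 03:14:07 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40123 DPT=21 SYN
Mar 12 03:14:07 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40124 DPT=22 SYN
Mar 12 03:14:07 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40125 DPT=23 SYN
Mar 12 03:14:08 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40126 DPT=25 SYN
Mar 12 03:14:08 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40127 DPT=80 SYN
Mar 12 03:14:08 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40128 DPT=111 SYN
Mar 12 03:16:41 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40311 DPT=111 SYN
Mar 12 03:16:42 fw kernel: HP-IN IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40312 DPT=111 SYN
Mar 12 03:20:05 fw kernel: HP-IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51000 DPT=80 SYN
Mar 12 03:20:06 fw kernel: HP-IN IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=48 PROTO=UDP SPT=51001 DPT=53
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d\d:\d\d:\d\d)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # netfilter fields are KEY=value, flags like SYN have no '='


def parse_line(line):
    """Return a record for one netfilter log line, or None if the line is something else."""
    m = TS_RE.match(line)
    fields = dict(FIELD_RE.findall(line))
    if not m or "SRC" not in fields or "DST" not in fields:
        return None
    return {
        # syslog timestamps carry no year; strptime fills in 1900, fine for intervals
        "ts": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
        "src": fields["SRC"],
        "dst": fields["DST"],
        "proto": fields.get("PROTO", "?"),
        "dpt": int(fields["DPT"]) if "DPT" in fields else None,  # ICMP has no ports
    }


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def profile(records, scan_ports=5, window=60):
    """Per source address: was it a port scan, in what order, and which port drew a follow-up?"""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    result = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        first, last = recs[0]["ts"], recs[-1]["ts"]
        scan_end = first + timedelta(seconds=window)
        scanned = []  # distinct ports touched within `window` s of first contact, in order seen
        for r in recs:
            if r["ts"] <= scan_end and r["dpt"] is not None and r["dpt"] not in scanned:
                scanned.append(r["dpt"])
        is_scan = len(scanned) >= scan_ports
        # Ports contacted again after the scan window are the services the intruder came back for.
        follow_up = sorted({r["dpt"] for r in recs if r["ts"] > scan_end and r["dpt"] is not None})
        result[src] = {
            "packets": len(recs),
            "duration_s": int((last - first).total_seconds()),
            "scan": is_scan,
            # ascending port order points at a simple sequential scanner rather than a randomised one
            "sequential": is_scan and scanned == sorted(scanned),
            "ports_scanned": scanned,
            "follow_up": follow_up,
        }
    return result


def report(text=SAMPLE_LOG):
    prof = profile(parse_log(text))
    for src, p in prof.items():
        print(src, p)
    return prof


if __name__ == "__main__":
    report()
```

The thresholds (five distinct ports inside sixty seconds) are assumptions to tune for your own traffic; the point is that the firewall log alone already yields the sequence the section describes: a sweep of six services in two seconds, then a return to port 111 two minutes later, which is where the sniffer and system-log layers should be examined next.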

SETTING A HONEYPOT

Implementing a honeypot solution as part of a security system first
involves deciding whether to purchase a commercial solution or to develop your own. A
honeypot system is set up to be easier prey for intruders than true production systems, but
with minor system modifications so that their activity can be logged or traced. The general
expectation is that once an intruder breaks into a system, they will come back for
subsequent visits. During these visits, additional information can be gathered and
additional attempts at file, security and system access on the honeypot can be monitored
and saved.
Building a Honey Pot
A variety of public domain tools and software are available to help you set up a
honeypot. 'Set up a server and fill it with tempting files. Make it hard but not impossible to
break into. Then sit back and wait for the crackers to show up. Observe them as they cavort
around in the server. Log their conversations with each other. Study them like you'd watch
insects under a magnifying glass.' That is the basic concept behind honeypots: systems that
are set up specifically so that security experts can secretly observe crackers in their natural
habitat.
When setting up a honeypot, certain goals have to be considered:
1. The honeypot system should appear as generic as possible.
2. You need to be careful about what traffic you allow the intruder to send back out to
the Internet, because you do not want to become a launch point for attacks against
other entities on the Internet. (This is one of the reasons for installing a honeypot
inside the firewall.)
You will want to make your honeypot an interesting site by placing
"dummy" information on it or making it appear as though the intruder has found an
"intranet" server. Expect to spend some time making your honeypot appear legitimate, so
that intruders spend enough time investigating and perusing the system for you to gather
as much forensic information as possible.
Any enterprise firewall package will be sufficient for building a honeypot
system. However, when setting up this firewall, you will want to reverse your normal rules.
The goal is to allow all inbound traffic and restrict outbound traffic to the bare minimum,
e.g. outbound ICMP, DNS, and Telnet/FTP to a non-compromised IP address. If all
outbound services are closed, intruders will lose interest and attack elsewhere. Whatever
outbound traffic you do permit should be logged and rate-limited, since it is the same
channel an intruder would use to reach other targets.

Available Honey Pot Systems

There are a variety of honeypot systems available, both commercial and freely
distributed. The operating systems most widely supported are Microsoft NT and Unix.
Some of the systems available are:

Deception ToolKit (DTK)


It is a toolkit designed to give defenders a couple of orders of magnitude
advantage over attackers.
The basic idea is not new: deception is used to counter attacks. In the case of
DTK, the deception is intended to make it appear to attackers as if the system running
DTK has a large number of widely known vulnerabilities. DTK's deception is
programmable, but it is typically limited to producing output in response to attacker input
in such a way as to simulate the behaviour of a system that is vulnerable to the attacker's
method. This has a few interesting side effects:
• It increases the attacker's workload, because they cannot easily tell which of their
attack attempts work and which fail.
• It allows us to track attacker attempts at entry and respond before they come
across a vulnerability we are susceptible to.
• It sours the milk, so to speak. If one person uses DTK, they can see attacks
coming well ahead of time. If a few others start using it, we will probably exhaust
the attackers and they will go somewhere else to run their attacks. If a lot of
people use DTK, the attackers will find that they need to spend 100 times the
effort to break into systems and that they run a high risk of detection well before
their attempts succeed.
• If enough people adopt DTK and work together to keep its deceptions up to date,
we will eliminate all but the most sophisticated attackers, and all the copy-cat
attacks will be detected soon after they are released to the wider hacking
community. This will not only sour the milk, it will also up the ante for would-be
copy-cat attackers and, as a side effect, reduce the "noise" level of attacks, allowing
us to see the more serious attackers more clearly and track them down.
• If DTK becomes very widespread, one of DTK's key deceptions will become very
effective. This deception is port 365, which has been staked out as the deception
port. Port 365 indicates whether the machine you are attempting to connect to is
running a deception defense. Naturally, attackers who wish to avoid deceptive
defenses will check there first, and eventually simply running the deceptive-defense
notifier will be adequate to eliminate many of the attackers. Of course, some
defenders will not turn on the deception announcement, so that they can track new
attack attempts by those who avoid deceptive defenses; so the attacker's level of
uncertainty rises, and the information world becomes a safer place to work.

FakeBO
This program fakes trojan servers and logs every attempt from a client. It
can log attempts to a file, stdout, stderr or syslog, and can send fake pings and
replies back to the trojan client. The trojans supported are Back Orifice (BO) and
NetBus.

CyberCop Sting by Network Associates


This product is designed to run on Windows NT and is able to emulate several
different systems, including Linux, Solaris, Cisco IOS, and NT. It is made to
appeal to hackers by looking as if it has several well-known vulnerabilities.
BackOfficer Friendly by NFR
This product is designed to emulate a Back Orifice server.
Tripwire
This product is for use on NT and Unix machines. It is not a honeypot in itself
but a file integrity checker: it compares binaries against a stored baseline and
informs the server operator which of them have been altered. This helps protect
machines from would-be hackers and is an excellent way to determine whether a
system has been compromised.
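The following added example shows the integrity-checking technique Tripwire is listed for (and that the abstract refers to as "resource integrity tools"); it is not Tripwire's own code or database format. It takes a baseline of digests, sizes and permission bits, signs the baseline with an HMAC so that an intruder cannot quietly rewrite it, and on a later run reports the files that were added, deleted or altered. The files written in demo() and the signing key are constructed placeholders; in practice the key and a copy of the baseline live off the monitored host.

```python
"""Tripwire-style integrity checker: baseline, sign, and diff the file system later.

Added example for this report; it is not Tripwire's code or database format.  The
file tree built in demo() is constructed, and the HMAC key is a placeholder for a
key that would be kept off the monitored host.
"""
import hashlib
import hmac
import json
import os
import tempfile


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map relative path -> digest, size and permission bits for every regular file under root."""
    baseline = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"sha256": _sha256(full), "size": st.st_size, "mode": st.st_mode & 0o7777}
    return baseline


def sign_baseline(baseline, key):
    """HMAC over canonical JSON: editing the baseline without the key breaks the tag."""
    canon = json.dumps(baseline, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canon, hashlib.sha256).hexdigest()


def verify_baseline(baseline, key, tag):
    return hmac.compare_digest(sign_baseline(baseline, key), tag)


def compare(baseline, root):
    """Report files added, deleted or altered since the baseline was taken."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    altered = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {"added": added, "deleted": deleted, "altered": altered}


def _write(root, rel, data):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)


def demo():
    """Build a constructed file tree, take a baseline, then play intruder and diff."""
    key = b"baseline-signing-key-kept-off-box"  # placeholder key
    with tempfile.TemporaryDirectory() as root:
        _write(root, "bin/ls", b"original ls binary\n")
        _write(root, "bin/ps", b"original ps binary\n")
        _write(root, "var/log/auth.log", b"Mar 12 03:14:07 sshd: Failed password for root\n")
        baseline = build_baseline(root)
        tag = sign_baseline(baseline, key)

        # The intruder's moves: trojan ps to hide their process, drop a tool, wipe the log.
        _write(root, "bin/ps", b"trojaned ps binary\n")
        _write(root, "bin/.rootkit", b"hidden tool\n")
        os.remove(os.path.join(root, "var", "log", "auth.log"))

        result = compare(baseline, root)
        result["baseline_authentic"] = verify_baseline(baseline, key, tag)
        # An intruder who rewrites the baseline entry for ps to cover the change fails the HMAC check.
        forged = dict(baseline)
        forged["bin/ps"] = build_baseline(root)["bin/ps"]
        result["forged_baseline_authentic"] = verify_baseline(forged, key, tag)
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the binary running it and the baseline it reads, which is why the baseline is signed and why, on a honeypot that is expected to be rooted, both the checker and the baseline should be run from read-only media or from a separate host.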

VALUE OF HONEYPOTS
Honeypots have certain advantages (and disadvantages) as security tools. It is
the advantages that define the value of a honeypot. The beauty of a honeypot lies in its
simplicity. It is a device intended to be compromised, not to provide production services.
This means there is little or no production traffic going to or from the device. Any time a
connection is sent to the honeypot, it is most likely a probe, scan, or attack. Any time a
connection is initiated from the honeypot, it most likely means the honeypot was
compromised. As there is little production traffic going to or from the honeypot, all
honeypot traffic is suspect by nature. This is not always the case: mistakes do happen,
such as an incorrect DNS entry or someone from accounting entering the wrong IP
address. But in general, most honeypot traffic represents unauthorized activity.
Because of this simple model, honeypots have certain inherent advantages
and disadvantages. Some of them are:
1. Advantage - Data Collection
Honeypots collect very little data, and what they do collect is normally of
high value. This cuts the noise level down and makes it much easier to collect and
archive data. One of the greatest problems in security is wading through gigabytes of
data to find the data you need. Honeypots can give you exactly the information you
need in a quick and easy-to-understand format.
2. Advantage - Resources
Many security tools can be overwhelmed by bandwidth or activity.
Network intrusion detection devices may not be able to keep up with network
activity, dropping packets and potentially attacks. Centralized log servers may not be
able to collect all the system events, potentially dropping some. Honeypots do not
have this problem; they capture only what comes to them.
1. Disadvantage - Single Data Point
Honeypots all share one huge drawback: they are worthless if no one
attacks them. Yes, they can accomplish wonderful things, but if the attacker does not
send any packets to the honeypot, the honeypot will be blissfully unaware of any
unauthorized activity.
2. Disadvantage - Risk
Honeypots can introduce risk to your environment. As the conclusion notes,
different honeypots have different levels of risk. Some introduce very little risk, while
others give the attacker entire platforms from which to launch new attacks. The risk is
variable, depending on how one builds and deploys the honeypot.

HONEYNET PROJECT
A honeypot is easy enough to build, but if an experienced cracker succeeds in
compromising it, he could use it to launch other attacks. A safer option might be to create
an entire network of honeypots, such as the Honeynet. It is called a 'honeynet' because it is
not a single system but a network of honeypots, full of real hardware, including Cisco
switches and Windows NT, Linux and Solaris boxes, all partially disabled.
The Honeynet Project, a group of 30 researchers from academia and the
commercial sector, obtains information through the use of a Honeynet: a computer
network on the Internet that is designed to be compromised. The network is made up of
various production systems complete with sensors, as well as a suitably enticing name and
content. (The actual IP address changes regularly and is not published.) Hackers' actions
are recorded as they happen: how the culprits try to break in, when they are successful,
and what they do when they succeed.
A Honeynet is a type of honeypot designed specifically for research. It is
different from traditional honeypots in that it is what we would categorize as a research
honeypot. This does not make it a better solution than traditional honeypots; it merely has
a different purpose. Instead of its value being the detection or deception of attackers, its
value lies in gaining information on threats. The two biggest design differences from a
classic honeypot are:

• It is not a single system but a network of multiple systems. This network sits
behind an access control device where all inbound and outbound data is controlled
and captured. This captured information is then analyzed to learn the tools,
tactics, and motives of the blackhat community. Honeynets can utilize multiple
systems at the same time, such as Solaris, Linux, Windows NT, Cisco router,
Alteon switch, etc. This creates a network environment that more realistically
mirrors a production network. Also, by having different systems with different
applications, such as a Linux DNS server, a Windows IIS webserver, and a
Solaris Database server, we can learn about different tools and tactics. Perhaps
certain blackhats target specific systems, applications, or vulnerabilities. By
having a variety of operating systems and applications, we are able to accurately
profile specific blackhat trends and signatures.

• All systems placed within the Honeynet are standard production systems. These
are real systems and applications, the same you find on the Internet. Nothing is
emulated nor is anything done to make the systems less secure. The risks and
vulnerabilities discovered within a Honeynet are the same that exist in many
organizations today. One can simply take a system from a production
environment and place it within the Honeynet.

Conceptually, Honeynets are a simple mechanism. We create a network
similar to a fishbowl, where we can see everything that happens inside it. As with fish in a
fishbowl, we can watch and monitor attackers in our network, and just as with a fishbowl,
we can put almost anything in there we want. This controlled network becomes our
Honeynet. The captured activity teaches us the tools, tactics, and motives of the blackhat
community.
Like all honeypots, the Honeynet solves the problem of data overload
through simplicity. A Honeynet is a network designed to be compromised, not to be used
for production traffic. Any traffic entering or leaving the network is suspicious by
definition. Any connection initiated from outside the Honeynet into the network is most
likely some type of probe, attack, or other malicious activity. Any connection initiated
from the Honeynet to an outside network indicates that a system was compromised: an
attacker has initiated a connection from his newly hacked computer and is now going out
to the Internet. This principle of no production traffic greatly simplifies data capture and
analysis.
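The following added example puts the rule just stated, and the reversed firewall policy from the "Setting a Honeypot" section, into code; it is not the Honeynet Project's own tooling. Inbound connections to the honeynet are allowed and logged as presumed attacks; the first outbound connection from a honeypot raises a compromise alert; further outbound connections are allowed only up to a cap per hour, so the intruder can be watched without the honeynet becoming a launch point. The address range, the designated resolver, the cap of five and the one-hour window are assumptions.

```python
"""Honeynet-style data control: let attackers in, cap what can go out.

Added example for this report, not the Honeynet Project's own tooling.  Models
the reversed firewall policy the report describes.  The honeynet range, the
resolver address, the cap of 5 and the one-hour window are assumptions.
"""
import ipaddress
from collections import defaultdict, deque

HONEYNET = ipaddress.ip_network("192.0.2.0/24")     # assumed honeynet address range
RESOLVER = ipaddress.ip_address("198.51.100.53")    # assumed "non-compromised" DNS server
OUTBOUND_LIMIT = 5                                  # assumed outbound connections per honeypot per window
WINDOW_SECONDS = 3600


class DataControl:
    """Stateful verdicts for the firewall in front of a honeynet."""

    def __init__(self, limit=OUTBOUND_LIMIT, window=WINDOW_SECONDS):
        self.limit = limit
        self.window = window
        self.recent = defaultdict(deque)  # honeypot address -> timestamps of recent outbound connections
        self.alerts = []                  # (ts, honeypot, message) records for the analyst

    def decide(self, ts, proto, src, dst, dport=None):
        """Return (verdict, reason) for a new connection; ts in seconds, proto 'tcp'/'udp'/'icmp'."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        src_in, dst_in = src in HONEYNET, dst in HONEYNET
        if dst_in and not src_in:
            return "ALLOW", "inbound to honeynet: probe or attack, logged"
        if src_in and not dst_in:
            return self._outbound(ts, proto, src, dst, dport)
        if src_in and dst_in:
            return "ALLOW", "honeynet-internal"
        return "DROP", "not honeynet traffic"

    def _outbound(self, ts, proto, src, dst, dport):
        if proto == "udp" and dport == 53 and dst == RESOLVER:
            return "ALLOW", "dns to designated resolver: logged, not counted"
        q = self.recent[src]
        while q and ts - q[0] > self.window:  # forget connections outside the window
            q.popleft()
        if not q:
            # A honeypot that starts talking out has almost certainly been compromised.
            self.alerts.append((ts, str(src), "outbound connection initiated: compromise suspected"))
        if len(q) >= self.limit:
            self.alerts.append((ts, str(src), "outbound limit reached: blocking"))
            return "DROP", "outbound limit %d reached in window" % self.limit
        q.append(ts)
        return "ALLOW", "outbound %d of %d in window" % (len(q), self.limit)


def demo():
    """Constructed flows: an inbound attack, then the hacked honeypot reaching out."""
    flows = [
        (0, "tcp", "203.0.113.5", "192.0.2.10", 22),       # attacker -> honeypot
        (60, "udp", "192.0.2.10", "198.51.100.53", 53),    # honeypot resolves a name
        (61, "tcp", "192.0.2.10", "203.0.113.5", 6667),    # honeypot calls back to the attacker (IRC)
        (62, "tcp", "192.0.2.10", "203.0.113.101", 22),    # ...and starts scanning others
        (63, "tcp", "192.0.2.10", "203.0.113.102", 22),
        (64, "tcp", "192.0.2.10", "203.0.113.103", 22),
        (65, "tcp", "192.0.2.10", "203.0.113.104", 22),
        (66, "tcp", "192.0.2.10", "203.0.113.105", 22),    # sixth outbound in the window: blocked
        (5000, "tcp", "192.0.2.10", "203.0.113.106", 22),  # window expired: allowed again, re-alerted
    ]
    dc = DataControl()
    verdicts = []
    for ts, proto, src, dst, dport in flows:
        verdict, reason = dc.decide(ts, proto, src, dst, dport)
        verdicts.append(verdict)
        print("%5d %s %s -> %s:%s %s (%s)" % (ts, proto, src, dst, dport, verdict, reason))
    return verdicts, dc.alerts


if __name__ == "__main__":
    demo()
```

The cap is a trade-off the analyst sets deliberately: allowing a handful of outbound connections is what lets you see the intruder fetch his toolkit or join his IRC channel, while the limit keeps the honeynet from being used for a flood or a scan of someone else's network. The exempted DNS channel is itself worth watching, since it remains a way for data to leave.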
Over the past several years the Honeynet Project has been dedicated to
learning the tools, tactics, and motives of the blackhat community and sharing the lessons
learned. The primary tool used to gather this information is the Honeynet.
Honeynets, a form of honeypot, are a new tool in computer security for
luring and containing a hacker. Like a surveillance camera, the honeynet allows you to
observe hacker behaviour and captures every action a hacker takes. Using real examples
of compromised systems, the Project's published findings show how the bad guys
accomplish what they do, and teach the technical skills needed to properly study an attack
and learn from it, including how to build and maintain a honeynet.

CONCLUSION
A honeypot is just a tool. How you use that tool is up to you. There is a
variety of honeypot options, each having different value to organizations. We have
categorized two types of honeypot, production and research. Production honeypots help
reduce risk in an organization. While they do little for prevention, they can greatly
contribute to detection and reaction. Research honeypots are different in that they are not
used to protect a specific organization; instead they are used as a research tool to study
and identify the threats in the Internet community. Regardless of what type of honeypot
you use, keep in mind the 'level of interaction': the more your honeypot can do and the
more you can learn from it, the more risk potentially exists. You will have to determine
the best balance of risk and capability for your own situation. Honeypots will not solve an
organization's security problems; only best practices can do that. However, honeypots
may be a tool that helps contribute to those best practices. Honeypots can act as decoys
and can keep intruders away from your other systems.

While not a network security panacea, deception is another option for the
security-conscious organization, especially for monitoring insider threats. Honeynets and
honeypots are best used to track, trap and trace crackers who have already entered a
particular system.

BIBLIOGRAPHY

http://www.linuxsecurity.com
http://project.honeynet.org
http://www.securityfocus.com
http://www.sans.org
http://www.itpapers.com
http://www.networkcomputing.com
http://www.ntsecurity.net
http://www.internetweek.com
