
HONEYPOTS

TRACKING HACKERS

By Nishesh Bakshi
A WORD ON SECURITY

“The secret to a good defense is good offense”

- Anonymous
Brief Background

• Who is a Hacker?

– A Hacker is a person who tries to gain unauthorized access to a network.
How does a hacker affect a server?

• Steals confidential data.
• Impersonates someone else.
• Causes loss of resources.
• Sometimes even causes hardware loss.
What are the security issues?

• To provide a secure connection between the client and the server.
• E.g. the email service provided by various websites.
How Hackers work

• Gathers information about the server
• Chooses the weakest link
• Starts exploiting that link
How Honeypots work.
Definition of Honeypots

“A honeypot is a security resource whose value is in being probed, attacked or compromised”
HONEYPOT ?

• HoneyPots are not a single tool but a highly flexible technology.

• HoneyPots come in a variety of shapes and sizes:
  everything from a simple Windows system emulating a few services to an entire network of production systems waiting to be hacked!!!

• HoneyPots have a variety of values:
  everything from a burglar alarm that detects an intruder to a research tool that can be used to study the motives of the black hat community!!!
QUESTIONS ON HPs ?

• What are the different values this unique technology can have? What are the different HoneyPot technologies available today?
• What are the advantages and disadvantages of using HoneyPots?
• Are there any deployment and maintenance issues associated with HoneyPots?
• Are all HoneyPots offensive in nature?
IS THIS A HONEYPOT ?

On a network, install a firewall which restricts all outbound traffic.
Attackers can get into the network but not use this network to spread out the infection.
CONCERNS

(THE “WHAT-IF” FACTOR)

• What if the attacker is lured into a HoneyPot? He/She will be infuriated by the deception and retaliate against the organisation.

• What if the HoneyPot is misconfigured?
THEN WHY USE HONEYPOTS ?

• At the end of year 2000, the life expectancy of a default installation of Red Hat 6.2 was less than 72 hrs!

• One of the fastest recorded times a HoneyPot was compromised was 15 min. This means that within 15 min of being connected to the internet, the system was found, probed, attacked, and successfully exploited by the attacker! The record for capturing a worm was 90 sec!!

• During an 11 month period (Apr 2000 – Mar 2001), there was a 100% increase in IDS alerts based on Snort.

• In the beginning of 2002, a home network was scanned on average by three different systems a day.

• The year 2001 saw a 100% increase in reported incidents, from 21,756 to 52,658 reported attacks.
WHAT CAN HONEYPOTS DO ?

• Can they capture known attacks ?

• Can they detect unknown attacks ?


ADVANTAGES OF USING HONEYPOTS

• Data Value
  HoneyPots collect very little data, but what they do collect is of very high value.
  The Honeynet Project research group collects less than 1 MB of data per day!
• Resources
  HoneyPots typically do not have problems of resource exhaustion.
• Simplicity
  No fancy algorithms to develop.
  No signature databases to maintain.
  No rule-bases to misconfigure!
DISADVANTAGES OF HONEYPOTS

• Narrow field of view
  HoneyPots only see the activity directed against them.

• Fingerprinting
  An incorrectly implemented HoneyPot can identify itself and others of the same kind.
CLASSIFICATION OF HONEYPOTS
(1/2)

[Based on level of INTERACTION]

Are you hoping to catch the attackers in action and learn about their tools and tactics?
OR
Are you interested in detecting unauthorized activity?
OR
Are you hoping to capture the latest worm for analysis?
CLASSIFICATION OF HONEYPOTS
(2/2)

Level of       Work to install    Work to deploy    Information    Level of
interaction    and configure      and maintain      gathering      risk
-----------    ---------------    --------------    -----------    --------
Low            Easy               Easy              Limited        Low
Medium         Involved           Involved          Variable       Medium
High           Difficult          Difficult         Extensive      High
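As an added example (not from the slides), a minimal low-interaction honeypot in Python that fits the "Low" row above: it emulates a service only as far as a greeting banner, records who connected and what they sent, and hangs up, so any connection is a burglar-alarm event and there is no real service to exploit. The banner text, the Probe and handle names and the LowInteractionHoneypot class are constructed for this illustration.

```python
import socket
import threading
import time
from dataclasses import dataclass

# Banner of the decoy service (constructed; it imitates no real product).
BANNER = b"220 mail.example.internal ESMTP ready\r\n"
MAX_CAPTURE = 512  # bytes kept per probe: very little data, all of it suspect

@dataclass
class Probe:
    ts: float
    src: str
    sport: int
    payload: bytes

    def alert(self) -> str:
        # Every probe is an alert: no legitimate client has a reason to be here.
        return f"HONEYPOT {self.src}:{self.sport} sent {len(self.payload)} bytes: {self.payload!r}"

def handle(conn: socket.socket, src: str, sport: int, wait: float = 1.0) -> Probe:
    """Greet, capture the first bytes, hang up: a fake service with nothing to exploit."""
    conn.settimeout(wait)
    conn.sendall(BANNER)
    try:
        data = conn.recv(MAX_CAPTURE)
    except socket.timeout:
        data = b""  # a silent connect (e.g. a port scan) is still worth recording
    return Probe(time.time(), src, sport, data)

class LowInteractionHoneypot:
    def __init__(self, host: str = "127.0.0.1", port: int = 0):  # port 0: OS picks
        self.probes = []  # list of Probe, the whole output of the sensor
        self._stop = threading.Event()
        self._sock = socket.create_server((host, port))
        self._sock.settimeout(0.2)  # so the accept loop notices stop()
        self.port = self._sock.getsockname()[1]
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def stop(self) -> None:
        self._stop.set()
        self._sock.close()
        self._thread.join(2)

    def _serve(self) -> None:
        while not self._stop.is_set():
            try:
                conn, (src, sport) = self._sock.accept()
            except (socket.timeout, OSError):
                continue
            with conn:
                self.probes.append(handle(conn, src, sport))
```

The fixed banner is exactly the kind of fingerprint the Disadvantages slide warns about: a scanner that has seen it once can recognise every copy of this decoy.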


Conclusion

• Honeypots are good resources for tracing hackers.
• The value of Honeypots is in being hacked.
• Honeypots have their own pros and cons and this technology is still developing.
REFERENCES

• www.snort.org
• www.hackingexposed.com
• www.infosecwriters.com
• www.securityfocus.com
• www.sans.org
• www.specter.com