What Is in the Pot?

A typical honeypot is an immense complex of hardware and software comprising the following components: an attraction host (the attractor, or lure), a network sensor, and a collector, which accumulates the gathered information.

An attractor is any server running any operating system and configured to a chosen security level. Isolating it from the other network segments prevents intruders from using it as a bridgehead for attacking the main hosts. However, isolation also lets hackers quickly realize that they are approaching a trap and must disappear, removing all traces of their activity. In theory, administrators can even set up fictitious LANs. In practice, however, this solution is too expensive; therefore, administrators must find a reasonable compromise between weakened isolation that protects only the critically important hosts and a LAN emulator running on a standalone computer.

Usually, the solution is to deploy several honeypot servers. Some of them contain well-known security holes and are intended for beginners who have just started to master the command line and read 10-year-old books. Others are protected to the highest level possible; as a rule, they are oriented toward detecting unknown attacks carried out by experienced intruders. Thus a clever hacker, even having found a new security hole, won't rush to break into the first vulnerable server encountered: if the attack fails, information about the vulnerability becomes available to IT security specialists, and the hacker will probably land in court.

By the way, many honeypots are configured with default security settings, and this approach is well grounded. The security holes of default configurations are well known, which ensures the maximum number of attackers. In this case attackers get the false impression of dealing with an inexperienced administrator who has installed some standard (and not the newest) distribution and has only a vague idea of network security; most beginner administrators proceed in exactly this way. However, the risk of being lured into and caught in a honeypot is too high; therefore, it is much better to refrain from attacking.

A network sensor is usually implemented on the basis of a UNIX-like operating system. For capturing information, the tcpdump utility or one of its analogues is most often used. Depending on the network configuration, the sensor might be located on one of the hosts in the local network segment, or it might be one of the routers located just before the lure. Sometimes the network sensor is even combined with the attractor. This considerably simplifies the honeypot; however, it weakens its immunity, because an attacker who quickly detects the sensor can just as quickly kill it. A sensor located within a broadcast segment enjoys the highest level of secrecy. The network interface of such a sensor might even lack an IP address of its own and simply track the network traffic in stealth mode, which can be achieved by physically cutting the transmitting wire of the network adapter (see Chapter 27 for more details). A router is considerably more noticeable in this respect; however, in general it is impossible to find out whether or not a network sensor is operating on it.

The dumps created by tcpdump are processed by various analyzers (such as intrusion-detection systems), which first recognize the attack and then determine the intruder's IP address. The accumulated information is gathered by the collector, the heart of which is the database. This is the most vulnerable point of the honeypot. To succeed, the hacker must determine beforehand which set of criteria allows him or her to determine unambiguously which actions are normal and which aren't. Otherwise, the administrator will have to worry about every port scan or, probably, will miss slightly modified variants of well-known attacks. There is another problem here: the honeypot may not receive any traffic except the hacker's own (which is easy to determine from the way the ID field in the IP packet headers changes; for more details, see Chapter 23). In this case, the attacker would immediately recognize the trap and wouldn't attack it.

If the attractor serves users from an external network, direct analysis of the traffic dump becomes impossible, and nothing could be easier for the hacker than to get lost among the legitimate queries. Databases storing credit card numbers or other confidential information remain the most promising attractor for hackers (this information must, of course, be fictitious). Any attempt to access such files, like any attempt to use this information, is evidence of intrusion. There are other methods of catching intruders; however, in most cases they reduce to hard-coded templates, which means that they are unable to recognize hackers who think ahead.
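The following is an added example, not code from the book, of what the collector side of the pipeline described above does with a tcpdump capture: it parses a (constructed, in-memory) libpcap file, applies two explicit criteria to the inbound packets (a "distinct ports per source" threshold for port scans and any contact with a bait service standing in for the fictitious card database), and, as a self-check, computes the IP ID deltas an individual peer would observe in the honeypot's replies, since a run of +1 steps is exactly what gives an otherwise idle pot away. Addresses, ports, the bait port 3306, the scan threshold of 5 and the assumption of a little-endian microsecond pcap with Ethernet framing are all assumptions of this example.

```python
import struct
from collections import defaultdict

# Constructed sample parameters (RFC 5737 documentation addresses); not from the book.
HONEYPOT = "192.0.2.10"
ATTACKER = "203.0.113.7"      # constructed: sweeps ports, then touches the bait port
CLIENT = "198.51.100.5"       # constructed: ordinary web client, legitimate traffic
BAIT_PORTS = {3306}           # assumed: the fictitious card database listens here


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_tcp_packet(src, dst, sport, dport, ip_id, syn_ack=False):
    """Ethernet + IPv4 + TCP headers, no payload, checksums left at zero (constructed)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # ethertype IPv4
    flags = 0x12 if syn_ack else 0x02                      # SYN/ACK or SYN
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ip_id, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    return eth + ip + tcp


def build_pcap(packets):
    """Wrap (timestamp, frame) pairs in a little-endian libpcap file (link type 1)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, pkt in packets:
        out.append(struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt)
    return b"".join(out)


def parse_pcap(data):
    """Return one record per IPv4/TCP frame: addresses, ports, IP ID and TCP flags.
    Only the little-endian microsecond pcap variant is handled (assumption)."""
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian microsecond pcap")
    records, off = [], 24
    while off < len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        pkt = data[off:off + incl]
        off += incl
        if pkt[12:14] != b"\x08\x00" or pkt[23] != 6:      # IPv4 and TCP only
            continue
        ihl = (pkt[14] & 0x0F) * 4
        t = 14 + ihl                                        # start of TCP header
        sport, dport = struct.unpack_from("!HH", pkt, t)
        records.append({
            "ts": ts,
            "src": ".".join(map(str, pkt[26:30])),
            "dst": ".".join(map(str, pkt[30:34])),
            "sport": sport, "dport": dport,
            "ip_id": struct.unpack_from("!H", pkt, 18)[0],
            "flags": pkt[t + 13],
        })
    return records


def analyze(records, honeypot, scan_threshold=5, bait_ports=BAIT_PORTS):
    """Explicit criteria: many distinct ports from one source = scan;
    any SYN to a bait service = evidence of intrusion."""
    ports_by_src, bait_hits = defaultdict(set), []
    for r in records:
        inbound_syn = r["dst"] == honeypot and r["flags"] & 0x02 and not r["flags"] & 0x10
        if not inbound_syn:
            continue
        ports_by_src[r["src"]].add(r["dport"])
        if r["dport"] in bait_ports:
            bait_hits.append((r["src"], r["dport"]))
    scanners = {s: len(p) for s, p in ports_by_src.items() if len(p) >= scan_threshold}
    return {"scanners": scanners, "bait_hits": bait_hits}


def idle_check(records, honeypot, peer):
    """IP ID deltas a single peer sees in the honeypot's replies. All +1 means the
    pot answered nobody else in between, i.e. it looks idle to that peer."""
    ids = [r["ip_id"] for r in records if r["src"] == honeypot and r["dst"] == peer]
    deltas = [b - a for a, b in zip(ids, ids[1:])]
    return deltas, bool(deltas) and all(d == 1 for d in deltas)


def sample_dump():
    """Constructed capture: an 8-port sweep with replies, two legitimate web hits, then a bait probe."""
    pkts, ip_id = [], 1000
    for i, port in enumerate((21, 22, 23, 25, 80, 110, 143, 443)):
        ip_id += 1
        pkts.append((100 + i, build_tcp_packet(ATTACKER, HONEYPOT, 40000 + i, port, 0x1234 + i)))
        pkts.append((100 + i, build_tcp_packet(HONEYPOT, ATTACKER, port, 40000 + i, ip_id, True)))
    for i in range(2):                                      # legitimate client, answered 1009/1010
        ip_id += 1
        pkts.append((120 + i, build_tcp_packet(CLIENT, HONEYPOT, 51000 + i, 80, 7 + i)))
        pkts.append((120 + i, build_tcp_packet(HONEYPOT, CLIENT, 80, 51000 + i, ip_id, True)))
    ip_id += 1                                              # bait probe answered with 1011
    pkts.append((130, build_tcp_packet(ATTACKER, HONEYPOT, 40100, 3306, 0x2000)))
    pkts.append((130, build_tcp_packet(HONEYPOT, ATTACKER, 3306, 40100, ip_id, True)))
    return build_pcap(pkts)


if __name__ == "__main__":
    recs = parse_pcap(sample_dump())
    print(analyze(recs, HONEYPOT))
    print(idle_check(recs, HONEYPOT, ATTACKER))
```

With the constructed capture the attacker is reported with 9 distinct ports and one bait hit, while the web client, with a single port, stays under the threshold. The attacker's view of the honeypot's IP IDs is seven steps of +1 followed by a step of +3, the jump being the two replies sent to the legitimate client in between; a pot with no other traffic would show nothing but +1 steps, which is the giveaway the text describes.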

A flowchart of a typical honeypot is shown in Fig. 26.1.

Figure 26.1: Flowchart of the simplest honeypot

The capabilities of honeypots are exaggerated, and experienced hackers can bypass them. Consider how this is possible.



Shellcoder's Programming Uncovered
ISBN: 193176946X
Year: 2003
Pages: 164