If you’ve done home repair or carpentry in your life, you know how important picking the right tool can be. A screwdriver that is just slightly too big or small can make a simple job unbearable. The incorrect screwdriver can strip screw heads, bend the screwdriver, or worse yet, dig into flesh and draw blood. When you have the right screwdriver, the screw seems to almost turn itself. Using the right tool makes any job easier. For a number of defensive jobs, a honeypot is that right tool. Here, we’ll look at some common reasons for using a honeypot.
The number one reason for using a honeypot is the low number of false-positives and false-negatives it has. A false-positive is when a security tool indicates that nonmalicious activity is malicious. A false-negative is when a security tool does not identify malicious activity as being malicious.
Security logs with many false-positives are considered to contain a lot of noise. False-positives are very common in intrusion detection systems (IDSs) and firewalls, as are false-negatives, to a lesser extent. Much effort is spent trying to decrease noise coming from firewalls and IDSs. Often, the noise is so high that administrators give up reading and analyzing their logs, decreasing the value of the security device.
In comparison, honeypots have no legitimate production value and should never be accessed by anyone but the honeypot administrator. Any honeypot traffic, outside the expected administrative traffic, is probably malicious. Any connection the honeypot initiates on its own, other than the administrator's sessions and replies to traffic someone else started, should be treated as proof of compromise.
If a honeypot is used internally, it’s not uncommon for the honeypot to detect and report nonmalicious broadcast traffic. Broadcast traffic can be in the form of Address Resolution Protocol (ARP) packets and Windows NetBIOS broadcasts. Honeypot network segments should be designed to filter normal broadcasts away from the honeypot.
Because the captured data contains so little noise, it is considered high-value data. What a honeypot captures should always be investigated. If you want to get involved with computer and network security only when a real compromise attempt is taking place, then you’ll love honeypots.
The low occurrence of false-positives and false-negatives naturally leads to the rapid detection of legitimate threats. Some administrators use a honeytoken to ensure early detection. A honeytoken is any object without legitimate production value placed only as an early warning mechanism. Honeytokens can be placed on honeypots or on regular production servers. For example, a honeytoken can be an inactive hoax user account called Administrator, without any permissions. (It is common for the actual Administrator account on Windows computers to be renamed to some other nondescript login name as a way to impede hackers and automated hacking tools.) If anyone tries to log in to the computer or network using the hoax Administrator user account, an alert is generated.
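The honeytoken account just described is only useful if something actually watches for it. The script below is an added example (not code from the book) of that watcher: it reads constructed Windows-style logon records, using the real event IDs 4624 (successful logon) and 4625 (failed logon) and the TargetUserName field, and raises an alert whenever the decoy "Administrator" account is touched. The key=value record format, the decoy account list, the renamed real administrator account ("ops_admin") and the sample lines are assumptions made for the example.

```python
"""Honeytoken account monitoring: any touch of the decoy is an alert.

Added example; not code from the book.  Windows event IDs 4624/4625 and the
TargetUserName field are real; the key=value log layout, the decoy account
name and the sample records below are constructed for this example.
"""
from dataclasses import dataclass

# Assumed: the real administrator account was renamed (here to "ops_admin")
# and a disabled, permission-less decoy named "Administrator" was left behind.
HONEYTOKEN_ACCOUNTS = {"administrator"}

# Constructed sample log (not real data).
SAMPLE_LOG = """\
EventID=4624 TargetUserName=ops_admin IpAddress=192.168.10.5 LogonType=10
EventID=4625 TargetUserName=Administrator IpAddress=10.9.9.9 LogonType=3
EventID=4625 TargetUserName=Administrator IpAddress=10.9.9.9 LogonType=3
EventID=4672 TargetUserName=ops_admin IpAddress=192.168.10.5
EventID=4624 TargetUserName=administrator IpAddress=10.9.9.9 LogonType=3
"""


@dataclass
class Alert:
    severity: str
    account: str
    source_ip: str
    reason: str


def parse_record(line):
    """Turn 'key=value key=value' into a dict (constructed format)."""
    return dict(kv.split("=", 1) for kv in line.split())


def honeytoken_alerts(log_text):
    """Return one Alert per logon event aimed at a honeytoken account.

    A failed logon is a probe: someone is guessing at an account that no
    legitimate user should know about.  A successful logon is worse: the
    decoy either still had a usable password or was mistakenly enabled,
    and the intruder is now interactive on the box.
    """
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        event_id = int(rec.get("EventID", 0))
        if event_id not in (4624, 4625):
            continue                      # not a logon outcome event
        account = rec.get("TargetUserName", "")
        if account.lower() not in HONEYTOKEN_ACCOUNTS:
            continue                      # real account; nothing to do
        source = rec.get("IpAddress", "-")
        if event_id == 4625:
            alerts.append(Alert("high", account, source, "failed logon to decoy account"))
        else:
            alerts.append(Alert("critical", account, source, "SUCCESSFUL logon to decoy account"))
    return alerts


def sources_by_attempts(alerts):
    """Count alerts per source IP, so repeated guessing stands out."""
    counts = {}
    for a in alerts:
        counts[a.source_ip] = counts.get(a.source_ip, 0) + 1
    return counts


if __name__ == "__main__":
    found = honeytoken_alerts(SAMPLE_LOG)
    for a in found:
        print(f"[{a.severity.upper()}] {a.reason}: {a.account} from {a.source_ip}")
    print(sources_by_attempts(found))
```

Two details matter in practice: the comparison is case-insensitive, because Windows account names are, and a successful logon to the decoy is treated as a more severe event than a failure, since a properly built honeytoken account should never be able to log on at all.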
The term hacker can be used to describe any computer user who explores computers beyond the normal boundaries of the end-user interface. Throughout this book, the term hacker is meant to imply a person with malicious intent, although it’s widely understood that not all hackers have malicious intent.
Regardless of how the honeypot detects an active exploit, it can alert you immediately to the attempted compromise. You can respond quickly, close the security hole, and minimize the damage. The same principle applies on a larger scale. For example, during the early morning hours of January 25, 2003, honeypots were among the first security solutions to detect the SQL Slammer worm. Slammer was a single UDP datagram that exploited a buffer overflow in the SQL Server Resolution Service of Microsoft SQL Server 2000 (and MSDE 2000), which listens on UDP port 1434; it infected at least 75,000 hosts, the bulk of the vulnerable population, in its first ten minutes. It brought down a major banking ATM network and caused denial of service (DoS) conditions across large portions of the Internet. Early detection allowed an internationally coordinated effort to block port 1434 traffic across major backbones, stopping the worm from spreading even farther. By the time most of us awoke, the biggest part of the threat was over: the worm was being eradicated, detection signatures were available, and exploited networks were in cleanup mode. This was due in large part to the early detection work by honeypots and IDSs.
Because every connection on a honeypot is a legitimate threat, previously unknown attacks are found just as quickly as known attack vectors. For example, at least two major zero-day exploits were first discovered and documented by honeypots. New hacking methods, while not necessarily zero-day, are discovered routinely by honeypots. There are even research tools, like Honeycomb (http://www.cl.cam.ac.uk/~cpk25/honeycomb), that allow brand-new threats discovered by a honeypot to automatically generate an IDS signature. Unlike a virus scanner or signature-detecting IDS, honeypots are excellent at detecting new threats.
Know Your Enemy is the title of the honeypot book from The Honeynet Project, founded by Lance Spitzner, and is one of the project’s many mantras. There is no better tool for learning what hackers are up to than a honeypot. You can learn what hackers are doing in general, or you can discover specifically what particular hackers want to do with your information resources. If you put up a honeypot with the goal of learning in general what hackers are up to, it is considered a research honeypot. If your goal is learning about or preventing specific attacks against your organization, it is called a production honeypot.
I frequently do work for a large, international, nonprofit religious organization. This organization receives hundreds of attempted attacks a day. Frequently compromised web sites and daily DoS attacks were the norm for many years. The network administrators have devised a system, using an IDS, that automatically redirects suspected hacking activity to a quarantined area full of different types of honeypots. Now the attackers can attack and malign all day long, without causing a problem to the legitimate targets. The client rarely suffers an attack that is successful against a production asset, and the network administrators use the collected information to better protect their corporate network.
Honeypots can capture everything associated with the hacker, including all network packets, uploaded malware, chat communications, and typed commands. This allows the administrator to learn what the hackers are doing and how they are doing it. As a case in point, it was recently discovered that hackers are setting up Internet Protocol version 6 (IPv6) stacks on machines they have exploited. The hackers then tunnel IPv6 traffic inside IPv4 packets, creating a simple but effective covert channel, a crude virtual private network (VPN). Many IDSs and firewalls, not being designed for IPv6, can’t decode the tunneled traffic and are not able to peer inside the malicious packets. A compromised honeypot in an AT&T Mexican honeynet (http://www.honeynet.org/scans/scan28) captured hackers using IPv6 to tunnel malicious IRC traffic. The discovery of this led to an increased awareness of the importance of firewalls and IDSs decoding IPv6 traffic. Honeypots are instrumental in knowing what the enemy is up to.
The defense-in-depth security paradigm holds that layering independent defensive tools makes the overall defense more likely to succeed, because an attack that slips past one layer still has to get past the others. A common use for a honeypot is to place it inside the network perimeter (honeypot placement will be discussed in detail in Chapter 2). If something sneaks past the firewall and IDS and ends up inside the network, there is a chance the honeypot will pick it up. A layered defense will be more likely to catch something that another solution missed. Many of today’s computer viruses and worms spread by attempting to infect weakly password-protected NetBIOS shares. Scans made to ports 137 through 139 (the NetBIOS ports), or to port 445 (direct-hosted SMB on Windows 2000 and later), on your honeypot could indicate that a virus or worm has made it inside the perimeter.
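The triage rule that runs through the discussion above of low false-positive rates, the Slammer probes on UDP port 1434, and the internal NetBIOS scans is simple enough to write down. The following is an added example (not code from the book) of that rule applied to a short constructed capture: set aside the administrator's own sessions, filter the segment's ARP and NetBIOS broadcast chatter, treat everything else aimed at the honeypot as worth a look, and treat any connection the honeypot initiates on its own as evidence of compromise. The honeypot address, the management workstation, the admin ports and the sample packets are all assumptions made for the example.

```python
"""Triage of packets seen by a honeypot, following the text's rule of thumb.

Added example; not code from the book.  Addresses, ports and the sample
capture are constructed.  Flow tracking lets the honeypot's replies to
flows that somebody else opened be told apart from connections the
honeypot opens itself, which are the ones that mean compromise.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto flags")

HONEYPOT_IP = "192.168.10.50"                      # assumed honeypot address
ADMIN_HOSTS = {"192.168.10.5"}                     # assumed management workstation
ADMIN_PORTS = {22, 3389}                           # assumed admin services on the honeypot
BROADCAST_ADDRS = {"192.168.10.255", "255.255.255.255"}
NETBIOS_PORTS = {137, 138, 139, 445}               # NetBIOS name/datagram/session, direct SMB

# Constructed sample capture, in arrival order (not real traffic).
SAMPLE_PACKETS = [
    Packet("192.168.10.5", 51000, HONEYPOT_IP, 22, "tcp", "SYN"),        # admin SSH
    Packet(HONEYPOT_IP, 22, "192.168.10.5", 51000, "tcp", "SYN-ACK"),    # reply to admin
    Packet("192.168.10.20", 0, "192.168.10.255", 0, "arp", ""),          # ARP who-has
    Packet("192.168.10.20", 137, "192.168.10.255", 137, "udp", ""),      # NetBIOS name bcast
    Packet("10.9.9.9", 40000, HONEYPOT_IP, 1434, "udp", ""),             # Slammer-style probe
    Packet("192.168.10.77", 3344, HONEYPOT_IP, 139, "tcp", "SYN"),       # internal NetBIOS probe
    Packet(HONEYPOT_IP, 139, "192.168.10.77", 3344, "tcp", "SYN-ACK"),   # honeypot answering it
    Packet(HONEYPOT_IP, 4444, "10.9.9.9", 6667, "tcp", "SYN"),           # honeypot calls out (IRC)
]


def triage(packets):
    """Label each packet; returns a list of (label, reason, packet)."""
    inbound_flows = set()   # (remote_ip, remote_port, local_port) of conversations others started
    results = []
    for p in packets:
        is_nb_broadcast = p.dst in BROADCAST_ADDRS and p.proto == "udp" and p.dport in (137, 138)
        if p.proto == "arp" or is_nb_broadcast:
            results.append(("noise", "segment broadcast; filter it away upstream", p))
            continue
        if p.dst == HONEYPOT_IP:
            inbound_flows.add((p.src, p.sport, p.dport))
            if p.src in ADMIN_HOSTS and p.dport in ADMIN_PORTS:
                label = ("expected", "administrator session")
            elif p.proto == "udp" and p.dport == 1434:
                label = ("alert", "UDP/1434 probe: SQL Slammer-style traffic")
            elif p.proto == "tcp" and p.dport in NETBIOS_PORTS:
                label = ("alert", "NetBIOS/SMB probe; a worm may be inside the perimeter")
            else:
                label = ("alert", "unexpected traffic to honeypot")
            results.append((*label, p))
            continue
        if p.src == HONEYPOT_IP:
            if (p.dst, p.dport, p.sport) in inbound_flows:
                results.append(("reply", "honeypot answering a flow someone else opened", p))
            else:
                results.append(("critical", "honeypot-initiated outbound connection: assume compromise", p))
            continue
        results.append(("ignore", "not addressed to the honeypot", p))
    return results


def summary(packets):
    """Count labels; this is the number an administrator would put on a dashboard."""
    counts = {}
    for label, _reason, _p in triage(packets):
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for label, reason, p in triage(SAMPLE_PACKETS):
        print(f"{label:9} {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}  {reason}")
    print(summary(SAMPLE_PACKETS))
```

The only non-obvious part is the flow table: a honeypot that answers a SYN with a SYN-ACK is doing its job, but the same honeypot opening a connection to an IRC server is the compromise the text warns about, and the two look alike unless you remember who spoke first.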
Honeypots aren’t normally promoted for their ability to prevent malicious activity. Most honeypots, by their very nature, are passive recording devices. Unlike a firewall or IDS, most honeypots are only marginally able to prevent further hacking. But this is not always the case. First, if hackers are spending time attacking a honeypot, you are distracting them from attacking a legitimate production target. That is prevention of a sort. Second, it is important to design your honeypot so that it cannot be used to attack other computers. It is very common for hackers to use a compromised system to attack other systems. It allows the hacker to hide behind another “innocent” computer. If the hacker’s attack is traced, the trail stops at another previously compromised box, never leading to the hacker’s origination point. A properly designed honeypot restricts or throttles the connections it is allowed to make outbound, so the hacker cannot successfully attack other machines from it.
Some honeypots, like LaBrea and Jackpot, are examples of tarpits. Tarpits (sometimes loosely called blackholes, although a true blackhole silently drops traffic rather than holding on to it) are sticky honeypots built explicitly to slow down or prevent malicious activity. Both LaBrea and Jackpot are open-source honeypots capable of running on Windows computers.
LaBrea (http://labrea.sourceforge.net) was developed in response to the Code Red worm. When activated, it listens to ARP traffic on the local network and learns which IP addresses are really in use. When an ARP request for an unused IP address goes unanswered (which should rarely happen for legitimate reasons), LaBrea answers it and pretends to be a computer at the probed address. It then accepts TCP connections to that address and holds them open in a persistent state, advertising a tiny and then a zero receive window, so that the attacker's TCP stack spends its time in timeouts and retransmissions; this measurably slows down automated worms and hacking tools.
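To make the two halves of that mechanism concrete, the following is an added example (not LaBrea's code) that models a LaBrea-style tarpit as a small state machine: it learns from ARP which addresses are real, claims an address after a few unanswered requests for it, and then answers TCP segments sent to the phantom with a tiny and then a zero window so the caller gets stuck in persist mode. The thresholds, the timing window, the 10-byte initial window and the packet representation are assumptions; the real tool works on raw frames and has many more options.

```python
"""Simplified model of a LaBrea-style tarpit.  Added example; not LaBrea's code.

Two mechanisms are modelled: learning from ARP which addresses are live and
answering ARP for the ones nobody claims, then holding any TCP connection
made to such a phantom open with a tiny (and afterwards zero) receive window
so the scanner's own timers and retransmissions are wasted on it.  Thresholds,
timings and the packet representation are assumptions for this example.
"""
from collections import defaultdict


class Tarpit:
    def __init__(self, unanswered_needed=3, request_window=5.0, initial_window=10):
        self.unanswered_needed = unanswered_needed   # ARP requests with no reply before we claim an IP
        self.request_window = request_window         # seconds within which those requests must fall
        self.initial_window = initial_window         # bytes advertised in our SYN/ACK (assumed value)
        self.live = set()                            # IPs that answered ARP: real hosts, leave alone
        self.claimed = set()                         # phantom IPs we now impersonate
        self.pending = defaultdict(list)             # ip -> timestamps of unanswered requests
        self.stuck = {}                              # (client_ip, client_port, phantom_ip) -> segments held

    def on_arp(self, kind, ip, ts):
        """Feed one ARP frame ('request' for ip, or 'reply' from ip) with a timestamp.

        Returns 'arp-reply' when the tarpit should answer for ip, else None.
        """
        if kind == "reply":
            # A real host answered: never claim it, and release it if we had.
            self.live.add(ip)
            self.pending.pop(ip, None)
            self.claimed.discard(ip)
            return None
        if ip in self.live:
            return None
        if ip in self.claimed:
            return "arp-reply"                       # keep impersonating the phantom
        recent = [t for t in self.pending[ip] if ts - t <= self.request_window]
        recent.append(ts)
        self.pending[ip] = recent
        if len(recent) >= self.unanswered_needed:
            self.claimed.add(ip)                     # nobody is home: become that host
            del self.pending[ip]
            return "arp-reply"
        return None

    def on_tcp(self, client_ip, client_port, phantom_ip, flags, payload_len=0):
        """Feed one TCP segment sent to a phantom.  Returns (reply_flags, window) or None."""
        if phantom_ip not in self.claimed:
            return None                              # not ours: stay silent
        key = (client_ip, client_port, phantom_ip)
        if flags == "SYN":
            self.stuck[key] = 0
            return ("SYN-ACK", self.initial_window)  # handshake completes, but with a tiny window
        if key not in self.stuck:
            return None                              # unsolicited segment: ignore it
        if "RST" in flags:
            del self.stuck[key]                      # client gave up; forget it
            return None
        # Data or a window probe: acknowledge it but advertise window 0.  The
        # client now sits in persist mode, probing at growing intervals, and
        # cannot send the rest of its payload to anyone from this socket.
        self.stuck[key] += 1
        return ("ACK", 0)

    def held_connections(self):
        """How many scanner sockets are currently tied up in the tarpit."""
        return len(self.stuck)


if __name__ == "__main__":
    tp = Tarpit()
    tp.on_arp("reply", "10.0.0.1", 0.0)              # a real host announces itself
    for t in (1.0, 2.0, 3.0):                         # three unanswered requests for .99
        print("ARP 10.0.0.99 ->", tp.on_arp("request", "10.0.0.99", t))
    print("SYN  ->", tp.on_tcp("10.9.9.9", 40000, "10.0.0.99", "SYN"))
    print("DATA ->", tp.on_tcp("10.9.9.9", 40000, "10.0.0.99", "ACK", 10))
    print("held:", tp.held_connections())
```

The ARP side is what keeps the tarpit safe on a production segment: an address that later answers ARP for itself is immediately released, so a DHCP client that shows up after the tarpit claimed its address is not hijacked for long.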
Jackpot (http://jackpot.uk.net) is a Java-based antispam relay server. When executed, Jackpot accepts connections on port 25. Since Jackpot is installed only as a honeypot decoy, no legitimate mail traffic should ever try to contact it. But spammers will attempt contact when looking for open relays. Jackpot answers the spammer as a valid SMTP server and pretends to have an open relay. When the spammer sends the spam, Jackpot logs the originating IP address and doesn’t pass along the spam. Jackpot can be used to slow down and frustrate spammers, but it has also been used to track down the spammers and report their illegal activities.
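The conversation Jackpot has with a relay scanner is short, and the logic of pretending to accept mail for any recipient while delivering nothing is easy to show. The following is an added example (not Jackpot's code) of that decoy logic as a small SMTP state machine driven by a list of client lines, so it can be exercised without a socket; the hostname and the sample session are constructed. The reply codes are standard SMTP; the tarpit delay schedule is an assumption.

```python
"""A Jackpot-style fake open relay: accept anything, deliver nothing, log who tried.

Added example; not Jackpot's code.  The decoy speaks enough SMTP that a relay
scanner sees "250" after every recipient and believes it has found an open
relay, while the decoy only records sender, recipients and message and never
contacts a real mail server.  Hostname and sample session are constructed.
"""


class RelayDecoy:
    def __init__(self, client_ip, hostname="relay.example.test"):
        self.client_ip = client_ip
        self.hostname = hostname
        self.captured = []          # completed messages: dicts of from, to, body, client
        self.rcpt_count = 0         # recipients seen this session; drives the tarpit delay
        self.in_data = False
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender = None
        self.rcpts = []
        self.body = []

    def greeting(self):
        return f"220 {self.hostname} ESMTP ready"

    @staticmethod
    def _address(arg):
        """'FROM:<a@b>' or 'TO: <a@b>' -> 'a@b'."""
        return arg.partition(":")[2].strip().strip("<>")

    def reply_delay(self):
        """Seconds the network front end should sleep before sending the next reply.

        Grows with the recipient count (assumed schedule) so that bulk relay
        attempts crawl; this is the 'slow down and frustrate' part of a tarpit.
        """
        return min(30, 2 * self.rcpt_count)

    def handle(self, line):
        """Process one client line; returns the SMTP reply, or None while collecting DATA."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.captured.append({"from": self.sender, "to": list(self.rcpts),
                                      "body": "\n".join(self.body), "client": self.client_ip})
                self._reset_envelope()
                return "250 2.0.0 Ok: queued"          # a lie: nothing is queued or sent
            self.body.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return None
        cmd, _, arg = line.partition(" ")
        cmd = cmd.upper()
        if cmd in ("HELO", "EHLO"):
            return f"250 {self.hostname}"
        if cmd == "MAIL":
            self.sender = self._address(arg)
            return "250 2.1.0 Ok"
        if cmd == "RCPT":
            if self.sender is None:
                return "503 5.5.1 Need MAIL command"
            # A real server would refuse relaying to foreign domains here; accepting
            # every recipient is exactly what makes the decoy look like an open relay.
            self.rcpts.append(self._address(arg))
            self.rcpt_count += 1
            return "250 2.1.5 Ok"
        if cmd == "DATA":
            if not self.rcpts:
                return "503 5.5.1 Need RCPT command"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if cmd in ("RSET", "NOOP"):
            if cmd == "RSET":
                self._reset_envelope()
            return "250 2.0.0 Ok"
        if cmd == "QUIT":
            return f"221 2.0.0 {self.hostname} closing connection"
        return "502 5.5.2 Command not implemented"


def run_session(client_ip, client_lines):
    """Drive a decoy through a scripted session; returns (transcript, captured messages)."""
    decoy = RelayDecoy(client_ip)
    transcript = [("S", decoy.greeting())]
    for line in client_lines:
        transcript.append(("C", line))
        reply = decoy.handle(line)
        if reply is not None:
            transcript.append(("S", reply))
    return transcript, decoy.captured


# Constructed relay-test session, the kind an open-relay scanner sends.
SAMPLE_SESSION = [
    "EHLO scanner.invalid",
    "MAIL FROM:<bulk@spammer.invalid>",
    "RCPT TO:<victim1@elsewhere.invalid>",
    "RCPT TO:<victim2@elsewhere.invalid>",
    "DATA",
    "Subject: relay test",
    "",
    "..leading dot line",
    "if you can read this the relay is open",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    transcript, captured = run_session("10.9.9.9", SAMPLE_SESSION)
    for who, text in transcript:
        print(f"{who}: {text}")
    msg = captured[0]
    print(f"captured 1 message from {msg['client']} to {len(msg['to'])} recipient(s); none delivered")
```

One caveat on effectiveness: a scanner that verifies a relay by waiting for its test message to arrive in a mailbox it controls will not be fooled, because nothing is ever delivered; the decoy catches the many that trust the 250 reply, and every one of them leaves its source address in the log.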
Wireless honeypots are also being used to detect war drivers, who attempt to detect and exploit weakly protected wireless access points (WAPs). The war driver’s Media Access Control (MAC) address can then be recorded and the unauthorized use prevented. Because a MAC address is trivially changed in software, treat it as a tracking clue rather than an access-control key: block it at the access point, but expect the war driver to return with a different address.
The LaBrea and Jackpot tarpits will be covered in more detail in Chapter 8.
As discussed in the “The GenII Model” section later in this chapter, honeywall gateways can be used to redirect malicious activity away from production assets, or like an IDS, interact with other network defense devices. If the defense system is set up correctly, when an attack is detected, it can be redirected to a honeypot clone of the attacked production system. Clusters of honeypots used in this way make up a honeypot farm. In the future, a global network might be able to redirect attacks occurring anywhere in their network to the honeypot farm. If done appropriately, the honeypot clone will appear to have the same IP and MAC address as the original target. To this end, honeywalls already exist, and hardware redirectors are now being developed to make the switch happen at layer 2 of the International Organization for Standardization’s (ISO’s) Open System Interconnection (OSI) model, a much harder method for the hacker to detect.
Attacks detected by honeypots can also initiate other proactive defenses. For example, if a honeypot detects malicious activity, it can update firewall rules to make sure the hackers never get access to any production assets. On the downside, any type of automated defense tool has the potential to react too quickly to false-positives and generate a self-created DoS attack.
How well the redirector determines what is and isn’t malicious activity is important. Imagine if you run an e-commerce site with a honeypot that is an exact clone of your production computer. If legitimate users are redirected to the honeypot system by mistake, they could be making purchase transactions that do not get posted to the company’s legitimate site.
Although not available in a Windows version yet, the Linux-based Bait and Switch Honeypot (http://violating.us/projects/baitnswitch) is among the most popular redirectors.
Any honeypot has the ability to collect evidence for use against the hacker. With firewall logs, the best you can do is collect meager summary messages as proof of the unauthorized activity. I’ve often had hackers claim to their Internet service providers (ISPs) and authorities (to whom I had reported them) that they were innocent and that they did not know what they were doing. Without hard evidence, most of the time, they get let off with a warning. With a honeypot, you can replay the entire attack. Interested parties can see the entire sequence of events and decide for themselves what the hacker’s intent was. If the captures may ever be used formally, keep the raw files, their hashes, and a record of who handled them, so the evidence survives questions about its integrity.
Any honeypot, by its very nature, will help its administrator improve defenses. For example, if a honeypot is receiving a lot of SQL Slammer worm probes, more than likely, the administrator will make sure the network’s production boxes are patched against Slammer.
When new attacks become popular, honeypot users are the first to warn the Internet community at large. Honeypots help computer security by improving defenses.
Second-generation honeypot products are being developed that will integrate with IDSs, firewalls, antivirus scanners, and other computer-defense mechanisms and report to a common management console. When an attack is noticed, the protected assets can be scanned to see if they have a vulnerability related to the attack. This is known as relevancy. If the attack could be successful against protected computers, and hence is relevant, the security administrator should be alerted. If not, the event can just be logged. This process could even begin the downloading of necessary patches or automatically reconfigure production computers to close the hole the attack relies on.
Although honeypots are not normally thought of as preventing hacking, clearly they are active in the fight.
Niels Provos, creator of the Honeyd honeypot (described in the “Emulated Honeypots” section later in this chapter), uses his software to simulate networks of machines during classes that he teaches. He has successfully allowed one physical host to respond for 65,536 different IP addresses, each with different personalities and different port services. Honeyd can create entire virtual networks, with routed segments and latency.
How you decide to use a honeypot is up to you. If you want to create a production honeypot to protect your environment, make it mimic your real environment. If you want to learn about hacking no matter what its form, create a research honeypot that simulates a myriad of different environments. As the definition presented earlier in the chapter says, a honeypot is whatever you want it to be.