Chapter 20. Honeypots

A honeypot is a " dummy " target machine set up to observe hacker attacks. A honeynet is a network built around such dummy machines in order to lure and track hackers as they step through the attack process. By studying real-world attacks, researchers hope to predict emerging trends in order to develop defenses in advance. This chapter reviews honeypots and walks you through the steps for constructing your own Linux-based honeynet.

Lance Spitzner, the founder of one such tracking endeavor known as the Honeynet Project (http://project.honeynet.org), defines a honeypot as "a security resource whose value lies in being probed, attacked or compromised." The goal of such a masochistic system is to be compromised and abused. Hopefully, each time a honeypot goes up in smoke, the researcher learns a new technique. For example, you can use a honeypot to find new rootkits, exploits, or backdoors before they become mainstream.

Running a honeynet infrastructure is similar to running a spy network deep behind enemy lines. You have to build defenses and also be able to hide and dodge attacks that you cannot defend against, all the while keeping a low profile on the network. It is important to be able to safely study the computer underground from a distance. Instead of going to them, they come to you. Additionally, honeypot stories can be edifying. For example, a researcher relates this tale:

One intruder broke in to a honeypot and deployed his toolkit packaged as his-hacker-nickname.tar.gz . He then used FTP to access his site using the login name his-hacker-nickname . His IRC (Internet Relay Chat) client software (that he also deployed) had the same name embedded that confirmed that he is indeed known under such alias. Imagine our surprise when we discovered that the IP address that he came from resolves to his-hacker-nickname.ro (Romanian site). Now, that's being covert! It appears that he didn't care at all about victims tracing him back.

Another compromised honeypot showed that an attacker's first action was to change the root password on the system. (It does not help to avoid being noticed if an administrator or system owner tries to log in and fails.) Not a single attacker bothered to check for the presence of Tripwire (an integrity-checking system), which is included by default in Red Hat Linux and was used in the honeypot. On the next Tripwire run, all the "hidden" files were easily discovered. Yet another attacker created a directory for himself as /his-hacker-nickname in the disk root directory. Apparently, he thought that no system administrator would be surprised to see a new directory right smack in the root of the disk.

The Honeynet Project differentiates between research and production honeypots. The former are focused on gaining intelligence information about attackers and their technologies and methods , while the latter are aimed at decreasing the risk to a company's IT resources and providing advance warning of incoming attacks on the network infrastructure, and also presumably diverting attacks away from production systems into the closely monitored environment of the honeypot.

Collectively, the honeypots used by the Project are called honeynets . Lance Spitzner describes them as networks of production systems connected to the Internet (sometimes without even a firewall). The systems are standard production systems with real applications commonly used by companies on the Internet. Nothing is faked or artificial. No new vulnerabilities are created for easier hacking. In fact, it is entirely possible to clone a production system and deploy it into the honeynet, provided confidential information is removed or replaced by similar information with no real value.

It is also possible to run a honeypot or honeynet at home or in a small business. In fact, you can deploy simple software such as Linux's honeyd , by Niels Provos, which imitates the response of many known services. In this case, you might be able to collect data from attacks by automated worms and the initial steps of an attack launched by a human intruder. However, the illusion is limited, and none of the desired high-value , after-penetration data can be acquired . It might be fun to watch the honeypot for a while, or it might serve to collect enough data for a high-school project in computer security, but it is not useful for much else. To really get in touch with the dark side, one needs a honeynet: a real machine connected to a network, which can be probed, attacked, "owned," and abused. It is relatively easy to build a honeynet at home. You need a few computers, an Internet connection (even with a a dynamic IP address, such as a cable modem), and some knowledge of security; you will soon be the proud owner of your own deception network, ready to admit hackers from all over the world. It is important to have a well-defined reason for deploying a honeynet, however, so let's talk about the motivation for doing so.