People who like to watch monkeys go to the zoo, because there might be monkeys there.
People who like to watch birds put out bird feeders, and the birds come to them. People who
like to watch fish build aquariums, and bring the fish to themselves.
But what do you do if you want to watch hackers?
You put out a honeypot…
Think about it this way – you’re a bear. You may not know much (being a bear) but you do
know that honey is tasty, and there is nothing better on a warm summer day than a big handful of honey. So you see a big pot full of honey sitting out in the center of a clearing, and
you’re thinking, ‘Yum!’ But once you stick your paw in the honey pot, you risk getting stuck.
If nothing else, you’re going to leave big, sticky paw prints everywhere, and everyone is going to know that someone has been in the honey, and there’s a good chance that anyone who follows the big, sticky paw prints is going to discover that it’s you. More than one bear has been trapped because of his affection for tasty honey.
A honeypot is a computer system, network, or virtual machine that serves no purpose other
than to lure in hackers. A honeypot has no authorized users: no real data is stored on it and no real work is performed on it, so every access, every attempt to use it, can be treated as unauthorized. Instead of sifting through logs to separate intrusions from legitimate activity, the system administrator knows that every access is an intrusion, so a large part of the work is already done.
Types of Honeypots
There are two types of honeypots: production and research. Production honeypots are used primarily as warning systems. A production honeypot identifies an intrusion and generates an alarm. They can show you that an intruder has identified the system or network as an object of interest, but not much else. For example, if you wanted to know if bears lived near your clearing, you might set out ten tiny pots of honey. If you checked them in the morning and found one or more of them empty, then you would know that bears had been in the vicinity, but you wouldn’t know anything else about the bears.
Research honeypots are used to collect information about hackers’ activities. A research honeypot lures in hackers, then keeps them occupied while it quietly records their actions. For example, if – instead of simply documenting their presence – you wanted to study the bears, then you might set out one big, tasty, sticky pot of honey in the middle of your clearing, but then you would surround that pot with movie cameras, still cameras, tape recorders and research assistants with clipboards and pith helmets.
The two types of honeypots differ primarily in their complexity. A production honeypot is easier to set up and maintain because of its simplicity and the limited amount of information you hope to collect from it. In a production honeypot, you just want to know that you have been hit; you don’t care so much whether the hackers stay around. In a
research honeypot, you want the hackers to stay, so that you can see what they are doing.
This makes setting up and maintaining a research honeypot more difficult, because you must make the system look like a real, working system that offers files or services that the hackers find interesting. A bear who knows what a honeypot looks like might spend a minute looking at an empty pot, but only a pot full of tasty honey is going to keep the bear hanging around long enough for you to study it.
Building a Honeypot
In the most basic sense, a honeypot is nothing more than a computer system which is set up
with the expectation that it will be compromised by intruders. Essentially, this means that if you connect a computer with an insecure operating system to the Internet, then let it sit there, waiting to be compromised, you have created a honeypot!
But this isn’t a very useful honeypot. It’s more like leaving your honey out in the clearing, then going home to the city. When you come back, the honey will be gone, but you won’t know anything about who, how, when or why. You don’t learn anything from your honeypot unless you have some way of gathering information about it. To be useful, even the most basic honeypot must have some type of intrusion detection system.
The intrusion detection system could be as simple as a firewall. Normally a firewall is used to
prevent unauthorized users from accessing a computer system, but it also logs everything
that passes through it or is stopped by it. Reviewing the logs produced by the firewall can provide
basic information about attempts to access the honeypot: who connected, when, and which ports they tried.
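To make the log-review step concrete, here is an added example (not code from the original article) that reads constructed iptables-style kernel LOG lines. It assumes a firewall that logs every inbound packet to the honeypot with the prefix HP-IN and any blocked outbound attempt with HP-OUT-DROP; the addresses, prefixes and thresholds are assumptions made for the example. Because the honeypot has no authorized users, the script does not try to decide which lines are intrusions. It groups them by source, flags scanning and repeated probing of one port, and treats any connection the honeypot itself tried to open as evidence that it has already been compromised.

```python
import re
from collections import defaultdict

# Constructed sample lines in the kernel/iptables LOG format (not real traffic).
# The honeypot is assumed to live at 192.0.2.10 and has no authorized users,
# so every inbound line below is, by definition, an unauthorized access attempt.
# The final line shows the honeypot itself trying to reach an IRC port.
SAMPLE_LOG = """\
Jan 12 03:14:07 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=22 SYN
Jan 12 03:14:08 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51235 DPT=23 SYN
Jan 12 03:14:08 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51236 DPT=80 SYN
Jan 12 03:14:09 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51237 DPT=443 SYN
Jan 12 03:14:09 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51238 DPT=3389 SYN
Jan 12 03:14:10 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51239 DPT=8080 SYN
Jan 12 03:20:41 hp kernel: [HP-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=22 SYN
Jan 12 03:20:44 hp kernel: [HP-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40113 DPT=22 SYN
Jan 12 03:21:02 hp kernel: [HP-IN] IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=40114 DPT=22 SYN
Jan 12 03:22:15 hp kernel: [HP-IN] IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=5353 DPT=161
Jan 12 03:25:00 hp kernel: [HP-OUT-DROP] IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.99 PROTO=TCP SPT=43210 DPT=6667 SYN
"""

# Fields of interest in a kernel LOG line; SPT/DPT are absent for protocols without ports.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) \S+ kernel: \[(?P<tag>[A-Z-]+)\] "
    r"IN=(?P<ifin>\S*) OUT=(?P<ifout>\S*) SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+))?(?: DPT=(?P<dpt>\d+))?"
)

SCAN_THRESHOLD = 5     # assumed: distinct ports from one source before we call it a scan
REPEAT_THRESHOLD = 3   # assumed: hits on one port from one source before we call it repeated probing


def parse_line(line):
    """Parse one kernel LOG line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = f"{rec['proto'].lower()}/{rec['dpt']}" if rec["dpt"] else rec["proto"].lower()
    return rec


def review(log_text):
    """Summarise honeypot firewall logs.

    Every inbound record is unauthorized by definition, so the only work is to
    group and prioritise. A record in which the honeypot itself is the SRC of
    an outbound connection is reported separately as a sign of compromise.
    """
    inbound = defaultdict(lambda: {"events": 0, "ports": defaultdict(int), "first": None, "last": None})
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["tag"].startswith("HP-OUT"):
            alerts.append(f"COMPROMISE? honeypot {rec['src']} tried to reach "
                          f"{rec['dst']} {rec['port']} at {rec['ts']}")
            continue
        s = inbound[rec["src"]]
        s["events"] += 1
        s["ports"][rec["port"]] += 1
        s["first"] = s["first"] or rec["ts"]
        s["last"] = rec["ts"]
    for src, s in inbound.items():
        if len(s["ports"]) >= SCAN_THRESHOLD:
            alerts.append(f"scan from {src}: {len(s['ports'])} ports between {s['first']} and {s['last']}")
        for port, n in s["ports"].items():
            if n >= REPEAT_THRESHOLD:
                alerts.append(f"repeated probing of {port} from {src}: {n} attempts")
    summary = {src: {"events": s["events"], "ports": sorted(s["ports"])} for src, s in inbound.items()}
    return {"sources": summary, "alerts": alerts}


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for src, info in result["sources"].items():
        print(f"{src}: {info['events']} events on {', '.join(info['ports'])}")
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

The outbound line is the one that matters most: a production honeypot that never initiates connections has only one way to generate an HP-OUT record, and that is to have been taken over.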
More complex honeypots might add hardware, such as switches, routers or hubs, to further
monitor or control network access. They may also use packet sniffers to gather additional
information about network traffic.
Research honeypots may also run programs that simulate normal use, making it appear that
the honeypot is actually being accessed by authorized users, and teasing potential intruders with falsified emails, passwords and data. These types of programs can also be used to disguise operating systems, making it appear, for example, that a Linux based computer is
But the thing about honey – it’s sticky, and there’s always a chance that your honeypot is
going to turn into a bees’ nest. And when the bees come home, you don’t want to be the one with your hand stuck in the honey. An improperly configured honeypot can easily be turned into a launching pad for additional attacks. If a hacker compromises your honeypot, then
promptly launches an assault on a large corporation or uses your honeypot to distribute a
flood of spam, there’s a good chance that you will be identified as the one responsible.
Correctly configured honeypots control network traffic going into and out of the computer. A
simple production honeypot might allow incoming traffic through the firewall, but stop all
outgoing traffic. Note that replies to the connections an intruder opens still have to pass, or the honeypot’s services appear dead; what is blocked is any connection the honeypot itself tries to open. This is a simple, effective solution, but intruders will quickly realize that it is not a real, working computer system. A slightly more complex honeypot might allow some outgoing traffic, but not all: for example, a small number of outbound connections per hour, enough to let an intruder fetch tools while limiting how much damage the honeypot can do to others.
Research honeypots – which want to keep the intruders interested as long as possible –
sometimes use manglers, which audit outgoing traffic and disarm potentially dangerous data
by modifying it so that it is ineffective.
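The following is an added example, not code from the original article, that models the egress control and the mangling described above so the policy can be seen working on constructed flows. The honeypot address, the per-window connection limit and the byte patterns in the mangling rules are assumptions made for the example. The same-length substitution (for instance rewriting /bin/sh to /ben/sh) is the long-standing approach of inline traffic rewriters used in research honeynets, but the rules here are illustrative, not a real signature set.

```python
from dataclasses import dataclass

HONEYPOT_IP = "192.0.2.10"   # assumed address of the honeypot (documentation range)


@dataclass
class Flow:
    """One connection attempt as seen at the honeypot's edge (constructed for this example)."""
    src: str
    dst: str
    dport: int
    initiated_by_honeypot: bool   # True = the honeypot itself is opening the connection
    payload: bytes = b""


@dataclass
class Decision:
    verdict: str      # "accept", "drop" or "mangle"
    payload: bytes    # payload as it will leave the honeypot (empty when dropped)
    reason: str


# Illustrative mangling rules (assumed, not a real signature set). Each dangerous
# byte pattern is paired with a replacement of identical length, so the packet
# size and TCP sequence numbering stay untouched while the command no longer works.
MANGLE_RULES = [
    (b"/bin/sh", b"/ben/sh"),
    (b"/bin/bash", b"/ben/bash"),
    (b"wget http", b"wgot http"),
]
assert all(len(bad) == len(harmless) for bad, harmless in MANGLE_RULES)


def mangle(payload: bytes) -> bytes:
    """Disarm outbound data by rewriting known-dangerous patterns in place."""
    for bad, harmless in MANGLE_RULES:
        payload = payload.replace(bad, harmless)
    return payload


class EgressPolicy:
    """Egress control for a honeypot.

    mode="production": replies to inbound connections pass; anything the
    honeypot itself initiates is dropped.
    mode="research": the honeypot may open at most max_new outbound
    connections per window_s seconds, and what it sends is mangled.
    """

    def __init__(self, mode, max_new=0, window_s=3600):
        if mode not in ("production", "research"):
            raise ValueError(f"unknown mode {mode!r}")
        self.mode, self.max_new, self.window_s = mode, max_new, window_s
        self._allowed_at = []   # timestamps of outbound connections let through

    def decide(self, flow: Flow, now: float) -> Decision:
        # Traffic belonging to connections an attacker opened towards the
        # honeypot must flow both ways, or the system looks dead on arrival.
        if not flow.initiated_by_honeypot:
            return Decision("accept", flow.payload, "reply to inbound connection")
        # A compromised host may forge its source address (e.g. for flooding);
        # nothing leaves unless it carries the honeypot's own address.
        if flow.src != HONEYPOT_IP:
            return Decision("drop", b"", "spoofed source on outbound packet")
        if self.mode == "production":
            return Decision("drop", b"", "production honeypot: no outbound connections")
        # Research mode: sliding-window limit on new outbound connections.
        self._allowed_at = [t for t in self._allowed_at if now - t < self.window_s]
        if len(self._allowed_at) >= self.max_new:
            return Decision("drop", b"", f"outbound limit of {self.max_new}/{self.window_s}s reached")
        self._allowed_at.append(now)
        mangled = mangle(flow.payload)
        if mangled != flow.payload:
            return Decision("mangle", mangled, "dangerous pattern rewritten")
        return Decision("accept", mangled, "within outbound limit")


if __name__ == "__main__":
    policy = EgressPolicy("research", max_new=2, window_s=3600)
    attempts = [
        (0, Flow("203.0.113.7", HONEYPOT_IP, 22, False, b"SSH-2.0-client")),
        (5, Flow(HONEYPOT_IP, "198.51.100.99", 80, True, b"GET /tool HTTP/1.0")),
        (9, Flow(HONEYPOT_IP, "198.51.100.5", 4444, True, b"sh -c /bin/sh -i")),
        (12, Flow(HONEYPOT_IP, "198.51.100.6", 25, True, b"HELO victim")),
    ]
    for now, flow in attempts:
        d = policy.decide(flow, now)
        print(f"t={now:>4} {flow.src} -> {flow.dst}:{flow.dport} {d.verdict:<6} {d.reason} {d.payload!r}")
```

Mangling is a compromise rather than a guarantee: a rewrite only catches patterns it knows about, so the connection limit is what actually bounds the damage when an intruder sends something the rules do not recognise.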