Important: Use custom search function to get better results from our thousands of pages

Use " " for compulsory search eg:"electronics seminar" , use -" " for filter something eg: "electronics seminar" -"/tag/" (used for exclude results from tag pages)
Tags: honeyp, can honeypots be used internally, honeypots legal, honeypots computers, honeypots charity, honeypots crawley, honeypots candles, honeypots coloring pages, honeypots collectors, honeypots charity new forest, honeypots computer security, bears and honeypots coloring pages, honeypots and honeynets, honeypots attacks, honeypots attacker, honeypots and entrapment, honeypots and honey tokens, honeypots advantages, honeypots and legal issues, honeypots are authorized for deployment on all army information systems,
Ask More Info Of  A Seminar Ask More Info Of A Project Post Reply  Follow us on Twitter
31-12-2009, 06:31 PM
Post: #1
honeypots seminar report

.doc  honeypots seminar report.doc (Size: 479.5 KB / Downloads: 1556)
ABSTRACT
Honeypot is an exciting new technology with enormous potential for the security community.It is resource which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques.
They are a highly flexible tool that comes in many shapes and sizes. This paper deals with understanding what a honeypot actually is ,and how it works.
There are different varieties of honeypots. Based on their category they have different applications. This paper gives an insight into the use of honeypots in productive as well as educative environments.
This paper also discusses the advantages and disadvantages of honeypots , and what the future hold in store for them.

INTRODUCTION
The Internet is growing fast and doubling its number of websites every 53 days and the number of people using the internet is also growing. Hence, global communication is getting more important every day. At the same time, computer crimes are also increasing. Countermeasures are developed to detect or prevent attacks - most of these measures are based on known facts, known attack patterns. Countermeasures such as firewalls and network intrusion detection systems are based on prevention, detection and reaction mechanism; but is there enough information about the enemy?
As in the military, it is important to know, who the enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasure scan be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just a primary purpose of a honeypot. There are a lot of other possibilities for a honeypot - divert hackers from productive systems or catch a hacker while conducting an attack are just two possible examples. They are not the perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, unexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
This paper will present the basic concepts behind honeypots and also the legal aspects of honeypots.
HONEYPOT BASICS
Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book The Cuckooâ„¢s Egg , and Bill Cheswick's paper "An Evening with Berferd. Since then, honeypots have continued to evolve, developing into the powerful security tools they are today.
Honeypots are neither like Firewalls that are used to limit or control the traffic coming into the network and to deter attacks neither is it like IDS (Intrusion Detection Systems) which is used to detect attacks. However it can be used along with these. Honeypots does not solve a specific problem as such, it can be used to deter attacks, to detect attacks, to gather information, to act as an early warning or indication systems etc. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. The basic definition of honeypots is:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
The main aim of the honeypot is to lure the hackers or attacker so as to capture their activities. This information proves to be very useful since information can be used to study the vulnerabilities of the system or to study latest techniques used by attackers etc. For this the honeypot will contain enough information (not necessarily real) so that the attackers get tempted. (Hence the name Honeypot “ a sweet temptation for attackers)Their value lies in the bad guys interacting with them. Conceptually almost all honeypots work they same. They are a resource that has no authorized activity, they do not have any production value.
Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that give honeypots their tremendous advantages (and disadvantages).
TYPES OF HONEYPOTS
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To better understand honeypots and all the different types, they are broken down into two general categories, low-interaction and high-interaction honeypots. These categories helps to understand what type of honeypot one is dealing with, its strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an attacker.
Low-interaction honeypots have limited interaction, they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate a FTP login, or it may support a variety of additional FTP commands. The advantages of a low-interaction honeypot is their simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others. The main disadvantages with low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, its easier for an attacker to detect a low-interaction honeypot, no matter how good the emulation is, skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
High-interaction honeypots are different, they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated, the attackers are given the real thing. If one wants a Linux honeypot running an FTP server, they build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, extensive amounts of information are captured. By giving attackers real systems to interact with, one can learn the full extent of the attackers behavior, everything from new rootkits to international IRC sessions. The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior one otherwise would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol . However, this also increases the risk of the honeypot as attackers can use these real operating system to attack non-honeypot systems. As result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.
Low-interaction
Solution emulates operating systems and services. High-interaction
No emulation, real OS and services are provided.
¢ Easy to install and deploy.
¢ Captures limited amounts of information.
¢ Minimal risk, as the emulated services controls attackers . ¢ Can capture far more information
¢ Can be complex to install or deploy
¢ Increased risk, as attackers are provided real OS to interact with.
Some people also classify honeypots as low,mid and high interaction honeypots; where mid-interaction honeypots are those with their interaction level between that of low and high interaction honeypots.
A few examples of honeypots and their varieties are:
BackOfficer Friendly
BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and crew at NFR. It is an excellent example of a low interaction honeypot.
It is a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Window based operating system. All it can do is emulate some basic services, such as http, ftp, telnet, mail, or BackOrrifice. Whenever some attempts to connect to one of the ports BOF is listening to, it will then log the attempt. BOF also has the option of "faking replies", which gives the attacker something to connect to. This way one can log http attacks, telnet brute force logins, or a variety of other activity (Screenshot). The value in BOF is in detection, similar to a burglar alarm. It can monitor only a limited number of ports, but these ports often represent the most commonly scanned and targeted services.
Specter
Specter is a commercial product and it is another 'low interaction' production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, not only can it emulate services, but emulate a variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a web server or telnet server of the any operating system. When an attacker connects, it is then prompted with an http header or login banner. The attacker can then attempt to gather web pages or login to the system. This activity is captured and recorded by Specter, however there is little else the attacker can do. There is no real application for the attacker to interact with, instead just some limited, emulated functionality. Specters value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms. You can see an example of this functionality in a screen shot of Specter.
One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker. Some of this information gathering is relatively passive, such as Whois or DNS lookups. However, some of this research is active, such as port scanning the attacker.
Homemade Honeypots
Another common honeypot is homemade. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as Worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with, however the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (http) capturing all traffic to and from the port. This is commonly done to capture Worm attacks Homemade honeypots can be modified to do (and emulate) much more, requiring a higher level of involvement, and incurring a higher level of risk. For example, FreeBSD has a jail functionality, allowing an administrator to create a controlled environment within the operating system. The attacker can then interact with this controlled environment. The value here is the more the attacker can do, the more can be potentially learned. However, care must be taken, as the more functionality the attacker can interact with, the more can go wrong, with the honeypot potentially compromised.
Honeyd
Created by Niels Provos, Honeyd is an extremely powerful, OpenSource honeypot. Designed to run on Unix systems, it can emulate over 400 different operating systems and thousands of different computers, all at the same time. Honeyd introduces some exciting new features. First, not only does it emulate operating systems at the application level, like Specter, but it also emulates operating systems at the IP stack level. This means when someone Nmaps the honeypot, both the service and IP stack behave as the emulated operating system. Currently no other honeypot has this capability (CyberCop Sting did have this capability, but is no longer available). Second, Honeyd can emulate hundreds if not thousands of different computers all at the same time. While most honeypots can only emulate one computer at any point in time, Honeyd can assume the identity of thousands of different IP addresses. Third, as an OpenSource solution, not only is it free to use, but it will expotentially grow as members of the security community develop and contribute code.

Honeyd is primarily used for detecting attacks. It works by monitoring IP addresses that are unused, that have no system assigned to them. Whenever an attacker attempts to probe or attack an non-existant system, Honeyd, through Arp spoofing, assumes the IP address of the victim and then interacts with the attacker through emulated services. These emulates services are nothing more then scripts that react to predetermined actions. For example, a script can be developed to behave like a Telnet service for a Cisco router, with the Cisco IOS login interface. Honeyd's emulated services are also Open Source, so anyone can develop and use their own. The scripts can be written in almost any language, such as shell or Perl. Once connected, the attacker believes they are interacting with a real system. Not only can Honeyd dynamically interact with attackers, but it can detect activity on any port. Most low interaction honeypots are limited to detecting attacks only on the ports that have emulated services listening on. Honeyd is different, it detects and logs connections made to any port, regardless if there is a service listening. The combined capabilities of assuming the identity of non-existant systems, and the ability to detect activity on any port, gives Honeyd incredible value as a tool to detect unauthorized activity. I highly encourage people to check it out, and if possible to contribute new emulated services.
Mantrap
Produced by Recourse, Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system (see Diagram.) Security administrators can modify these jails just as they normally would with any operating system, to include installing applications of their choice, such as an Oracle database or Apache web server. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application level attacks, IRC chat session, and a variety of other threats. However, just as far more can be learned, so can more go wrong. Once compromised, the attacker can used that fully functional operating system to attack others. Care must be taken to mitigate this risk. As such, it can be categorized this as a mid-high level of interaction. Also, these honeypots can be used as either a production honeypot (used both in detection and reaction) or a research honeypot to learn more about threats. There are limitations to this solution. The biggest one is that we are limited to only what the vendor supplies us. Currently, Mantrap only exists on Solaris operating system.
Honeynets
Honeynets represent the extreme of research honeypots. They are high interaction honeypots, one can learn a great deal, however they also have the highest level of risk.

Fig: A honeynet
Their primary value lies in research, gaining information on threats that exist in the Internet community today. A Honeynet is a network of production systems. Unlike many of the honeypots discussed so far, nothing is emulated. Little or no modifications are made to the honeypots. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. This gives the attackers a full range of systems, applications, and functionality to attack. All of their activity, from encrypted SSH sessions to emails and files uploads, are captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. From this we can learn a great deal, not only their tools and tactics, but their methods of communication, group organization, and motives. However, with this capability comes a great deal of risk. A variety of measures must be taken to ensure that once compromised, a Honeynet cannot be used to attack others. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers. Honeynets are primarily research honeypots. They could be used as production honeypots, specifically for detection or reaction, however it is most likely not worth the time and effort
We have reviewed six different types of honeypots. No one honeypot is better than the other, each one has its advantages and disadvantages, it all depends on what is to be achieved. To more easily define the capabilities of honeypots, we have categorized them based on their level of interaction. The greater interaction an attacker has, the more we can learn, but the greater the risk. For example, BOF and Specter represent low interactions honeypots. They are easy to deploy and have minimal risk. However, they are limited to emulating specific services and operating systems, used primarily for detection. Mantrap and Honeynets represent mid-to-high interaction honeypots. They can give far greater depth of information, however more work and greater risk is involved
Sometimes, honeypots are also classified as Hardware based and Software based honeypots.
Hardware-based honeypots are servers, switches or routers that have been partially disabled and made attractive with commonly known misconfigurations. They sit on the internal network, serving no purpose but to look real to outsiders. The operating system of each box, however, has been subtly disabled with tweaks that prevent hackers from really taking it over or using it to launch new attacks on other servers.
Software emulation honeypots, on the other hand, are elaborate deception programs that mimic real Linux or other servers and can run on machines as low-power as a 233-MHz PC. Since an intruder is just dancing with a software decoy, at no time does he come close to actually seizing control of the hardware, no matter what the fake prompts seem to indicate. Even if the hacker figures out that it's a software honeypot, the box on which it's running should be so secure or isolated that he couldn't do anything but leave anyway.Software emulation might be more useful for corporate environments where business secrets are being safeguarded.

VALUE OF HONEYPOTS
Now that we have understanding of two general categories of honeypots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories, honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. When used for production purposes, honeypots can protect organizations in one of three ways; prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.
1. Prevention : Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system (with worms self-replicating, copying themselves to the victim). One way that honeypots can help defend against such attacks is slowing their scanning down, potentially even stopping them. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a Windows size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated the internal organization. One such example of a sticky honeypot is LaBrea Tarpit. Sticky honeypots are most often low-interaction solutions (one can almost call them 'no-interaction solutions', as they slow the attacker down to a crawl ).
Honeypots can also be used to protect the organization from human attackers. The concept is deception or deterrence. The idea is to confuse an attacker, to make him waste his time and resources interacting with honeypots. Meanwhile, the organization being attacked would detect the attacker's activity and have the time to respond and stop the attacker.
This can be even taken one step farther. If an attacker knows an organization is using honeypots, but does not know which systems are honeypots and which systems are legitimate computers, they may be concerned about being caught by honeypots and decided not to attack your organizations. Thus the honeypot deters the attacker. An example of a honeypot designed to do this is Deception Toolkit, a low-interaction honeypot.
2. Detection : The second way honeypots can help protect an organization is through detection. Detection is critical, its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reasons then humans are involved in the process. By detecting an attacker, you can quickly react to them, stopping or mitigating the damage they do. Traditionally, detection has proven extremely difficult to do. Technologies such as IDS sensors and systems logs have proved ineffective for several reasons. They generate far too much data, large percentage of false positives (i.e. alerts that were generated when the sensor recognized the configured signature of an "attack", but in reality was just valid traffic), inability to detect new attacks, and the inability to work in encrypted or IPv6 environments. Honeypots excel at detection, addressing many of these problems of traditional detection. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. By definition, anytime a connection is made to the honeypot, this is most likely an unauthorized probe, scan, or attack. Anytime the honeypot initiates a connection, this most likely means the system was successfully compromised. This helps reduce both false positives and false negatives greatly simplifying the detection process by capturing small data sets of high value, it also captures unknown attacks such as new exploits or polymorphic shellcode, and works in encrypted and IPv6 environments. In general, low-interaction honeypots make the best solutions for detection. They are easier to deploy and maintain then high-interaction honeypots and have reduced risk.
3. Response : The third and final way a honeypot can help protect an organization is in reponse. Once an organization has detected a failure, how do they respond? This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity are critical. There are two problems compounding incidence response. First, often the very systems compromised cannot be taken offline to analyze. Production systems, such as an organization's mail server, are so critical that even though its been hacked, security professionals may not be able to take the system down and do a proper forensic analysis. Instead, they are limited to analyze the live system while still providing production services. This cripples the ability to analyze what happened, how much damage the attacker has done, and even if the attacker has broken into other systems. The other problem is even if the system is pulled offline, there is so much data pollution it can be very difficult to determine what the bad guy did. By data pollution, I mean there has been so much activity (user's logging in, mail accounts read, files written to databases, etc) it can be difficult to determine what is normal day-to-day activity, and what is the attacker. Honeypots can help address both problems. Honeypots make an excellent incident resonse tool, as they can quickly and easily be taken offline for a full forensic analysis, without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious activity. This makes hacked honeypots much easier to analyze then hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to rapidly and effectively respond to an incident. In general, high-interaction honeypots make the best solution for response. To respond to an intruder, you need in-depth knowledge on what they did, how they broke in, and the tools they used. For that type of data you most likely need the capabilities of a high-interaction honeypot.
Up to this point we have been talking about how honeypots can be used to protect an organization. We will now talk about a different use for honeypots, research.
Honeypots are extremely powerful, not only can they be used to protect your organization, but they can be used to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is a lack of information or intelligence on cyber threats. How can we defend against an enemy when we don't even know who that enemy is? For centuries military organizations have depended on information to better understand who their enemy is and how to defend against them. Why should information security be any different?
Research honeypots address this by collecting information on threats. This information can then be used for a variety of purposes, including trend analysis, identifying new tools or methods, identifying attackers and their communities, early warning and prediction, or motivations. One of the most well known examples of using honeypots for research is the work done by the Honeynet Project, an all volunteer, non-profit security research organization. All of the data they collect is with Honeynet distributed around the world. As threats are constantly changing, this information is proving more and more critical.
IMPLEMENTATION
Honeypot Location
A honeypot does not need a certain surrounding environment as it is a standard server with no special needs.A honeypot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches as others.
A honeypot can be used on the Internet as well as the intranet, based on the needed service. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is wished. It is especially important to set the internal thrust for a honeypot as low as possible as this system could be compromised, probably without immediate knowledge.
If the main concern is the Internet, a honeypot can be placed at two locations:
¢ In front of the firewall (Internet)
¢ DMZ
¢ Behind the firewall (intranet)
Each approach has its advantages as well as disadvantages. Sometimes it is even impossible to choose freely as placing a server in front of a firewall is simply not possible or not wished.
By placing the honeypot in front of a firewall , the risk for the internal network does not increase. The danger of having a compromised system behind the firewall is eliminated. A honeypot will attract and generate a lot of unwished traffic like portscans or attack patterns. By placing a honeypot outside the firewall, such events do not get logged by the firewall and an internal IDS system will not generate alerts. Otherwise, a lot of alerts would be generated on the firewall or IDS.Probably the biggest advantage is that the firewall or IDS, as well as any other resources, have not to be adjusted as the honeypot is outside the firewall and viewed as any other machine on the external network. The disadvantage of placing a honeypot in front of the firewall is that internal attackers cannot be located or trapped that easy, especially if the firewall limits outbound traffic and therefore limits the traffic to the honeypot.
Placing a honeypot inside a DMZ seems a good solution as long as the other systems inside the DMZ can be secured against the honeypot. Most DMZs are not fully accessible as only needed services are allowed to pass the firewall. In such a case,placing the honeypot in front of the firewall should be favored as opening all corresponding ports on the firewall is too time consuming and risky.
A honeypot behind a firewall can introduce new security risks to the internal network, especially if the internal network is not secured against the honeypot through additional firewalls. This could be a special problem if the IPâ„¢s are used for authentication. It is important to distinguish between a setup where the firewall enables access to the honeypot or where access from the Internet is denied. By placing the honeypot behind a firewall, it is inevitable to adjust the firewall rules if access from the Internet should be permitted. The biggest problem arises as soon as the internal honeypot is compromised by an external attacker. He gains the possibility to access the internal network through the honeypot. This traffic will be unstopped by the firewall as it is regarded as traffic to the honeypot only, which in turn is granted. Securing an internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot. With an internal honeypot it is also possible to detect a misconfigured firewall which forwards unwanted traffic from the Internet to the internal network. The main reason for placing a honeypot behind a firewall could be to detect internal attackers.
The best solution would be to run a honeypot in its own DMZ, therefore with a preliminary firewall. The firewall could be connected directly to the Internet or intranet, depending on the goal. This attempt enables tight control as well as a flexible environment with maximal security.
How does a Honeypot Gather Information
Obviously a honeypot must capture data in an area that is not accessible to an attacker. Data capture happens on a number of levels.
Firewall Logs”A Packet Sniffer (or similar IDS sensor)”The IDS should be configured to passively monitor network traffic (for an added level of invisibility, one might set the system up to have no IP address or, in some instances, the sniffer could be configured to completely lack an IP stack). This will capture all cleartext communication, and can read keystrokes.
Local and Remote Logs”These should be set up just as it would on any other system, and will possibly be disabled, deleted, or modified by an experienced hacker, but plenty of useful information will still be available from all the previous capture methods.
Remotely Forwarded Logs”Will capture data on a remote log and then instantly forward the data to a system even further out of the range of the attacker,so that the attacker cannot be warned that all his activities are watched or try to modify the captured data.

Limiting Outbound Attacks
To protect oneself from any sort of third party liabilities, an individual deploying a honeypot will likely want some kind of safeguard. Firewalls can be configured to let an unlimited number of inbound connections, while limiting outbound connections to a specific number (be it 10 outbound connections, or 50). This method lacks flexibility, and could shut an attacker out at a critical point (in the middle of an IRC session, or before they have retrieved all of their tools). A more flexible option is as follows: a system configured as a layer 2 bridge (which will lack all TCP activity, thus being harder to detect). The system can be configured to monitor all activity and can utilize a signature database to distinguish a known attack from any non-aggressive activity (and instead of blocking the attack, it can simply add some data to the packet to render it ineffectual). It can also throttle bandwidth (to quench a DDoS attack). This is a very effective way to protect other systems; however, it will not block unknown or new attacks.
Putting the Honey into the Pot
An advanced honeypot is a fully functional OS, and therefore can be filled with financial information, e-mails with passwords for other honeypots, databases of fake customers”anything that might motivate an attacker to compromise the system. An individual could set up a web server that explains that the law services of so and so and so and so from San Francisco are currently setting up their systems to do online consultation for big banks and other big businesses. A whole network of honeypots sits in a secure environment behind a firewall that an attacker would need to break through. The network might have loads of fake data and e-mail; a large playing field for an advanced hacker to wander through.

MERITS AND DEMERITS
Merits: Honeypots have a large number of merits in its favour. They are :
¢ Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity, any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collectin only small data sets, but information of high value, as it is only the bad guys. This means its much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
¢ New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
¢ Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
¢ Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.
¢ Information: Honeypots can collect in-depth information that few, if any other technologies can match.
¢ Simplicty: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.
Demerits: Like any technology, honeyopts also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.
¢ Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.
¢ Risk: All security technologies have risk. Firewalls have risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different, they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk various for different honeypots. Depending on the type of honeypot, it can have no more risk then an IDS sensor, while some honeypots have a great deal of risk.
LEGAL ISSUES
In the past there has been some confusion on what are the legal issues with honeypots. There are several reasons for this. First, honeypots are relatively new. Second, honeypots come in many different shapes and sizes and accomplish different goals. Based on the different uses of honeypots different legal issues apply. Last, there are no precedents for honeypots. There are no legal cases recorded on the issues. The law is developed through cases. Without cases directly on point, we are left trying to predict, based on cases in other contexts, how courts will treat honeypots. Until a judge gives a court order, we will really never know.
With honeypots, there are three main issues that are commonly discussed: entrapment, privacy, and liability.
¢ Liability: You can potentially be held liable if your honepyot is used to attack or harm other systems or organizations. This risk is the greatest with Research honeypots.
¢ Privacy: Honeypots can capture extensive amounts of information about attackers, which can potentially violate their privacy. Once again, this risk is primarily with Research honeypots. However in case of honeypot there is exemption. It means that security technologies can collect information on people (and attackers), as long as that technology is being used to protect or secure your environment. In other words, these technologies are now exempt from privacy restrictions. For example, an IDS sensor that is used for detection and captures network activity is doing so to detect (and thus enable organizations to respond to) unauthorized activity. Such a technology is most likely not considered a violation of privacy.
¢ Entrapment: For some odd reason, many people are concerned with the issue of entrapment. Entrapment, by definition is "a law-enforcement officer's or government agent's inducement of a person to commit a crime, by means of fraud or undue persuasion, in an attempt to later bring a criminal prosecution against that person." Think about it, entrapment is when you coerce or induce someone to do something they would not normally do. Honeypots do not induce anyone. Attackers find and break into honeypots on their own initiative. People often question the idea of creating targets of high value, for example honeypots that are ecommerce sites or advertised as having government secrets. Even then, such honeypots are most likely not a form of entrapment as you are not coercing them into breaking into the honeypot. The bad guy has already decided to commit unauthorized activity, one is merely providing a different target for the blackhat to attack. Therefore, in most cases involving honeypots, entrapment is not an issue.
FUTURE OF HONEYPOTS
Mr. Lance spitzner who has played a major role in the development of honeypots has made certain predictions about the future of honeypots. They are as follows:
¢ Government projects: Currently honeypots are mainly used by organizations, to detect intruders within the organization as well as against external threats and to protect the organization. In future, honeypots will play a major role in the government projects, especially by the military, to gain information about the enemy, and those trying to get the government secrets.
¢ Ease of use: In future honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home and without difficulty.
¢ Closer integration: Currently honeypots are used along with other technologies such as firewall, tripwire, IDS etc. As technologies are developing, in future honeypots will be used in closer integration with them. For example honeypots are being developed for WI-FI or wireless computers. However the development is still under research.
¢ Specific purpose: Already certain features such as honeytokens are under development to target honeypots only for a specific purpose. Eg: catching only those attempting credit card fraud etc.
¢ Honeypots will be used widely for expanding research applications in future.
CONCLUSION
This paper has given an in depth knowledge about honeypots and their contributions to the security community. A honeypot is just a tool. How one uses this tool is upto them.
Honeypots are in their infancy and new ideas and technologies will surface in the next time. At the same time as honeypots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the blackhat community.

Letâ„¢s hope that such a technology will be used to restore the peace and prosperity of the world and not to give the world a devastating end.


REFERENCES
¢ Spitzner, Lance.
Honeypots Tracking Hackers. Addison-Wesley: Boston,2002
¢ Spitzner, Lance.
The value of Honeypots, Part Two:Honeypot Solutions and legal Issues 10Nov.2002
<http://online.securityfocusinfocus/1498>
¢ Spitzner, Lance.
Know Your Enemy: Honeynets. 18 Sep. 2002.
<http://project.honeynetpapers/honeynet/>.
¢ Honeypots-Turn the table on hackers June 30,2003 <www.itmanagement.earthwebsecu/article.php/143 6291>
¢ <www.tracking-hackers.com >
¢ Posted By: Brian Hatch
Honeypots”What the Hell are They? Published By: NewOrder ,1/6/2003 11:36
<www.linuxsecurity.com>

ACKNOWLEDGEMENT
I express my sincere gratitude to Dr. Agnisarman Namboodiri, Head of Department of Information Technology and Computer Science , for his guidance and support to shape this paper in a systematic way.
I am also greatly indebted to Mr. Saheer H.B. and
Ms. S.S. Deepa, Department of IT for their valuable suggestions in the preparation of the paper.
In addition I would like to thank all staff members of IT department and all my friends of S7 IT for their suggestions and constrictive criticism.

CONTENTS

1. INTRODUCTION 01
2. HONEYPOT BASICS 03
3. TYPES OF HONEYPOTS 05
4. VALUE OF HONEYPOT 17
5. IMPLEMENTATION 23
6. MERITS AND DEMERITS 29
7. LEGAL ISSUES 31
8. FUTURE OF HONEYPOTS 33
9. CONCLUSION 34

10. REFERENCES 35

Please Use Search http://www.seminarprojects.com/search.php wisely To Get More Information About A Seminar Or Project Topic
13-02-2010, 04:42 PM
Post: #2
RE: honeypots seminar report

.doc  HONEY POT.doc (Size: 164.5 KB / Downloads: 543)

ABSTRACT

A honeypot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, can provide early warning about new attack and exploitation trends, or allow in-depth examination of adversaries during and after exploitation of a honeypot. Deploying a physical honeypot is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system.

Honey pots are a powerful, new technology with incredible potential. They can do everything from detecting new attacks never seen in the wild before, to tracking automated credit card fraud and identity theft. In the past several years the technology is rapidly developing, with new concepts such as honeypot farms, commercial and open source solutions, and documented findings released.

A great deal of research has been focused on identifying, capturing, and researching external threats. While malicious and dangerous, these attacks are often random with attackers more interested in how many systems they can break into then which systems they break into. To date, limited research has been done on how honey pots can apply to a far more dangerous and devastating threat, the advanced insider. This trusted individual knows networks and organization. Often, these individuals are not after computers, but specific information. This is a risk that has proven far more dangerous, and far more difficult to mitigate.

1.INTRODUCTION

A honey pot is an information system resource whose value lies in unauthorized or illicit use of that resource.

Internet security is increasing in importance as more and more business is conducted there. Yet, despite decades of research and experience, it is still unable to make secure computer systems or even measure their security. As a result, exploitation of newly discovered vulnerabilities often catches us by surprise. Exploit automation and massive global scanning for vulnerabilities enable adversaries to compromise computer systems shortly after vulnerabilities become known.

One way to get early warnings of new vulnerabilities is to install and monitor computer systems on a network that is expected to be broken into. Every attempt to contact these systems via the network is suspect. Such a system is called honeypot. If a honeypot is compromised, it is studied for vulnerability that was used to compromise it. A honeypot may run any operating system and any number of services.

The configured services determine the vectors an adversary may choose to compromise the system. A physical honeypot is a real machine with its own IP address. A virtual honeypot is simulated by another machine that responds to network traffic sent to the virtual honeypot. Virtual honey pots are attractive because they require fewer computer systems, which reduce maintenance costs. Using virtual honey pots, it is possible to populate a network with hosts running numerous operating systems. IT the enemy does not interact or use the honeypot, then it has little value. This is very different from most security mechanisms. For example, the last thing you want an attacker to do is interact with your firewall. IDS sensor. Honey pots are very different, and it is this difference that makes them such a powerful tool in your arsenal.
First, honey pots do not solve a specilic problem. Instead, they are a highly flexible tool that has many applications to security. They can be used everything from slowing down or stopping automated attacks, capturing new exploits to gathering intelligence on emerging threats or early warning and prediction.

Second, honey pots come in many different shapes and sizes. They can be everything from a Windows program that emulates common services, such as the Windows honeypot KFSensor3. to entire networks of real computers to be attacked, such as Honey nets.

All honey pots share the concept: they are a resource or entity with no production value. By definition, your honeypot should not see any activity. Anything or anyone interacting with the honeypot is an anomaly, it should not be happening. Most likely, it implies you have unauthorized or malicious activity. For example, a honeypot could be nothing more then a web server deployed in your DMZ network. The web server is not used for production purposes, its does not even have an entry in DNS, its merely physically located with other web servers.

Any interaction with the honeypot is assumed unauthorized and most likely malicious. If the web server honeypot is probed by external systems from the Internet, you have identified an attack, most likely the same one your other production web servers are facing. If honeypot is probed by one of the production web servers on the DMZ. that can imply that the production web server has been compromised by an attacker, and is now being used as a launching pad to compromise other systems on the DMZ.


Advantages Of Honey pots

¢ Small Data Sets: Honey pots only collect data when someone or something is interacting with them. Organizations that may log thousands of alerts a day with traditional technologies will only log a hundred alerts with honey pots. This makes the data honey pots collect much higher value, easier to manage and simpler to analyze.
¢ Reduced False Positives: One of the greatest challenges with most detection technologies is the generation of false positives or false alerts. The larger the probability that a security technology produces a false positive the less likely the technology will be deployed. Honey pots dramatically reduce false positives. Any activity with honey pots is by definition unauthorized, making it extremely efficient at detecting attacks.
¢ Catching False Negatives: Another challenge of traditional technologies is failing to detect unknown attacks. This is a critical difference between honey pots and traditional computer security technologies which rely upon known signatures or upon statistical detection. Signature-based security technologies by definition imply that "someone is going to get hurt" before the new attack is discovered and a signature is distributed.

Statistical detection also suffers from probabilistic failures - there is some non-zero probability that a new kind of attack is going to go undetected. Honey pots on the other hand can easily identify and capture new attacks against them. Any activity with the honeypot is an anomaly, making new or unseen attacks easily stand out.
¢ Encryption: It does not matter if an attack or malicious activity is encrypted, the honeypot will capture the activity. As more and more organizations adopt encryption within their environments this becomes a major issue. Honey pots can do this because the encrypted probes and attacks interact with the honeypot as an end point, where the activity is decrypted by the honeypot.
¢ IPv6: Honey pots work in any IP environment, regardless of the IP protocol, including IPv6. IPv6 is the new IP standard that many organizations, such as the Department of Defense, and many countries, such as Japan, are actively adopting. Many current technologies, such as firewalls or IDS sensors, cannot handle IPv6.
¢ Highly Flexible: Honey pots are extremely adaptable, with the ability to be used in a variety of environments, everything from a Social Security Number embedded into a database, to an entire network of computers designed to be broken into.
¢ Minimal Resources: Honey pots require minimal resources, even on the largest of networks. A simple, aging Pentium computer can monitor literally millions of IP addresses.

For insider threats, these advantages can be leveraged. Honey pots also share several disadvantages.


Disadvantages Of Honey pots
¢ Risk: Honey pots are a security resource you want the bad guys to interact with, there is a risk that an attacker could use a honeypot to attack or harm other non-honeypot systems. This risk varies with the type of honeypot used. For example, simple honey pots such as KFSensor have very little risk. Honey nets, a more complex solution, have a great deal of risk.
¢ Limited Field of View: Honey pots only see or capture that which interacts with them. They are not a passive device that captures activity to all other systems.

Instead, they only have value when directly interacted with. In many ways honey pots are like a microscope. They have a limited field of view, but a field of view that gives them great detail of information.
1.1 THE INSIDER


The goal is to detect, identify, and confirm insider threats. This means leveraging Honey pots to not only indicate that there is an insider, but also confirm their actions, and potentially learn their motives and resources.

What makes the goal difficult is the threat, the sophisticated insider. It may be someone who is technically skilled, highly motivated, and has access to extensive resources. For example, this threat may be an employee working for a large corporation, but in reality they are employed by a competitor to engage in corporate espionage. A second example is highly skilled, disgruntled employee motivated to cause a great deal of damage before they are fired. A third example could be a spy working for a foreign country.

Regardless of who the insider is, it is a highly dangerous threat, one that is extremely difficult to detect. They have access to critical information: they know the structure of the organization. They are most likely after information, not systems. As a result, there may be few attacks and their access to information may even be authorized. It is what they do with that information that comprises the threat.


1.2 THE STRATEGY

Traditionally, honeypots have been used to detect or capture the activity of outsider or perimeter threats. The purpose of these honeypots varied. Some organizations are interested in learning what threats exist and gaining intelligence on those threats, others want to detect attacks against their perimeter, while others were attempting early warning and prediction of new attack tools, exploits, or malicious code. When focusing on such a threat, the strategy for deploying honeypots is relatively simple, deploy the honeypots and the attackers will come. Honeypots would be placed on a perimeter network, or a direct connection to the
Internet, such as a cable modem. Once deployed, security administrators took the attitude 'sit back and wait'.

II' you build it, they will come. And come they do. An unprotected honeypot deployed on an external network can expect to see 10-30 probes a day. A vulnerable honeypot (such as a default RH 7.2 installation or unpatched Windows XP computer) can expect to be compromised in less then seventy-two hours. What makes these numbers even more amazing is nothing is done to advertise the honeypots or entice the attackers. These honeypots are not registered in DNS, they have no entries in Google or in any search engines, no one should know about these deployed honeypots.

And yet, attackers find and attack these systems repeatedly on their own initiative. Once you understand the enemy you are dealing with, this is not as amazing as it seems. An extremely large percentage of cyber threats are what can be classified as script kiddies, or automated, random attackers. These individuals targets systems of opportunity. They are not interested in what systems they compromise, but how many.

Their goal is to compromise as many computers as possible. Their motives for this vary extensively (creating networks to be used for Distributed Denial of Service attacks, networked bots, stealing credit cards, identity theft, scouring for email address to be sold to spammers).







ODD

Production 192.168.1.15
Production 192.168.1.20
Production 192.168.1.23






sal ethO

Honeywall
Gateway
| [ eth2 ” 10.1.1.1

eth1






Ws.
\ i I'I ''"'i * 'i t. * ¦ i
RHM^Aim P.Bi'iKW.1 PiBi'-y.Vr'il
Honeypot Honeypot Honeypot 192.168.1.101 192.168.1.102 192.168.1.103
Diagram of a 2nd generation Honey net. All an acker activity sent to the honeypots (systems in yellow) must go through the Honey wall gateway, a layer two bridging device that controls and captures all of the attackers' activity.

They share the same goal: literally break into thousands of computers. The Honey net Project has had honeypots controlled by attackers who own over 15,000 compromised systems. These attackers do this by simply running automated tools they find on the Internet, or given to them by other blackhats. These automated tools do all the work for the attacker. Once launched, the tools scour the entire Internet., probing every IP address they can find.


Once attackers find a vulnerable system, the tool compromises the box, takes over it. and then continues probing. While not an elegant or subtle approach, it's effective. The majority of today's attackers are not highly skilled, but they don't need to be. These automated tools do the work for them. When dealing with this clientele, the strategy for deploying honeypots is simple.

The attackers scan entire blocks of networks. By Global Characteristics and Prevalence, they estimate 25 billion intrusion attempts per day, based on 1600 firewall logs collected over a four month period. Because of this brute force method, external threats will also attack and break into honeypots that are on the same networks.

When attempting to detect and learn about sophisticated insiders, a different strategy is needed. First, when dealing with insider threats, the honeypots must be from external networks to your internal networks, move the honeypots to where the threat is. Second is to address one of the disadvantages of honeypots, the fact they have a limited view, they only see what interacts with them.

Simply deploying honeypots on your internal network most likely will not detect the advanced insiders. Such honeypots will detect common threats, such as automated attacks, worms, or insider threats taking a brute force approach, such as scanning internal networks for open shares. These threats represent the same clientele as most external threats, taking a target of opportunity force, sweeping entire networks or actively probing many systems. Regardless of where you deploy your honeypots. they will easily capture such activity.

The insider will not be so careless, so noisy. This threat will be far more selective, they do not want to be caught. Also, they have better knowledge of the environment, and as such can focus on specific targets. Simply deploying honeypots on your internal network will not do the trick. There are technical ways to increase the likelihood. For example, honeypots such as Honeyd create virtual honeypots that populate all of your internal, unused IP space.
Instead of having one honeypot, one has thousands all over your networks. If an attacker attempts to interact with an unused IP address, the honeypot dynamically creates a virtual honeypot that interact with the attacker. This method exponentially increases the likelihood of capturing attacks. It must be assumed that the insider knows what systems they are after, and what information they want to compromise.

As such, the insider threat will most likely not go after unknown or unused IP addresses or systems. As a result, strategy must be modified for deploying honeypots. Instead of the threat coming to the honeypot, there must be some way of directing the attacker to the honeypot, without them knowing it. The honeypots themselves should also be more advanced. To learn more about the attacker, the honeypots cannot simply be basic, emulated services.

Instead, the honeypots should be more advanced, real systems with the same applications, data, appearance, and behavior the insider expects. Once the attacker interacts with the honeypot, there is the initial indication that there is an insider threat. Based on what the attacker does with the honeypot, continue to monitor their actions and then potentially confirm if there is an insider, who that threat is. how they are operating and why. So. the strategy for insider honeypots is not one of just building the honeypot. Instead, the insider must be guided to it, a honeypot realistic enough for the attacker to interact with.


1.3 THE TACTICS

There are two problems for implementation of honeypot. The first one is the redirection of an insider to a honeypot. The second problem is one of creating a realistic honeypot for the insider to interact with. Combined, these two elements can not only be used to indicate an insider threat, but conlirm who the threat is. their identity, motives, and operations.
To redirect the attacker, it is better understand the problem. Most insiders are after specific information. In many cases, they already know what that information is. where it is. and potentially even how to access it. The goal will be to create information that the insider will want, but information that represents an indication of insider attack. This is information that the attacker is not authorized to have, or information that is inappropriate. One of the lessons learned from the ARDA Cyber Indications and Warning workshop was that in many cases insider threats have authorization to access information, but may access information they do not have need to know.

In many cases, an insider may use a sniffer to passively monitor and collect sensitive network activity. This approach is very safe as it is difficult to detect, yet it can give the insider tremendous amount of information. Not only can fhe attacker recover highly sensitive data, but who is using it and how. Also, for many organizations, the more trusted the environment, the less likely you will find advanced security precautions, such as encrypted communications. This makes it very easy for the insider to passively monitor communications, as the insider is part of that trusted environment. Honey tokens can be used to detect such activity.

A honey token is created, one of perceived value, and inserted into network traffic. If an attacker is monitoring that network, they will most likely capture the honey token. As such, the honey token needs to have perceived value, one the insider will follow up on. The honey token could be a login and password for a system perceived of high value, fhe insider recovers this login and password, and attempts to use it on a system. Since it's a honey token, no one is authorized to use this login/password combination.

Any use of this honey token on any system is an indication of an insider. A step further is by using different login/password combinations inserted into different networks. Then, not only that there will be an indication of an insider when the honey token is used, but it can determined where the honey token was sniffed by matching the different login/password combination to the different networks it was inserted into.

To direct an attacker to a honeypot. it needs to have the honey tokens point to the honeypot. Users can login to a honeypot using the honey token. When the insider recovers the information from the network, not only will they recover the bogus login and password, but they will see it successfully used on a system (such as a database). What they don't know is that the database is really a honeypot. When the attacker accesses the database with the honey token login and password, not only there is an early indication of an insider, but by monitoring activities on database honeypot, it can be learned more about who the insider is, their motives, etc.

An insider may know what resources or individuals are of high value. Honey tokens can be placed in those environments. Any uses of those honey tokens are indication of an insider. For example, an insider is accessing VP's or senior manager's emails. Inside each of these individuals' mailboxes a bogus email is created, this email is the honey token. No one should be reading or accessing it.

Once there is an indication of an attacker, he must be redirected to a more advanced honeypot, specifically a Honey net. Honey nets can then be used to gather more information, including confirming if the insider has malicious or unauthorized intent, which the insider is, and perhaps their motives. Honey nets have repeatedly demonstrated their ability to capture information on external attackers. When the honey token directs the insider to the systems within the Honey net their activities can be monitored. The Honey nets are crafted to meet the insider's expectations.

In addition to combining the capabilities of honey tokens and Honey nets is the concept of adaptive behavior. One of the interesting concepts is the idea of dynamically changing honey tokens or Honey nets based on the actions of an insider threat. In the overall scheme of detecting insiders honeypots are not the complete solution. Instead, they are hut one of many sensors or data input to detecting insiders. Multiple inputs exist. All the data collected from various sources can then be directed to a central collection system. Once correlated, indications can be found of insider activity. Honeypots are only one component in that overall architecture. Honeypots have a unique advantage, the ability to adapt to the threat.

Once the central collection systems have early indications of an insider threat, honeypots could be adapted to that threat. A short list of suspects is made from a broad and shallow search and a vital database can be monitored. If a user not on the suspect list submits a query, the system responds with an unaltered production item.

If there is a user that is on the suspect list, then honey tokens can be adapted and introduced into the suspect's activity. If suspect A submits a query and, as an additional constraint., that query is tagged as inappropriate, then the system responds with honey token A. For suspect B. the system responds with honey token B, and so on. Depending upon what the user does with the honey token, he or she may be removed from the suspect list. In this case, future queries will return production items rather than honey tokens. Also, Honey nets themselves could be adapted. An insider may be interested in researching a database. Once a suspect has been identified. Honey nets could be adapted to reflect what systems the attacker is interested in, the information those systems should contain.



In the diagram, you see a central Common Data system collecting, and then correlating data, from multiple sources (including Honey nets). Once fused and analyzed, correlated data can indicate insider activity. These indications can be redirected to honey tokens, or a Honey net, to adapt to the insider, allowing us to learn more information.
2. RISKS

While honeypots represent a powerful tool in the arsenal to fight the insider threat, they are not the only solution. There are several reasons for this.

First, the insider threat may not ever use or interact with a honeypot or honey token. If that is the case, then honeypots will have little value as an observable. As such, other observables must also be considered. In contrast, individuals use information technology extensively, including the use of search engines. As such, honeypots have far greater effectiveness against such threats.

Second, honeypots will not work if their identity is known or discovered by the insider. The individual will know to avoid the honeypot, and thus avoid an indication of their activity. Potentially even worse, if an insider has discovered a honeypot, they can introduce bogus or false information to it, misleading security organizations. To counter such issues, the use and deployments of honeypots has to be highly controlled information.

The fewer people who know its identity, the less likely its identity will be compromised. One of the advantages of honeypots is their identity can easily be changed. Honeypots can monitor different IP addresses, emulate different services, or even different operating systems. Honey tokens can easily be changed as different files, search engine queries, or deployed on different systems. By not only securing the identity of honeypots, but changing its identity, they become more difficult to detect.
3. COMPARISON BETWEEN HONEYPOT & NIPS

The amount of useful in formation provided by NIDS is decreasing in the face of ever more sophisticated evasion techniques and an increasing number of protocols that employ encryption to protect network traffic from eavesdroppers. NIDS also suffer from high false positive rates that decrease their usefulness even further.

Honeypots can help with some of these problems. A honeypot is as a closely monitored computing resource that intends to be probed, attacked, or compromised. The value of a honeypot is determined by the information obtained from it. Monitoring the data that enters and leaves a honeypot lets us gather information that is not available to NIDS.

For example, key strokes can be logged of an interactive session even if encryption is used to protect the network traffic. To detect malicious behavior. NIDS require signatures of known attacks and often fail to detect compromises dial were unknown at the time it was deployed.

On the other hand, honeypots can detect vulnerabilities that are not yet understood. For example, compromises can be detected by observing network traffic leaving the honeypot even if the means of the exploit has never been seen before.

Because a honeypot has no production value, any attempt to contact it is suspicious. Consequently, forensic analysis of data collected from honeypots is less likely to lead to false positives than data collected by NIDS. Honeypots can run any operating system and any number of services. The configured services determine the vectors available to an adversary for compromising or probing the system.
A high-interaction honeypot simulates all aspects of an operating system. A low-interaction honeypots simulates only some parts, for example the network.
stack. A high-interaction honeypot can be compromised completely, allowing an adversary to gain full access to the system and use it to launch further network attacks.

In contrast, low interaction honeypots simulate only services that cannot be exploited to get complete access to the honeypot. Low-interaction honeypots are more limited, but they are useful to gather information at a higher level, e.g., learn about network probes or worm activity. They can also be used to analyze spammers or for active countermeasures against worms.

There are two types of honeypots. physical and virtual honeypots. A physical honeypot is a real machine on the network with its own IP address. A virtual honeypot is simulated by another machine that responds to network traffic-sent to the virtual honeypot. When gathering information about network attacks or probes, the number of deployed honeypots influences the amount and accuracy of the collected data.

A good example is measuring the activity of HTTP based worms. These worms can be identified only after they complete a TCP handshake and send their payload. But most of their connection requests will go unanswered because they contact randomly chosen IP addresses. A honeypot can capture the worm payload by configuring it to function as a web server.

The more honeypots arc deployed the more likely one of them is contacted by a worm. Physical honeypots are often high-interaction, so allowing the system to be compromised completely, they are expensive to install and maintain. For large address spaces, it is impractical or impossible to deploy a physical honeypot for each IP address. In that case, deploy virtual honeypots.
4. APPLICATIONS

The Honeypot can be used in different areas of system security which are network decoys and detecting and countering of worms.


4.1 NETWORK DECOYS


The traditional role of a honeypot is that of a network decoy. The framework can be used to instrument the unallocated addresses of a production network with virtual honeypots.
Adversaries that scan the production network can potentially be confused and deterred by the virtual honeypots. In conjunction with a NIDS. the resulting network traffic may help in getting early warning of attacks.


4.2 DETECTING AND COUNTERING WORMS

Honeypots are ideally suited to intercept traffic from adversaries that randomly scan the network. This is especially true for Internet worms that use some form of random scanning for new targets, e.g. Blaster, Code Red, Nimda, Slammer, etc. A virtual honeypot deployment can be used to detect new worms and how to launch active counter measures against infected machines once a worm has been identified.

To intercept probes from worms, virtual honeypots are instrumented on unallocated network addresses. The probability of receiving a probe depends on the number of infected machines, the worm propagation chance and the number of deployed honeypots h. The worm propagation chance depends on the worm propagation algorithm, the number of vulnerable hosts and the size of the address space.

In general, the larger the honeypot deployment the earlier one of the honeypots receives a worm probe. To detect new worms, Honeyd framework can

be used in two different ways. A large number of virtual honeypots have to be deployed as gateways in front of a smaller number of high-interaction honeypots.

5. FUTURE SCOPE

Some of the future HONEY POT Technologies are:

Honey Tokens Wireless Honey pots Spam Honey pots Search-engine Honey pots

6. CONCLUSION

Honeypots are an emerging technology, with extensive potential. They have tremendous advantages that can be applied to a variety of different environments. They dramatically reduce false positives, while providing an extremely flexible tool that is easy to customize for different environments and threats.

Traditionally, honeypots have been applied against external threats or common internal threats. By combining the capabilities of honey tokens and Honey nets, honeypots contribute to the early indication and confirmation of advanced insider threats. The research in this area is still in the early stages, with the intent of greater testing and development in the future.

7. BIBLIOGRAPHY

[I] http://www.wikipedia.org [2] http://www.totse.com [3] http://www.honeypot.com [41 http://www.seminartopics.net [51 http://www.projecthoneypot.org

CONTENTS


1. INTRODUCTION 1
1.1 THE INSIDER 5
1.2 THE STRATEGY 5
1.3 THE TACTICS 9
2.RISKS 14
3.COMPARISON BETWEEN HONEY POTS AND NIDS 15
4. APPLICATIONS 17
4.1 NETWORK DECOYS 17
4.2 DETECTING AND COUNTERING WORMS 17
5.FUTURE SCOPE 19
6.CONCLUSION 20
7.BIBLIOGRAPHY 21
18-03-2010, 12:03 PM
Post: #3
RE: honeypots seminar report

.doc  HONEYPOT REPORT.doc (Size: 248 KB / Downloads: 399)


Chapter 1
INTRODUCTION
The Internet is growing fast and doubling its number of websites every 53 days and the number of people using the internet is also growing. Hence, global communication is getting more important every day. At the same time, computer crimes are also increasing. Countermeasures are developed to detect or prevent attacks - most of these measures are based on known facts, known attack patterns. Countermeasures such as firewalls and network intrusion detection systems are based on prevention, detection and reaction mechanism; but is there enough information about the enemy
As in the military, it is important to know, who the enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasure scan be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network, but is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource of value to attackers.
A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just a primary purpose of a honeypot. There are a lot of other possibilities for a honeypot - divert hackers from productive systems or catch a hacker while conducting an attack are just two possible examples. They are not the perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, unexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
This paper will present the basic concepts behind honeypots and also the legal aspects of honeypots.
Chapter 2
HONEYPOT AND ITS TYPES
2.1 Basics
Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book The Cuckooâ„¢s Egg , and Bill Cheswick's paper "An Evening with Berferd. Since then, honeypots have continued to evolve, developing into the powerful security tools they are today.
Honeypots are neither like Firewalls that are used to limit or control the traffic coming into the network and to deter attacks neither is it like IDS (Intrusion Detection Systems) which is used to detect attacks. However it can be used along with these. Honeypots does not solve a specific problem as such, it can be used to deter attacks, to detect attacks, to gather information, to act as an early warning or indication systems etc. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. The basic definition of honeypots is:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
The main aim of the honeypot is to lure the hackers or attacker so as to capture their activities. This information proves to be very useful since information can be used to study the vulnerabilities of the system or to study latest techniques used by attackers etc. For this the honeypot will contain enough information (not necessarily real) so that the attackers get tempted. (Hence the name Honeypot “ a sweet temptation for attackers)Their value lies in the bad guys interacting with them. Conceptually almost all honeypots work they same. They are a resource that has no authorized activity, they do not have any production value.
Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that give honeypots their tremendous advantages (and disadvantages).A typical Honeypot is as shown in the figure.
Fig 2.1:A Honeypot
A Honeypot system is setup to be easier prey for intruders than true production systems but with minor system modifications so that their activity can be logged of traced. The general thought is that once an intruder breaks into a system, they will come back for subsequent visits. During these subsequent visits, additional information can be gathered and additional attempts at file, security and system access on the honeypot can be easily monitored and can be easily saved.
The common line of thought in setting up Honey Pot systems is that it is acceptable to use lies or deception when dealing with intruders. What this means to you when setting up a Honey Pot is that certain goals have to be considered.
Those goals are:
1. The Honey Pot system should appear as generic as possible. If you are deploying a Microsoft NT based system, it should appear to the potential intruder that the system has not been modified or they may disconnect before much information is collected.
2. You need to be careful in what traffic you allow the intruder to send back out to the Internet for you donâ„¢t want to become a launch point for attacks against other entities on the Internet. (One of the reasons for installing a Honey Pot inside of the firewall!)
3. You will want to make your Honey Pot an interesting site by placing "Dummy" information or make it appear as though the intruder has found an "Intranet" server, etc. Expect to spend some time making your Honey Pot appear legitimate so that intruders will spend enough time investigating and perusing the system so that you are able to gather as much forensic information as possible.
2.2 Types of honeypots
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To better understand honeypots and all the different types, they are broken down into categories depending on various aspects.
2.2.1 Classification based on their Deployment and based on their involvement.
¢ Production honeypots
¢ Research honeypots
2.2.1.1 Production honeypots
Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production server by organization to improve their over all state of security. Normally, production honeypots are low- interaction honeypots, which are easy to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risks in an organization. The honeypot adds value to the security measures of an organization.
2.2.1.2 Research honeypots
Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organization face., and to learn how to protect better against those threats. This information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information and are used primarily by research, military or government organization.
2.2.2 Classification based on their Interaction with intruder.
¢ low-interaction honeypots
¢ high-interaction honeypots.
Interaction defines the level of activity a honeypot allows an attacker.
2.2.2.1 low-interaction honeypots
Low-interaction honeypots have limited interaction, they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate a FTP login, or it may support a variety of additional FTP commands. The advantages of a low-interaction honeypot is their simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others. The main disadvantages with low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, its easier for an attacker to detect a low-interaction honeypot, no matter how good the emulation is, skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include BOF,Specter, Homemade honeypots and Honeyd
¢ BackOfficer Friendly
BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum and crew at NFR. It is an excellent example of a low interaction honeypot.
It is a great way to introduce a beginner to the concepts and value of honeypots. BOF is a program that runs on most Windows based operating system. All it can do is emulate some basic services, such as http, ftp, telnet, mail, or BackOrrifice. Whenever some attempts to connect to one of the ports BOF is listening to, it will then log the attempt. BOF also has the option of "faking replies", which gives the attacker something to connect to. This way one can log http attacks, telnet brute force logins, or a variety of other activity (Screenshot). The value in BOF is in detection, similar to a burglar alarm. It can monitor only a limited number of ports, but these ports often represent the most commonly scanned and targeted services.
¢ Specter
Specter is a commercial product and it is another 'low interaction' production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, not only can it emulate services, but emulate a variety of operating systems. Similar to BOF, it is easy to implement and low risk. Specter works by installing on a Windows system. The risk is reduced as there is no real operating system for the attacker to interact with. For example, Specter can emulate a web server or telnet server of the any operating system. When an attacker connects, it is then prompted with an http header or login banner. The attacker can then attempt to gather web pages or login to the system. This activity is captured and recorded by Specter, however there is little else the attacker can do. There is no real application for the attacker to interact with, instead just some limited, emulated functionality. Specters value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms. You can see an example of this functionality in a screen shot of Specter.
One of the unique features of Specter is that it also allows for information gathering, or the automated ability to gather more information about the attacker. Some of this information gathering is relatively passive, such as Whois or DNS lookups. However, some of this research is active, such as port scanning the attacker.
¢ Homemade Honeypots
Another common honeypot is homemade. These honeypots tend to be low interaction. Their purpose is usually to capture specific activity, such as Worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with, however the risk is reduced because there is less damage the attacker can do. One common example is creating a service that listens on port 80 (http) capturing all traffic to and from the port. This is commonly done to capture Worm attacks Homemade honeypots can be modified to do (and emulate) much more, requiring a higher level of involvement, and incurring a higher level of risk. For example, FreeBSD has a jail functionality, allowing an administrator to create a controlled environment within the operating system. The attacker can then interact with this controlled environment. The value here is the more the attacker can do, the more can be potentially learned. However, care must be taken, as the more functionality the attacker can interact with, the more can go wrong, with the honeypot potentially compromised.
¢ Honeyd
Created by Niels Provos, Honeyd is an extremely powerful, OpenSource honeypot. Designed to run on Unix systems, it can emulate over 400 different operating systems and thousands of different computers, all at the same time. Honeyd introduces some exciting new features. First, not only does it emulate operating systems at the application level, like Specter, but it also emulates operating systems at the IP stack level. This means when someone Nmaps the honeypot, both the service and IP stack behave as the emulated operating system. Currently no other honeypot has this capability (CyberCop Sting did have this capability, but is no longer available). Second, Honeyd can emulate hundreds if not thousands of different computers all at the same time. While most honeypots can only emulate one computer at any point in time, Honeyd can assume the identity of thousands of different IP addresses. Third, as an OpenSource solution, not only is it free to use, but it will expotentially grow as members of the security community develop and contribute code.
Fig 2.2: Working of a Honeyd
As shown in the figure 2.1, Honeyd monitors unused IP space (1).When an attacker (2) probes an unused IP, Honeyd detects the probe, takes over that IP via ARP spoofing, then creates a virtual honeypot (3) for the attacker to interact with (Honeyd can create multiple virtual honeypots to fool attackers on all unused addresses) .The attacker is fooled into thinking he is interacting with a successful hacked system (4).In addition, Honeyd automatically updates its list of unused IPs as systems are added or removed from the network.
Honeyd is primarily used for detecting attacks. It works by monitoring IP addresses that are unused, that have no system assigned to them. Whenever an attacker attempts to probe or attack an non-existant system, Honeyd, through Arp spoofing, assumes the IP address of the victim and then interacts with the attacker through emulated services. These emulates services are nothing more then scripts that react to predetermined actions. For example, a script can be developed to behave like a Telnet service for a Cisco router, with the Cisco IOS login interface. Honeyd's emulated services are also Open Source, so anyone can develop and use their own. The scripts can be written in almost any language, such as shell or Perl. Once connected, the attacker believes they are interacting with a real system. Not only can Honeyd dynamically interact with attackers, but it can detect activity on any port. Most low interaction honeypots are limited to detecting attacks only on the ports that have emulated services listening on. Honeyd is different, it detects and logs connections made to any port, regardless if there is a service listening. The combined capabilities of assuming the identity of non-existant systems, and the ability to detect activity on any port, gives Honeyd incredible value as a tool to detect unauthorized activity. I highly encourage people to check it out, and if possible to contribute new emulated services.
2.2.2.2 High-interaction honeypots
High-interaction honeypots are different, they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated, the attackers are given the real thing. If one wants a Linux honeypot running an FTP server, they build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, extensive amounts of information are captured. By giving attackers real systems to interact with, one can learn the full extent of the attackers behavior, everything from new rootkits to international IRC sessions. The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior one otherwise would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol . However, this also increases the risk of the honeypot as attackers can use these real operating system to attack non-honeypot systems. As result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Mantraps and Honeynets.
¢ Mantrap
Produced by Recourse, Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called 'jails'. These 'jails' are logically discrete operating systems separated from a master operating system. Security administrators can modify these jails just as they normally would with any operating system, to include installing applications of their choice, such as an Oracle database or Apache web server. This makes the honeypot far more flexible, as it can do much more. The attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, but we can capture rootkits, application level attacks, IRC chat session, and a variety of other threats. However, just as far more can be learned, so can more go wrong. Once compromised, the attacker can used that fully functional operating system to attack others. Care must be taken to mitigate this risk. As such, it can be categorized this as a mid-high level of interaction. Also, these honeypots can be used as either a production honeypot (used both in detection and reaction) or a research honeypot to learn more about threats. There are limitations to this solution. The biggest one is that we are limited to only what the vendor supplies us. Currently, Mantrap only exists on Solaris operating system.
¢ Honeynets
Honeynets represent the extreme of research honeypots.They are high interaction honeypots, one can learn a great deal, however they also have the highest level of risk.
Fig2.3: A honeynet
Their primary value lies in research, gaining information on threats that exist in the Internet community today. A Honeynet is a network of production systems. Unlike many of the honeypots discussed so far, nothing is emulated. Little or no modifications are made to the honeypots. The idea is to have an architecture that creates a highly controlled network, one where all activity is controlled and captured. Within this network we place our intended victims, real computers running real applications. The bad guys find, attack, and break into these systems on their own initiative. When they do, they do not realize they are within a Honeynet. This gives the attackers a full range of systems, applications, and functionality to attack. All of their activity, from encrypted SSH sessions to emails and files uploads, are captured without them knowing it. This is done by inserting kernel modules on the victim systems that capture all of the attacker's actions. From this we can learn a great deal, not only their tools and tactics, but their methods of communication, group organization, and motives. However, with this capability comes a great deal of risk. A variety of measures must be taken to ensure that once compromised, a Honeynet cannot be used to attack others. Honeynets do this using a Honeywall gateway. This gateway allows inbound traffic to the victim systems, but controls the outbound traffic using intrusion prevention technologies. This gives the attacker the flexibility to interact with the victim systems, but prevents the attacker from harming other non-Honeynet computers. Honeynets are primarily research honeypots. They could be used as production honeypots, specifically for detection or reaction, however it is most likely not worth the time and effort.
Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.
"A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discretely regulated."
We have reviewed six different types of honeypots. No one honeypot is better than the other, each one has its advantages and disadvantages, it all depends on what is to be achieved. To more easily define the capabilities of honeypots, we have categorized them based on their level of interaction. The greater interaction an attacker has, the more we can learn, but the greater the risk. For example, BOF and Specter represent low interactions honeypots. They are easy to deploy and have minimal risk. However, they are limited to emulating specific services and operating systems, used primarily for detection. Mantrap and Honeynets represent mid-to-high interaction honeypots. They can give far greater depth of information, however more work and greater risk is involved
Low-interaction
Solution emulates operating systems and services.
High-interaction
No emulation, real OS and services are provided.
¢ Easy to install and deploy.
¢ Captures limited amounts of information.
¢ Minimal risk, as the emulated services controls attackers . ¢ Can be complex to install or deploy
¢ Can capture far more information
¢ Increased risk, as attackers are provided real OS to interact with.
Some people also classify honeypots as low,mid and high interaction honeypots; where mid-interaction honeypots are those with their interaction level between that of low and high interaction honeypots.
2.2.3 Classification based on their physical presence in the network.
¢ Hardware based honeypots
¢ Software based honeypots.
2.2.3.1 Hardware based honeypots
Hardware-based honeypots are servers, switches or routers that have been partially disabled and made attractive with commonly known misconfigurations. They sit on the internal network, serving no purpose but to look real to outsiders. The operating system of each box, however has been subtly disabled with tweaks that prevent hackers from really taking it over or using it to launch new attacks on other servers.
2.2.3.2 Software emulation honeypots
Software emulation honeypots, on the other hand, are elaborate deception programs that mimic real Linux or other servers and can run on machines as low-power as a 233-MHz PC. Since an intruder is just dancing with a software decoy, at no time does he come close to actually seizing control of the hardware, no matter what the fake prompts seem to indicate. Even if the hacker figures out that it's a software honeypot, the box on which it's running should be so secure or isolated that he couldn't do anything but leave anyway.Software emulation might be more useful for corporate environments where business secrets are being safeguarded.
Chapter 3
VALUE OF HONEYPOTS
Now that we have understanding of two general categories of honeypots, we can focus on their value. Specifically, how we can use honeypots. Once again, we have two general categories, honeypots can be used for production purposes or research. When used for production purposes, honeypots are protecting an organization. This would include preventing, detecting, or helping organizations respond to an attack. When used for research purposes, honeypots are being used to collect information. This information has different value to different organizations. Some may want to be studying trends in attacker activity, while others are interested in early warning and prediction, or law enforcement. In general, low-interaction honeypots are often used for production purposes, while high-interaction honeypots are used for research purposes. However, either type of honeypot can be used for either purpose. Honeypots can help address both problems as they can quickly and easily be taken offline for a full forensic analysis without impacting day-to-day business operations. Also, because the only activity a honeypot captures is unauthorized or malicious activity, this makes hacked honeypots much easier to analyze than hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide is thus that they are able to quickly give organizations the in-depth information they need to rapidly and effectively respond to an incident. In general, high-interaction honeypots make the best solution for response purposes. To respond to intruders, you need in-depth knowledge on what they did, how they broke in, and what tools they used. For that type of data you most likely need the capabilities of a high-interaction honeypot. When used for production purposes, honeypots can protect organizations in one of three ways; prevention, detection, and response. We will take a more in-depth look at how a honeypot can work in all three.
1. Prevention: Honeypots can help prevent attacks in several ways. The first is against automated attacks, such as worms or auto-rooters. These attacks are based on tools that randomly scan entire networks looking for vulnerable systems. If vulnerable systems are found, these automated tools will then attack and take over the system (with worms self-replicating, copying themselves to the victim). One way that honeypots can help defend against such attacks is slowing their scanning down, potentially even stopping them. Called sticky honeypots, these solutions monitor unused IP space. When probed by such scanning activity, these honeypots interact with and slow the attacker down. They do this using a variety of TCP tricks, such as a Windows size of zero, putting the attacker into a holding pattern. This is excellent for slowing down or preventing the spread of a worm that has penetrated the internal organization. One such example of a sticky honeypot is LaBrea Tarpit. Sticky honeypots are most often low-interaction solutions (one can almost call them 'no-interaction solutions', as they slow the attacker down to a crawl ).
Honeypots can also be used to protect the organization from human attackers. The concept is deception or deterrence. The idea is to confuse an attacker, to make him waste his time and resources interacting with honeypots. Meanwhile, the organization being attacked would detect the attacker's activity and have the time to respond and stop the attacker.
This can be even taken one step farther. If an attacker knows an organization is using honeypots, but does not know which systems are honeypots and which systems are legitimate computers, they may be concerned about being caught by honeypots and decided not to attack your organizations. Thus the honeypot deters the attacker. An example of a honeypot designed to do this is Deception Toolkit, a low-interaction honeypot.
2. Detection: The second way honeypots can help protect an organization is through detection. Detection is critical, its purpose is to identify a failure or breakdown in prevention. Regardless of how secure an organization is, there will always be failures, if for no other reasons then humans are involved in the process. By detecting an attacker, you can quickly react to them, stopping or mitigating the damage they do. Traditionally, detection has proven extremely difficult to do. Technologies such as IDS sensors and systems logs have proved ineffective for several reasons. They generate far too much data, large percentage of false positives (i.e. alerts that were generated when the sensor recognized the configured signature of an "attack", but in reality was just valid traffic), inability to detect new attacks, and the inability to work in encrypted or IPv6 environments. Honeypots excel at detection, addressing many of these problems of traditional detection. Since honeypots have no production activity, all connections to and from the honeypot are suspect by nature. By definition, anytime a connection is made to the honeypot, this is most likely an unauthorized probe, scan, or attack. Anytime the honeypot initiates a connection, this most likely means the system was successfully compromised. This helps reduce both false positives and false negatives greatly simplifying the detection process by capturing small data sets of high value, it also captures unknown attacks such as new exploits or polymorphic shellcode, and works in encrypted and IPv6 environments. In general, low-interaction honeypots make the best solutions for detection. They are easier to deploy and maintain then high-interaction honeypots and have reduced risk.
3. Response : The third and final way a honeypot can help protect an organization is in reponse. Once an organization has detected a failure, how do they respond This can often be one of the greatest challenges an organization faces. There is often little information on who the attacker is, how they got in, or how much damage they have done. In these situations detailed information on the attacker's activity are critical. There are two problems compounding incidence response. First, often the very systems compromised cannot be taken offline to analyze. Production systems, such as an organization's mail server, are so critical that even though its been hacked, security professionals may not be able to take the system down and do a proper forensic analysis. Instead, they are limited to analyze the live system while still providing production services. This cripples the ability to analyze what happened, how much damage the attacker has done, and even if the attacker has broken into other systems. The other problem is even if the system is pulled offline, there is so much data pollution it can be very difficult to determine what the bad guy did. By data pollution, I mean there has been so much activity (user's logging in, mail accounts read, files written to databases, etc) it can be difficult to determine what is normal day-to-day activity, and what is the attacker. Honeypots can help address both problems. Honeypots make an excellent incident resonse tool, as they can quickly and easily be taken offline for a full forensic analysis, without impacting day-to-day business operations. Also, the only activity a honeypot captures is unauthorized or malicious activity. This makes hacked honeypots much easier to analyze then hacked production systems, as any data you retrieve from a honeypot is most likely related to the attacker. The value honeypots provide here is quickly giving organizations the in-depth information they need to rapidly and effectively respond to an incident. In general, high-interaction honeypots make the best solution for response.
Chapter 4
IMPLEMENTATION
Honeypot Location
A honeypot does not need a certain surrounding environment as it is a standard server with no special needs.A honeypot can be placed anywhere a server could be placed. But certainly, some places are better for certain approaches as others.
A honeypot can be used on the Internet as well as the intranet, based on the needed service. Placing a honeypot on the intranet can be useful if the detection of some bad guys inside a private network is wished. It is especially important to set the internal thrust for a honeypot as low as possible as this system could be compromised, probably without immediate knowledge.
Honey Pots can be setup inside, outside or in the DMZ of a firewall design or even in all of the locations although they are most often deployed inside of a firewall for control purposes. In a sense, they are variants of standard Intruder Detection Systems (IDS) but with more of a focus on information gathering and deception.
If the main concern is the Internet, a honeypot can be placed at two locations:
¢ In front of the firewall (Internet)
¢ DMZ
¢ Behind the firewall (intranet)
Each approach has its advantages as well as disadvantages. Sometimes it is even impossible to choose freely as placing a server in front of a firewall is simply not possible or not wished.
By placing the honeypot in front of a firewall , the risk for the internal network does not increase. The danger of having a compromised system behind the firewall is eliminated. A honeypot will attract and generate a lot of unwished traffic like portscans or attack patterns. By placing a honeypot outside the firewall, such events do not get logged by the firewall and an internal IDS system will not generate alerts. Otherwise, a lot of alerts would be generated on the firewall or IDS.Probably the biggest advantage is that the firewall or IDS, as well as any other resources, have not to be adjusted as the honeypot is outside the firewall and viewed as any other machine on the external network. The disadvantage of placing a honeypot in front of the firewall is that internal attackers cannot be located or trapped that easy, especially if the firewall limits outbound traffic and therefore limits the traffic to the honeypot.
Placing a honeypot inside a DMZ seems a good solution as long as the other systems inside the DMZ can be secured against the honeypot. Most DMZs are not fully accessible as only needed services are allowed to pass the firewall. In such a case,placing the honeypot in front of the firewall should be favored as opening all corresponding ports on the firewall is too time consuming and risky.
A honeypot behind a firewall can introduce new security risks to the internal network, especially if the internal network is not secured against the honeypot through additional firewalls. This could be a special problem if the IPâ„¢s are used for authentication. It is important to distinguish between a setup where the firewall enables access to the honeypot or where access from the Internet is denied. By placing the honeypot behind a firewall, it is inevitable to adjust the firewall rules if access from the Internet should be permitted. The biggest problem arises as soon as the internal honeypot is compromised by an external attacker. He gains the possibility to access the internal network through the honeypot. This traffic will be unstopped by the firewall as it is regarded as traffic to the honeypot only, which in turn is granted. Securing an internal honeypot is therefore mandatory, especially if it is a high-involvement honeypot. With an internal honeypot it is also possible to detect a misconfigured firewall which forwards unwanted traffic from the Internet to the internal network. The main reason for placing a honeypot behind a firewall could be to detect internal attackers.
The best solution would be to run a honeypot in its own DMZ, therefore with a preliminary firewall. The firewall could be connected directly to the Internet or intranet, depending on the goal. This attempt enables tight control as well as a flexible environment with maximal security.
How does a Honeypot Gather Information
Obviously a honeypot must capture data in an area that is not accessible to an attacker. Data capture happens on a number of levels.
Firewall Logs”A Packet Sniffer (or similar IDS sensor)”The IDS should be configured to passively monitor network traffic (for an added level of invisibility, one might set the system up to have no IP address or, in some instances, the sniffer could be configured to completely lack an IP stack). This will capture all cleartext communication, and can read keystrokes.
Local and Remote Logs”These should be set up just as it would on any other system, and will possibly be disabled, deleted, or modified by an experienced hacker, but plenty of useful information will still be available from all the previous captured methods.
Remotely Forwarded Logs”Will capture data on a remote log and then instantly forward the data to a system even further out of the range of the attacker,so that the attacker cannot be warned that all his activities are watched or try to modify the captured data.
Limiting Outbound Attacks
To protect oneself from any sort of third party liabilities, an individual deploying a honeypot will likely want some kind of safeguard. Firewalls can be configured to let an unlimited number of inbound connections, while limiting outbound connections to a specific number (be it 10 outbound connections, or 50). This method lacks flexibility, and could shut an attacker out at a critical point (in the middle of an IRC session, or before they have retrieved all of their tools). A more flexible option is as follows: a system configured as a layer 2 bridge (which will lack all TCP activity, thus being harder to detect). The system can be configured to monitor all activity and can utilize a signature database to distinguish a known attack from any non-aggressive activity (and instead of blocking the attack, it can simply add some data to the packet to render it ineffectual). It can also throttle bandwidth (to quench a DDoS attack). This is a very effective way to protect other systems; however, limiting outbound attacks will not block new attacks.
Putting the Honey into the Pot
An advanced honeypot is a fully functional OS, and therefore can be filled with financial information, e-mails with passwords for other honeypots, databases of fake customers anything that might motivate an attacker to compromise the system. An individual could set up a web server that explains that the law services of so and so and so and so from San Francisco are currently setting up their systems to do online consultation for big banks and other big businesses. A whole network of honeypots sits in a secure environment behind a firewall that an attacker would need to break through. The network might have loads of fake data and e-mail; a large playing field for an advanced hacker to wander through.
Chapter 5
MERITS , DEMERITS AND LEGAL ISSUES
5.1 Merits
Honeypots have a large number of merits in its favour. They are :
¢ Small data sets of high value: Honeypots collect small amounts of information. Instead of logging a one GB of data a day, they can log only one MB of data a day. Instead of generating 10,000 alerts a day, they can generate only 10 alerts a day. Remember, honeypots only capture bad activity, any interaction with a honeypot is most likely unauthorized or malicious activity. As such, honeypots reduce 'noise' by collectin only small data sets, but information of high value, as it is only the bad guys. This means its much easier (and cheaper) to analyze the data a honeypot collects and derive value from it.
¢ New tools and tactics: Honeypots are designed to capture anything thrown at them, including tools or tactics never seen before.
¢ Minimal resources: Honeypots require minimal resources, they only capture bad activity. This means an old Pentium computer with 128MB of RAM can easily handle an entire class B network sitting off an OC-12 network.
¢ Encryption or IPv6: Unlike most security technologies (such as IDS systems) honeypots work fine in encrypted or IPv6 environments. It does not matter what the bad guys throw at a honeypot, the honeypot will detect and capture it.
¢ Information: Honeypots can collect in-depth information that few, if any other technologies can match.
¢ Simplicty: Finally, honeypots are conceptually very simple. There are no fancy algorithms to develop, state tables to maintain, or signatures to update. The simpler a technology, the less likely there will be mistakes or misconfigurations.
5.2 Demerits
Like any technology, honeyopts also have their weaknesses. It is because of this they do not replace any current technology, but work with existing technologies.
¢ Limited view: Honeypots can only track and capture activity that directly interacts with them. Honeypots will not capture attacks against other systems, unless the attacker or threat interacts with the honeypots also.
¢ Risk: All security technologies have risk. Firewalls have risk of being penetrated, encryption has the risk of being broken, IDS sensors have the risk of failing to detect attacks. Honeypots are no different, they have risk also. Specifically, honeypots have the risk of being taken over by the bad guy and being used to harm other systems. This risk various for different honeypots. Depending on the type of honeypot, it can have no more risk then an IDS sensor, while some honeypots have a great deal of risk.
5.3 Legal issues
In the past there has been some confusion on what are the legal issues with honeypots. There are several reasons for this. First, honeypots are relatively new. Second, honeypots come in many different shapes and sizes and accomplish different goals. Based on the different uses of honeypots different legal issues apply. Last, there are no precedents for honeypots. There are no legal cases recorded on the issues. The law is developed through cases. Without cases directly on point, we are left trying to predict, based on cases in other contexts, how courts will treat honeypots. Until a judge gives a court order, we will really never know.
With honeypots, there are three main issues that are commonly discussed: entrapment, privacy, and liability.
¢ Liability: You can potentially be held liable if your honepyot is used to attack or harm other systems or organizations. This risk is the greatest with Research honeypots.
¢ Privacy: Honeypots can capture extensive amounts of information about attackers, which can potentially violate their privacy. Once again, this risk is primarily with Research honeypots. However in case of honeypot there is exemption. It means that security technologies can collect information on people (and attackers), as long as that technology is being used to protect or secure your environment. In other words, these technologies are now exempt from privacy restrictions. For example, an IDS sensor that is used for detection and captures network activity is doing so to detect (and thus enable organizations to respond to) unauthorized activity. Such a technology is most likely not considered a violation of privacy.
¢ Entrapment: For some odd reason, many people are concerned with the issue of entrapment. Entrapment, by definition is "a law-enforcement officer's or government agent's inducement of a person to commit a crime, by means of fraud or undue persuasion, in an attempt to later bring a criminal prosecution against that person." Think about it, entrapment is when you coerce or induce someone to do something they would not normally do. Honeypots do not induce anyone. Attackers find and break into honeypots on their own initiative. People often question the idea of creating targets of high value, for example honeypots that are ecommerce sites or advertised as having government secrets. Even then, such honeypots are most likely not a form of entrapment as you are not coercing them into breaking into the honeypot. The bad guy has already decided to commit unauthorized activity, one is merely providing a different target for the blackhat to attack. Therefore, in most cases involving honeypots, entrapment is not an issue.
Chapter 6
CONCLUSION AND FUTURE SCOPE
6.1 Conclusion
This paper has given an in depth knowledge about honeypots and their contributions to the security community. A honeypot is just a tool. How one uses this tool is upto them.
Honeypots are in their infancy and new ideas and technologies will surface in the next time. At the same time as honeypots are getting more advanced, hackers will also develop methods to detect such systems. A regular arms race could start between the good guys and the blackhat community.
Letâ„¢s hope that such a technology will be used to restore the peace and prosperity of the world and not to give the world a devastating end.
6.2 Future scope
Mr. Lance spitzner who has played a major role in the development of honeypots has made certain predictions about the future of honeypots. They are as follows:
¢ Government projects: Currently honeypots are mainly used by organizations, to detect intruders within the organization as well as against external threats and to protect the organization. In future, honeypots will play a major role in the government projects, especially by the military, to gain information about the enemy, and those trying to get the government secrets.
¢ Ease of use: In future honeypots will most probably appear in prepackaged solutions, which will be easier to administer and maintain. People will be able to install and develop honeypots at home and without difficulty.
¢ Closer integration: Currently honeypots are used along with other technologies such as firewall, tripwire, IDS etc. As technologies are developing, in future honeypots will be used in closer integration with them. For example honeypots are being developed for WI-FI or wireless computers. However the development is still under research.
¢ Specific purpose: Already certain features such as honeytokens are under development to target honeypots only for a specific purpose. Eg: catching only those attempting credit card fraud etc.
Honeypots will be used widely for expanding research applications in future.


CONTENTS
CHAPTER 1: INTRODUCTION 1
CHAPTER 2: HONEYPOT AND ITS TYPES 3
2.1: Basics 3
2.2 :Tyes of honeypots 5
2.2.1: Classification based on their deployment and
involvement 5
2.2.2 :Classification based on their interaction with
intruder 6
2.2.3 :Classification based on their physical presence 13
CHAPTER 3: VALUE OF HONEYPOT 15
CHAPTER 4: IMPLEMENTATION 19
CHAPTER 5: MERITS , DEMERITS AND LEGAL ISSUES 23
5.1 Merits 23
5.2 Demerits 24 5.3 Legal issues 24
CHAPTER 6: CONCLUSION AND FUTURE SCOPE 26
6.1 Conclusion 26
6.2 Future Scope 26

REFERENCES
ABSTRACT
Honeypot is an exciting new technology with enormous potential for the security community. It is a resource which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques.
They are a highly flexible tool that comes in many shapes and sizes. This paper deals with understanding what a honeypot actually is ,and how it works.
There are different varieties of honeypots. Based on their category they have different applications. This paper gives an insight into the use of honeypots in productive as well as educative environments.
This paper also discusses the advantages and disadvantages of honeypots, and what the future hold in store for them.
REFERENCES
¢ Spitzner, Lance.
Honeypots Tracking Hackers. Addison-Wesley: Boston,2002
¢ Spitzner, Lance.
The value of Honeypots, Part Two:Honeypot Solutions and legal Issues 10Nov.2002
<http://online.securityfocusinfocus/1498>
¢ Spitzner, Lance.
Know Your Enemy: Honeynets. 18 Sep.2002.
<http://project.honeynetpapers/honeynet/>.
¢ Honeypots-Turn the table on hackers 30 jun.2003 <www.itmanagement.earthwebsecu/article.php/143 6291>
¢ <www.tracking-hackers.com >
¢ Posted By: Brian Hatch
Honeypots”What the Hell are They Published By: NewOrder ,1/6/2003 11:36
<www.linuxsecurity.com>

.ppt  HONEYPOT.ppt (Size: 209.5 KB / Downloads: 606)

Honeypots
Introduction


Honeypot is an Internet-attached server that acts as a trap, luring in potential hackers in order to study their activities and monitor how they are able to break into a system

3 main features of Honeypots

The virtual system should look as real as possible to attract intruders.
The virtual system should be frequently watched
The virtual system should look and feel like a regular system
Classifications of Honeypots
Classification is based on their deployment and based on their level of involvement

Production honeypots
Research honeypots




Classification is based on their interaction with the intruder


Low-interaction
High-interaction

Note: Interaction measures the amount of activity an attacker can have with a honeypot.

Difference between Low-Interaction & High Interaction Honeypots
Types of Low-Interaction Honeypots
Back Officer Honeypots [BOF]
Specter
Home made Honeypots
Honeyd

Back Officer Friendly [BOF]

Simple but highly useful honeypot
Itâ„¢s a program which runs on all windows operating systems.
It emulates some services like http, ftp, telnet etc.
It provides faking replies.
Acts as an burglar alarm.
Monitors limited number of ports which are commonly scanned and targeted.
Specter
Commercial product similar to BOF.
Can emulate far greater range of services and functionalities compared to BOF.
Can also emulate a variety of operating system.
Value lies in detection.
It also gathers lots of information on the attacker.

Home made Honeypots
Captures specific activities like worms or scanning activities.
There is no much interaction with the attacker.
Also there is less damage done to the network by the attacker.
Can be modified depending on the requirement.
Honeyd
Honeyd is an extremely powerful, OpenSource honeypot.
It emulate operating systems at the application level
It also emulates operating systems at the IP stack level
Honeyd can emulate hundreds if not thousands of different computers all at the same time.
Not only is it free to use, but it will exponentially grow as members of the security community develop and contribute code.

Types of High-Interaction Honeypots

Mantrap
Honeynets
Mantrap
Does not emulates services.
Instead creates up to four sub-systems, often called 'jails'
New applications can be added like database or a web server to create a complete virtual system.
Along with port scan, protocol login, also detects application level attacks, chat sessions etc.
These honeypots can be used as either a production honeypot or a research honeypot
Honeynets
A Honeynet is a network of production systems

Value of Honeypots

Honeypots can protect organizations in one of three ways
Prevention
Detection
Response

Implementation

A honeypot does not need a certain surrounding environment as it is a standard server with no special needs
If the main concern is the Internet, a honeypot can be placed at two locations:
* In front of the firewall (Internet)
* DMZ (DeMilitarized Zone)
* Behind the firewall (intranet)
Advantages

Based on how honeypots conceptually work, they have several advantages.
Small data sets of high value
New tools and tactics
Minimal resources
Encryption
Information
Simplicity

Disadvantages

Based on the concept of honeypots, they also have disadvantages:
* Narrow Field of View
* Risk

Legal issues

There are three main issues that are commonly discussed:
* Liability
* Privacy
* Entrapment

Future of Honeypots
Government projects
Ease of use
Closer integration
Specific purpose

Conclusion

Honeypots are an extremely effective tool for observing hacker movements as well as preparing the system for future attacks
References
Spitzner, Lance.Honeypots Tracking Hackers. Addison-Wesley: Boston,2002
Spitzner, Lance. The value of Honeypots, Part Two:Honeypot Solutions and legal Issues 10Nov.2002
http://online.securityfocusinfocus/1498
Spitzner, Lance. Know Your Enemy: Honeynets. 18 Sep. 2002.
http://project.honeynetpapers/honeynet/.
Thank you
Production Honeypots
Easy to use
Capture only limited information
Used by companies or corporations
Mitigates risks in organization
Research Honeypots
Complex to deploy and maintain.
Captures extensive information.
Run by a volunteer, non profit research organization, educational institute, military.
Used to research the threats organization face.
Low-Interaction Honeypots
Limited interaction with the intruder.
They work by emulating services and operating systems.
Easier to deploy and maintain.

High-Interaction Honeypots

They are complex
They involve real operating systems and applications.
Extensive amount of information is captured.
Hardware-based Honeypots
Hardware devices like servers, switches or routers are partially disabled and used as honeypots.
Though they look like real systems, intruders cannot use them to launch attacks on other servers.
Software emulation Honeypots
They are elaborate deception programs.
They mimic real servers.
Useful for corporate environment to safeguard business secrets
Prevention
Aim: Keeping the burglar out of your house.
Protects the organization from human attackers.
Prevention is done by confusing the attacker, waste his time while organization detects the attackerâ„¢s activity.


Detection

Detecting the burglar when he breaks in.
Purpose is to identify failure or breakdown in prevention.
Honeypots excel at this capability, due to their advantages.
Low interaction honeypots are best, since they are easier to deploy.

Response

Honeypots make excellent responders.
They can be quickly taken offline for a full forensic analysis.
Gives in-depth information to the organization about the intruder.
Questions???

Please Use Search http://seminarprojects.com/search.php wisely To Get More Information About A Seminar Or Project Topic
28-09-2010, 09:34 AM
Post: #4
Thumbs Up RE: honeypots seminar report

.ppt  Honey nets Detecting Insider Threats.ppt (Size: 405 KB / Downloads: 307)
INTRODUCTION
in·sid·er n.
An accepted member of a group.
One who has special knowledge or access to confidential information.

Network, System, and Database Administrators
Employees and Contractors
Business Partners

How can being an accepted member of the group be used by an insider?

Leverage existing credentials on valuable systems.
Sniff clear text protocols to obtain valid credentials.
Use valid accounts to exploit unpatched local vulnerabilities to escalate privileges.
System Administrators can obviously access any sensitive information on the machines.
Companies typically focus on external threats.
Less secure intranet web applications and databases.
Ability to share internal data easily often more important that to share data securely.


13-10-2010, 11:16 AM
Post: #5
RE: honeypots seminar report

.doc  477.doc (Size: 68 KB / Downloads: 191)

honeypots seminar report


honeypots seminar report.doc (Size: 479.5 KB / Downloads: 393)
ABSTRACT
Honeypot is an exciting new technology with enormous potential for the security community.It is resource which is intended to be attacked and compromised to gain more information about the attacker and his attack techniques.
They are a highly flexible tool that comes in many shapes and sizes. This paper deals with understanding what a honeypot actually is ,and how it works.
There are different varieties of honeypots. Based on their category they have different applications. This paper gives an insight into the use of honeypots in productive as well as educative environments.
This paper also discusses the advantages and disadvantages of honeypots , and what the future hold in store for them.

INTRODUCTION
The Internet is growing fast and doubling its number of websites every 53 days and the number of people using the internet is also growing. Hence, global communication is getting more important every day. At the same time, computer crimes are also increasing. Countermeasures are developed to detect or prevent attacks - most of these measures are based on known facts, known attack patterns. Countermeasures such as firewalls and network intrusion detection systems are based on prevention, detection and reaction mechanism; but is there enough information about the enemy?
As in the military, it is important to know, who the enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasure scan be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just a primary purpose of a honeypot. There are a lot of other possibilities for a honeypot - divert hackers from productive systems or catch a hacker while conducting an attack are just two possible examples. They are not the perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, unexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
This paper will present the basic concepts behind honeypots and also the legal aspects of honeypots.
HONEYPOT BASICS
Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book “The Cuckoo’s Egg” , and Bill Cheswick's paper "An Evening with Berferd”. Since then, honeypots have continued to evolve, developing into the powerful security tools they are today.
Honeypots are neither like Firewalls that are used to limit or control the traffic coming into the network and to deter attacks neither is it like IDS (Intrusion Detection Systems) which is used to detect attacks. However it can be used along with these. Honeypots does not solve a specific problem as such, it can be used to deter attacks, to detect attacks, to gather information, to act as an early warning or indication systems etc. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. The basic definition of honeypots is:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
The main aim of the honeypot is to lure the hackers or attacker so as to capture their activities. This information proves to be very useful since information can be used to study the vulnerabilities of the system or to study latest techniques used by attackers etc. For this the honeypot will contain enough information (not necessarily real) so that the attackers get tempted. (Hence the name Honeypot – a sweet temptation for attackers)Their value lies in the bad guys interacting with them. Conceptually almost all honeypots work they same. They are a resource that has no authorized activity, they do not have any production value.
Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that give honeypots their tremendous advantages (and disadvantages).
TYPES OF HONEYPOTS
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To better understand honeypots and all the different types, they are broken down into two general categories, low-interaction and high-interaction honeypots. These categories helps to understand what type of honeypot one is dealing with, its strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an attacker.
Low-interaction honeypots have limited interaction, they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate a FTP login, or it may support a variety of additional FTP commands. The advantages of a low-interaction honeypot is their simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others. The main disadvantages with low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, its easier for an attacker to detect a low-interaction honeypot, no matter how good the emulation is, skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
High-interaction honeypots are different, they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated, the attackers are given the real thing. If one wants a Linux honeypot running an FTP server, they build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, extensive amounts of information are captured. By giving attackers real systems to interact with, one can learn the full extent of the attackers behavior, everything from new rootkits to international IRC sessions. The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior one otherwise would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol . However, this also increases the risk of the honeypot as attackers can use these real operating system to attack non-honeypot systems. As result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.


http://www.seminarprojectsThread-honey-pot--2657
15-11-2010, 05:29 PM
Post: #6
RE: honeypots seminar report
plzz send me the complete documentaion....
plzz send me the complete doc of honeypots..
04-01-2011, 10:35 PM
Post: #7
RE: honeypots seminar report
thanks for the information it is so useful...
06-01-2011, 11:24 AM
Post: #8
RE: honeypots seminar report
you are welcome...
24-02-2011, 02:45 PM
Post: #9
RE: honeypots seminar report
presented by:
Lance Spitzner


.ppt  honeypots-0.2.ppt (Size: 515 KB / Downloads: 239)
Honeypots
Problem

• Variety of misconceptions about honeypots, everyone has their own definition.
• This confusion has caused lack of understanding, and adoption.
Honeypot Timeline
• 1990/1991 The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
• 2002 - dtspcd exploit capture
Definition
Any security resource who’s value lies in being probed, attacked, or compromised
How honeypots work
• Simple concept
• A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
Not limited to specific purpose
• Honeypots do not solve a specific problem, instead they are a tool that contribute to your overall security architecture.
• Their value, and the problems they help solve, depend on how build, deploy, and you use them
Types
• Production (Law Enforcment)
• Research (Counter-Intelligence)
26-02-2011, 03:29 PM
Post: #10
RE: honeypots seminar report

.ppt  honeypots.ppt (Size: 4.52 MB / Downloads: 391)
HoneyPots
• The Internet security is hard
– New attacks every day
– Our computers are static targets
• What should we do?
• The more you know about your enemy, the better you can protect yourself
• Fake target?
• Fake Target
• Collect Infomation
History of Honeypots
• 1990/1991 The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
Definition
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
• Has no production value; anything going to/from a honeypot is likely a probe, attack or compromise
• Used for monitoring, detecting and analyzing attacks
• Does not solve a specific problem. Instead, they are a highly flexible tool with different applications to security.
Classification
• By level of interaction
• High
• Low
• Middle?
• By Implementation
• Virtual
• Physical
• By purpose
• Production
• Research
Level of Interaction
• Low Interaction
• Simulates some aspects of the system
• Easy to deploy, minimal risk
• Limited Information
• Honeyd
• High Interaction
• Simulates all aspects of the OS: real systems
• Can be compromised completely, higher risk
• More Information
• Honeynet
Physical V.S. Virtual Honeypots
• Two types
– Physical
• Real machines
• Own IP Addresses
• Often high-interactive
– Virtual
• Simulated by other machines that:
– Respond to the traffic sent to the honeypots
– May simulate a lot of (different) virtual honeypots at the same time
Production HPs: Protect the systems
• Prevention
• Keeping the bad guys out
• not effective prevention mechanisms.
• Deception, Deterence, Decoys do NOT work against automated attacks: worms, auto-rooters, mass-rooters
• Detection
• Detecting the burglar when he breaks in.
• Great work
• Response
• Can easily be pulled offline
• Little to no data pollution
18-03-2011, 11:08 AM
Post: #11
RE: honeypots seminar report

.ppt  Honeypots.ppt (Size: 63 KB / Downloads: 228)
Honeypots
Building Honeypots

Commercial honeypots-emulating services
• Specter,Honeyed,Deception Toolkit.
Setting up of dedicated firewall (data control device)
Data collecting devices
• Firewall logs
• System logs
• Packet sniffers
• IDS logs
Stand alone Honeypots
 Easy to set up and no limit on any operating system installation
 Disadvantages
• Sub-optimal utilisation of computational resourses
• Reinstallation of polluted system is difficult
• Difficulty in Monitoring of such systems in a safe way
Virtual honeypots
 Virtual machines Allows different os to run at the same time on same machine
 Honeypots are guests on top of another OS
 We can implement guest OS on host OS in 2 ways
• Rawdisc-actual disc partition
• Virtual disc-file on host file system
Advantages
• Can peek into guest operating system at anytime.
• Reinstallation of contaminated guest is also easy
• And it is cheaper way
Disadvantages
• detecting the honeypot is easy.
Building honeypot with UML
 UML allows you to run multiple instances of Linux on the same system at the same time.
 The UML kernel receives system calls from its applications and sends/requests them to the Host kernel
 UML has many capabilities, among them
• It can log all the keystrokes even if the attacker uses encryption
• It reduces the chance of revealing its identity as honeypot
• makes UML kernel data secure from tampering by its processes.
Firewall rules
 variables
Scale = “day”
Tcprate=“15”
Udprate = “20”
Icmprate= “50”
Otherrate=“10”
$laniface-internal lan interface to firewall
$ethiface-ethernet interface to outside from firewall
 Iptables –F
 Iptables -N tcpchain
 Iptables –N udpchain
 iptables –N icmpchain
 Iptables –N otherchain
 Inbound traffic
 For broadcasting and netBIOS information
 Iptables –A FORWARD –s honeypot –d 255.255.255.255 –j LOG –-log-prefix “broadcast”
 Iptables –A FORWARD –s honeypot –d 255.255.255.255 –j ACCEPT
 Inbound TCP
 Iptables –A FORWARD –d honeypot –p tcp –m state -–state NEW –j LOG –log-prefix “tcpinbound”
 Iptables –A FORWARD –d honeypot –p tcp –m state –- state NEW –j ACCEPT
 inplace of tcp use udp ,icmp for respective data.
for established connections
 Iptables –A FORWARD –d honeypot –j ACCEPT
Outbound traffic
DHCP requests
 Iptables – FORWARD -s honeypot –p udp –sport 68 –d 255.255.255.255 –dport 67 –j LOG –-log-prefix “dhcp request”
 Iptables – FORWARD -s honeypot –p udp –sport 68 –d 255.255.255.255 –dport 67 –j ACCEPT
DNS requests
 Iptables –A FORWARD –p udp –s host –d server –dport 53 –j LOG –-log-prefix “DNS”
 Iptables –A FORWARD –p udp –s host –d server –dport 53 –j ACCEPT
honeypots talking to each other
 Iptables –A FORWARD –i $laniface –o $laniface –j LOG -–log-prefix “ honeypot to honeypot”
 Iptables –A FORWARD –i $laniface –o $laniface –j ACCEPT
Counting and limiting the the outbound traffic
 Iptables -A FORWARD –p tcp –m state -–state NEW –m limit –-limit $tcprate/$scale -–limit –burst $tcprate –s honeypot –j tcpchain
 Iptables _a FORWARD –p tcp –m state -–state NEW –m limit –-limit 1/$scale –-limit–burst 1 –s honeypot –j LOG --log-prefix “drop after $tcprate attempts”
 Iptables – A FORWARD –p tcp –s honeypot –m state –-state NEW –s $host –j DROP
For related information of a connection
 Iptables – A FORWARD –p tcp –m state –-state RELATED –s $host –j tcpchain
Same rules goes for UDP and icmp otherdata also to allow all the packets from the established connection to outside
 Iptables –A FORWARD –s honeypot –m state -–state RELATED ESTABLISHED –j ACCEPT
TCPchain
 Iptables –A tcpchain –j ACCEPT
UDP chain
 Iptables –A udpchain –j ACCEPT
ICMP chain
 Iptables –A icmpchain –j ACCEPT
other chain
 Iptables –A otherchain –j ACCEPT
 Iptables –A INPUT –m state -–state RELATED,ESTABLISHED –j ACCEPT
Firewall talking to itself
 Iptables –A INPUT –i lo –j ACCEPT
 Iptables –A OUTPUT –o lo –j ACCEPT
Default policies
 Iptables –P INPUT DROP
 Iptables –p OUTPUT ACCEPT
 Iptables –P FORWARD DROP
19-03-2011, 04:34 PM
Post: #12
RE: honeypots seminar report
PRESENTED BY:
‘Lance Spitzner


.ppt  honeypots-0.2.ppt (Size: 515 KB / Downloads: 161)
Purpose
To introduce you to honeypots, what they are, how they work, their value.
Problem
• Variety of misconceptions about honeypots, everyone has their own definition.
• This confusion has caused lack of understanding, and adoption.
Honeypot Timeline
• 1990/1991 The Cuckoo’s Egg and Evening with Berferd
• 1997 - Deception Toolkit
• 1998 - CyberCop Sting
• 1998 - NetFacade (and Snort)
• 1998 - BackOfficer Friendly
• 1999 - Formation of the Honeynet Project
• 2001 - Worms captured
• 2002 - dtspcd exploit capture
Definition
Any security resource who’s value lies in being probed, attacked, or compromised
• How honeypots work
Simple concept
• A resource that expects no data, so any traffic to or from it is most likely unauthorized activity
• Not limited to specific purpose
• Honeypots do not solve a specific problem, instead they are a tool that contribute to your overall security architecture.
• Their value, and the problems they help solve, depend on how build, deploy, and you use them.
Types
• Production (Law Enforcment)
• Research (Counter-Intelligence)
Marty’s idea
• Value
What is the value of honeypots?
• One of the greatest areas of confusion concerning honeypot technologies.
Advantages
• Based on how honeypots conceptually work, they have several advantages.
– Reduce False Positives and False Negatives
– Data Value
– Resources
– Simplicity
– Disadvantages
• Based on the concept of honeypots, they also have disadvantages:
– Narrow Field of View
– Fingerprinting
– Risk
• Production
• Prevention
• Detection
• Response
Prevention
• Keeping the burglar out of your house.
• Honeypots, in general are not effective prevention mechanisms.
• Deception, Deterence, Decoys, are phsychological weapons. They do NOT work against automated attacks:
– worms
– auto-rooters
– mass-rooters
Detection
• Detecting the burglar when he breaks in.
• Honeypots excel at this capability, due to their advantages.
Response
• Honeypots can be used to help respond to an incident.
– Can easily be pulled offline (unlike production systems.
– Little to no data pollution.
Research Honeypots
• Early Warning and Prediction
• Discover new Tools and Tactics
• Understand Motives, Behavior, and Organization
• Develop Analysis and Forensic Skills
• Early Warning and Prediction
• Tools
Tactics
• Motives and Behavior
• Level of Interaction
• Level of Interaction determines amount of functionality a honeypot provides.
• The greater the interaction, the more you can learn.
• The greater the interaction, the more complexity and risk.
Risk
• Chance that an attacker can use your honeypot to harm, attack, or infiltrate other systems or organizations.
Low Interaction
• Provide Emulated Services
• No operating system for attacker to access.
• Information limited to transactional information and attackers activities with emulated services.
High Interaction
• Provide Actual Operating Systems
• Learn extensive amounts of information.
• Extensive risk.
Honeypots
• BackOfficer Friendly
http://www.nfrproducts/bof/
• SPECTER
http://www.specter.com
• Honeyd
http://www.citi.umich.edu/u/provos/honeyd/
• ManTrap
http://www.recourse.com
• Honeynets
http://project.honeynetpapers/honeynet/
• BackOfficer Friendly
• Specter
• Honeyd
• ManTrap
• Honeynets
• Which is best?
None, they all have their advantages and disadvantages. It depends on what you are attempting to achieve.
• Legal Issues
• Privacy
• Entrapment
• Liability
• Legal Contact for
.mil / .gov
Department of Justice, Computer Crime and Intellectual Property Section
– General Number: (202) 514-1026
– Specific Contact: Richard Salgado
• Direct Telephone (202) 353-7
Summary
Honeypos are a highly flexible security tool that can be used in a variety of different deployments.
21-03-2011, 03:56 PM
Post: #13
RE: honeypots seminar report

.doc  36924807-Honeypots-Seminar-Report.doc (Size: 501 KB / Downloads: 67)
INTRODUCTION
The Internet is growing fast and doubling its number of websites every 53 days and the number of people using the internet is also growing. Hence, global communication is getting more important every day. At the same time, computer crimes are also increasing. Countermeasures are developed to detect or prevent attacks - most of these measures are based on known facts, known attack patterns. Countermeasures such as firewalls and network intrusion detection systems are based on prevention, detection and reaction mechanism; but is there enough information about the enemy?
As in the military, it is important to know, who the enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasure scan be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot. Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
A honeypot is primarily an instrument for information gathering and learning. Its primary purpose is not to be an ambush for the blackhat community to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just a primary purpose of a honeypot. There are a lot of other possibilities for a honeypot - divert hackers from productive systems or catch a hacker while conducting an attack are just two possible examples. They are not the perfect solution for solving or preventing computer crimes.
Honeypots are hard to maintain and they need operators with good knowledge about operating systems and network security. In the right hands, a honeypot can be an effective tool for information gathering. In the wrong, unexperienced hands, a honeypot can become another infiltrated machine and an instrument for the blackhat community.
This paper will present the basic concepts behind honeypots and also the legal aspects of honeypots.
HONEYPOT BASICS
Honeypots are an exciting new technology with enormous potential for the security community. The concepts were first introduced by several icons in computer security, specifically Cliff Stoll in the book “The Cuckoo’s Egg” , and Bill Cheswick's paper "An Evening with Berferd”. Since then, honeypots have continued to evolve, developing into the powerful security tools they are today.
Honeypots are neither like Firewalls that are used to limit or control the traffic coming into the network and to deter attacks neither is it like IDS (Intrusion Detection Systems) which is used to detect attacks. However it can be used along with these. Honeypots does not solve a specific problem as such, it can be used to deter attacks, to detect attacks, to gather information, to act as an early warning or indication systems etc. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud. It is this flexibility that gives honeypots their true power. It is also this flexibility that can make them challenging to define and understand. The basic definition of honeypots is:
A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
The main aim of the honeypot is to lure the hackers or attacker so as to capture their activities. This information proves to be very useful since information can be used to study the vulnerabilities of the system or to study latest techniques used by attackers etc. For this the honeypot will contain enough information (not necessarily real) so that the attackers get tempted. (Hence the name Honeypot – a sweet temptation for attackers)Their value lies in the bad guys interacting with them. Conceptually almost all honeypots work they same. They are a resource that has no authorized activity, they do not have any production value.
Theoretically, a honeypot should see no traffic because it has no legitimate activity. This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise. While this concept sounds very simple (and it is), it is this very simplicity that give honeypots their tremendous advantages (and disadvantages).
TYPES OF HONEYPOTS
Honeypots come in many shapes and sizes, making them difficult to get a grasp of. To better understand honeypots and all the different types, they are broken down into two general categories, low-interaction and high-interaction honeypots. These categories helps to understand what type of honeypot one is dealing with, its strengths, and weaknesses. Interaction defines the level of activity a honeypot allows an attacker.
Low-interaction honeypots have limited interaction, they normally work by emulating services and operating systems. Attacker activity is limited to the level of emulation by the honeypot. For example, an emulated FTP service listening on port 21 may just emulate a FTP login, or it may support a variety of additional FTP commands. The advantages of a low-interaction honeypot is their simplicity. These honeypots tend to be easier to deploy and maintain, with minimal risk. Usually they involve installing software, selecting the operating systems and services you want to emulate and monitor, and letting the honeypot go from there. This plug and play approach makes deploying them very easy for most organizations. Also, the emulated services mitigate risk by containing the attacker's activity, the attacker never has access to an operating system to attack or harm others. The main disadvantages with low interaction honeypots is that they log only limited information and are designed to capture known activity. The emulated services can only do so much. Also, its easier for an attacker to detect a low-interaction honeypot, no matter how good the emulation is, skilled attacker can eventually detect their presence. Examples of low-interaction honeypots include Specter, Honeyd, and KFSensor.
High-interaction honeypots are different, they are usually complex solutions as they involve real operating systems and applications. Nothing is emulated, the attackers are given the real thing. If one wants a Linux honeypot running an FTP server, they build a real Linux system running a real FTP server. The advantages with such a solution are two fold. First, extensive amounts of information are captured. By giving attackers real systems to interact with, one can learn the full extent of the attackers behavior, everything from new rootkits to international IRC sessions. The second advantage is high-interaction honeypots make no assumptions on how an attacker will behave. Instead, they provide an open environment that captures all activity. This allows high-interaction solutions to learn behavior one otherwise would not expect. An excellent example of this is how a Honeynet captured encoded back door commands on a non-standard IP protocol . However, this also increases the risk of the honeypot as attackers can use these real operating system to attack non-honeypot systems. As result, additional technologies have to be implemented that prevent the attacker from harming other non-honeypot systems. In general, high-interaction honeypots can do everything low-interaction honeypots can do and much more. However, they can be more complex to deploy and maintain. Examples of high-interaction honeypots include Symantec Decoy Server and Honeynets.
28-03-2011, 11:31 AM
Post: #14
RE: honeypots seminar report
SUBMITTED BY
M.Bhanu Prasanthi


.doc  honey pots new.doc (Size: 544.5 KB / Downloads: 67)
Abstract
For every consumer and business that is on the Internet, viruses, worms and crackers are a few security threats. There are the obvious tools that aid information security professionals against these problems such as anti-virus software, firewalls and intrusion detection systems, but these systems can only react to or prevent attacks-they cannot give us information about the attacker, the tools used or even the methods employed. Given all of these security questions, honeypots are a novel approach to network security and security research alike.
A honeypot is used in the area of computer and Internet security. It is a resource, which is intended to be attacked and compromised to gain more information about the attacker and the used tools. It can also be deployed to attract and divert an attacker from their real targets. One goal of this paper is to show the possibilities of honeypots and their use in a research as well as productive environment.
Compared to an intrusion detection system, honeypots have the big advantage that they do not generate false alerts as each observed traffic is suspicious, because no productive components are running on the system. This fact enables the system to log every byte that flows through the network to and from the honeypot, and to correlate this data with other sources to draw a picture of an attack and the attacker.
This paper will first give an introduction to honeypots-the types and uses. We will then look at the nuts and bolts of honeypots and how to put them together. With a more advanced idea of how honeypots work, we will then look at the possible legal ramifications for those who deploy them. Finally we shall conclude by looking at what the future holds for the honeypots and honeynets.
INTRODUCTION
Global communication is getting more important every day. At the same time, computer crimes are increasing.
Countermeasures are developed to detect or prevent attacks - most of these measures are based on known facts, known attack patterns. As in the military, it is important to know, who your enemy is, what kind of strategy he uses, what tools he utilizes and what he is aiming for. Gathering this kind of information is not easy but important. By knowing attack strategies, countermeasures can be improved and vulnerabilities can be fixed. To gather as much information as possible is one main goal of a honeypot.
Generally, such information gathering should be done silently, without alarming an attacker. All the gathered information leads to an advantage on the defending side and can therefore be used on productive systems to prevent attacks.
WHAT IS A HONEYPOT?
A honeypot is primarily an instrument for information gathering and learning. A honeypot is an information system resource whose value lies in the unauthorized or illicit use of that resource. More generally a honeypot is a trap set to detect attempts at unauthorized use of information systems. Essentially; honeypots are resources that allow anyone or anything to access it and al production value. More often than not, a honeypot is more importantly, honeypots do not have any resimply an unprotected, unpatched, unused workstation on a network being closely watched by administrators.
Its primary purpose is not to be an ambush for the blackhat community to catch them in action and to press charges against them. The focus lies on a silent collection of as much information as possible about their attack patterns, used programs, purpose of attack and the blackhat community itself. All this information is used to learn more about the blackhat proceedings and motives, as well as their technical knowledge and abilities. This is just a primary purpose of a honeypot. There are a lot other possibilities for a honeypot - divert hackers
from productive systems or catch a hacker while conducting an attack are just two possible examples.
WHAT IS A HONEYNET?
Two or more honeypots on a network form a honeynet.Typically, a honeynet is used for monitoring and/or more diverse network in which one honeypot may not be sufficient. Honeynets (and honeypots) are usually implemented as parts of larger network intrusion-detection systems.
Honeynet is a network of production systems. Honeynets represent the extreme of research honeypots. Their primary value lies in research, gaining information on threats that exist in the Internet community today.
The two main reasons why honeypots are deployed are:
1. To learn how intruders probe and attempt to gain access to your systems and gain insight into attack methodologies to better protect real production systems.
2. To gather forensic information required to aid in the apprehension or prosecution of intruders.
TYPES OF HONEYPOTS:
Honeypots came in two flavors:

• Low-interaction
• High-interaction.
Interaction measures the amount of activity that an intruder may have with honeypot.In addition, honeypots can be used to combat spam.
Spammers are constantly searching for sites with vulnerable open relays to forward spam on the other networks. Honeypots can be set up as open proxies or relays to allow spammers to use their sites .This in turn allows for identification of spammers
We will break honeypots into two broad categories, as defined by Snort ,two types of honeypots are:
• Production honeypots
• Research honeypots
The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization. Think of them as 'law enforcement', their job is to detect and deal with bad guys. Traditionally, commercial organizations use production honeypots to help protect their networks. The second category, research, is honeypots designed to gain information on the blackhat community. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and how to better protect against those threats.
HONEYPOT ARCHITECTURE:
1. STRUCTURE OF A LOW-INTERACTION HONEYPOT (GEN-I):-

A typical low-interaction honeypot is also known as GEN-I honeypot. This is a simple system which is very effective against automated attacks or beginner level attacks.
Honeyd is one such GEN-I honeypot which emulates services and their responses for typical network functions from a single machine, while at the same time making the intruder believe that there are numerous different operating systems .It also allows the simulation of virtual network topologies using a routing mechanism that mimics various network parameters such as delay, latency and ICMP error messages.
The primary architecture consists of a routing mechanism, a personality engine, a packet dispatcher and the service simulators. The most
important of these is the personality engine, which gives services a different ‘avatar’ for every operating system that they emulate.
DRAWBACKS:
1. This architecture provides a restricted framework within which emulation is carried out. Due to the limited number of services and functionality that it emulates, it is very easy to fingerprint.
2. A flawed implementation (a behavior not shown by a real service) can also render itself to alerting the attacker.
3. It has constrained applications in research, since every service which is to be studied will have to be re-built for the honeypot.
2. STRUCTURE OF A HIGH INTERACTION HONEYPOT (GEN-II):-
A typical high-interaction honeypot consists of the following elements: resource of interest, data control, data capture and external logs (“known your enemy: Learning with Vmware, Honeynet project”); these are also known as GEN-II honeypots and started development in 2002.They provide better data capture and control mechanisms. This makes them more complex to deploy and maintain in comparison to low-interaction honeypots.
High interaction honeypots are very useful in their ability to identify vulnerable services and applications for a particular target operating system. Since the honeypots have full fledged operating systems, attackers attempt various attacks providing administrators with very detailed information on attackers and their methodologies. This is essential for researchers to identify new and unknown attack, by studying patterns generated by these honeypots
DRAWBACKS:
However, GEN-II honeypots do have their drawbacks as well.
1. To simulate an entire network, with routers and gateways, would require an extensive computing infrastructure, since each virtual element would have to be installed in it entirely. In addition this setup is comprehensive: the attacker can know that the network he is on is not the real one. This is one primary drawback of GEN-II.
2. The number of honeypots in the network is limited.
3. The risk associated with GEN-II honeypots is higher because they can be used easily as launch pads for attacks.
COMPARISON:
BUILDING A HONEYPOT:

To build a honeypot, a set of Virtual Machines are created. They are then setup on a private network with the host operating system. To facilitate data control, a stateful firewall such as IP Tables can be used to log connections. This firewall would typically be configured in Layer 2 bridging mode, rendering it transparent to the attacker.
The final step is data capture, for which tools such as Sebek and Term Log can be used. Once data has been captured, analysis on the data can be performed using tools such as Honey Inspector, PrivMsg and SleuthKit.
Honeypot technology under development will eventually allow for a large scale honeypot deployment that redirects suspected attack traffic to honeypot. In the figure an external attacker: 1.penetrates DMZ and scans the network IP address 2.the redirection appliance 3.monitors all unused addresses, and uses Layer 2 VPN technology to enable firewall 4.to redirect the intruder to honeypot 5.which may have honeypot computers mirroring all types of real network devices. 6. Scanning the network for vulnerable systems is redirected 7. By the honeypot appliance when he probes unused IP addresses
RESEARCH USING HONEYPOTS:
Honeypots are also used for research purposes to gain extensive information on threats, information few other technologies are capable of gathering. One of the greatest problems security professionals face is lack of information or intelligence on cyber threats. How can your organization defend itself against an enemy when you do not know who the enemy is? Research honeypots address this problem by collecting information on threats. Organizations can then use this information for a variety of purposes including analyzing trends, identifying new methods or tools, identifying the attackers and their communities, ensuring early warning and prediction or understanding attackers motivation.
ADVANTAGES OF HONEYPOTS:
1. They collect small amounts of information that have great value. This captured information provides an in-depth look at attacks that very few other technologies offer.
2. Honeypots are designed to capture any activity and can work in encrypted networks.
3. They can lure the intruders very easily.
4. Honeypots are relatively simple to create and maintain.
03-04-2011, 08:22 PM
Post: #15
RE: honeypots seminar report
hi friends
plz tell me few steps to build own honeypot
skysdlimit10[at]gmail.com
04-04-2011, 02:41 PM
Post: #16
RE: honeypots seminar report
Presented By
CH.KAMALAKAR


.doc  Honey.doc (Size: 148.5 KB / Downloads: 97)
INTRODUCTION
One of the greatest challenges the security community faces is lack of information on the enemy. Questions like who is the threat, why do they attack, and possibly when will they attack? It is questions like these the security community often cannot answer. Now a new tool called Honeypots has came together information about enemy.
Over the past several years there has been a growing interest in honeypots and honeypot related technologies. Honeypots are an exciting new technology with enormous potential for the security community. Unlike firewalls or Intrusion Detection Systems, honeypots do not solve a specific problem. Instead, they are a highly flexible tool that comes in many shapes and sizes. They can do everything from detecting encrypted attacks in IPv6 networks to capturing the latest in on-line credit card fraud.This flexibility gives honeypots their true power. In one way the honeypot is defined as.
“A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource”.
Honeypots are a resource that has no authorized activity, they do not have any production value.This means any interaction with a honeypot is most likely unauthorized or malicious activity. Any connection attempts to a honeypot are most likely a probe, attack, or compromise.The glory of a honeypot is that it lets you catch unknown attacks as well.
Setup a server and fill it with tempting files. Make it hard but not impossible to break into. Then sit back and wait for the crackers to show up. Observe them as they cavort around in the server. Log their conversations with each other. Study them like like you’d watch insects under a magnifying glass.
WHAT IS A HONEYPOT ?
A Honeynet is a type of honeypot designed specifically for research. A honeypot is a resource who's value is being probed, attacked, or compromised. Traditionally their value has been for deception or detecting attacks. They are usually single systems that emulate other systems, emulate known services or vulnerabilities, or create jailed environments. Some excellent examples of honeypots include Specter, Mantrap, or The Deception Toolkit.
• It is not a single system but a network of multiple systems. This network sits behind an access control device where all inbound and outbound data is controlled and captured. This captured information is then analyzed to learn the tools, tactics, and motives of the blackhat community. Honeynets can utilize multiple systems at the same time, such as Solaris, Linux, Windows NT, Cisco router, Alteon switch, etc. This creates a network environment that more realistically mirrors a production network. Also, by having different systems with different applications, such as a Linux DNS server, a Windows IIS web server, and a Solaris Database server, we can learn about different tools and tactics. Perhaps certain blackhats target specific systems, applications, or vulnerabilities. By having a variety of operating systems and applications, we are able to accurately profile specific blackhat trends and signatures.
• All systems placed within the Honeynet are standard production systems. These are real systems and applications, the same you find on the Internet. Nothing is emulated nor is anything done to make the systems less secure. The risks and vulnerabilities discovered within a Honeynet are the same that exist in many organizations today. One can simply take a system from a production environment and place it within the Honeynet.
It is these two design differences that make a Honeynet primarily a tool for research. It can be used as a traditional honeypot, such as detecting unauthorized activity, however a Honeynet requires a great deal more work, risk and administration. Its simply not worth all the effort of building and maintaining a Honeynet just to detect attacks. You are far better off with the simpler honeypot solutions mentioned above.
Often organizations are so overwhelmed with production activity, such as GBs of system logging, that it can be extremely difficult to detect when a system is attacked, or even when successfully compromised.Instruction detection Systems are one solution designed for detecting attacks. Isolated honeypots have a much easier time because they are systems that should not normally be accessed.
IDS administrators can be overwhelmed with alerts that were generated whenthe sensor recognized the configuired signature of an “attack”. The problem here is that system administrator may receive so many alerts on a daily basis that they cannot respond to all of them.
Another risk is false negatives, when IDS systems fail to detect a valid attack.honeypots happily capture any attacks thrown their way.
Honeypots can simplify the detection process. Since honeypots have no production activity, all connections to an from the honeypot are suspect by nature.
VALUE OF A HONEYPOT
Traditionally, information security has been purely defensive. Firewalls, Intrusion Detection Systems, encryption; all of these mechanisms are used defensively to protect one's resources. The strategy is to defend one's organization as best as possible, detect any failures in the defense, and then react to those failures. The problem with this approach is it purely defensive, the enemy is on the attack. Honeynets attempt to change that, they give organizations the ability to take the initiative.
The primary purpose of a Honeynet is to gather information about threats that exist. New tools can be discovered, worms can be captured and analyzed, attack patterns can be determined, and attacker motives studied. Captured information can also be used as an early indications and warning system, alerting to attacks before they happen. The ultimate goal of Honeynets is to provide information that can be used to protect against threats. Honeynets can be compared to the Navy's use of SOSUS during the Cold War. During the 1950-1980's, enemy submarines posed a threat as they could silently approach and attack from anywhere in the world's oceans. To detect these threats, devices were placed throughout the ocean's floor to passively capture the activity of enemy submarines. Honeynets can be considered the SOSUS of cyber space, passively gathering information on threats. The only difference is, for a Honeynet to passively gather information, blackhats have to probe, attack, or exploit Honeynet systems.

Traditionally, the greatest problem security professionals face in detecting and capturing blackhat activity is information overload. The challenge for most organizations is determining from vast amounts of information what production traffic is and what is malicious activity.
The Honeynet solves this problem of data overload through simplicity. A Honeynet is a network designed to be compromised, not to be used for production traffic. Any traffic entering or leaving the network is suspicious by definition. Any connection initiated from outside the Honeynet into the network is most likely some type of probe, attack, or other malicious activity. Any connection initiated from the Honeynet to an outside network indicates that a system was compromised. An attacker has initiated a connection from his newly hacked computer and is now going out to the Internet. This concept of no production traffic greatly simplifies the data capture and analysis.
There are three critical requirements that define every Honeynet, they are
 Data Control
 Data Capture.
 Data Collection.
Data Control
Data Control is what mitigates risk. It controls the attacker's activity by limiting what can happen inbound and outbound. The risk is that once an attacker compromises a system within the Honeynet, they can use that system to attack other non-Honeynet systems, such as organizations on the Internet. The attacker has to be controlled so they cannot do that. They can attack other systems within the Honeynet, but we have to protect non-Honeynet systems.
It took the blackhat only fifteen minutes to figure out something was wrong, wipe the system drive, and leave the network. So, the trick is to give the blackhat flexibility to execute whatever they need, but without allowing them to use the compromised system to attacks others.
Data Capture
Data Capture is what collecting all the activity that happens inbound, outbound, or within the Honeynet. This is how we learn, by capturing the attackers's activities. The trick to these requirements is meeting them without the attacker knowing. Our goal is to both control and capture all of the attacker's activity, without them realizing they are within a Honeynet.
Data captured cannot be stored on locally on the honeypot. Information stored locally can potentially be detected by the blackhat, alerting them the system is a Honeynet. The stored data can also be lost or destroyed. Not only do we have to capture the blackhats every move without them knowing, but we have to store the information remotely. The key to this is capturing data in layers. You cannot depend on a single layer for information. You gather data from a variety of resources. Combined, these layers then allow you to paint the big picture. We will now discuss these layers and there uses.
Data Collection
There is a third requirement, Data Collection, but this is only for organizations that have multiple Honeynets in distributed environments. Many organizations will have only one single Honeynet, so all they need to do is both Control and Capture data. However, organizations that have multiple Honeynets logically or physically distributed around the world have to collect all of the captured data and store it in a central location. This way the captured data can be combined, exponentially increasing its value. The Data Collection requirement provides the secure means of centrally collecting all of the captured information from distributed Honeynets.
INTEGRATING HONEYPOTS
The integration of honey pot into network is a great determining factor into how effective it will be. You should position the decoy system close to your production servers to tempt intruders that are targeting production servers. One such possibility is to emulate non-production services on production servers. By using port redirection on an upstream ruter or firewall, it will appear that honeypot services are running on production systems. This would require an upstream router or firewall capable of performing port/service redirection; in this case the upstream device is responsible for transparently handling the address translation of the honeypot in order to help conceal its real destination IP address. One example of this is if you run a production web server (port 80), telnet (port 23) and SMTP (port 25) could then be redirected to a honeypot.
Because these services should not be accessed on a production system, the honeypot should send off an immediate alert or at the very least, log (record, register) the incident. In the scenario listed above, you can detect probing and tampering on production systems but only on non-production services so you would not be alserted to tampering on the production server because the service is not redirected to the honey pot. It is also important to realize the limitaions of service emulation. Intrusion detection systems must know about the vulnerability prior the exploitaion in order for it to emulate properly. Another way to deploy a honey pot is to place it logically between production servers. If production servers are addressed as .9,.10,.11, and .13 it is ideal to address the honeypt as .12. the idea behind this is to catch intruders that “sweep scan” entire network ranges looking for vulnerable services. This is achieved by straight network addressing of the honey pot. You can even make the honey pot appear as multiple hosts by using IP aliasing (assigning multiple IP addresses to the same host). Because this method uses standard network addressing, you don’t need any special configuratins on your upstream router or firewall.
The goal in this setup is to catch intruders who will “sweep” (scan) an entire network range, looking for vunerable services.
If your production servers are running the DNS service, so should your honey pot, an intruder scanning for the latest DNS servcice vulnerability will hone (break up) right in. however, if the intruder focuses only on your production systems, he or she will avoid the honey pot, rendering it useless.
Any existing system can also be “honeypotized”, for example, on winNT, it is possible to rename the default “administrator” account, then create a dummy account called “admininstrator” with no password. winNT allows extensive logging of a person’s activities, so this honey pot will track users attempting to gain administrator access and exploit that access.
21-07-2011, 12:04 PM
Post: #17
RE: honeypots seminar report

.pdf  honeypots.pdf (Size: 200.21 KB / Downloads: 100)
Due to emerge of the Internet and everyone are link together by network. The security
and privacy of each local network or each user become more and more important issue. There
are many technologies that provide this kind of abilities such as Intrusion detection system,
Firewall and other security measures. But all these tools often give us too many information
that need us to dig the useful information from a few gigabytes data a day.
Honeypots come in to help us in three ways that is prevention, detection and how we react to an
attack. There are two general types of honeypots which is Low interaction honeypots such as
Honeyd, Specter and KFSensor. The highly interactive honeypots is like Honeynet. Honeypots
basically sit on an unused IP where any attempt connection to that IP will consider as an authorized
and malicious attack. This will help to reduce the size of the information logged and the security
professional can easily detect an intrusion and can response to it more effectively and fast.
The most critical part of a dynamic honeypot is how the Dynamic Honeypots learns about our
network, what systems our organization using and how these systems are being used. With this
knowledge, the dynamic honeypot can intelligently map and respond to our environment. One
possible approach is to actively probe the organization network, determine what systems are live,
types of systems they are, and what kind of services they are using. We would constantly need to
scan our environment to get the latest update of the system. That’s why it’s not a very elegant
approach .
Another approach is passive fingerprinting which also takes the same approach; it has a database of
known signatures for specific systems. However, the data is taken passively. Instead of actively
probing the remote systems, the passive fmgerprinting sniff traffic from the network and analyzes
the packets from that network. It is passively gathering data rather than actively interacting with
systems. This will reduce the network bandwidth and network traffic or damaging or taking down a
system or service in the network. This method is continuous -- as organization networks changes,
these changes can be captured in real time and this becomes critical for maintaining realistic
honeypots over the long term. But we do have some disadvantage of passive mapping, it may not
work well across routed networks; it’s more effective on organization local LAN. In some cases,
more then just one dynamic honeypot would have to be physically deployed in the organization,
depending on the organization size, number of networks, and configuration.
The dynamic honeypot could leverage this concept of passive fingerprinting to learn our networks.
The honeypot could be deployed as an appliance or single box. This device is then physically
connected to your network. Once connected, it spends the somc time watching and learning the
organi~ation network. By passively analyzing all of the trafic it sees, it will then determine how
many systems are on your networks, what are the operating system types, the kind of the services
they offer, and potentially even which systems are communicating with whom and how often is it.
All these information is then used to learn and map the organization network. Once the honeypot
learns the environment, it can begin deploying more honeypots. The strong point of the Dynamics
Honeypots here is that the honeypots are crafted to mirror your environment.
30-01-2012, 10:28 AM
Post: #18
RE: honeypots seminar report
to get information about the topic Data Security Using Honeypot full report, ppt and related topic refer the link bellow

http://www.seminarprojectsThread-data-security-using-honey-pot-system

http://www.seminarprojectsThread-data-security-using-honey-pot-system?pid=37714#pid37714

http://www.seminarprojectsThread-honeypots-seminar-report?page=3

http://www.seminarprojectsThread-honey-pot--2657

http://www.seminarprojectsThread-honeypots-seminar-report
03-04-2012, 11:52 AM
Post: #19
RE: honeypots seminar report
to get information about the topic "honeypots" full report ppt and related topic refer the link bellow

http://seminarprojectsThread-honeypots-seminar-report

http://seminarprojectsThread-honeypots-seminar-report?pid=37901

http://seminarprojectsThread-honey-pot

http://seminarprojectsThread-honey-pot--2657

http://seminarprojectsThread-honeypots-seminar-report?page=6

http://seminarprojectsThread-honeypots-seminar-report?page=4
21-11-2012, 01:00 PM
Post: #20
RE: honeypots seminar report
Honeypots


.ppt  honeypots-0.2.ppt (Size: 515 KB / Downloads: 70)

Lance Spitzner

Senior Security Architect, Sun Microsystems
Founder of the Honeynet Project
Author of Honeypots: Tracking Hackers
Co-author of Know Your Enemy
Moderator of <honeypots[at]securityfocus.com> maillist
Former ‘tread head’.

Problem

Variety of misconceptions about honeypots, everyone has their own definition.
This confusion has caused lack of understanding, and adoption.

Honeypot Timeline

1990/1991 The Cuckoo’s Egg and Evening with Berferd
1997 - Deception Toolkit
1998 - CyberCop Sting
1998 - NetFacade (and Snort)
1998 - BackOfficer Friendly
1999 - Formation of the Honeynet Project
2001 - Worms captured
2002 - dtspcd exploit capture

How honeypots work

Simple concept
A resource that expects no data, so any traffic to or from it is most likely unauthorized activity

Not limited to specific purpose

Honeypots do not solve a specific problem, instead they are a tool that contribute to your overall security architecture.
Their value, and the problems they help solve, depend on how build, deploy, and you use them.
Rating honeypots seminar report Options
Share honeypots seminar report To Your Friends :- Seminar Topics Bookmark
Post Reply 

Marked Categories : yhse 001, honeypots seminar topic, honeypots technical seminar free download, honey pot technology detail report, honey pots detail seminar report and pdf, honeypot seminar, weakness and strength of forensic computing, seminar report on honeypot, difference between honeypots and firewalls, reports on honeypots, seminar on honeypot, honeypot seminar report free download, honeypots future scope and challenges, honeypots seminor, honeypots ppt abstract, seminar report on honypot, seminar on honey pots, presentation on topic honeypots, honeypot scope, honeypots seminar report, honeypots, honeypots seminar, seminar topics about honeypots, seminar report about honeypots,

[-]
Quick Reply
Message
Type your reply to this message here.


Image Verification
Image Verification
(case insensitive)
Please enter the text within the image on the left in to the text box below. This process is used to prevent automated posts.

Possibly Related Threads...
Thread: Author Replies: Views: Last Post
  Seminar report on Android mkaasees 0 0 09-11-2016 04:31 PM
Last Post: mkaasees
  A Seminar On Cloud Computing mkaasees 0 0 07-11-2016 04:16 PM
Last Post: mkaasees
  SEMINAR ON OSI MODEL mkaasees 0 0 03-11-2016 10:34 AM
Last Post: mkaasees
  Seminar Report On QR Code mkaasees 0 0 27-10-2016 09:54 AM
Last Post: mkaasees
  A SEMINAR ON ATM SECURITY mkaasees 0 0 26-10-2016 11:49 AM
Last Post: mkaasees
  Cellonics Seminar Report mkaasees 0 0 25-10-2016 11:15 AM
Last Post: mkaasees
  Seminar On Steganography mkaasees 0 0 14-10-2016 03:56 PM
Last Post: mkaasees
  mobile computing full report seminar topics 28 35,597 14-10-2016 02:33 PM
Last Post: jaseela123
  Seminar On DNS mkaasees 0 0 07-10-2016 03:13 PM
Last Post: mkaasees
  A SEMINAR ON 4G mkaasees 0 0 27-09-2016 03:02 PM
Last Post: mkaasees
This Page May Contain What is honeypots seminar report And Latest Information/News About honeypots seminar report,If Not ...Use Search to get more info about honeypots seminar report Or Ask Here

Options: