In Depth

All About Honeypots and Honeynets

Honeypots and honeynets can take the sting out of hacker attacks

By Simson Garfinkel

Page 2

Data capture is another technical challenge in running a honeypot. By recording every packet in and out of the system, the honeypot watchers can get a good idea of what the bad guys are doing. The log files on the honeypot itself are also a good data source. The log files are easily deleted by the attacker, so it's common to have the honeypot send a copy of its log to a remote syslog server that's on the same network but is better defended. (Be sure to watch the log server as well. If it is penetrated by your attacker using a novel attack, then your honeypot will certainly have shown its worth.)

The task of data capture has been considerably complicated in recent years by the increased use of encryption in the blackhat community. Back in the 1990s, most bad guys logged in to their compromised systems using clear-text protocols such as telnet and rsh. Today they've followed the advice of numerous computer security professionals and have turned to cryptographic protocols like ssh to make their communications immune to network monitoring. The Honeynet Project's response to encryption is to modify the target computer's operating system so that all keystrokes, transferred files and other information are logged to yet another monitoring system. Because the attacker might discover such logs, the project uses steganographic techniques: hiding keystrokes inside NetBIOS broadcast packets, for example. It's a clever idea. (Unfortunately, it's only a matter of time before the bad guys adapt those techniques to their own nefarious ends.)

One of the nice things about honeypot systems is that they do a great job at data reduction. With a typical website or mail server, attacks are usually drowned out by the legitimate traffic. Adding an intrusion detection system rarely helps because of the tendency of these systems to generate false alarms. Honeypots, on the other hand, have little or no legitimate traffic. Most of the data in or out is, by definition, an attack. As a result, it is much easier to look at the data and find out what the attacker actually did.
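The two points above, a remote syslog copy that survives when the attacker wipes the honeypot's local log, and data reduction because every source hitting a honeypot is suspect, as an added example (not from the article or the Honeynet Project). The log lines and the address 198.51.100.23 are constructed sample data.

```python
"""Compare a honeypot's local log with the remote syslog copy and summarize activity."""
import re
from collections import Counter

# Constructed sample: the remote syslog server's copy of the honeypot's auth log.
REMOTE_COPY = [
    "Mar  3 02:14:07 honeypot sshd[4211]: Failed password for root from 198.51.100.23 port 51022 ssh2",
    "Mar  3 02:14:09 honeypot sshd[4211]: Failed password for root from 198.51.100.23 port 51022 ssh2",
    "Mar  3 02:14:12 honeypot sshd[4213]: Accepted password for root from 198.51.100.23 port 51030 ssh2",
    "Mar  3 02:15:40 honeypot sshd[4213]: pam_unix(sshd:session): session opened for user root",
    "Mar  3 02:16:02 honeypot sudo: root : COMMAND=/usr/bin/rm -f /var/log/auth.log",
]

# Constructed sample: what the local file holds after the intruder cleaned it.
LOCAL_COPY = [
    "Mar  3 02:14:07 honeypot sshd[4211]: Failed password for root from 198.51.100.23 port 51022 ssh2",
    "Mar  3 02:14:09 honeypot sshd[4211]: Failed password for root from 198.51.100.23 port 51022 ssh2",
]

SRC_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def missing_locally(remote, local):
    """Return remote lines absent from the local log (multiset difference, order kept).

    Anything present on the remote server but gone locally is evidence the
    attacker truncated or deleted the honeypot's own log.
    """
    local_counts = Counter(local)
    missing = []
    for line in remote:
        if local_counts[line] > 0:
            local_counts[line] -= 1  # consume one matching local copy
        else:
            missing.append(line)
    return missing


def events_by_source(lines):
    """Data reduction: count log events per source address.

    On a honeypot there is no legitimate traffic to filter out, so a plain
    per-source count is already a list of attackers and how busy each was.
    """
    counts = Counter()
    for line in lines:
        match = SRC_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return dict(counts)


def tamper_report(remote, local):
    """Summarize whether the local log was tampered with and where the gap starts."""
    missing = missing_locally(remote, local)
    return {"tampered": bool(missing), "missing": len(missing),
            "first_missing": missing[0] if missing else None}


if __name__ == "__main__":
    print(tamper_report(REMOTE_COPY, LOCAL_COPY))
    print(events_by_source(REMOTE_COPY))
```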

Since its formation in 1999, the Honeynet Project has gathered a tremendous amount of information that you can find at www.honeynet.org or in Spitzner's 2002 book, Honeypots: Tracking Hackers. Some of the findings: the incidence of attack has doubled in the past year; attackers are increasingly using automated point-and-shoot tools with pluggable exploits (making tools easy to update as new vulnerabilities are discovered); and, despite their bravado, few hackers use novel attacks.
