Source: [id: 41018; name: CSO; isActive: true; siteId: 3] -- CSO -- $content.altguid

All About Honeypots and Honeynets

Honeypots and honeynets can take the sting out of hacker attacks

By

May 01, 2003CSO — Tired of defending against bad guys? Instead, go on the offensive. At least that's the idea behind so-called honeypots—computer systems that are designed to lure evildoers and then record their every move.

Think of honeypots as intelligence collection systems. Many hackers engage in routine scans of the Internet's address space, looking for poorly defended computers. A honeypot is a deliberately vulnerable target that invites penetration while fully instrumented. So after a hacker penetrates it, you can learn how it was done, keeping you current with the latest attacks and exploits against your company's servers. You can also collect the types of hacker tools they use and, by eavesdropping on their communications, map out their social networks.

Setting up a honeypot isn't hard; all you need is a computer running an unpatched copy of Microsoft Windows or Red Hat Linux on your external Internet. Since hackers are likely to booby-trap the computer's logging and auditing capabilities, you'll want to station a network-monitoring system between the box and your Internet connection so that all the traffic in or out of the box is silently recorded. Then just sit back and wait for the inevitable attack.

Running a honeypot is not without its risks, however. That's because the overwhelming number of compromised systems are used for attacking other systems. If you ignore a vulnerable system, you may be liable if hackers use your system to break into others. It's called downstream liability, and it brings us to the topic of honeynets.

A honeynet is a honeypot with added technology that properly records the hacker's actions while simultaneously minimizing or eliminating the risks to others on the Internet. An example is a honeypot that's set up behind a backward firewall; instead of preventing incoming connections, the firewall prevents the honeypot from initiating outbound connections. Still, while that approach makes the honeypot incapable of damaging other systems, it also makes it pretty easy for bad guys to spot. Realizing they've broken into a presumably booby-trapped system, the typical hacker is likely to wipe the disk clean and never return (which is not tremendously informative for the honeypot watchers).

For the past four years, Lance Spitzer and the others at the Honeynet Project have been working to create, deploy, manage and analyze the results of honeynets. Their technology is clever, but their results incredibly disturbing. To solve the problem of downstream liability, Spitzer and his team developed a range of data control techniquesfor example, an adaptive firewall rule that allows five or 10 outgoing connections every hour: That's high enough to prevent an attacker from getting suspicious, but low enough to prevent serious damage to third-party systems. These rules can be implemented on commercial firewall systems like those from Check Point Software Technologies or on firewalls built from Linux and OpenBSD systems. Of course, no data control technique is perfect. "The more you allow a blackhat to do outbound, the more you can learn, but the greater the risk," according to the project's website.

RESOURCE CENTER