Honeypots and Honeynets - PowerPoint PPT Presentation

Honeypots and honeynets
1 / 14

  • Uploaded on
  • Presentation posted in: General

Honeypots and Honeynets. Alex Dietz. Purpose. To discover methods used to breach a system To discover new root kits To learn what changes are made to a system and their effects To not be discovered To discourage an attack. Production honeypot vs Research honeypot.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

Download Presentation

Honeypots and Honeynets

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Honeypots and honeynets

Honeypots and Honeynets

Alex Dietz



  • To discover methods used to breach a system

  • To discover new root kits

  • To learn what changes are made to a system and their effects

  • To not be discovered

  • To discourage an attack

Production honeypot vs research honeypot

Production honeypot vs Research honeypot

  • Production honey pots are easy to use and capture only limited amount of information

  • Research honeypots are complex and expensive to maintain

Honeypots vs honeynets

Honeypots vs Honeynets

  • Honeypots are usually a complete system or virtual machine and are low-interaction.

  • Honeynets are second generation honeypots and are very high-interaction

Both must provide

Both must provide

  • Data capture

  • Data control

  • Data analysis

Data capture and staying undetected

Data capture and Staying undetected

  • Log information to a remote server

  • Use software to detect changes to files

  • Use a rootkit to hide all logging services

    • Implements its own TCP/IP stack to prevent logging traffic from being detected

Data control

Data control

  • Try to prevent outgoing malicious traffic

    • Use a honey wall

      Traditionally a layer 2 bridging device that

      has no IP stack, meaning the device

      should be invisible to anyone interacting

      with the honeypots or honeynets.

img: http://honeynet.org/papers/honeynet/

Data analysis

Data analysis

  • Typically done by people viewing logs

    • Realtime

    • Logs

Img: Kent State University

Legality and liability

Legality and Liability

• The operator can be held accountable if the honeypot is compromised and used to launch additional attacks.

-Varies state by state

• Can violate the Federal Wiretap Act

-Under most situations they are exempt

Ex. Attacker sets up an IRC server and users connect without knowing the system has been compromised

Honeypots and honeynets are flexible

Honeypots and honeynets are flexible

  • Using virtual machines honeypots and honeynets can be set up with many different configurations

    • Using a virtual machine lowers its security

Honeypots and honeynets

  • Can also connect to webservers to determine their malicious nature

    • Most search engines do this as they crawl webpages

img: google.com/support



  • Honeypots are a great detection mechanism

  • Honeynets are an excellent research tool

  • Can be configured to fit any need or cost

  • Poorly controlled honeypots and honeynets can get you in trouble



Honeypots and honeynets

? ?


  • Login