
HONEYPOT

CLEMSON UNIVERSITY. HONEYPOT. By SIDDARTHA ELETI. Introduction. Introduced in 1990/1991 by Clifford Stoll in his book “The Cuckoo’s Egg” and by Bill Cheswick in his paper “An Evening With Berferd.”

PamelaLan

Presentation Transcript


  1. CLEMSON UNIVERSITY HONEYPOT By SIDDARTHA ELETI

  2. Introduction
     • Introduced in 1990/1991 by Clifford Stoll in his book “The Cuckoo’s Egg” and by Bill Cheswick in his paper “An Evening With Berferd.”
     • A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.
     • Acts as a decoy or bait to lure attackers.
     • They are designed to be attacked.
     • It’s about spying on the spy, i.e. the attacker.

  3. Working
     • Uses the concept of deception.
     • Honeypots work on the idea that all traffic to a honeypot should be deemed suspicious.
     • Designed to audit the activity of an intruder, save log files, and record events:
        • Processes started
        • Adding, deleting, changing of files
        • Even keystrokes

  4. Location

  5. Honeypots are usually placed somewhere in the DMZ. This ensures that the internal network is not exposed to the hacker.
     • Most honeypots are installed inside firewalls so that they can be better controlled.
     • But a firewall that is placed in a honeypot works in exactly the opposite way to a normal firewall.

  6. Types of Honeypots
     • Based on level of deployment:
        • Production honeypots
        • Research honeypots
     • Based on design:
        • Pure
        • High interaction
        • Low interaction

  7. Levels of Deployment
     • Production:
        • It’s easy and captures only limited information.
        • Adds value to the security measures of an organization.
        • Used by companies and large corporations.
     • Research:
        • Collects a lot of information, i.e. the attacker’s tools, intent, identity etc.
        • Does not directly add value to an organization.
        • Researches the threats and tries to come up with better measures.
        • Used by military, government organizations and research.

  8. Interaction
     • What is interaction?
     • The level of interaction determines the amount of functionality a honeypot provides.
     • The greater the interaction, the more you can learn.
     • The greater the interaction, the greater the complexity.
     • The greater the interaction, the greater the risk.

  9. High Interaction:
     • Imitates the services and actions of a real system.
     • Gives a vast amount of information.
     • Involves an operating system.
     • This involves risk.
     • Multiple honeypots can be hosted with the use of VMs.
     • Difficult to detect
     • Expensive to maintain
     • Example: Honeynet

  10. Low Interaction Honeypots:
     • Simulates the services of a system.
     • Predetermined set of responses
     • Not good for interacting with unexpected attacks
     • Gives less information, usually:
        • Time of attack
        • IP and port of attacker
        • Destination IP and port of attack
     • Does not involve an operating system
     • Easy to detect
     • Cheaper to maintain

  11. Commercial Honeypot Systems
     • There are a variety of commercial honeypot systems available:
        • Deception ToolKit (DTK)
        • Specter
     • Supported OSs:
        • Microsoft NT
        • Unix

  12. Deception Toolkit
     • First free honeypot, by Fred Cohen in 1997
     • Suite of applications that listen to inbound traffic:
        • FTP
        • Telnet
        • HTTP
     • Uses scripted responses.
     • Experienced attackers can quickly realize that they are in a honeypot.
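
The low-interaction behaviour from slide 10 and the scripted responses from slide 12, as an added example that is not part of the original slides and not code from the Deception Toolkit or any product named here. The fake FTP banner, the reply table, port 2121 and all function names are constructed assumptions; each connection is recorded with the fields slide 10 lists.

```python
import json, socketserver, threading
from datetime import datetime, timezone

# Constructed scripted replies for a fake FTP service (assumed values).
BANNER = b"220 FTP server ready\r\n"
SCRIPT = {b"USER": b"331 Password required\r\n",
          b"PASS": b"530 Login incorrect\r\n",
          b"QUIT": b"221 Goodbye\r\n"}
DEFAULT = b"500 Command not understood\r\n"

def reply_for(line: bytes) -> bytes:
    """Return the predetermined response; unknown input gets one generic reply."""
    verb = line.strip().split(b" ", 1)[0].upper()
    return SCRIPT.get(verb, DEFAULT)

class Handler(socketserver.StreamRequestHandler):
    timeout = 10  # seconds; idle connections are dropped
    def handle(self):
        src_ip, src_port = self.client_address[:2]
        dst_ip, dst_port = self.request.getsockname()[:2]
        event = {"time": datetime.now(timezone.utc).isoformat(),
                 "src_ip": src_ip, "src_port": src_port,
                 "dst_ip": dst_ip, "dst_port": dst_port, "input": []}
        try:
            self.wfile.write(BANNER)
            for _ in range(20):                  # cap lines per session
                line = self.rfile.readline(512)  # cap bytes per line
                if not line:
                    break
                event["input"].append(line.decode("latin-1").rstrip("\r\n"))
                self.wfile.write(reply_for(line))
                if reply_for(line) == SCRIPT[b"QUIT"]:
                    break
        except OSError:  # timeout or reset: still record the contact
            pass
        finally:
            self.server.events.append(event)
            # JSON escaping keeps control characters in the input out of the log.
            print(json.dumps(event))

def start_honeypot(host="127.0.0.1", port=2121):
    """Start the listener in a background thread and return the server."""
    server = socketserver.ThreadingTCPServer((host, port), Handler)
    server.daemon_threads = True
    server.events = []  # every connection is logged; none is expected
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

if __name__ == "__main__":
    start_honeypot()
    threading.Event().wait()  # keep running until interrupted
```

A connection that sends nothing is still logged with an empty `input` list, which matches the rule on slide 3 that all traffic to a honeypot is suspicious.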

  13. SPECTER
     • SPECTER is a smart honeypot-based intrusion detection system.
     • A production honeypot and easy to configure.
     • Provides real-time counterintelligence against hackers.
     • It simulates a vulnerable computer with various operating systems like Windows, Mac, Linux, Solaris etc.
     • Offers common Internet services such as SMTP, FTP, POP3, HTTP and TELNET.
     • These services appear perfectly normal to the attackers but in fact are traps for them to mess around and leave traces.
     • Offers intelligent systems like TRACER, TRACE ROUTE, DNS, FTP Banner etc.

  14. Advantages
     • The administrator can learn about vulnerabilities in his system
     • Intent of the attackers
     • Simple design and implementation
     • Fewer resources
     • Cheaper to analyze collected information

  15. Disadvantages
     • Has to be attacked directly.
     • Can be avoided.
     • Honeypots can be detected as they have expected characteristics or behavior.
     • They can introduce risk to the environment.
     • They don’t prevent or stop an attack.

  16. Conclusion
     • It’s a tool to learn and understand how the attack is being executed and the motives of the attackers.
     • Not a solution.
     • Provides important information about:
        • The attacker
        • The tools being used by the attacker
        • What the attacker is after


  18. THANK YOU
