Open source honey

Pro

1 April 2005

Our networks are under attack. The year gone by has seen an alarming number of hackers at the keyboard attempting to steal, wreck or otherwise harm valuable corporate assets, and nothing, it seems, will make them go away.

Honeypots, however, are one kind of technology that lets us turn the tables on the bad guys and take the initiative. A honeypot is a security resource whose value lies in being probed, attacked or compromised.

Traditional detection solutions can overwhelm organisations with alerts, yet only a small number of those alerts signal a genuine attack. Many of today's technologies are also not designed to detect unknown attacks. Honeypots help with both of these problems.

Honeypots generate very few alerts, but when they do you can be almost certain that something malicious has happened. A honeypot has no production purpose, so anyone who connects to or logs on to it is either acting with malicious intent or has arrived there by accident, and accidents are rare and quickly explained.

Honeypots can also detect and capture unknown attacks as well as known ones. Finally, honeypots can be used to respond to an attack. If an attacker breaks into your organisation and one of the systems they break into is a honeypot, then the information gathered from that system can be used to respond to the break-in. Information is the key to a successful response, and honeypots provide it in abundance. Honeypots can also be used to smoke out and identify an attacker, whether they are a trusted internal employee or an external hacker.

Honeypots are unique in that they don't solve one specific problem. Instead, they are a highly flexible tool with many different applications to security; it all depends on what you want to achieve. Some honeypots can be used to help prevent attacks, others to detect attacks, and others again for information gathering and research.

Honeyd, authored by Niels Provos of the University of Michigan (www.honeyd.org), is a good example of this flexibility. An open source tool that runs on BSD, Linux and Solaris (and has recently been ported to Windows), Honeyd lets you construct networks of computers that don't exist. It can fool even the most savvy of attackers into thinking they are interacting with a whole range of operating systems, applications and services. All you need is a single, low-end computer and a little spare time: a veteran server (or desktop) retired from production can be quickly re-enlisted as a honeypot.

Honeyd hacker
The primary purpose of Honeyd is detection, specifically detecting unauthorised activity within your organisation. It does this by monitoring all the unused IP addresses in your network. Any attempted connection to an unused IP address is assumed to be unauthorised or malicious activity. After all, if no system is using that IP, why is someone or something attempting to connect to it? For example, if your network is a /24 (the old class C), it is unlikely that every one of its 254 usable addresses is in use. A connection attempted to one of the unused addresses could be a misconfigured device or a genuine mistake, but it is most likely a probe, a scan, or a worm hitting your network. See the accompanying diagram, which shows a sample Honeyd log output from an unauthorised Telnet logon.

Honeyd can monitor all of these unused IP addresses at the same time. Whenever a connection is attempted to one of them, Honeyd assumes the identity of that unused address and then interacts with the attacker. This approach to detection has many advantages over traditional methods. Any time Honeyd generates an alert, you know it is most likely a real attack, not a false alarm. Instead of hammering you with 10,000 alerts a day, Honeyd may generate only five or ten, and while one of those could still be a misconfigured device or a genuine mistake, the rest are almost certainly real. Furthermore, since Honeyd is not based on any advanced algorithms, it is easy to set up and maintain. Lastly, it detects not only known attacks but unknown ones as well. Anything that comes its way is detected: not only that old IIS attack, but also the new zero-day exploit no one knew about.
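The detection rule described above, "any connection to an unused address is an alert", is simple enough to model in a few dozen lines. The example below is added here and is not Honeyd's own code or log format: it takes a /24 (the 192.0.2.0/24 documentation range, chosen as a hypothetical network), a constructed set of in-use hosts, and a constructed stream of connection attempts, flags every attempt aimed at an unused address, and then groups the hits by source so that a sweep across many dark addresses (a scan or worm), a repeated connection to one stale address and port (a likely misconfigured device) and a single probe can be told apart. The per-source grouping is an added heuristic for triage, not something the article attributes to Honeyd.

```python
"""Honeyd-style dark-address detection: a connection to an address nobody
uses is an alert. Added illustration; not Honeyd's own code or log format."""
import ipaddress
from collections import defaultdict

# Hypothetical network and in-use hosts (constructed for this example).
NETWORK = ipaddress.ip_network("192.0.2.0/24")
IN_USE = {ipaddress.ip_address(f"192.0.2.{h}") for h in (1, 10, 11, 12, 20, 50)}

# Constructed connection attempts as (src, dst, dst_port) tuples.
SAMPLE_ATTEMPTS = (
    # Ordinary traffic between real hosts: never seen by a honeypot.
    [("192.0.2.10", "192.0.2.1", 80)] * 20
    + [("192.0.2.11", "192.0.2.50", 443)] * 5
    # An outside host sweeping ten dark addresses on port 445 (scan or worm).
    + [("198.51.100.7", f"192.0.2.{h}", 445) for h in range(100, 110)]
    # The same host also hits a live server; that is not the honeypot's business.
    + [("198.51.100.7", "192.0.2.1", 445)]
    # An internal box repeatedly asking a decommissioned DNS address.
    + [("192.0.2.20", "192.0.2.99", 53)] * 3
    # A lone Telnet probe from outside.
    + [("203.0.113.5", "192.0.2.77", 23)]
)


def unused_addresses(network, in_use):
    """Every usable host address in the network that no real system owns."""
    return {a for a in network.hosts() if a not in in_use}


def is_suspect(dst, network, in_use):
    """Honeyd's core rule: a destination inside our network but not in use."""
    dst = ipaddress.ip_address(dst)
    return dst in network and dst not in in_use


def classify(attempts, network, in_use, sweep_threshold=5):
    """Group suspect attempts by source and label each source.

    'scan'   - touched sweep_threshold or more distinct unused addresses
    'repeat' - hammered one unused address on one port more than once
               (often a device still configured with a retired address)
    'probe'  - anything else, typically a one-off connection
    """
    per_src = defaultdict(list)
    for src, dst, dport in attempts:
        if is_suspect(dst, network, in_use):
            per_src[src].append((dst, dport))
    verdicts = {}
    for src, hits in per_src.items():
        dsts = {d for d, _ in hits}
        ports = {p for _, p in hits}
        if len(dsts) >= sweep_threshold:
            verdicts[src] = "scan"
        elif len(dsts) == 1 and len(ports) == 1 and len(hits) > 1:
            verdicts[src] = "repeat"
        else:
            verdicts[src] = "probe"
    return verdicts, dict(per_src)


def summarize(attempts, network, in_use):
    """Compare raw connection volume with what the dark-address rule raises."""
    verdicts, per_src = classify(attempts, network, in_use)
    return {
        "total": len(attempts),
        "suspect": sum(len(h) for h in per_src.values()),
        "sources": len(per_src),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_ATTEMPTS, NETWORK, IN_USE)
    print(f"{report['total']} connections, {report['suspect']} to dark addresses, "
          f"{report['sources']} sources worth a look")
    for src, verdict in report["verdicts"].items():
        print(f"  {src:15} {verdict}")
```

Of the 40 constructed connections, 14 touch unused addresses and they come from only three sources, which is the alert reduction the article is describing. Note that the scanner's hit on the live server at 192.0.2.1 is invisible to this rule; a honeypot complements a conventional IDS on the production hosts rather than replacing it.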

Linux launch pad
The Honeyd tool has been used for a huge variety of purposes. Recent research from the Honeynet Research Alliance using Honeyd has indicated that 48 per cent of spam on the Internet originates from Linux-based mail servers. Honeyd has also been used to actively immunise systems against the propagation of Internet-borne worms. Its most obvious use is to detect, analyse and respond to attacks against organisations' networked assets, regardless of where those threats originate.

The Irish Honeynet, set up by Espion, Deloitte and Data Electronics and operational since April 2002, is designed to mimic the Internet infrastructure commonly used by organisations, but it is 'wired' with detection sensors that capture all activity to and from the system. The Honeynet is not advertised in any way, so any traffic to it from the Internet is suspicious by nature: it comes from hackers and crackers who are deliberately trying to identify and attack vulnerable systems.


For more information on Honeyd or honeypot technology in general, please send an email to honeynet@espion.ie or honeynet@deloitte.ie

01/02/04
