Honey pots are used as additional levels of security, decoys which simulate networked computer systems designed to attract a hacker’s attention so they perform a malicious attack, honeypots can be either virtual or physical machines. Forensic information which is gathered from the compromised machine/s is often required to aid in the prosecution of intruders. It also gains an insight into the mind of an intruder, logs and other records on the machine which explain how the intruders probes and, if they were successful in entering the system, how they gained access. This information is very valuable and can be used as a learning tool for network administrators when designing creating or updating the computer system as are able to better protect the real neighbouring network systems because they are aware of exactly how common attacks occur. This report will discuss how honeypots are used and the types of malicious attacks that they can prevent. Honeypots place virtual machines at the unallocated addresses of a network from a single machine. The unallocated addresses appear as machines which have been placed on internet protocol (IP) addresses. Honeypots have the ability to place any operating system an IP address. Honeypots simulate the network stack behaviour (how the packets are encapsulated) of a given operating system, through the personality engine. Changes in the protocol headers of every outgoing packet match the characteristics of the operating system. This makes the machines appear genuine and is therefore desirable to attackers. because the network appears genuine the network could potentially confuse and be deterred by the virtual honeypots, as it could appear to large and to complex, furthermore any traffic on a honeypot machine gives early warning of attacks on other physical machines.
Honeypots also have the ability to redirect traffic or connections. This gives powerful control over the network and also makes the virtual network appear genuine. Redirection allows a request for a service on a virtual honeypot to be forwarded onto a service running on a real server. For example connections can be reflected back, this gives the potentially means a hacker could attack there own machine.
Honeypots are excellent tools when attempting to intercept traffic from computer users that randomly scan the network. Because of this honeypots are excellent at detecting malicious internet worms that use random scanning for new targets examples of these include Blaster, Code Red and Slammer. Once a worm has been found counter measures can be carried out against infected machines. Once the honeypot recognises a worm, virtual gateways block the worm from entering any further into the network.
Through the use of honeypots spam sending methods can be learnt and therefore spam can be reduced. Spammers use open mail relay and proxy servers to send spam to disguise the sender of the spam message. Honeypots can be used to understand how spammers operate and to automate the identification of incoming spam which can then be submitted to shared spam filters.
Honeypots are decoy servers that can be setup inside or outside of the demilitarised zone (DMZ) of a network firewall. If the honeypot computer is infected with a virus or Trojan, damaged can be created on other machines in the network and the virus could spread onto the ‘real’ system. As discussed, honeypots can help analyse current spamming methods. Honeypots also have the potential to add to the amount of spam email sent. Machines could become zombie machines or botnets which send out spam email automatically without user’s knowledge. Due to these issues it is important that honeypots are setup inside of the firewall for control purposes or are closely monitored. Otherwise the negatives may outweigh the positives.
Honeypots can be used as a tool when creating new methods of securing systems from malicious attacks. For example the program called BackTracker enables system administrators to analysis intrusions on their system. Honeypots were used to test how effective BackTracker was at analysis. The aid of effective and accurate testing is essential in creating any new system. Through the use of honeypots, programs such as BackTracker can be tested in a simulated scenario and then improved to ensure the system can efficiently and effectively work in the appropriate manner.
Watson, D. (2007, Jan) Honeynets: a tool for counterintelligence in online security
Network Security. Kidlington: (2007)1; 4
Nikolaidis, Ioanis (2003, June). Honeypots, Tracking Hackers. IEEE network (0890-8044), 17 (4); 5
King (2005). Backtracking intrusions. ACM transactions on computer systems (0734-2071), 23 (1); 51.