Anti-Honeypot Technology
By Ryan Resella
Anti-honeypot technology
- What is a Honeypot?
  - Different types
  - Legal issues
- What is Anti-honeypot technology?
  - How it affects honeypots
  - Tools used
What is a Honeypot?
- “A honey pot is a computer system on the Internet that is expressly set up to attract and "trap" people who attempt to penetrate other people's computer systems” (whatis.com)
More Honeypot Definitions…
- “A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource.” (Lance Spitzner)
- Honeypots are a highly flexible security tool with many different security applications.
- They have multiple uses, such as prevention, detection, or information gathering.
Honeypots…
- All honeypots share the same concept: a security resource that should not have any production or authorized activity.
- Theoretically, a honeypot should see no traffic because it has no legitimate activity.
- This means any interaction with a honeypot is most likely unauthorized or malicious activity.
Honeypot Purposes
- Distract hackers from more valuable systems on the network
- Can provide early warning about new attack and exploitation trends
- Allow in-depth examination of adversaries during and after exploitation
- Serve as an Intrusion Detection System
Types of Honeypots
- There are many different kinds of honeypots, but they can generally be broken down into two types:
  - Low-interaction honeypots
  - High-interaction honeypots
Low-interaction honeypots
- They offer only limited interaction.
- They normally work by emulating services and operating systems (e.g. FTP, telnet, SMTP, UNIX, Linux)
- Attacker activity is limited to the level of emulation provided by the honeypot
- Examples of low-interaction honeypots: Specter, Honeyd and KFSensor
High-interaction honeypots
- Usually complex solutions that use real operating systems and applications
- No emulation is used; the attacker sees a real system
- Example: a real FTP server on a Linux system with full interaction
- Available tools: Symantec Decoy Server and Honeynets
Advantages of Low-interaction honeypots
- Simplicity
- Easier to maintain and deploy
- Minimal risk, as the emulated services control what attackers can and cannot do
Disadvantages of Low-interaction honeypots
- Can only log limited information
- Designed to capture known activity
- Emulated services can only do so much
- Becoming easier for skilled attackers to identify
Advantages of High-interaction honeypots
- Can capture far more information, including new tools, communications, or attacker keystrokes
- Reveal attacker behavior, including unexpected behaviors
- Can do everything a low-interaction honeypot can do and more
Disadvantages of High-interaction honeypots
- Complex and difficult to maintain
- An attacker can use the compromised system to attack other, non-honeypot systems
- Requires more resources
Legal Issues of Honeypots
- Liability: You can potentially be held liable if your honeypot is used to attack or harm other systems or organizations. This risk is greatest with high-interaction honeypots.
- Privacy: Honeypots can capture extensive amounts of information about attackers, such as IRC chats or emails. This could violate the privacy of the attacker, or more likely of the people he is communicating with. Once again, this risk is primarily with high-interaction honeypots.
- Entrapment: Entrapment is a legal defense used to avoid a conviction; you cannot be charged with entrapment. Most legal experts believe that entrapment is not an issue for honeypots.
Wireless Honeypot Experiment
- Purpose: to see how many unauthorized users attempt to access the wireless access point
- Gather any information about the user
- Use a low-interaction honeypot
- Ran the experiment for one week
Honeypot Experiment
Wireless Honeypot
- Used a wireless access point at work
- The wireless access point had no encryption enabled, was a Netgear wireless router with a DSL connection, and was easily accessible from the street.
- The potential attacker could only access the internet and not connect to the LAN.
- Logged all DHCP leases given by the server to clients
DHCP Log
[Slide showed the DHCP server log; image not reproduced]
Results
- The server assigns IP addresses using the DHCP protocol.
- The DHCP server log recorded all DHCP activity over a one week period.
- Over the one week period no unauthorized DHCP connections were logged.
- Conclusion: no unauthorized attempt to access the wireless access point was logged
Anti Honeypot Technology
What is Anti-honeypot technology?
- Tools that are used to identify honeypots
- For example, “Honeypot Hunter”
Effects on honeypots
- If a honeypot is detected, users can attempt to bypass detection
- A honeypot can be attacked once it is detected
- The honeypot could be used to attack other systems
More effects on honeypots
- Prevents honeypots from collecting valuable information
- The honeypot itself loses its effectiveness as a covert system once compromised
- Gives attackers more characteristics by which to identify honeypots
Characteristics of identifying honeypots
- Finding honeypots is a difficult process
- Attackers look for differences between a real system and a honeypot's representation of a system
- Honeypot systems typically limit outgoing bandwidth and the number of outgoing connections
- They alter outbound packets to prevent attacks
Connection Limiting
- The honeypot counts the outbound connections within a period of time.
- Once the threshold is reached, new outbound connections are denied
- One of the easiest characteristics to detect
- Simply open up 10-20 websites and see if the connection is blocked
Outbound packet alteration
- Modifies packets that are believed to be of an exploitive nature
- The honeypot computes a hash of portions of the packet
- It returns a response based on the hash
- The attacker expects to receive a known response but instead receives a modified response from the honeypot
Send-Safe Proxy Scanner
- Send-Safe’s proxy scanner searches for multiple open proxy servers for obscuring a spammer's identity.
Honey Pot Hunter
- “Send-Safe Honeypot Hunter is a tool designed for checking lists of HTTPS and SOCKS proxies for so called “honeypots”. “Honeypots” are fake proxies run by the people who are attempting to frame bulkers by using those fake proxies for logging traffic through and then send complaints to one’s ISPs”
Honeypot Hunter
- The first commercially available honeypot detection tool
- Honeypot Hunter tests open proxy connectivity
- It classifies each proxy as:
  - Safe (good)
  - Bad (failed)
  - Trap (honeypot)
How Honeypot Hunter works
- Opens a false mail server on the local system using port 25 to test the proxy connection
- Honeypot Hunter attempts to proxy back to its own false mail server
- This approach identifies most invalid proxies and honeypots.
Other tools
- Various noncommercial code is used to identify honeypots
- Sebek.c, sebek-find.c, unsebek.c, vmware_detect.s
- These tools exploit vulnerabilities in popular honeypot systems like Sebek, Honeyd and VMware
Honeypot timeline
1. Honeypot
2. Honeypot Detection Tools
3. Anti Honeypot Detection tools
4. Anti Anti Honeypot Detection tools
- Will the cycle ever end?
Conclusions
- Honeypots are a great way to observe, identify and capture potential attackers.
- Honeypot technology is only effective while it remains unknown to the attacker
- Honeypot administrators must make every effort to avoid being detected (e.g. changing default error messages)
Conclusions….
- Essentially, honeypot technologies must remain secret in order to be effective in the field.
- Honeypot program writers must continually update and change their programs to avoid being identified by attackers.
References
- Definition of a honeypot (whatis.com)
- “Definitions and Values of Honeypots” by Lance Spitzner
- “Honeypots, Honeynets”
- “Honeypots: Are They Illegal?” by Lance Spitzner
- “Local Honeypot Identification” by Joseph Corey
- “Anti-Honeypot Technology” by Neal Krawetz
- Send-Safe – Proxy Hunter and Honeypot Hunter – www.send-safe.com