What is a honeypot?

Just as bears are always on the lookout for sweet treats like honey, so too do hackers find themselves drooling over the thought of an inadequately protected server. While a hacker and its mammalian cousin, the bear, may not appear to have much in common, both are often equated with the image of a honeypot. In the IT world, honeypots are security mechanisms that administrators use in order to bait hackers, making them run their attacks on predetermined decoy sites or servers, hopefully identifying the culprits in the process. Honeypots simulate network services or application programs in order to attract hackers and protect from system damage. Generally, both client-side and server-based technologies can be used to set up honeypots.

• Server-side honeypotting: the basic idea behind server-side honeypots is to isolate attackers in isolated areas of an IT system and, in the process, keep them away from critical network components. Furthermore, honeypots offer the possibility to track hackers’ actions. To this end, honeypots are able to simulate sever applications that host one or multiple services (e.g. a web server) within the targeted network. If the hacker is fooled by the distraction and attempts breaking into your system, the activity will draw attention to the honeypot and set off an alarm or counter measures. In the most ideal case, server honeypots deliver information as to how automated or manual attacks proceed, so that administrators receive data enabling them to defend their systems against future attacks.

• Client-side honeypotting: A client-side honeypot imitates application software that uses server services. A prime example of this technology is the simulation of a browser that seeks out and visits dubious websites in order to collect information on security risks. Should an attack on the browser or browser plugin result from this page, then the process is noted. An evaluation of the detected data helps improve the simulated software.

Research institutes, public authorities, and the military use so-called research honeypots in order to find out information regarding new attack patterns and then make this information publically available online for the benefit of the internet community. In companies, this type of security mechanism is used first and foremost to protect the company network. To this end, administrators install so-called production honeypots in network areas usually not addressed during normal operations, available to neither employees nor customers. The goal here is steer attackers into more harmless areas by attracting them to simulated security gaps. Every attack on these normally-inactive systems is then registered, monitored, and analyzed.

If multiple honeypots are combined in order to simulate an entire network, offering hackers a particularly attractive target, then this tactic refers to what is known as a ‘honeynet’.

There are generally two different possibilities at administrators’ disposal for setting up honeypots: honeypots are either realized as physical systems or implemented on the basis of realization software:

• Physical honeypot: physical honeypots involve independent computers that are connected to a network with their own addresses

• Virtual honeypot: a virtual honeypot is a logical system that is assigned the physical resources of a computer through virtualization software

In both cases, the honeypot is isolated, meaning that attackers cannot attack the productive system from the decoy system.

The goal of honeypots is to remain undetected. The longer an attacker can be deceived, the more information the system is able to accumulate on their strategy and methods. An important criterion used for classifying honeypots is assessing the extent of interactivity with the attacker. In this context, one differentiates between server-side and client-side ,as well as low-interaction and high-interaction honeypots.

• Low-interaction honeypots: honeypots with lower levels of interaction are based on imitations of real systems or applications. Here, services and functions are only simulated to the extent that an attack can be carried out on them

• High-interaction honeypots: honeypots with a high level of interactivity generally involve real systems that offer server services that must be well guarded and secured. If a high-interaction honeypot is not properly protected by the production system, then the system you are aiming to protect may be infiltrated. Another potentially hazardous possibility involves attacks being launched from the protected server onto other online servers.

The simplest version of server honeypots involves a single application that emulates (i.e. replicates) network services, including the connection set-up. Given that those attacking this type of honeypot are only able to interact with the simulated system in a limited way, the type of information that can be found out about the attackers through low-interaction honeypots is relatively limited. As such, hackers are generally able to expose these server honeypots relatively quickly. For this reason, this type of security mechanism is favored for the rooting-out of malware-based automated attacks. A known open-source solution with which low-interaction server honeypots can be set up is Honeyd.

• Honeyd: published under the GPL software, Honeyd allows administrators to create different virtual hosts in a computer network. This can be configured in such a way that allows different types of server types to be replicated, making it possible for an entire system, including the TCP/IP protocol stack, to be replicated. However, the software is still among the low-interaction honeypots, given that Honeyd doesn’t simulate all system parameters, meaning that hackers are able to quickly look through the system. The software appears to not have been developed since 2008.

Low-interaction client honeypots (also known as honeyclients) are programs that enable users to emulate different browser types. Users have the possibility to visit websites and record attacks to these simulated browsers. Known open-source honeyclients with limited interactivity include HoneyC, Monkey Spider and PhoneyC.

• HoneyC: the low-interacton Honeyclient HoneyC enables users to identify malicious servers found online. Instead of a fully-operational operating system and a corresponding client software, HoneyC uses an emulated client that inspects server responses for malicious content. The software’s fundamental structure is made up of three components: the visitor engine is responsible for the interaction with the server and emulates different web browsers through modules. The queue engine creates a list of servers that is processed by the visitor engine. An evaluation of the interaction with a web-server is carried out through the analysis engine, which checks whether the software’s safety rule was damaged after every visit.

• Monkey Spider: Monkey Spider is a web crawler that can be used as a low-interaction honeyclient. To this end, the software crawls the software websites and searches for malicious code that could pose a threat to the web browser.

• PhoneyC: Written in Python, PhoneyC is a honeyclient with which various web browsers can be imitated in order to inspect websites for malicious content. The software is able to process script languages like JavaScript or VB script, and supports de-obfuscation functions, which allow the malicious code to be unraveled. What’s more, PhoneyC supports many different methods for analyzing websites, e.g. the open source antivirus engine ClamAV.

Administrators looking to make use of serverside honeypots with lots of possibilities for interactions generally use a fully-functioning server set up as a decoy system. This can either be set-up on real hardware or in virtual environments. While low-interaction honeypots are first and foremost sued for identifying and analyzing automatic attacks, high-interaction honeypots aim to tackle manually-executed attacks.

Server-side honeypotting is especially promising when the goal is to bait hackers with an especially attractive target with a high degree of interactivity. However, this set-up is much more time consuming than simple software solutions, which merely imitate server functions. When a real server is used as a honeypot, there is always the danger that an attacker could use the infiltrated system as a starting point for further online attacks. This could result in further consequences, given that server operators are often liable for any of the activities carried out with their devices.

Special monitoring tools are needed in order to survey servers set up as honeypots. Such tools include the freely-available Sebek. A high-interaction honeypot environment can be realized with the software, Argos.

• Sebek: the data collection tool, Sebek, is used for highly-interactive honeypots to monitor hackers and collect data on security-related activities. Fundamentally, the software is composed of two different components: the client runs on the honeypot and collects all the hacker activities, such as entries, data uploads, and passwords, and transfers these to a protocol server that is able to run on an independent system.

• Argos: the high-interaction honeypot environment, Argos, is based on a modified QEMU hardware emulator. The software supports various guest operating systems that are executed in a virtual machine and represent the honeypot. In order to recognize and record attacks, Argus operates without additional monitoring software. Incoming data traffic that reaches the honeypot via the network card is automatically ‘tainted’ and monitored. The same applies to data that has been generated from tainted data. The additional computing effort required for emulating the operating system, and the data analysis, means that Argos is significantly slower than productive systems running on comparable hardware.

High-interaction client honeypots are software solutions that run on real operating systems and use standard web browsers in order to record attacks that originated from online servers. Common tools here include Capture-HPC and mapWOC.

• Capture HPC: the high-interaction honeyclient Capture-HPC uses a client server architecture. Here, a server determines which websites are to be visited and checks various clients. These then call up predetermined sites and send the result data back to the server. Possible clients include various web browsers, office applications, PDF readers, or media players.

• mapWOC: Also free of charge, mapWOC (short for massive automated passive Web Observation Center) loads websites with real browsers. These run on virtual machines whose data traffic with clients is permanently monitored. This is done in order to record and analyze attacks such as drive-by-downloads. mapWOC’s basic components use the host system Debian Squeeze, KVM for virtualization, and ClamAV for examining malware.

Honeypots are generally used to supplement other IT security components, like the intrusion detection system (IDS) and firewalls. One aspect that makes honeypots particularly valuable assets is their ability to collect highly-relevant data that can help administrators find out valuable information. Given that honeypots don’t actually take on any actual network functions, any activity taking place in this control system poses a potential threat. All data collected by honeypots is relevant to your system’s security. If, on the other hand, productive systems are monitored, then this type of data analysis requires an additional process step in which data relevant to the attack has to be filtered out of the system’s entire dataset.

One thing to take into consideration, however, is that not every honeypot is able to deliver valuable information. If the offered bait is too unattractive or difficult to find, then it could also be the case that no attacks happen. This means that any investments made into the security systems were a waste of money.

Honeypots can help reveal crucial data to companies, but they also present additional risks. Given that the decoy system seeks to actively bait hackers, there’s always the risk that a break-in into the honeypot might lead to further damage in the network. This risk can be reduced by maximizing the separation between honeypots and productive systems, and by permanently monitoring all activities within the bait systems. What’s more, it’s also important to take into account that a compromised system could lead to hackers using this in order to launch external attacks. In order to prevent honeypots from being used as starting points for attacks, it’s crucial to keep outbound connections to an absolute minimum.

If a high-interaction server honeypot is equipped with the same security systems as the productive system, then this can be used for implementing quality control measures. In this case, the collected data is able to deliver direct feedback on how effective the security system is. If an infiltration is registered in the honeypot, then it’s also important to check whether or not the productive system has been infiltrated. What’s more, both systems have to be adjusted in order to defend against future attacks of similar patterns.

In the past, prosecutors have used honeypotting to catch criminals on the lookout for illegal content. Additionally, it’s often discussed whether copyright owners are able to use honeypots in order to try and surpass the dissemination of copyright-protected content.

According to a report published by CNet, in 2006 the FBI reportedly placed a link in forums that eluded to leading to content containing child pornography. American citizens that then proceeded to visit these links were later visiting by the authorities.

Honeypots are also used to investigate illegal file sharing platforms. Given that some of these were taken offline and some were able to stay online, it was assumed that both copyright owners and persecutors were able to use them as honeypots. However, depending on which country you live in, this tactic may have no legal basis.