Honeypot (computing)

Honeypot (computing)

In computer terminology, a honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally it consists of a computer, data, or a network site that appears to be part of a network but which is actually isolated, (un)protected, and monitored, and which seems to contain information or a resource that would be of value to attackers.


A honeypot is valuable as a surveillance and early-warning tool. While it is often a computer, a honeypot can take on other forms, such as files or data records, or even unused IP address space. A honeypot that masquerades as an open proxy in order to monitor and record the activities of those using the system is called a sugarcane. Honeypots should have no production value and hence should not see any legitimate traffic or activity. Whatever they capture can then be surmised as malicious or unauthorized. One very practical implication of this is that honeypots designed to thwart spam by masquerading as systems of the types abused by spammers to send spam can categorize the material they trap 100% accurately: it is all illicit.

Honeypots can carry risks to a network, and must be handled with care. If they are not properly walled off, an attacker can use them to break into a system.

"Victim hosts" are an active network counter-intrusion tool. These computers run special software, designed to appear to an intruder as being important and worth looking into. In reality, these programs are dummies, and their patterns are constructed specifically to foster interest in attackers. The software installed on, and run by, victim hosts is dual purpose. First, these dummy programs keep a network intruder occupied looking for valuable information where none exists, effectively convincing him or her to isolate themselves in what is truly an unimportant part of the network. This decoy strategy is designed to keep an intruder from getting bored and heading into truly security-critical systems. The second part of the victim host strategy is intelligence gathering. Once an intruder has broken into the victim host, the machine or a network administrator can examine the intrusion methods used by the intruder. This intelligence can be used to build specific countermeasures to intrusion techniques, making truly important systems on the network less vulnerable to intrusion.


Honeypots can be classified based on their deployment and based on their level of involvement.Based on the deployment, honeypots may be classified as
#Production Honeypots
#Research Honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations; Production honeypots are placed inside the production network with other production servers by organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots which are easier to deploy. They give less information about the attacks or attackers than research honeypots do. The purpose of a production honeypot is to help mitigate risk in an organization. The honeypot adds value to the security measures of an organization.

Research honeypots are run by a volunteer, non-profit research organization or an educational institution to gather information about the motives and tactics of the Blackhat community targeting different networks. These honeypots do not add direct value to a specific organization. Instead they are used to research the threats organizations face, and to learn how to better protect against those threats. This information is then used to protect against those threats. Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.

Some variations of honeypots include the following:

honeyd (low-interaction)

honeyd is a GPL licensed agent able to simulate big network structures on a single host. With one single instance of the agent, many different hosts running different services can be simulated.Niels Provos. [http://www.citi.umich.edu/u/provos/papers/honeyd.pdf A Virtual Honeypot Framework] . In Proceedings of the 13th USENIX Security Symposium, August 2004.] Services are customizable with userland scripts. Honeyd works by emulating computers on the unused IP address of a network. It provides simple functionality by allowing scripts to simulate arbitrary services. This gives an attacker a facade to attack, but usually does not allow full system compromise.

Fake AP

Fake AP is another program to create a honeypot. [ [http://www.blackalchemy.to/project/fakeap/ Black Alchemy Fake AP] ]

KF Sensor

KF Sensor is a commercial program for creating fake AP's.

mwcollect, nepenthes, honeytrap

mwcollect and nepenthes are both released under the GPL license and can be used to collect autonomously spreading malware. Automated attacks are not only logged, the daemons extract information how to obtain the malware binaries from the exploit payload using known patterns and then actively download a sample. However, the whole exploitation process is simulated in a virtualized environment, so the honeypot can never be really infected with the Malware.

honeytrap, also released under the GPL, dynamically creates port listeners based on TCP connection attempts extracted from a network interface stream. This approach allows handling of some unknown attacks. Similar to nepenthes, malware downloads are performed by the software automatically. Incoming attacks can be mirrored back to the initiator.

Honeynet (high-interaction)

The Honeynet is a network of real systems. This network is reachable via the Honeywall gateway, a stealth inline network bridge that closely monitors and controls the network data flow to and from the honeypots in the network. Data capture includes network traffic captured on the honeywall gateway, system event data captured in logs, and keylog data gathered by a stealth keylogger on the honeypot systems.

Distributed systems

From the types of honeypots mentioned above, the information provided by high-interaction honeypots has the highest fidelity. However, deploying a honeynet is not trivial. Deployment must be done in a closely monitored environment. As a result, honeynets remain concentrated in specific spots of the Internet and are susceptible to blacklistingby the attack tools. Another side effect of the honeynets being deployed as dispersed clusters is that the data gathered by different honeynets cannot be easily correlated.

Distributed honeypot systems aim to counter the above inefficiencies. The most common approach is deploying a cluster of high-interaction honeypots in a central location and dispersing lightweight traffic redirectors to sites across the Internet. With this technique, originally proposed by the Collapsar [http://www.cs.purdue.edu/homes/jiangx/collapsar/] project, the deployment costs are keptlow, while blacklisting is made more difficult and the correlation of gathered data easier. The same technique is also employed by the Honey@HomeHoney@Home [http://www.honeyathome.org website] ] tool which was developed in the context of the [http://www.fp6-noah.org/ NoAH project] . Honey@Home aims to capitalize on the rapid increase of residential broadband subscribers and create a community-based network of distributed honeypot sensors.

pam versions

Spammers are known to abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs which masquerade as these abusable resources in order to discover the activities of spammers. There are several capabilities such honeypots provide to these administrators and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to the abuse from those who rely on very high volume abuse (e.g. spammers).

The capabilities of value to the honeypot operator include determination of the apparent source (that is, IP address) of the abuse and bulk capture of spam (which makes possible determination of URLs and response mechanisms used by the spammers.) For open relay honeypots it is possible to determine the e-mail addresses ("dropboxes") spammers use as targets for their test messages, which are the tool they use to detect open relays. It is then simple to deceive the spammer: transmit any illicit relay e-mail received addressed to that dropbox e-mail address. That would indicate to the spammer that the honeypot was a real abusable open relay and he would often respond by sending large quantities of relay spam to that honeypot, where it is stopped. This was a capability of greatest value to the (unknown and unpredictable) intended recipients of the spam. The apparent source may be another abused system: spammers and other abusers may use a chain of abused systems in order to make detection of the original starting point of the abuse traffic difficult. This in itself is indicative of the power of honeypots as anti-spam tools: in the early days of anti-spam honeypot usage spammers showed little concern for hiding their location and would test for vulnerabilities and send spam directly from their own systems. It was easy, it was safe. Honeypots made the abuse less easy, less safe.

Open relays are still used by spammers but the volume of spam sent through such open relays appears to be much smaller than it was in 2001 to 2002. While most spam originates from within US [http://www.net-security.org/secworld.php?id=4085 Spams by country] , spammers do hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages. (However, open relay spam has declined significantly.Fact|date=October 2008)

Open relay honeypots include Jackpot, [http://jackpot.uk.net/] written in Java, smtpot.py, [http://llama.whoi.edu/smtpot.py] written in Python, and spamhole (honeypot), [ [http://sourceforge.net/projects/spamhole/ SourceForge.net: spamhole - The Fake Open SMTP Relay ] ] written in C. The Bubblegum Proxypot [http://www.proxypot.org/] is an open proxy honeypot (or proxypot).

E-mail trap

An e-mail address that is not used for any other purpose than to receive spam can also be considered a spam honeypot. A better term might be spamtrap, with the term "honeypot" reserved for systems and techniques used to detect or counter attacks and probes. Spam arrives at its destination "legitimately"—exactly as non-spam e-mail would arrive.

An amalgam of these techniques is Project Honey Pot. The distributed, open-source Project uses honeypot pages installed on websites around the world. These honeypot pages hand out uniquely tagged spamtrap e-mail addresses. E-mail address harvesting and Spammers can then be tracked as they gather and subsequently send to these spamtrap e-mail addresses.


Just as honeypots are a weapon against spammers, honeypot detection systems are a spammer-employed counter-weapon. As detection systems would likely use unique characteristics of specific honeypots to identify them; a plethora of honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There's also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot.Fred Cohen. [http://all.net/dtk/index.html Deception ToolKit] . Viewed April 8th, 2006.] Cohen believes that this might deter adversaries.


Two or more honeypots on a network form a "honeynet". Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion-detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools. [Weaver, Nicholas C.: Wormholes and a Honeyfarm: Automatically Detecting Novel Worms.]

See also

* Network telescope
* Honeytoken
* HoneyMonkey
* Client honeypot

References & notes

External links

* [http://www.webappsec.org/projects/honeypots/ Distributed Open Proxy Honeypots Project: WASC]
* [http://www.honeynet.org/ The Honeynet Project]
* [http://www.newsforge.com/article.pl?sid=04/09/24/1734245 Know Your Enemy: Everything you need to know about honeypots]
* [http://www.sans.org/resources/idfaq/honeypot3.php SANS Institute: What is a Honey Pot?]
* [http://www.mwcollect.org/ mwcollect Project]
* [http://www.nepenthes.it/ nepenthes Project]
* [http://honeytrap.sf.net/ honeytrap Project]
* [http://www.honeyd.org/ Developments of the Honeyd Virtual Honeypot]
* [http://www.honeyclient.org/ Open source client honeypot]
* [http://honeyc.sf.net/ Open source low interaction client honeypot]
* [http://honeynet.ca/ Canadian Honeynet Project | Canadian Honeypot Security Research]
* [http://www.michaelanuzis.com/research/manuzis-7-5-2002-1.html Incident Analysis of OpenBSD Honeypot]
* [http://www.fp6-noah.org/ European Network of Affined Honeypots]
* [http://www.honeynet.org.mx/ Mexican Honeynet Project]
* [http://www.shadowserver.org/wiki/pmwiki.php?n=Information.Honeypots Honeypots Information (Shadowserver Foundation)]

;Products and services
* [http://microsolved.com/?page_id=69 HoneyPoint]

Wikimedia Foundation. 2010.

Игры ⚽ Поможем решить контрольную работу

Look at other dictionaries:

  • Honeypot — or honeytrap may refer to: A pot used to store honey Espionage recruitment involving sexual seduction in reality fiction A type of sting operation such as a Bait car Honeypot (computing), a trap to help fight unauthorized computer access Honeypot …   Wikipedia

  • Honeypot (информационная безопасность) — Honeypot («Ловушка») (англ. горшочек с мёдом)  ресурс, представляющий собой приманку для злоумышленников. Задача Honeypot  подвергнуться атаке или несанкционированному исследованию, что впоследствии позволит изучить стратегию… …   Википедия

  • Client honeypot — Honeypots are security devices whose value lie in being probed and compromised. Traditional honeypots are servers (or devices that expose server services) that wait passively to be attacked. Client Honeypots are active security devices in search… …   Wikipedia

  • Defensive computing — is a form of practice for computer users to help reduce the risk of computing problems, by avoiding dangerous computing practices. The primary goal of this method of computing is to be able to anticipate and prepare for potentially problematic… …   Wikipedia

  • Trojan horse (computing) — Beast, a Windows based backdoor Trojan horse A Trojan horse, or Trojan, is software that appears to perform a desirable function for the user prior to run or install, but (perhaps in addition to the expected function) steals information or harms… …   Wikipedia

  • Firewall (computing) — This article is about the network security device. For other uses, see Firewall. An illustration of where a firewall would be located in a network …   Wikipedia

  • Сетевая система обнаружения вторжений — (англ. network intrusion detection system, NIDS)  система обнаружения вторжений, которая отслеживает такие виды вредоносной деятельности, как DoS атаки, сканирование портов или даже попытки проникновения в сеть. Сетевая СОВ… …   Википедия

  • Anti-spam techniques — To prevent e mail spam (aka unsolicited bulk email), both end users and administrators of e mail systems use various anti spam techniques. Some of these techniques have been embedded in products, services and software to ease the burden on users… …   Wikipedia

  • Wardriving — is the act of searching for Wi Fi wireless networks by a person in a moving vehicle, using a portable computer or PDA.Software for wardriving is freely available on the Internet, notably NetStumbler for Windows, Kismet or SWScanner for Linux,… …   Wikipedia

  • Fictitious entry — Fictitious entries, also known as fake entries, Mountweazels, ghost word[1] and nihil articles, are deliberately incorrect entries or articles in reference works such as dictionaries, encyclopedias, maps, and directories. Entries in reference… …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”