An overview of several honeypots and their respective applications, their level of involvement, and demonstrated value to date are provided in Table 1 below.
Table 1. Types of honeypots by level of involvement.
BackOfficer Friendly (BOF)
BOF (as it is commonly called) is a very simple but highly useful honeypot developed by Marcus Ranum et al. at NFR. It is an excellent example of a low involvement honeypot. BOF is a program that runs on most Windows-based operating systems. All it can do is emulate some basic services, such as HTTP, FTP, Telnet, mail, or Back Orifice. Whenever someone attempts to connect to one of these ports, BOF is listening and will then log the attempt. BOF also has the option of "faking replies," which gives the attacker something to connect to.
Specter
Specter is a commercial product and what I would call another 'low involvement' production honeypot. It is similar to BOF in that it emulates services, but it can emulate a far greater range of services and functionality. In addition, not only can it emulate services, but emulate a variety of operating systems. Similar to BOF, it is easy to implement and is low risk. Specter works by installing on a Windows system. The risk is reduced, as there is no real operating system for the attacker to interact with. For example, Specter can emulate a Web server or Telnet server of the operating system of your choice. When an attacker connects, he or she is then prompted with an HTTP header or log-in banner. The attacker can then attempt to gather Web pages or log in to the system. This activity is captured and recorded by Specter; however, there is little else the attacker can do. There is no real application for the attacker to interact with, instead just some limited, emulated functionality. Specter's value lies in detection. It can quickly and easily determine who is looking for what. As a honeypot, it reduces both false positives and false negatives, simplifying the detection process. Specter also supports a variety of alerting and logging mechanisms.
Homemade Honeypots
These honeypots tend to be low involvement, as their purpose is usually to capture specific activity, such as worms or scanning activity. These can be used as production or research honeypots, depending on their purpose. Once again, there is not much for the attacker to interact with; however, the risk is reduced because the attacker can inflict less damage. One common example of a homemade honeypot is to create a service that listens on port 80 (HTTP), capturing all traffic to and from the port. This is commonly done to capture worm attacks. One such implementation would be using netcat, as follows:
netcat -l -p 80 > c:\honeypot\worm
In the above command, a worm could connect to netcat listening on port 80. The attacking worm would make a successful TCP connection and potentially transfer its payload. This payload would then be saved locally on the honeypot, where it can be further analyzed by the administrator, who can assess the threat of the worm. Organizations such as SANS and SecurityFocus.com have had success using homemade honeypots to capture and analyze worms and automated activity.
Deception Toolkit (DTK)
This is one of the original honeypots and was created by Fred Cohen. Spitzner characterizes the DTK as a low-to-mid involvement honeypot. It can do more than Specter and give us more information, but takes more work to install and has additional risk; however, this is still not a high involvement honeypot, as there is no true OS for the attacker to interact with. DTK is a collection of Perl scripts designed for Unix systems that emulate a variety of known vulnerabilities. The big advantage of DTK is that the toolkit is free and the user has the source. The disadvantage is that these scripts can potentially be exploited to give an attacker access to the system.
Mantrap
Produced by Recourse, Mantrap is a commercial honeypot. Instead of emulating services, Mantrap creates up to four sub-systems, often called "jails." These jails are logically separated operating systems that are separated from a master operating system. Security administrators can modify these jails just as they normally would any operating system, to include installing applications of their choice, such as an Oracle database or Apache Web server. This makes the honeypot far more flexible, as the attacker has a full operating system to interact with, and a variety of applications to attack. All of this activity is then captured and recorded. Not only can we detect port scans and telnet logins, we can also capture rootkits, application level attacks, IRC chat sessions, and a variety of other threats.
Source: Spitzner at p. 2.
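The low involvement entries in Table 1 (BOF's "faking replies" and the netcat listener that saves a worm's payload to disk) can be combined into one small listener. The following is an added example written for this page; it is not code from Spitzner, NFR or any of the products in the table. The banner strings, the 64 KiB capture cap, the "possible-shellcode" heuristic and the Code Red style probe used by run_demo() are constructed for the illustration.

```python
import socket
import tempfile
import threading
from datetime import datetime, timezone
from pathlib import Path

# Canned replies, one per emulated service, in the spirit of BOF's "faking
# replies" option. The banner text is made up for this example.
FAKE_BANNERS = {
    "http": b"HTTP/1.0 200 OK\r\nServer: Apache/1.3.26 (Win32)\r\nContent-Length: 0\r\n\r\n",
    "ftp": b"220 ftp.example.com FTP server ready.\r\n",
    "telnet": b"\r\nlogin: ",
}
MAX_CAPTURE = 64 * 1024   # per-connection cap so a flood cannot fill the disk


def classify(payload: bytes) -> str:
    """Crude tag so the operator can triage log lines at a glance."""
    if not payload:
        return "connect-only"
    if b"\x90" * 8 in payload:              # NOP sled: typical of a worm payload
        return "possible-shellcode"
    if payload[:5] in (b"GET /", b"POST ", b"HEAD "):
        return "http-request"
    return "unknown"


def capture(conn: socket.socket, service: str, store_dir: Path) -> dict:
    """Handle one accepted connection: send the fake banner, save whatever the
    client sends (up to MAX_CAPTURE bytes) and return a log record."""
    peer_ip, peer_port = conn.getpeername()[:2]
    stamp = datetime.now(timezone.utc)
    chunks, total = [], 0
    with conn:
        conn.settimeout(2.0)
        try:
            conn.sendall(FAKE_BANNERS.get(service, b""))
            while total < MAX_CAPTURE:
                data = conn.recv(4096)
                if not data:                    # client closed: capture complete
                    break
                chunks.append(data)
                total += len(data)
        except socket.timeout:
            pass                                # client went quiet: keep what we have
    payload = b"".join(chunks)[:MAX_CAPTURE]
    path = store_dir / f"{stamp:%Y%m%dT%H%M%SZ}_{peer_ip}_{peer_port}_{service}.bin"
    path.write_bytes(payload)
    record = {
        "time": stamp.isoformat(),
        "service": service,
        "src": f"{peer_ip}:{peer_port}",
        "bytes": len(payload),
        "kind": classify(payload),
        "file": str(path),
    }
    print(f"{record['time']} {record['src']} -> {service}: {record['kind']}, "
          f"{record['bytes']} bytes saved to {path.name}")
    return record


def run_demo(service: str = "http",
             probe: bytes = b"GET /default.ida?NNNNNNNNNNNNNNNN HTTP/1.0\r\n\r\n") -> dict:
    """Stand-alone demonstration on loopback: listen on an ephemeral port, connect
    to it with a constructed probe (the default resembles the request line sent
    by the Code Red IIS worm) and return the log record plus the banner the
    'attacker' received."""
    store_dir = Path(tempfile.mkdtemp(prefix="honeypot_"))
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}

    def serve_one():
        conn, _ = srv.accept()
        result.update(capture(conn, service, store_dir))

    worker = threading.Thread(target=serve_one)
    worker.start()
    with socket.create_connection(("127.0.0.1", port)) as cli:
        banner = cli.recv(1024) if service in FAKE_BANNERS else b""   # fake reply comes first
        cli.sendall(probe)
    worker.join()
    srv.close()
    result["banner_seen"] = banner
    return result


if __name__ == "__main__":
    print(run_demo())
```

A production listener would bind the real port (80 needs privileges and a host with no legitimate Web server) and loop over accept() calling capture() for every connection; the captured files are what the administrator later analyses, exactly as with the netcat redirect above. Note that, like BOF, this gives the attacker nothing to exploit beyond the banner, which is what keeps the risk low.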
One constraint on using a virtual honeypot is the complexity of the software required to implement and support it. Andress advises that software-emulation honeypots pose a fundamental challenge for many smaller enterprises, which may lack the in-house expertise needed to operate them effectively, and singles out the above-described Mantrap as especially useful for that reason: "Creating a virtual system that can fool an attacker is beyond the skills of most enterprise security administrators. Mantrap, from Recourse Technologies (now part of Symantec), provides all the software necessary to build your own device. It runs on real hardware, looks real to attackers, and is subsequently very attractive to them" (p. 477). On a final note, Andress cautions companies against treating a honeypot as a substitute for protecting their legitimate corporate services: "As fun as it sounds to watch the attackers, you should consider using honeypots only after you have all the basic security measures implemented. A honeypot does not provide any advantages if hackers are attacking your Web server at the same time. Even if you install honeypots, hackers can still attack a real server instead of this fake one, so relying on the honeypot bait too much might be just asking for trouble" (emphasis added) (Andress, p. 477).
Based on his empirical observations and review of the Honeynet Project (http://project.honeynet.org) over the course of a year, Andress confirmed an increase in attacks as well as the use of honeynets as countermeasures in response. The Honeynet Project employs so-called "honeynets," networks composed of fully operational production systems, to monitor, analyze, and better understand emerging threats on the Internet. Traditionally, honeypots have been deployed as single systems designed to lure attackers away from valuable production systems and toward an obviously vulnerable target. Andress explains the logic of that lure and then contrasts it with the honeynet approach: "Why spend hours on one system when you can basically walk through the front door of the next? Honeynets take a different approach. They are not designed to lure attackers from production systems. Honeynets themselves are production networks designed for research to help security experts better understand the Black Hat community" (Andress, p. 477).
Indeed, learning more about the unseen enemy is a common theme that runs throughout the recent literature concerning computer security and better ways to protect computer systems. In this regard, Krasser, Grizzard, Owen and Levine (2005) report, "An important element of security is understanding the attackers. To learn more about their techniques, tactics, intentions, and motivations, researchers have deployed honeynets. The basic idea is to give attackers vulnerable systems to attack. These systems are monitored closely, and the behavior of the attackers is studied" (p. 3).
One of the more valuable aspects of honeynets is their flexibility: they can be built in whatever configuration best supports analysis and makes the systems presented to the attacker convincing. For instance, Krasser and his associates emphasize that, "Any type of system can be placed within the honeynet. Standard production systems can be used on the honeynet, in order to give the hacker the look and feel of a real system. Moreover, virtual systems can be used to emulate or simulate a number of computer systems inside one physical system, e.g. utilizing software like VMware or honeyd" (p. 3). A typical honeynet configuration is illustrated in Figure 1 below.
Figure 1. Typical honeynet configuration.
Source: Krasser et al. at p. 5.
According to Krasser and his colleagues, "As the most important part, a computer, known as the honeywall, is placed in front of the vulnerable honeypots and is used to limit outgoing attack traffic from the honeypots. The honeywall acts as a gateway to the Internet for the honeypots and has the ability to limit malicious traffic" (pp. 5-6). While these techniques continue to be refined in response to current trends in computer attacks, their application to date has provided a significant return on the investment of IT resources, in terms of learning which types of attacks are typically employed and which security measures are needed to foil them.
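The honeywall's job of limiting outgoing attack traffic is easy to misjudge: it must let every inbound attack through and let the honeypot answer, yet stop a compromised honeypot from opening more than a small number of connections of its own. The following is an added example written for this page, not code from Krasser et al. or from the Honeynet Project's honeywall. It simulates a per-honeypot, per-protocol hourly cap over constructed connection-log lines and emits the equivalent iptables FORWARD rules; the subnet 192.0.2.0/24, the interface names, the limits (15 TCP, 20 UDP, 50 ICMP per hour) and the log format are all assumptions made for the illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)


class OutboundLimiter:
    """Sliding-window cap on NEW outbound connections, kept per honeypot and
    per protocol. Inbound traffic and replies to connections the attacker
    opened are never limited: the point is to let attacks in while stopping
    a compromised honeypot from being used against third parties."""

    def __init__(self, limits):
        self.limits = limits                        # e.g. {"tcp": 15, "udp": 20, "icmp": 50}
        self.history = defaultdict(deque)           # (src, proto) -> timestamps inside window
        self.dropped = defaultdict(int)

    def decide(self, when, src, proto):
        key = (src, proto)
        recent = self.history[key]
        while recent and when - recent[0] >= WINDOW:   # expire events outside the window
            recent.popleft()
        if len(recent) >= self.limits.get(proto, 0):
            self.dropped[key] += 1
            return "DROP"
        recent.append(when)
        return "ACCEPT"


def replay(lines, limits):
    """Run outbound-connection log lines through the limiter; return the
    per-line verdicts and a count of drops per (honeypot, protocol).
    Line format, constructed for this example:
        <ISO 8601 time> <honeypot ip> <proto> <destination ip:port>"""
    limiter = OutboundLimiter(limits)
    verdicts = []
    for line in lines:
        ts, src, proto, dst = line.split()
        when = datetime.fromisoformat(ts)
        verdicts.append((src, proto, dst, limiter.decide(when, src, proto)))
    return verdicts, dict(limiter.dropped)


def sample_log():
    """Constructed log: honeypot 192.0.2.10 opens 16 TCP connections to port 445
    within eight minutes (a worm scanning out of the compromised honeypot),
    192.0.2.11 opens one, and .10 tries once more an hour later."""
    base = datetime(2005, 3, 1, 10, 0, tzinfo=timezone.utc)
    lines = [f"{(base + timedelta(seconds=30 * i)).isoformat()} 192.0.2.10 tcp 198.51.100.{i + 1}:445"
             for i in range(16)]
    lines.append(f"{(base + timedelta(minutes=9)).isoformat()} 192.0.2.11 tcp 203.0.113.5:25")
    lines.append(f"{(base + timedelta(minutes=61)).isoformat()} 192.0.2.10 tcp 198.51.100.99:445")
    return lines


def iptables_rules(net, limits, in_if="eth1", out_if="eth0"):
    """The same policy as FORWARD-chain rules for a routing honeywall (a bridging
    honeywall additionally needs net.bridge.bridge-nf-call-iptables=1).
    hashlimit is a token bucket rather than a strict sliding window, so the
    two agree on the steady-state rate but not on every individual packet."""
    pre = f"iptables -A FORWARD -i {in_if} -o {out_if} -s {net}"
    rules = [
        f"iptables -A FORWARD -i {out_if} -o {in_if} -d {net} -j ACCEPT",   # attacks come in freely
        f"{pre} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",      # replies go out freely
    ]
    for proto, n in limits.items():
        new = f"-p {proto}" + (" --syn" if proto == "tcp" else "") + " -m conntrack --ctstate NEW"
        rules += [
            f"{pre} {new} -m hashlimit --hashlimit-upto {n}/hour --hashlimit-burst {n} "
            f"--hashlimit-mode srcip --hashlimit-name hp_{proto} -j ACCEPT",
            f'{pre} {new} -j LOG --log-prefix "HONEYWALL-{proto.upper()}-LIMIT "',
            f"{pre} {new} -j DROP",
        ]
    return rules


if __name__ == "__main__":
    limits = {"tcp": 15, "udp": 20, "icmp": 50}
    for src, proto, dst, verdict in replay(sample_log(), limits)[0]:
        print(f"{src} {proto} -> {dst}: {verdict}")
    print("\n".join(iptables_rules("192.0.2.0/24", limits)))
```

Running the sample shows the sixteenth connection from 192.0.2.10 being dropped and logged while the other honeypot is unaffected, which is the behaviour a honeywall needs: the attacker keeps a working shell on the honeypot (so the research value is preserved), but the scan or attack launched from it is throttled. The LOG rule before the DROP matters operationally, since a burst of HONEYWALL-*-LIMIT messages is itself the alert that a honeypot has been compromised.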