Managing a Honeypot
by Peter Mikhalenko
It's no secret that many intruders choose their victims by scanning large chunks of addresses and searching for services vulnerable to existing tools and exploits. This can be an effective approach, although there are still some problems for intruders. People employed in IT security must trace bug trackers and the appearance of new exploits. Even open source code cannot guarantee that the good guys will find vulnerabilities before the bad guys do.
However, the good guys have another tool--a honeypot. This is a system designed in such a way that an unsophisticated hacker will want to crack it immediately--like fake diamonds in a glass case in a jewelry shop. First, a quick story. A famous and rich man bought a super safe made of ferro-alloy. He boasted to everyone about his safe and claimed that nobody could crack it. After about a week of this, burglars came in the night and spent two hours cracking the safe with strong acid and explosives. When they opened the safe, they found nothing; the valuables were elsewhere and the burglars were caught.
What Is a Honeypot For?
A honeypot emulates a server with serious security holes. The intent is to attract network intruders so that they will spend their time on a useless job. Honeypots are closely-monitored network decoys that serve several purposes: they can distract adversaries from more valuable machines on a network, provide early warning about new attacks and exploitation trends, and allow in-depth examination of adversaries during and after exploitation.
There are two general types of honeypots: production and research. Production honeypots are easy to use, capture only limited information, and are in use primarily by businesses. Research honeypots are complex to maintain, so their usefulness is primarily in security research, military, or government organizations. With such honeypots you can easily capture a private shellcode used to crack a previously invulnerable service, learn new methods of intrusion, and, most importantly, develop intrusion-resistance methods.
Principles Inside and Legal Issues
The main principle of a honeypot is that any attempt to connect to a non-existing IP address is prohibited a priori. This is a reasonable assumption, since no law-abiding user will deliberately connect to a non-existing service. As long as users know of no such service, you can assume that any connection to the service is the start of an attack. A big advantage of a honeypot is that you can emulate any operating system on any hardware you want. If a service runs on FreeBSD, you can fool the attacker into thinking he is looking at a glitchy ancient Cisco or a modern enterprise Linux distribution. Such emulation works at the level of OS fingerprinting: the honeypot answers probes the way the emulated system would. However, sophisticated intruders can detect this, since any emulator may also have its own fingerprint. Even if the developers have hidden all unique features, overlooked bugs may theoretically reveal it. With a honeypot, you also have a significantly smaller volume of logfiles, reducing the probability of false alarms to almost zero. When something strange occurs, it's generally easier to look through 200Kb of logs instead of 1Gb.
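As an added illustration of the principle above (not code from the article): since nothing legitimate should ever reach the decoy, log review reduces to summarizing who touched it and how many services they probed. The script assumes honeyd's packet-log line layout (timestamp, protocol, an S/E/- event marker, source, source port, destination, destination port) and works on constructed sample lines; the threshold for calling a source a scanner is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed honeyd packet-log layout; not real traffic.
# S = connection start, E = connection end (with byte counts), - = single packet.
SAMPLE_LOG = """\
2006-02-01-10:24:17.5836 tcp(6) S 203.0.113.7 1056 192.0.2.200 80 [Windows XP SP1]
2006-02-01-10:24:17.6012 tcp(6) S 203.0.113.7 1057 192.0.2.200 22 [Windows XP SP1]
2006-02-01-10:24:17.6200 tcp(6) S 203.0.113.7 1058 192.0.2.200 23 [Windows XP SP1]
2006-02-01-10:24:17.6401 tcp(6) S 203.0.113.7 1059 192.0.2.200 445 [Windows XP SP1]
2006-02-01-10:24:19.2000 tcp(6) E 203.0.113.7 1056 192.0.2.200 80: 110 245
2006-02-01-10:31:02.0001 udp(17) - 198.51.100.9 3412 192.0.2.200 53: 40
2006-02-01-10:35:44.7710 tcp(6) S 198.51.100.9 4000 192.0.2.200 80 [Linux 2.4.20]
"""

# Lines without a destination port (e.g. ICMP) do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>\w+)\(\d+\)\s+(?P<ev>[SE-])\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\s+(?P<dport>\d+)"
)


def parse_log(text):
    """Yield one dict per parsable line. On a decoy every line is already
    a security event, not merely a candidate that needs filtering."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield {k: (int(v) if k in ("sport", "dport") else v)
                   for k, v in m.groupdict().items()}


def summarize(text, scan_threshold=3):
    """Group connection starts (S) and connectionless packets (-) by source
    and flag sources that touched at least scan_threshold distinct services.
    Connection ends (E) are ignored so a service is not counted twice."""
    ports = defaultdict(set)
    for ev in parse_log(text):
        if ev["ev"] in ("S", "-"):
            ports[ev["src"]].add((ev["proto"], ev["dport"]))
    return {src: {"ports": sorted(p), "scan": len(p) >= scan_threshold}
            for src, p in ports.items()}
```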
Questions that inevitably arise in most organizations include: are honeypots illegal? What do the laws say about such fraudulent services?
"There are some legal issues, and they are not necessarily trivial and easy," says Richard Salgado, senior counsel for the U.S. Department of Justice's computer crime unit, speaking at the RSA Conference in San Francisco. The main problem is that U.S. criminal law calls honeypot monitoring "interception of communications," which is prohibited and may lead to imprisonment for up to five years. Fortunately for honeypot operators, there are exemptions to the Federal Wiretap Act that could apply to some honeypot configurations, but they still leave many hacker traps in a legal danger zone. One exemption permits interception of a communication if one of the parties consents to the monitoring. Salgado suggested that honeypots display a banner message warning users that use of the computer is monitored.
Yet most attack attempts don't penetrate a system through the front door -- telneting in or surfing to a web page -- and if they never see the banner, they haven't consented to monitoring. The consent exemption might apply without a banner if a court determines that the honeypot itself is one of the "parties" to the communication, Salgado said. Another relevant exemption was passed in the USA PATRIOT Act in October 2001, but only applies to cases where the government steps in to do the spying.
There is a third "provider exemption" that may be the most promising legal justification. This allows the operator of a system to eavesdrop for the purpose of protecting their property or services from attack. In this case, Salgado favors configurations that invisibly reroute an attacker to a honeypot after beginning an attack on a production machine. "The closer the honeypot is to the production server, the less likely that it's going to have some of the legal issues that we're talking about," he said, because the monitoring becomes part of the normal process of protecting the production machine. Despite the legal issues, Salgado praised honeypots as a valuable tool. He also cautioned attendees to consult with their company legal departments before deploying them.
How to set up a honeypot
There are many honeypot systems available, some commercial and others open source. A few good ones are Tiny Honeypot, Single-honeypot, KFSensor, APS, and LaBrea. The last name refers to a famous set of tar pits in Los Angeles that contain the bones of many trapped animals.
honeyd is a good honeypot implementation, because it is open source, cross-platform, and BSD-licensed. It is under active development and provides many exciting features.
To install honeyd under Unix, first download the source files:
# cd /usr/src
# wget http://www.citi.umich.edu/u/provos/honeyd/honeyd-1.5a.tar.gz
# tar xzf honeyd-1.5a.tar.gz
# cd honeyd-1.5a
Before you can do the usual make dance, you must install some additional packages, such as libevent, libdnet, and libpcap. In some cases (on FreeBSD especially) problems may appear even after installing the appropriate libraries, and you may need to point the configure script explicitly at the installed libraries. For example, for libevent, I used:
# ./configure --with-libevent=/usr/src/libevent-0.9/ --prefix=/path/to/honeyd
To get a fully-featured honeyd (with ARP spoofing enabled), you also need the arpd daemon. It installs very easily:
# wget http://www.citi.umich.edu/u/provos/honeyd/arpd-0.2.tar.gz
# tar xzf arpd-0.2.tar.gz
# cd arpd
# ./configure
# make
# make install