
Honeypots and Honeynets

Pravesh Gaonjur

University of Technology, Mauritius
School of Business Informatics and Software Engineering
La Tour Koenig, Pointes Aux Sables, Mauritius
Email: p.gaonjur@gmail.com

Abstract

A honeypot is an information system resource whose value lies in unauthorized or illicit use of
that resource. Honeynets are simply a type of honeypot, which is “a security resource whose value
lies in being probed, attacked or compromised”. Honeypots and honeynets are usually used to gather
information about the threats that organizations might face, and therefore to protect them. They
are often classified by the level of interactivity they allow attackers. Some characteristics of
both types of honeypots are well known among the research community. Low-interactivity honeypots
are used for production purposes because they are easy to deploy and maintain and involve few risks
for the organizations using them, yet still gather valuable information. High-interactivity
honeypots are more difficult to deploy and maintain and gather extensive amounts of information,
but involve more risks for organizations. However, no work has been done so far to validate these
statements, and that is what this work focuses on. Our main goals are to point out the main
differences between honeypots and honeynets, to describe and discuss the importance of both
technologies, to introduce the concept of distributed honeypots, and to determine how security can
be enhanced using honeypots, honeynets, distributed honeynets or a combination of them.

TABLE OF CONTENTS

List of Figures

1.0 INTRODUCTION
2.0 HONEYPOTS
2.1 Type of Honeypots
2.1.1 Production/Research
2.1.2 Low/High Interactivity
2.2 Value of honeypots
2.2.1 Prevention
2.2.2 Detection
2.2.3 Response
2.3 Advantages of Honeypots
2.4 Disadvantages of Honeypots
2.5 Risks with Honeypots
3.0 HONEYNETS
3.1 Requirements of Honeynets
3.2 Types of Honeynets
3.3 How honeynet works
3.4 Risks with Honeynets
4.0 IMPORTANCE OF USING HONEYPOTS AND HONEYNETS
4.1 Possible Information gain on attacks by honeynets
4.2 Possible increased security by using Honeynets as a decoy
4.3 Possible increased security by using aggressive Honeynets for redirection
5.0 RAISING SECURITY AWARENESS
6.0 CONCLUSION

References

List of Figures

Figure 1 – Honeynet Architecture

1.0 Introduction

Many organizations today use firewalls and intrusion detection systems (IDSs) as part of their
network security defenses. Alongside these two commonly used technologies, honeypots have received
much attention in recent years. A honeypot can be thought of as a decoy computer system that uses
deception to lure intruders so that we can learn their behaviors. The honeypot is usually a system
that is deliberately made vulnerable, with fake services, to make it look and act like a real
system. Intruders who discover the honeypot may choose to compromise it since it is a relatively
easy task. As a result, system administrators can investigate the traces left by intruders to
learn about their tools and techniques in detail.

In this regard, we are going to analyze honeypots, honeynets and distributed honeynets in order to
recommend measures that enhance security using these technologies.

2.0 Honeypots

Honeypots are highly flexible tools that come in many forms and contribute to the overall security
of a given network. They can be used for anything from detecting new attack methods to capturing
the latest techniques and tools of attackers. This flexibility, while giving honeypots their true
power, leads to considerable confusion and misunderstanding about what honeypots really are. Lance
Spitzner defines the term Honeypot as follows:

“A Honeypot is an information system resource whose value lies in unauthorized or illicit use of
that resource.”

Conceptually, all honeypots work the same way. No connection should be expected, since they are
not supposed to provide any valuable service. That means that any interaction with the Honeypot
is most likely unauthorized or anomalous activity.

2.1 Type of Honeypots

There are basically two ways to classify honeypots. The first classification is based on the
purpose of the honeypot: production or research. The other is based on one of the main
characteristics of the honeypot: low or high interactivity.

2.1.1 Production / Research

Production honeypots are usually used by commercial organizations to help mitigate risks. This
kind of honeypot adds value to the security measures of an organization. They tend to be easy to
deploy and maintain, and their simplicity keeps the related risks low. Due to their nature and
deliberate lack of flexibility, these honeypots offer very few opportunities for attackers to
exploit them in order to perform actual attacks.

Research honeypots are designed to gather information about attackers. They do not provide any
direct value to a specific organization, but are used to collect information about the threats
organizations may face so that better protection methods can be developed and deployed against
these threats. They are more complex and involve more risks than production honeypots simply
because they are real machines rather than emulated OSes and services. They also tend to be more
difficult to administer.

2.1.2 Low / High Interactivity

Interaction defines the level of activity a honeypot allows an attacker.

Low-interactivity honeypots do not implement actual functional services, but provide an emulated
environment that can masquerade as a real OS running services to connecting clients. These limited
functionalities are often scripts that emulate simple services under the assumption of some
predefined attacker behaviour. The attacker's ability to interact with these emulated services is
limited, which makes low-interactivity honeypots less risky than high-interactivity honeypots.
Indeed, there is no real OS or service for the attacker to log on to, and therefore the honeypot
cannot be used to attack or harm other systems. The primary value of low-interactivity honeypots
is the detection of scans or unauthorized connection attempts, but they tend to be poor at finding
unknown attacks and unexpected behaviour. Low-interactivity honeypots are often used as production
honeypots.

High-interactivity honeypots, on the other hand, do not emulate anything and give the attacker a
real system to interact with where almost nothing is restricted, which makes them more risky than
low-interactivity honeypots. These honeypots should be placed behind a firewall to limit the risks.
They tend to be difficult to deploy and maintain, but it is believed that they provide a vast
amount of information about attackers, allowing the research community to learn more about the
behaviour and motives of the blackhat community. They are usually used as research honeypots.
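The kind of scripted emulated service described above, as an added example that is not code from the paper: an FTP control-channel emulation that answers a handful of commands, always refuses login, and records every line it receives. The banner, hostname, peer address and the sample command sequence are constructed for illustration; only the protocol handler is shown, without the TCP listener a deployment would wrap around it.

```python
"""Core of a low-interaction honeypot: a scripted FTP control channel (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BANNER = "220 ftp.example.internal FTP server ready"  # constructed banner


@dataclass
class Session:
    peer: str                                     # attacker address, for the log
    user: Optional[str] = None
    log: List[str] = field(default_factory=list)  # every line received, verbatim


def handle_line(session: Session, line: str) -> str:
    """Return the canned reply to one client command.

    The script knows only a few commands and never performs the real action:
    PASS always fails, so there is no shell, filesystem or service behind the
    reply that an attacker could reuse against other hosts. That is what keeps
    the honeypot low-risk; the price is that nothing beyond the command
    sequence itself can be observed.
    """
    session.log.append(line.rstrip("\r\n"))
    parts = line.strip().split(None, 1)
    cmd = parts[0].upper() if parts else ""
    arg = parts[1] if len(parts) > 1 else ""
    if cmd == "USER":
        session.user = arg
        return f"331 Password required for {arg}"
    if cmd == "PASS":
        return "530 Login incorrect"
    if cmd == "SYST":
        return "215 UNIX Type: L8"
    if cmd == "QUIT":
        return "221 Goodbye"
    if cmd in ("LIST", "RETR", "STOR", "CWD", "PWD"):
        return "530 Please login with USER and PASS"
    # Anything unexpected is the interesting part: it is recorded, not executed.
    return "500 Unknown command"


def run_session(peer: str, lines: List[str]) -> Tuple[List[str], Session]:
    """Drive one connection: banner first, then one reply per client line until QUIT."""
    session = Session(peer=peer)
    replies = [BANNER]
    for line in lines:
        replies.append(handle_line(session, line))
        if line.strip().upper() == "QUIT":
            break
    return replies, session


# Constructed interaction: a login attempt, then an extension the script does
# not emulate (FEAT), then QUIT; the trailing LIST is never processed.
SAMPLE_PEER = "203.0.113.7"
SAMPLE_LINES = ["USER admin", "PASS admin123", "FEAT", "QUIT", "LIST"]

if __name__ == "__main__":
    out, sess = run_session(SAMPLE_PEER, SAMPLE_LINES)
    for reply in out:
        print(reply)
    print(f"{sess.peer} sent {len(sess.log)} lines; unknown input captured: {sess.log[2]!r}")
```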

2.2 Value of honeypots

The value of honeypots depends closely on what kind of honeypot we are dealing with. Production
honeypots are used to help organizations protect themselves against attackers, which includes
preventing, detecting and responding to attacks. Research honeypots are used to collect information
that will be analysed to develop better protection methods.

2.2.1 Prevention

Prevention means keeping the threat out of the production systems. This can be done by several
means such as firewalls, authentication and encryption. Honeypots, however, add some value to
prevention. While honeypots can prevent the spread of a worm across the network (sticky
honeypots), they can also contribute to prevention against human attackers. Two concepts are
involved in human prevention: deception and deterrence. Deception means making the attacker waste
his time and resources attacking honeypots. Deterrence is when an attacker avoids a network because
he knows it contains honeypots and fears being logged and caught.

2.2.2 Detection

Detection is identifying a failure or breakdown in prevention. This can also be done by several
means such as Intrusion Detection Systems (IDS), but honeypots effectively address some weaknesses
of such systems: false positives, false negatives and the value of the data gathered. Because
honeypots have no production purpose, they generate very few false positives. Because all traffic
to and from a honeypot is suspicious, they also address the false-negative issue. Because of their
simplicity and design, honeypots gather small amounts of data of very high value.

2.2.3 Response

The challenge that organizations face when they want to react to an attack is evidence collection.
This is an important issue both when the organization wants to prosecute the attacker and when it
wants to defend itself against the threat. Honeypots address these problems in two ways. First, the
only traffic on the honeypot is the attacker's traffic, which makes it easier to analyse attacker
behaviour on honeypots than on production systems, since the only data retrieved from the honeypot
is malicious data. Second, it is much simpler to take the honeypot offline for further analysis
without affecting the other business activities of the organization.

2.3 Advantages of Honeypots

Fidelity – Small data sets of high value
Reduced false positives
Reduced false negatives
New tools and tactics
Not resource intensive
Simplicity

2.4 Disadvantages of Honeypots

Labor/skill intensive
Limited view
Does not directly protect vulnerable systems
Risks

2.5 Risks with Honeypots

Identifying Honeypots
Black-hats know which systems to avoid.
Feed honeypot false or bogus information.
Eliminate fingerprinting.
Chess problem!

Exploiting Honeypots
It is expected for attackers to gain privileged control of the honeypots.
Stepping stone to harm other systems.
Several layers of data control.
Human intervention.

3.0 Honeynets

Before we can know what a honeynet is, we need to know what a honeypot is. A honeypot is an
isolated network that has been designed with the intent of capturing intruders and logging
intruders' movements within the attacked isolated network. All traffic entering and leaving the
honeypot is logged. A Honeynet is an actual network of computers left in their default (and
insecure) configuration. This network sits behind a firewall where all inbound and outbound data
is contained, captured and controlled. The captured information is then analyzed to learn the
tools, tactics and motives of the hacker community.

The concept of the honeynet began in 1999 when Mr. Lance Spitzner, founder of the Honeynet
Project, published the paper “To Build a Honeypot”. In this paper, Mr. Spitzner proposed that
instead of developing technology that emulated systems to be attacked, real systems should be
deployed behind firewalls, waiting to be hacked.

In the most basic sense, a honeynet is a type of honeypot, more specifically a type of
high-interaction honeypot. Being a high-interaction honeypot, nothing is emulated: all services,
applications and operating systems are as real as in any production environment. An important
characteristic that separates a high-interaction honeypot from a honeynet is that a honeynet
contains one or more honeypots. It is a network of multiple systems creating the illusion of a
production network, and it is through this network, specifically through the network access
device, that hacker activity is monitored, recorded and controlled. Based on all of this, we can
construct the basic definition of a honeynet:

A honeynet is a network of high-interaction honeypots that simulates a production network and is
configured such that all activity is monitored, recorded and, to a degree, discreetly regulated.

Figure 1 – Honeynet Architecture

3.1 Requirements of Honeynets

Data Control
Reduce risk – cannot be used to harm others
Data Capture
Detect and capture all the blackhat's activities
Data Analysis
Analyze what the blackhat has done

Data Control is the containment of activity. The primary purpose of this requirement is risk
mitigation, which entails that all attacker activities be confined within the honeynet. Since
honeynets are high-interaction honeypots, attackers interact with real systems and have more
freedom in their activities, which in turn gives us more opportunity to learn from those
activities. This creates an unusual dilemma: allow the attackers to carry on and learn more, or
curb their activities and prevent them from possibly damaging non-honeypot systems. This thin line
is what you have to tread each time you implement a honeynet. The answer will differ depending on
your goals, but one must remember that data control takes precedence over all other requirements.
The attacker should not be able to attack or cause damage to any systems outside the honeynet.
Once an attacker harms other systems, your honeynet implementation has not only failed but has
become a danger to your networks and the networks of others.
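An added example (not the paper's or the Honeynet Project's code) of how a honeynet gateway can enforce the data-control precedence described above, while also applying the detection logic of section 2.2.2: every inbound connection to a honeypot that does not come from a management station is an alert. The honeypot addresses, the sample events and the per-hour outbound connection budgets are constructed assumptions, and the policy is written as plain Python rather than a firewall ruleset so it can be run offline.

```python
"""Honeywall-style data control and detection for a honeynet gateway (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple

# Outbound connection budget per honeypot, per protocol, per hour. Illustrative
# values: enough for an attacker to fetch tools and keep interacting, too few
# to make the honeypot useful as a stepping stone for scanning or flooding others.
OUTBOUND_LIMITS = {"tcp": 15, "udp": 20, "icmp": 50}
WINDOW_SECONDS = 3600


@dataclass(frozen=True)
class Conn:
    ts: int        # epoch seconds of the first packet
    src: str
    dst: str
    proto: str


class Honeywall:
    def __init__(self, honeypots: Iterable[str], admin_hosts: Iterable[str] = ()):
        self.honeypots = set(honeypots)
        self.admin_hosts = set(admin_hosts)   # management stations: expected traffic
        self.alerts: List[Conn] = []          # data capture: inbound contacts worth analysing
        self.dropped: List[Conn] = []         # data control: contained outbound connections
        self._out: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)

    def decide(self, c: Conn) -> str:
        inbound = c.dst in self.honeypots and c.src not in self.honeypots
        outbound = c.src in self.honeypots and c.dst not in self.honeypots
        if inbound:
            if c.src not in self.admin_hosts:
                # The honeypot offers no production service, so any other inbound
                # connection is suspicious by definition: record it (near-zero false
                # positives) and let it through so the attacker keeps interacting.
                self.alerts.append(c)
            return "ALLOW"
        if outbound:
            window = self._out[(c.src, c.proto)]
            while window and c.ts - window[0] >= WINDOW_SECONDS:
                window.popleft()              # slide the one-hour window
            if len(window) >= OUTBOUND_LIMITS.get(c.proto, 0):
                self.dropped.append(c)        # data control takes precedence over capture
                return "DROP"
            window.append(c.ts)
            return "ALLOW"
        # Honeypot-to-honeypot or unrelated traffic: not this policy's concern.
        return "ALLOW"


def demo() -> Dict[str, object]:
    """Run a constructed event sequence through the policy and summarise the outcome."""
    hw = Honeywall(honeypots={"10.0.0.5", "10.0.0.6"}, admin_hosts={"10.0.0.1"})
    events = [Conn(0, "203.0.113.7", "10.0.0.5", "tcp"),   # outside host contacts honeypot
              Conn(5, "10.0.0.1", "10.0.0.5", "tcp")]      # operator's management station
    # The compromised honeypot opens 17 TCP connections to an outside host in 17 s.
    events += [Conn(10 + i, "10.0.0.5", "198.51.100.9", "tcp") for i in range(17)]
    events.append(Conn(30, "10.0.0.5", "10.0.0.6", "tcp"))  # lateral move inside the honeynet
    decisions = [hw.decide(e) for e in events]
    late = hw.decide(Conn(3700, "10.0.0.5", "198.51.100.9", "tcp"))  # an hour later: budget refilled
    return {"alerts": len(hw.alerts), "dropped": len(hw.dropped),
            "decisions": decisions, "late_decision": late}


if __name__ == "__main__":
    print(demo())
```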

The second requirement of honeynets is Data Capture. Data Capture is the monitoring and logging of
attacker activities within the honeynet. These activities form the basis of our data and the core
of our research and analysis. For more complete data capture, and to better piece together the
attacker's activities, it is necessary to have multiple mechanisms for capturing them. These could
be in the form of tcpdump logs, IDS logs, Sebek data and firewall logs, among others. This is also
important so that a failure in one of these mechanisms still allows you to collect one form of data
or another, preventing a total blackout of activity data.

There is actually a third honeynet requirement called Data Collection, which only applies to
distributed honeynet implementations such as the Honeynet Research Alliance, of which the
Philippine Honeynet Project is a part. Aspects of this requirement include naming conventions,
secure transfer of data and anonymization techniques.

These requirements are important in any honeynet implementation, of which there are a number of
types based on how they implement the said requirements.

3.2 Types of honeynets

1. Gen I Honeynets
2. Gen II Honeynets
3. Gen III Honeynets
4. Distributed Honeynets
5. Virtual Honeynets

Gen I honeynets were the Honeynet Project's first attempts at deploying honeynet technologies.
They are now generally obsolete but are good case studies for the principles and requirements
involved. Gen II honeynets are honeynets with more advanced data control and data capture
mechanisms. Gen III honeynets are the latest in honeynet technologies. They are very easy to
deploy and generally use the same principles as the older versions, but with more advanced tools.
Distributed honeynets are multiple honeynets deployed across large networks across the Internet.
Virtual honeynets are self-contained honeynets deployed on a single system.

3.3 How Honeynet works

A honeynet, just like a honeypot, works by creating a highly controlled environment. Honeynets,
however, take the concept one step further than honeypots. Instead of just one computer or a number
of unconnected computers, a network is set up in such a way that everything in the honeynet appears
like a normal network. All applications and services are real, though all systems running within
the honeynet are considered honeypots. No modifications are made to the systems, such as installing
monitoring tools or creating jailed environments like chroot on the host. This kind of setup makes
the honeynet the most interactive and authentic of all honeypots.

3.4 Risks with honeynets

• Honeynets introduce additional risk to an environment by attracting attention to their
seemingly insecure configuration.
• They require constant maintenance and administration.
• Data analysis is very time consuming. A single compromise on average requires 30-40
hours of analysis.

Finally, as with honeypots, any honeynet implementation has its corresponding risks. In fact, the
basic risks and disadvantages of honeypots are the same as those of honeynets; the only difference
is complexity. Since honeynets are much more complex and extensive, there is much greater risk
involved. There is also a great deal of work involved not only in maintaining the honeynet but in
making sure that risk is mitigated. To better avert the risks involved in honeynets, human
monitoring and customization are required.

4.0 Importance of using Honeypots and honeynets

Deploying Honeynets yields gathered information and possibly increased security for the operator
of the Honeynet.

4.1 Possible Information Gain on Attacks by Honeynets

Honeynets can gain information on the attacks against them. We assume that a Honeynet can
basically gather two different qualities of information. After starting his attack at t_a, the
attacker is unaware of the fact that he is attacking a Honeynet, and the data gathered shows the
attacker's typical actions against the class of system the Honeynet is emulating. At a certain
point in time the attacker realizes that he is confronted with a Honeynet. At this point, labeled
t_d, the attacker's motivation shifts, which should also result in a change of behavior. t_d can
even be before t_a if an attacker is able to gather information about the Honeynet out of band and
attacks with the knowledge that he is attacking a Honeynet. t_d can also lie infinitely far in the
future if the attacker isn't willing or able to find out that he is attacking a Honeynet.

It is safe to assume that after t_d the attacker will be more reluctant to act in a way which will
allow the observer to gather further information. The attacker will usually stop the attack
completely and vanish. But we also know of one instance where attackers using the Honeynet as an
IRC proxy simply ignored the fact that they were observed.

While attacking, the attacker will try to escalate his privileges. He will increase his privileges
in zero or more steps. The higher he was able to escalate his privileges, the more likely he is to
find out the true nature of the host he is attacking, which results in t_d moving into the future.
It is therefore safe to assume that for sophisticated attackers t_d is relatively early. A
sophisticated attacker will be able to escalate his privileges relatively fast, increasing his
chances of detecting the Honeynet. For attackers with full local privileges, detecting a Honeynet
is trivial.

Honeynets cannot collect information on all kinds of attackers equally. Honeynets are able to
gather representative data on attackers which choose their targets more or less randomly, as
autonomous malware and very unsophisticated attackers do. Data on more focused attackers can only
be gathered when those attackers actively choose to attack the operator's systems.

An attacker not penetrating systems in a random fashion must be tricked into attacking a honeynet
by making it look like a worthwhile target. It can be assumed that the more sophisticated the
attacker is, the less likely he will be fooled by such deceptions.

So while Honeynets might be able to gather relatively much information about unsophisticated
attackers or autonomous malware like worms, with the same investment much less information can be
gathered about sophisticated attackers.

4.2 Possible increased security by using Honeynets as a decoy

It is claimed that Honeynets can increase the search space for finding valuable systems in a
network and thus increase security by luring attackers into spending effort attacking the
Honeynets instead of the real thing. This claim has to be evaluated against different adversary
scenarios.

Attackers attacking random hosts in your network have a bigger search space. But only extremely
unsophisticated attackers like autonomous malware can be assumed to attack completely random
hosts. Also, these attackers can only be significantly slowed down when a significant percentage
of a network is made up of Honeynets, which is unlikely.

More sophisticated attackers will choose their target based on their objectives and on a system's
perceived value for completing those objectives. Simply by their existence, Honeynets will slow
down the attacker's target selection process. To fool the attacker into attacking the Honeynet,
the Honeynet has to look more attractive than the target the attacker is aiming for, or the “real”
system has to be hidden in a way that the attacker will not be able to detect it.

4.3 Possible increased security by using aggressive Honeynets for redirection

There are also attempts to deploy honeypots as part of active network security. The idea is to
reroute attackers from a production server to a Honeynet, distracting the attacker and allowing
further gathering of data.

Detecting the attack that triggers the rerouting is a non-trivial problem. Also, the Honeynet
must mirror the production host very closely to make rerouting seamless and less detectable.

5.0 Raising security awareness

Many people are not aware of the security risks their computer systems face, and they thereby
jeopardize their personal or company data. In fact, many people do not even notice that their
system has been compromised. An attacker has an interest in concealing his or her activities in
order to keep access to a compromised system. Today's operating systems are insecure when they
come freshly out of the box and need to be patched. This is mainly due to the pace at which
security vulnerabilities are discovered. If an unprotected system is connected to the Internet
simply to download the needed security fixes, it might get compromised in that short period of
time, possibly unnoticed by the user of the system.

Honeynets can serve to make such threats visible. By its nature, a honeynet is closely monitored
so that researchers can see what is going on under the hood. It can make people aware that a
system running a standard out-of-the-box operating system, just connected to the Internet with an
address advertised nowhere, will get scanned and eventually compromised after a short period of
time. People are misled by the assumption that just because a system is not known to anybody else
on the Internet, it will not be found soon.

6.0 Conclusion

This white paper serves as a reference and purposely highlights the definitions of Honeynets and
Honeypots, with the intention of enabling the reader to make a choice in securing their networks
with these technologies. Many organizations hold that it may not be necessary to know what your
typical intruders are doing. Taking this approach is equivalent to pushing a blind person into a
shark tank. It is of paramount importance to know the different types of honeynets and honeypots
and to understand the best method to deploy them, customized to the respective organization's
needs. Knowing the difference between distributed Honeynets and traditional honeynets allows a
swift decision to be made about using honeynets, as it becomes apparent that the capital and
resources required to build a state-of-the-art Virtual honeynet are very affordable to most
organizations.

References

The Honeynet Project, “Know Your Enemy: Statistics,” available online: http://honeynet.org/papers/stats/

The Honeynet Project, “Know Your Enemy: Sebek,” available online: http://honeynet.org/papers/sebek.pdf

The Honeynet Project, “Know Your Enemy: GenII Honeynets,” available online: http://honeynet.org/papers/gen2/

L. Spitzner, Honeypots: Tracking Hackers, Addison-Wesley, 2002; www.tracking-hackers.com/book

“Honeyd—Network Rhapsody for You,” available online: http://www.citi.umich.edu/u/provos/honeyd/

“Virtual Honeynets,” available online: http://www.windowsecurity.com/articles/Understanding_Virtual_Honeynets.html

“Honeynets definition,” available online: http://www.philippinehoneynet.org/docs/Honeynets_definition.pdf

“Intro to honeypot and honeynet,” available online: http://www.icst.pku.edu.cn/honeynetweb/reports/Introduction to Honeypot & Honeynet.ppt
