A honeypot is a closely monitored network decoy serving several purposes: it can distract adversaries from more valuable machines on a network, provide early warning about new attack and exploitation trends, or allow in-depth examination of adversaries during and after exploitation of a honeypot.

Deploying a physical honeypot is often time intensive and expensive as different operating systems require specialized hardware and every honeypot requires its own physical system. This paper presents Honeyd, a framework for virtual honeypots that simulates virtual computer systems at the network level.

The simulated computer systems appear to run on unallocated network addresses. To deceive network-fingerprinting tools, Honeyd simulates the networking stack of different operating systems and can provide arbitrary routing topologies and services for an arbitrary number of virtual systems.

Honeypot simulates network services by open servers at user specified ports on a network computer. The port/service appeares to be existing and open to an attacker or trojan. Once an attacker connects to the service, his IP address is logged and he could even be denied any access to the computer if the system uses a firewall that supports dynamic blacklisting. Honeypot has been developed to work with Shorewall, but should work with any firewall that has the ability to blacklist an IP address using a shell command or adding entries to text files. All attacks against Honeypot are logged with time for the attack, attacker IP and attacker hostname.

presented by:
TRUPTHI MISHRA

---

[attachment=9251]
HONEYPOT FOR NETWORK SECURITY
Introduction to honeypots
 A Honeypot is a resource which is intended to gain information about the attacker and their tools.
 It can also be deployed to attract and divert an attacker from their real targets.
 Honeypots do not fix anything. They provide us additional, valuable information about the attack patterns, used programs, purpose of attack and about the blackhat community.
 Gathering information about the attackers is very important. By knowing their attack strategies, counter measures can be improved and vulnerabilites can be fixed.
 There are a lot of possibilities for a honeypot – to divert hackers from the productive systems or catch a hacker while conducting an attack are two possible examples.
 The 2 main reasons why honeypots are deployed are:
1) To learn how intruders attempt to gain access to the system and gain insight into attack methodologies to better protect the real production systems.
2) To gather forensic information required to aid in the apprehension or prosecution of intruders.
CONCEPTS OF HONEYPOTS
I. LOW-INVOLVEMENT HONEY:
 A low-level involvement honey provides certain fake services so that all the incoming traffic can easily be recognized and stored.
 But with this simple solution it is not possible to catch communication of complex protocols.
 On a low-level honeypot there is no real Operating System that an attacker can operate on. This minimizes the risk because the complexity of an operating system is eliminated.
 It is like a one-way connection.
II. MID-INVOLVEMENT HONEYPOT:
 A mid-level involvement honeypot provides more to interact with but still does not provide a real underlaying Operating system.
 The fake daemons are more sophisticated and hav deeper knowledge about specific services they provide.
 Through higher level of interaction more complexity, attacks are possible and the attackers get a better illusion of a real operating system. He has more possibilities to interact and probe the system.
 Developing a mid-involvement honeypot is complex and time consuming. So special care has to be taken for security checks.
III. HIGH-INVOLVEMENT HONEYPOT:
 A high-level involvement honeypot has a real underlaying Operating System. This leads to much higher risk as the complexity increases.
 At the same time, the possibilities to gather the information, the possible attacks as well as the attractiveness increases a lot.
 A high-involvement honeypot is very time consuming. So it is should always be under control and the behavior should be monitored.
 By providing a full operating system to attacker, he has the possibilities to upload and install new files. This is where the honeypot can show its strength as all its actions can be recorded and analyzed.
TYPES OF HONEYPOTS
Honeypots are classified mainly into two categories. The two types of honeypots are:
1. PRODUCTION HONEYPOTS
2. RESEARCH HONEYPOTS