Bait Crackers With A Honeypot

by Carla Schroder

Adding a honeypot to your arsenal can be a big boost to your network's security, both in distracting malicious users and learning how the garden variety script kiddy thinks.

Adding a honeypot to your arsenal can be a big boost to your network's security, both in distracting malicious users and learning how the garden variety script kiddy or cracker thinks.

First, a few terms:

Crackers are bad guys bent on criminal mischief. Hackers are computer nerds who create cool things. Crackers destroy. Hackers build. This may be end up being my epitaph, given how the word 'hacker' is so insistently misused.

What is a honeypot? I like Lance Spitzner's definition: "a resource whose value lies in being probed, attacked, or compromised." Some people view them like the piece of meat used at a picnic to lure wasps away from your food. Honeypots don't perform that function any better than the meat does, there's always more wasps, just like there's always more crackers. Most cracking tools are automated, our evil little chums simply fire them up and let them do the heavy lifting. Building a honeypot won't lure intruders away from your network, and it certainly is not a substitute for proper firewalls and system configuration. If you have to choose between improving your existing security or implementing a honeypot, forget the honeypot.

The great value of a honeypot lies in collecting useful data unmixed with legitimate traffic and system data. By definition, all traffic to or from a honeypot is suspect; anytime a connection is made, it is most likely an unauthorized intrusion. Much easier than wading through huge server logs, no matter how ace you are at parsing and analyzing. Capture keystrokes, which I don't do on a production server. Who needs megabytes of user's typos? But for analyzing an attack, keystrokes are gold.

Another great value of a honeypot is the ability to conduct a full forensic analysis of an attack, without taking a production machine out of service.

Homegrown Deception
That's right, the whole idea is to lie your head off and fool an intruder into believing they've accessed a production server full of tasty passwords, data files, and relays. The easiest way to build a honeypot is set up a box similar to your production servers- use the same OS, run the same services. Put it on the Internet and wait, oh 15-30 minutes, someone will find it. No special software is needed, simply employ the usual logs and network monitoring tools. Running it behind a firewall adds some useful options: additional logging, event alarms, and restrict outgoing traffic. Not a good idea to be a pawn in compromising other systems. Some services need to be left running, such as ftp, smtp, or http, or the intruder will smell a rat and split. By constructing it the same way as your production servers, you'll learn about weaknesses and flaws that apply to your specific setup. Another advantage to this approach is it won't be obvious it's a honeypot. The longer they stick around, the more useful data will be collected.

The system logs must be protected, as job one of any self-respecting cracker is to take over key system files and logs. Core Wisdom offers some nice secure logging tools for Unix and Windows. Remember, the idea is for an intruder to gain root access, but not let them erase their tracks. Under Linux, a competent geek can recompile syslogd to use a remote hidden configuration file, simply change the default /etc/syslog.conf in the source code to something sneaky. Leave a dummy configuration file at /etc/syslog.conf.

Two other indispensable tools are a packet sniffer, such as Ethereal or snort, and Tripwire. A packet sniffer gives realtime monitoring of everything, including keystrokes. Tripwire should be the very first system monitor configured and activated on a Linux system. Go ahead and install everything, configure users and networking- then before the machine ever connects to any network, including local, run Tripwire. It must be installed on a clean system, or it is worthless. It creates cryptographic ``fingerprints'' of system binaries, configuration files and other likely targets. Tripwire monitors data and file integrity, and emails an alert when it detects suspicious changes. There are commercial and free versions, no excuse for not having it! Use it on all machines, not just honeypots.

While we're on the subject, you are monitoring your outgoing traffic, aren't you? It's a good way to find out if an intruder is using your system to serve mp3s or launching attacks or some such activity you probably don't want to get blamed for.

Once an attacker has taken the bait, invaded your honeypot, and left a trail of highly useful data, simply reboot to kick them out. A real slick trick is to create an installation CD, with apps and configurations, for quick restoration.

There are quite a number of ready-made honeypots, free and commercial. A couple of freebies that I like, not only for their functionality, but because the source code is available to audit and modify:

The Deception Toolkit is completely fake, it depends on Perl scripts to create a simulated environment. It includes a lot of fancy sidestepping and double-talk, such as fake coredumps, fake ports, and fake error messages. It is designed to lure an intruder down the garden path and keep them going until they've created an extensive trace. It gives quite a bit of flexibility in creating realistic scenarios to fool intruders, depending how advanced your scripting skills are. The author states that it is not good enough to fool a truly skilled cracker, but will create enough confusion to foil most of them.

LaBrea creates a tarpit or, as some have called it, a "sticky honeypot". (I think of it as a roach motel for crackers.) It takes unused IP addresses on a network and creates virtual machines that answer connection attempts. Intruders get hung up, sometimes for a long time. It uses what it calls "persist mode trapping" to maintain a connection for the longest possible time, tying up the intruder's time and bandwidth. What is really cool is it also throttles your bandwidth- what a perfect world, wasting an attacker's time and bandwidth while preserving your own.

A poorly-contained honeypot puts the rest of your network at risk. There is also the temptation to retaliate. Be careful, stay within legal means. Returning tit for tat only gets you in trouble. Remember, the goal is to increase your own security, not go to war with the script kiddies.


» See All Articles by Columnist Carla Shroder

This article was originally published on Wednesday Jun 12th 2002