Know Your Enemy: Honeynets
bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here.
We are still getting restitution checks from the script kiddie we busted with our honeypot. Looks like the money will pay for the honeypot and our time invested in it, several times over.
Now you won't. You don't know what you're talking about. Yes, you're going to drop all packets FROM THAT SOURCE IP ADDRESS ONLY. Unfortunately, there are a few billion other IP addresses on the Internet that your firewall will be happy to accept packets from.
Feel free to ipchain-away your own first hop out, and see if it affects your ability to load, say, www.yahoo.com. Of course it won't.
You're not really the 3I33T4 H4X0R you think you are. Leave this kind of stuff to the professionals, please.
---
I get hit with about 10-15 of these a day:
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"
I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.
There are many more attacks coming in; this is just one example. Sure, I can read up on how they are performed, but that only makes me book-smart. I need to be able to see in real time (or playback) exactly what a black hat is going to do with my systems.
Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.
Perhaps you should read this. It shows you the "proper" way to set up a honeypot so that it cannot be used as a jump-point. I don't want to be just book-smart when it comes to my network. I want to know how they get in and what they do. Yes, I have secured my network (as best as you can, that is) but that is not the point. Eventually *SOMEONE* is going to get in, somehow. I am going to be the one picking up the pieces when it happens. I would love to say that I am "good enough" that no one will crack my network, but I don't believe anyone is.
What I expect to learn from crackers hitting my honeypot is an overall "pattern". I expect to learn how to become a black hat, because it will make me a better white hat.
How much more can we really learn from the drooling 13-year-old script kiddies of the world?
Not all crackers fit that description I am guessing. Hopefully a honeypot will help me find this out for certain.
Try to hack my 31337 firewall!
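The portsentry lines quoted above are a useful detection feed in their own right. The following is an added example (not from the post or from the portsentry project) that parses `attackalert` lines in that exact format, aggregates hits per port, flags sources probing several distinct ports, and lists sources that have not yet been blocked; the addresses and timestamps in the sample are constructed (TEST-NET ranges).

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the portsentry format quoted in the post (TEST-NET addresses, made-up times).
SAMPLE_LOG = """\
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 192.0.2.10/192.0.2.10 to TCP port: 111
Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 192.0.2.10 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 192.0.2.10 111"
Apr 22 06:18:02 mayday portsentry[9235]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 111
Apr 22 06:18:03 mayday portsentry[9235]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 21
Apr 22 06:18:04 mayday portsentry[9235]: attackalert: Connect from host: 198.51.100.7/198.51.100.7 to TCP port: 23
Apr 22 06:18:04 mayday portsentry[9235]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 198.51.100.7 23"
Apr 22 06:40:11 mayday portsentry[9235]: attackalert: Connect from host: 203.0.113.5/203.0.113.5 to TCP port: 111
Apr 22 06:40:12 mayday sshd[1200]: Accepted publickey for alice from 10.0.0.2 port 50000
"""

# One regex per portsentry message type; anything else (e.g. the sshd line) is ignored.
CONNECT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>\S+?)/(?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<proto>TCP|UDP) port: (?P<port>\d+)$"
)
BLOCK_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Host (?P<ip>\d+\.\d+\.\d+\.\d+) has been blocked via (?P<how>.+?) using command"
)

def parse_attackalerts(log_text):
    """Return (connects, blocks): connects = [(ip, proto, port)], blocks = {ip: block method}."""
    connects, blocks = [], {}
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects.append((m["ip"], m["proto"], int(m["port"])))
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocks[m["ip"]] = m["how"]
    return connects, blocks

def summarize(log_text, scan_threshold=3):
    """Hits per port, sources probing >= scan_threshold distinct ports, and sources never blocked."""
    connects, blocks = parse_attackalerts(log_text)
    hits_per_port = Counter(port for _, _, port in connects)
    ports_by_ip = defaultdict(set)
    for ip, _, port in connects:
        ports_by_ip[ip].add(port)
    scanners = sorted(ip for ip, ports in ports_by_ip.items() if len(ports) >= scan_threshold)
    unblocked = sorted(ip for ip in ports_by_ip if ip not in blocks)
    return {"hits_per_port": dict(hits_per_port), "scanners": scanners,
            "unblocked": unblocked, "distinct_sources": len(ports_by_ip)}
```

The `unblocked` list makes the point raised earlier in the thread concrete: a dropped route only ever covers the one source that already tripped the sensor, so the summary, not the block action, is what tells you which ports are being probed across all sources.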
I've been hearing about these for a while, but to be honest I don't see how a honeynet will really help your network.
Maybe someone can explain the attraction to me, but it seems that although honeynets may observe a new attack technique every once in a while, on the whole they're not the most effective prevention method. The time would be better spent auditing the security level of your machines, improving your patch application time, analyzing log files from your production machines, etc.
That's exactly why honeypots suck. Network admins have too many other things to be doing/working on than setting up systems and trying to catch hackers/crackers. There's just not enough time.
BilldaCat
Last time I looked, the Slashdot submission bin was not everything2.. we don't need 3 different links to the story; what we do need is a single link to this "next chapter" you speak of. I don't see anything there that I haven't read before.
How we know is more important than what we know.
The other poster is absolutely right. It is not entrapment if the party in question was merely given the opportunity to commit a crime. It IS entrapment if the idea of committing the crime came from the entrapping party. So, if I leave my car door unlocked and booby-trap it so that if someone enters, it locks them in, that's not entrapment. However, if I walk past a guy there and go "hey, look at that car.. it's open.. wanna steal it?" and it's my car, that is entrapment.
I do agree with you, honeypots are great resources for studying crackers and their techniques, but they are not a means of securing a network, any more than giving druggies a "Drug Park" to shoot up in solves the drug problem.
If, on the other hand, he came to me, and said
Then it becomes much easier to prosecute -- especially if I hum and haw, and vaguely try to dissuade him before letting him twist my rubber arm. For another analogy, the honeypot is rather like a nice house with a cheap lock. No matter how cheap the lock, it's still illegal to break in. You breaking in is not likely to be entrapment unless I go to you and actually suggest that you break in -- or otherwise goad you into committing a crime which you arguably might not otherwise commit.
IANAL I just like reading up on the law
--
Free Software: Like love, it grows best when given away.
Well, when I told my school about their security problems, not a great deal happened.
;)
Then I wrote a security analysis paper, detailing how one would gather username and password pairs for virtually every student in the school.
Then they started to listen.
Understand: I am not a lawyer (though I play one on the Net) and a lawyer clueful in netlaw would be your best advisor. My understanding of The Way Things Work is that if you put a rig online, and are paying the costs of connection (rig itself, net feed, etc.), you have the final say on what goes on there, subject to your internet connection provider and local and national laws. (For instance, trading bomb recipes is ok, spam and kiddie porn are not.) If your ISP (or whoever) is OK with the honeypot/honeynet, and you declare open season on going in, then it should be as kosher as an orange. Of course, the responsibility will fall on you to prevent relay attacking (going from one telnet site to another to [somewhat] hide the attacker's origins) and spamming etc. (Jail sucks, from what I've been told ;)
If you are good at what you're doing, and are 110% sure that no one can get out from your honey*, then go for it. The information gained from such a net is really useful.
However, be forewarned.
Windows.. Good for targeting rocks.
I used to be someone else. Now I'm someone better.
Real life is underrated.
Reminds me of the time the brilliant sysadmin (read: hobbyist) at a company I used to work for upgraded the Netware server and put a paper in everyone's mailbox (centrally located, mind you) telling everyone that their password would be changed to - you guessed it - "password" - over the weekend!
When I informed a VP who was leaving on vacation for a week that he should have a trusted person change his password temporarily so it wouldn't be "password" for a whole week, you know what he said, right?
"Oh
I now work with much more competent people, thankfully, but that sure is a supporting anecdote for the theory that idiots rise to the top of the management hierarchy!
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
The key word here, the courts have found, is "predisposition." If I remember the article correctly, in Randy Weaver vs. the FBI the FBI had caught him in a sting operation selling a sawed off shotgun. However, the judge ruled in his favor because he was not predisposed to that type of crime. (This is separate from the whole standoff incident, BTW.)
So even if a police or civilian group "entraps" you in a sting operation, you may still go to jail if you were criminally predisposed, and you may go free if you were not.
(I wish I had some relevant links, but time is short.)
--
Have fun: Join D.N.A. (National Dyslexics Association)
How do you tell someone that they are running a "Honeypot" server unintentionally?
I used to have the habit of talking to people about security issues on networking around my high school. As people are, they scoffed at a kid explaining to them security issues... and when their network was compromised (not by me) my attempt at pointing out their security problems came to their mind... They remembered me speaking to them, of course, and since I knew about their security problems I "had to be" the person who compromised their system...
That was high school -- I learned to keep my mouth shut...
About a month ago, when I first started reading about the honeypot project, I noticed that my University's box was running a version of Linux that had a few security issues.. as in the same security issues that allowed others to access and control the Honeypot for a little. (I am not mentioning my U's name!) -- I acted against reason and informed the administrator (whom I had as a professor) about the problem... their answer was strange: "I know about the problem but I just don't have enough time to deal with it right now. I think I might take a look at patching it sometime this summer..."
Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking "Wait.. I remember someone who knew about this security problem.."
So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?
The problem with honeypots and honeynets is that, in the end, they end up simply encouraging crackers. When systems are put online for the specific purpose of being hacked, crackers are more than happy to oblige by compromising them. And the more boxes they can crack, the more likely they are to get caught up in the whole "blackhat" mythos. Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.
Furthermore, putting a honeypot or honeynet up is almost asking for people to become blackhats. Most crackers / blackhats have huge egos, hence their need to deface web pages with their 1337 group names. These kinds of people would love to be the subject of a honeypot study, if for no other reason than getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?
And of course, there's also the fact that a honeypot is a waste of resources. It seems pretty silly to set up a system specifically to be cracked. There's plenty of better uses for a spare box; why not set up a distributed-processing unit or an open-source FTP server if you don't know what else to do with an old computer?
I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior. How much more can we really learn from the drooling 13-year-old script kiddies of the world?
So, a honeynet is just like any other firewall protected network, except for the fact that people are actually paying attention to network security?
While I don't think I agree with the effectiveness of a 'dedicated' honeynet over any other real network, this does bring to light the interesting effect this will have on network security in general. Right now, l33t k1dd3z have a 'you can't catch me' attitude. Witness the recent exploits of a Welsh hacker who thought that he was so far above the law that he could do what he wanted to any website he wanted in the name of his own little sense of morality.
Most of these kids *know*, not just think, that they are never going to be caught.
As more and more businesses and organizations employ honeypots and 'honeynets', trying to catch crackers before they crack, more and more cases of idiots like these are going to get in trouble for breaking the law. Rooting a server is going to be seen less and less like fairly innocent graffiti and more and more like knocking over a convenience store and beating up the clerk, and then walking out with only a slushee. People will still do it, but attacks will be fewer and further between, and the people who get cracked will be those who've invited it by not putting up the equivalents of bullet-proof glass and panic alarms.
I've recently been involved in setting up a "honeynet" at a university that I do consultancy work for on their IT systems, including security. A major problem was the sheer number of times it was attacked by a large number of people at the university, often bouncing off external machines.
I had expected them to catch a few people who had been virtually running wild on the network over the last year. As it turned out, there were too many attacks to be able to narrow it down or to follow up on every event logged.
It made for a frightening reality as to the sheer volume of attacks that go on. A uni is obviously at more risk than most places due to the high volume of computer geeks with too much time to kill. Still, it's a real wakeup call to the scale of what goes on.
It's not entrapment if you aren't trying to prosecute anyone. It's more like videotaping a burglar's activities at your door to find out how burglars break in, and analyzing the tool marks to see how to make the door secure against other burglars.
--
spam spam spam spam spam spam
No one expects the Spammish Repetition!
These kinds of people would love to be the subject of a honeypot study, if for no other reason than getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?
For one thing, the study results are expressed in generalities in terms of hacker tactics. How excited can a person become about being a statistic? I can't see someone seeking attention by publicly defacing web sites becoming overly enamored with the idea of being treated as an anonymous lab rat.
I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior.
How else do you propose to discover new cracking techniques, or examine cracking tactics? It seems to me that honeynets are an excellent opportunity to both conduct reconnaissance on crackers and validate security models in a practical environment. As the article states, black hat ingenuity should never be underestimated, and I can't see what is to be gained by being complacent about security. According to your argument, if we ignore the problem, it will go away. Attention is not the only thing these guys are seeking; some of them mean to do real harm, and we can't tell the difference a priori.