Slashdot Mirror


Know Your Enemy: Honeynets

bewmIES writes "The guys over at the Honeynet project have released the latest chapter in their "Know Your Enemy" series describing how to implement a honeynet. This is great reading even if you don't have any plans to implement one and does a very good job explaining the elementary concepts behind it all, along with the implications." Extremely interesting reading here.

6 of 73 comments

  1. I am building one. by Mr. Flibble · Score: 3

    I get hit with about 10-15 of these a day:

    Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
    Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"


    I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.

    There are many more attacks coming in, this is just one example. Sure, I can read on how they are performed, but that only makes me book-smart. I need to be able to see in real-time (or playback) exactly what a black-hat is going to do with my systems.

    Honeypots/nets also give crackers a chance to practice their skills -- which can then be used against real targets -- with little repercussion.

    Perhaps you should read this. It shows you the "proper" way to setup a honeypot so that it cannot be used as a jump-point. I don't want to be just book-smart when it comes to my network. I want to know how they get in and what they do. Yes, I have secured my network (as best as you can that is) but that is not the point. Eventually *SOMEONE* is going to get in, somehow. I am going to be the one picking up the pieces when it happens. I would love to say that I am "good enough" that no one will crack my network, but I don't believe anyone is.

    What I expect to learn from crackers hitting my honeypot is an overall "pattern". I expect to learn how to become a black hat, because it will make me a better white hat.

    How much more can we really learn from the drooling 13-year-old script kiddies of the world?

    Not all crackers fit that description I am guessing. Hopefully a honeypot will help me find this out for certain.

    --
    Try to hack my 31337 firewall!
    1. Re:I am building one. by gleam · Score: 5


      I get hit with about 10-15 of these a day:

      Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Connect from host: 211.205.178.64/211.205.178.64 to TCP port: 111
      Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host 211.205.178.64 has been blocked via dropped route using command: "/etc/portsentry/portsentry.bash 211.205.178.64 111"

      I know what the port 111 exploit is, but I have never used it, yet I get many hits from this exploit a day on my servers. This is just one hit. I know how to stop it (portsentry/ipchains is a wonderful thing) and as you can see it is logged.


      Portsentry/ipchains is *not* a wonderful thing in that instance. It would be much wiser for you to at least implement a brief timeout on the drop.

      Here's a scenario:

      I know your box is up, because I can connect to you at port 80, or whatever. So I portscan you.

      And your box isn't up. EH? Oh! You must have some sort of portscan detector that automatically drops packets! Let's see if I can get to port 80!

      Nope! Hmmmmm.

      So what do I do? I spoof a portscan from the last hop between you and me. Lo, you block that IP. Lo, you lose your entire upstream.

      Lo, you're screwed. All because you let an imperfect program control your TCP/IP stack.

      Sure, blocking port scanners is OK. Just don't let them use it as an opportunity to launch a denial of service attack.

      Think it through.

      -gleam

      --
      this .sig is not a .sig.
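      The two posts above describe a portsentry-style auto-blocker and the way it turns into a denial-of-service tool: a scan spoofed from the last hop gets the box to drop its own upstream. The following is an added example, not code from the thread or from the portsentry project, showing the shape of the fix gleam asks for: parse the "attackalert: Connect from host" lines in the format posted above, block the source for a short timeout rather than forever, and refuse to block anything on a never-block list (default gateway, upstream hops, loopback). The gateway and scanner addresses, the ipchains rule strings and the sample log lines are all constructed for the example; the commands are returned as strings, not executed.

```python
"""Added example: an expiring, allowlist-aware auto-blocker for portsentry alerts.

Parses portsentry 'attackalert: Connect from host' lines, blocks the source
with an ipchains rule that is lifted after block_seconds, and never blocks an
address on the never_block list, so a scan spoofed from the upstream hop
cannot cut the box off. Commands are collected as strings, not run.
"""
import re

CONNECT_RE = re.compile(
    r"portsentry\[\d+\]: attackalert: Connect from host: "
    r"(?P<name>[^/\s]+)/(?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"to (?P<proto>TCP|UDP) port: (?P<port>\d+)"
)


class TimedBlocker:
    """Block sources seen in portsentry alerts, but only for block_seconds,
    and never the addresses in never_block (gateway, upstream hops, loopback)."""

    def __init__(self, never_block, block_seconds=300):
        self.never_block = frozenset(never_block)
        self.block_seconds = block_seconds
        self.expiry = {}     # src -> wall-clock second at which the block is lifted
        self.commands = []   # ipchains commands a real deployment would execute

    def expire(self, now):
        """Lift every block whose timeout has passed; returns the lifted sources."""
        lifted = [src for src, t in self.expiry.items() if now >= t]
        for src in lifted:
            del self.expiry[src]
            self.commands.append(f"ipchains -D input -s {src} -j DENY")
        return lifted

    def handle(self, line, now):
        """Process one syslog line at wall-clock second 'now'.
        Returns 'ignored', 'alert-only', 'already-blocked' or 'blocked'."""
        self.expire(now)
        m = CONNECT_RE.search(line)
        if not m:
            return "ignored"            # e.g. the 'has been blocked' follow-up line
        src = m["src"]
        if src in self.never_block:
            # The spoofed-scan DoS from the thread: a forged packet claiming to
            # come from our upstream must never become a rule that drops it.
            return "alert-only"
        if src in self.expiry:
            return "already-blocked"
        self.expiry[src] = now + self.block_seconds
        self.commands.append(f"ipchains -I input -s {src} -j DENY")
        return "blocked"

    def blocked(self):
        return sorted(self.expiry)


# Constructed sample data in the thread's log format; addresses are from
# documentation ranges and are assumptions of this example.
GATEWAY = "192.0.2.1"       # assumed last hop between this box and the Internet
SCANNER = "198.51.100.7"    # assumed real scanner


def alert_line(src, port, proto="TCP"):
    return (f"Apr 22 06:17:20 mayday portsentry[9235]: attackalert: "
            f"Connect from host: {src}/{src} to {proto} port: {port}")


FOLLOWUP_LINE = ("Apr 22 06:17:20 mayday portsentry[9235]: attackalert: Host "
                 "198.51.100.7 has been blocked via dropped route using command: "
                 '"/etc/portsentry/portsentry.bash 198.51.100.7 111"')


def simulate(block_seconds=300):
    """Replay a short constructed sequence; returns (actions, blocked, commands)."""
    b = TimedBlocker(never_block={GATEWAY, "127.0.0.1"}, block_seconds=block_seconds)
    actions = [
        b.handle(alert_line(SCANNER, 111), now=0),              # real scan: blocked
        b.handle(alert_line(SCANNER, 111), now=5),              # repeat while blocked
        b.handle(alert_line(GATEWAY, 111), now=10),             # spoofed as gateway: never blocked
        b.handle(FOLLOWUP_LINE, now=11),                        # not a connect alert: ignored
        b.handle(alert_line(SCANNER, 111), now=block_seconds + 1),  # timeout passed: blocked again
    ]
    return actions, b.blocked(), b.commands


if __name__ == "__main__":
    for item in simulate():
        print(item)
```

      In a deployment the never_block set would be filled from the box's own routing table and a traceroute to the upstream, and the expiry loop would run from a timer rather than piggy-back on the next alert; the point of the simulation is that the gateway line produces an alert and nothing else, and that the scanner's rule is removed and re-added rather than accumulating.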
  2. Re:Entrapment by jonnythan · Score: 3

    The other poster is absolutely right. It is not entrapment if the party in question was merely given the opportunity to commit a crime. It IS entrapment if the idea of committing the crime came from the entrapping party. So, if I leave my car door unlocked and booby trap it so that if someone enters, it locks them in, that's not entrapment. However, if I walk past a guy there and go "hey look at that car.. it's open.. wanna steal it?" and it's my car, that is entrapment.

  3. Slightly OT but... by Lostman · Score: 5

    How do you tell someone that they are running a "Honeypot" server unintentionally?

    I used to have the habit of talking to people about security issues on networking around my high school. As people are, they scoffed at a kid explaining to them security issues... and when their network was compromised (not by me) my attempt at pointing out their security problems came to their mind... They remembered me speaking to them, of course, and since I knew about their security problems I "had to be" the person who compromised their system...

    That was high school -- I learned to keep my mouth shut...

    About a month ago, when I first started reading about the honeypot project I noticed that my University's box was running a version of Linux that had a few security issues.. as in the same security issues that allowed others to access and control the Honeypot for a little. (I am not mentioning my U's name!) -- I acted against reason and informed the administrator (who I had as a professor) about the problem... their answer was strange: "I know about the problem but I just don't have enough time to deal with it right now. I think I might take a look at patching it sometime this summer..."

    Now I am worried the same thing will happen.. my precious U's network will be compromised and the admin will be thinking "Wait.. I remember someone who knew about this security problem.."

    So how exactly do you tell someone that their server/network/etc has security problems without opening yourself up for nasty things?

  4. You mean "forensic analysis" by Spamalamadingdong · Score: 3

    It's not entrapment if you aren't trying to prosecute anyone. It's more like videotaping a burglar's activities at your door to find out how burglars break in, and analyzing the tool marks to see how to make the door secure against other burglars.
    --
    spam spam spam spam spam spam
    No one expects the Spammish Repetition!

  5. That's not the point. by s20451 · Score: 3

    These kinds of people would love to be the subject of a honeypot study, if for no other reason than getting the chance to see that their childish actions have had an effect on somebody. Crackers want to be perceived as disruptive and a threat; they want to look "cool" and dangerous and mysterious. Why encourage these people by giving them the kind of attention they're looking for?

    For one thing, the study results are expressed in generalities in terms of hacker tactics. How excited can a person become about being a statistic? I can't see someone seeking attention by publicly defacing web sites becoming overly enamored with the idea of being treated as an anonymous lab rat.

    I understand the need to find out cracking techniques. But this kind of stuff is hardly secret by now; I don't see any reason to continue useless navel-gazing "studies" of cracker behavior.

    How else do you propose to discover new cracking techniques, or examine cracking tactics? It seems to me that honeynets are an excellent opportunity to both conduct reconnaissance on crackers and validate security models in a practical environment. As the article states, black hat ingenuity should never be underestimated, and I can't see what is to be gained by being complacent about security. According to your argument, if we ignore the problem, it will go away. Attention is not the only thing these guys are seeking; some of them mean to do real harm, and we can't tell the difference a priori.

    --
    Toronto-area transit rider? Rate your ride.