The Internet is growing fast, with the number of websites said to be
doubling every 53 days, and the number of people using the Internet is
growing as well. Global communication therefore becomes more important
every day. At the same time, computer crime is increasing.
Countermeasures are developed to detect or prevent attacks, and most
of them rely on known facts and known attack patterns. Countermeasures
such as firewalls and network intrusion detection systems rest on
prevention, detection and reaction mechanisms; but is there enough
information about the enemy?
As in the military, it is important to know who the enemy is, what
strategy he uses, what tools he employs and what he is aiming for.
Gathering this kind of information is not easy, but it is important:
by knowing attack strategies, countermeasures can be improved and
vulnerabilities can be fixed. Gathering as much information as
possible is one main goal of a honeypot. Such information gathering
should generally be done silently, without alerting the attacker. All
the gathered information gives the defending side an advantage and can
therefore be applied to production systems to prevent attacks.
A honeypot is primarily an instrument for information gathering and
learning. Its primary purpose is not to serve as an ambush for the
blackhat community, catching attackers in the act in order to press
charges against them. The focus lies on silently collecting as much
information as possible about their attack patterns, the programs they
use, the purpose of the attack and the blackhat community itself. All
of this information is used to learn more about blackhat methods and
motives, as well as their technical knowledge and abilities. This is
only the primary purpose of a honeypot; there are many other uses,
such as diverting attackers from production systems or catching an
attacker while an attack is in progress. Honeypots are not a perfect
solution for solving or preventing computer crime.
Honeypots are hard to maintain and need operators with good knowledge
of operating systems and network security. In the right hands, a
honeypot is an effective tool for information gathering. In the wrong,
inexperienced hands, a honeypot can become just another compromised
machine and an instrument for the blackhat community.
This paper presents the basic concepts behind honeypots and also the
legal aspects of honeypots.
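To make the "silent information gathering" described above concrete, here is an added example that is not code from this paper: a minimal low-interaction TCP honeypot in Python. It presents a bait service banner, records the source address and the first bytes each connecting client sends, tags the probe with a few signatures, and then simply closes the connection without any error text that would betray it. The bait banner, the signature set and the use of a localhost port chosen by the operating system are assumptions for illustration; the probes in the main block are constructed, not captured traffic.

```python
import socket
import threading
import time
from datetime import datetime, timezone


def classify_probe(first_bytes: bytes) -> str:
    """Tag the first payload a client sends. These few signatures are assumptions
    chosen for illustration; a real honeypot would keep a much larger set."""
    if not first_bytes:
        return "connect-only"                 # scanner that connects and sends nothing
    if first_bytes.startswith(b"SSH-"):
        return "ssh-client-banner"
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"OPTIONS"):
        return "http-request"
    if first_bytes[:2] == b"\x16\x03":        # TLS record type 22 (handshake), version 3.x
        return "tls-client-hello"
    printable = all(0x09 <= b <= 0x7E for b in first_bytes)
    return "unknown-text" if printable else "unknown-binary"


def make_record(peer, first_bytes: bytes, local_port: int) -> dict:
    """One log record; only the first 64 payload bytes are kept, as hex."""
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer[0], "src_port": peer[1], "dst_port": local_port,
        "bytes": len(first_bytes),
        "payload_hex": first_bytes[:64].hex(),
        "probe": classify_probe(first_bytes),
    }


def summarize(records) -> dict:
    """Count records per probe type: the view an early-warning dashboard would show."""
    counts = {}
    for rec in records:
        counts[rec["probe"]] = counts.get(rec["probe"], 0) + 1
    return counts


class Honeypot:
    """Low-interaction listener: it never executes or interprets attacker input;
    it sends a bait banner, reads the first bytes, records them and hangs up."""

    def __init__(self, host="127.0.0.1", port=0, banner=b"", read_timeout=2.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0: the OS picks a free port
        self.sock.listen(16)
        self.port = self.sock.getsockname()[1]
        self.banner, self.read_timeout = banner, read_timeout
        self.records, self._lock, self._stop = [], threading.Lock(), threading.Event()

    def _handle(self, conn, peer):
        with conn:
            conn.settimeout(self.read_timeout)
            if self.banner:
                conn.sendall(self.banner)     # bait: look like a real service
            try:
                data = conn.recv(1024)
            except (socket.timeout, OSError):
                data = b""
            with self._lock:
                self.records.append(make_record(peer, data, self.port))
            # The connection is closed silently: no message that reveals a honeypot.

    def serve(self):
        self.sock.settimeout(0.5)             # wake up periodically to check the stop flag
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()
        self.sock.close()

    def start(self):
        thread = threading.Thread(target=self.serve, daemon=True)
        thread.start()
        return thread

    def stop(self):
        self._stop.set()


def simulate_probe(port: int, payload: bytes, host="127.0.0.1") -> bytes:
    """Play the attacker: connect, send a payload, return whatever banner came back."""
    with socket.create_connection((host, port), timeout=3.0) as s:
        if payload:
            s.sendall(payload)
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def wait_for_records(hp: Honeypot, n: int, timeout=5.0) -> list:
    """Poll until at least n records are logged (handlers run in their own threads)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with hp._lock:
            if len(hp.records) >= n:
                return list(hp.records)
        time.sleep(0.05)
    with hp._lock:
        return list(hp.records)


if __name__ == "__main__":
    hp = Honeypot(banner=b"SSH-2.0-OpenSSH_7.4\r\n")   # bait banner: an assumption
    hp.start()
    for probe in (b"GET / HTTP/1.0\r\n\r\n", b"", b"SSH-2.0-libssh_0.9\r\n"):
        simulate_probe(hp.port, probe)                # constructed probes
    for rec in wait_for_records(hp, 3):
        print(rec)
    print(summarize(hp.records))
    hp.stop()
```

The design point is the one the text makes about honeypots in the wrong hands: because this listener only reads and records bytes and never passes attacker input to a shell, an interpreter or a real service, a compromise of the honeypot itself through the bait port is far harder than with a full (high-interaction) system, at the price of learning less about what the attacker would have done next.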
HONEYPOT BASICS
Honeypots are an exciting new technology with enormous potential for
the security community. The concepts were first introduced by several
icons of computer security, specifically Cliff Stoll in the book
"The Cuckoo's Egg" and Bill Cheswick in his paper "An Evening with
Berferd". Since then, honeypots have continued to evolve, developing
into the powerful security tools they are today.
Honeypots are neither firewalls, which limit or control the traffic
entering a network and deter attacks, nor IDSs (intrusion detection
systems), which detect attacks. They can, however, be used alongside
both. A honeypot does not solve one specific problem; it can be used
to deter attacks, to detect attacks, to gather information, to act as
an early warning or indication system, and so on. They can do
everything from detecting encrypted attacks in IPv6 networks to
capturing the latest in on-line credit card fraud. It is this
flexibility that gives honeypots their true power. It is also this
flexibility that can make them challenging to define and understand.
The basic definition of a honeypot is: