Honeypot

from Wikipedia, the free encyclopedia

A honey pot or honeypot is a device that is meant to distract an attacker or enemy from the actual target, or to lure him into an area that would otherwise not have interested him, e.g. in the form of a decoy target. The term stems from the idea that a bear can be both distracted and lured into a trap with a pot of honey.

In a figurative sense, very different things are called "honeypots".

Computer networks and security

In computer security, a honeypot (formerly also called an iron box) is a computer program or a server that simulates the network services of a computer, an entire computer network, or the behavior of a user. Honeypots are used to obtain information about attack patterns and attacker behavior. If such a virtual service or user is accessed, all associated actions are logged and, if necessary, an alarm is triggered. The valuable real network is spared the attempted attacks, as it is better secured than the honeypot.

The idea behind honeypot services is to install one or more honeypots in a network that do not offer any services required by users or their communication partners and are therefore never addressed in normal operation. An attacker who cannot distinguish real servers or programs from honeypots, and who routinely examines all network components for weak points, will sooner or later use the services offered by a honeypot and be logged by it. Since the system is unused, any access to it should be treated as a possible attack attempt. Note, however, that honeypots target hackers and therefore carry a certain risk: a hacker who breaks into the honeypot can cause further damage to the network. This risk can be reduced by separating the honeypot as far as possible from the remaining productive systems.

Honeypots that simulate users ("honeyclients") use normal web browsers and visit websites to detect attacks on the browser or on browser plug-ins.

Several honeypots can be combined into a networked group called a honeynet. Honeynets are meant to provide extensive information about attack patterns and attacker behavior so that security can be continuously improved.

Criteria for differentiation

Type of implementation

A physical honeypot is a real computer in the network with its own network address. A virtual honeypot is a logically independent system that is simulated by another computer. With a client honeypot, a real server is addressed by honeypot software. With a server honeypot, real clients are "served" by honeypot software.

Degree of interaction

Regardless of the type of implementation, a distinction is made between low interaction and high interaction honeypots.

Types

Low-Interaction Server Honeypots

A low-interaction server honeypot is usually a program that emulates one or more services. The information gained through a low-interaction honeypot is therefore limited. It is used in particular to obtain statistical data. An accomplished attacker has little trouble spotting a low-interaction honeypot. To log automated attacks, for example by computer worms, a low-interaction honeypot is completely sufficient. In this sense, it can be used to detect attempted break-ins (as an intrusion detection system).

Some examples of low-interaction honeypots are:

  • honeyd, published under the GPL, can emulate entire network structures; one instance of the software can simulate many different virtual machines on a network, each offering different services.
  • mwcollectd is a free honeypot under the Lesser GPL for POSIX-compatible operating systems with the aim of not only recognizing and logging automated attacks by worms, but also using the worms' spreading mechanisms to obtain a copy of the worm. For this purpose, services known to be vulnerable are only emulated as far as required, based on available attack patterns.
  • Nepenthes, also published under the GPL, is, like mwcollect, a honeypot for POSIX-compatible operating systems with the aim of collecting worms.
  • Amun is a honeypot written in Python that can run on Linux as well as on other platforms. Amun is published under the GPL. By simulating vulnerabilities, malicious programs that spread automatically are baited and captured.
  • honeytrap is an open source honeypot for collecting information on known and new network-based attacks. In order to be able to react to unknown attacks, honeytrap examines the network stream for incoming connection requests and dynamically starts listeners for the corresponding ports in order to process the connection requests. In "Mirror Mode", attacks can be reflected back to the attacker. Honeytrap can be extended with additional functions via a plug-in interface.
  • multipot is a honeypot for Windows; like Nepenthes and mwcollect, it emulates vulnerabilities in Windows to collect worms.

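The core of a low-interaction server honeypot, as an added example (not code from honeyd, Nepenthes or any other tool listed above): it emulates only the login dialogue of a Telnet-like service, never grants access, and turns every exchange into a log record. The banner, peer address and credentials are constructed for this example; the session logic is a pure state machine so any socket front end can drive it.

```python
"""Core of a low-interaction server honeypot (added example, not code from
honeyd, Nepenthes or the other tools listed above). It emulates only the
login dialogue of a Telnet-like service, never grants access, and turns
every exchange into a log record. Banner and addresses are constructed."""
from dataclasses import dataclass, field
import json

BANNER = b"Ubuntu 16.04 LTS\r\nlogin: "      # constructed decoy banner


@dataclass
class Session:
    peer: str
    state: str = "user"                      # "user" -> "password" -> "user"
    username: str = ""
    events: list = field(default_factory=list)

    def on_connect(self) -> bytes:
        # An unused service has no legitimate clients: log every connection.
        self.events.append({"peer": self.peer, "event": "connect"})
        return BANNER

    def on_line(self, line: bytes) -> bytes:
        """Consume one client line and return the bytes to send back."""
        text = line.rstrip(b"\r\n").decode("utf-8", errors="replace")
        if self.state == "user":
            self.username, self.state = text, "password"
            return b"Password: "
        # Record the guessed credential pair, then always deny.
        self.events.append({"peer": self.peer, "event": "login_attempt",
                            "username": self.username, "password": text})
        self.state = "user"
        return b"\r\nLogin incorrect\r\nlogin: "


def run_script(peer: str, client_lines: list) -> list:
    """Drive one session with a scripted client and return its log records."""
    session = Session(peer)
    session.on_connect()
    for line in client_lines:
        session.on_line(line)
    return session.events


def to_jsonl(events: list) -> str:
    """Serialise records one JSON object per line for a SIEM or log shipper."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)
```

To run it as a real listener, wrap `Session` in a `socketserver.StreamRequestHandler` that sends `on_connect()` and then feeds each received line to `on_line()`.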
Low-Interaction Client Honeypots

Low-Interaction Client Honeypots are standalone programs that visit websites without the use of normal web browsers and attempt to detect attacks on the emulated browser.

phoneyc is a client honeypot written in Python that visits websites to find attacks on known vulnerabilities in web browsers and their extensions ("browser plugins"). To detect attacks, phoneyc uses the JavaScript engine SpiderMonkey, which is also used by Firefox.

High-Interaction Server Honeypots

High-interaction honeypots are mostly complete servers that offer services. They are more difficult to set up and manage than low-interaction honeypots. The focus of a high-interaction honeypot is not on automated attacks, but on monitoring and logging manually executed attacks in order to identify new attacker methods in good time. To this end, it makes sense for a high-interaction honeypot to appear to be a particularly profitable target, i.e. a server that potential attackers consider to be of high value (a "high value target").

Sebek

To monitor a high-interaction honeypot, special software is used, usually the freely available Sebek, which monitors all userland programs from within the kernel and sends the resulting data from the kernel to a logging server. Sebek tries to remain undetected, i.e. an attacker should, if possible, neither know nor be able to suspect that he is being monitored.

Argos

The Argos honeypot, based on the Quick Emulator (QEMU), does not require any special monitoring software. To detect attacks via the network, the modified QEMU marks memory contents that hold data received from the network as "tainted". New memory contents derived from already tainted contents are also considered tainted. As soon as tainted memory content is about to be executed by the CPU, Argos records the data stream and the memory contents for further forensic analysis and terminates.

Due to the additional work required for emulating and checking the memory, an Argos honeypot only achieves a fraction of the speed of a native system on the same hardware.
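A toy illustration of the taint-tracking idea behind Argos, as an added example (not Argos code): a tiny machine in which every memory byte and register carries a taint bit, network input is tainted, taint propagates through loads, stores and arithmetic, and a jump to tainted memory raises an alert with a snapshot. The instruction set and the input bytes are constructed for this example.

```python
"""Toy model of the Argos technique (added example, not Argos code): every
memory byte and register carries a taint bit, bytes received "from the
network" are tainted, taint propagates through data flow, and a jump to a
tainted byte raises an alert with a snapshot. Instruction set is made up."""


class TaintAlert(Exception):
    def __init__(self, pc, snapshot):
        super().__init__(f"tainted code executed at {pc:#x}")
        self.pc, self.snapshot = pc, snapshot


class TaintVM:
    def __init__(self, size=64):
        self.mem = bytearray(size)
        self.taint = bytearray(size)        # 1 = derived from network input
        self.regs = {"A": 0, "B": 0}
        self.rtaint = {"A": 0, "B": 0}

    def recv(self, addr, data: bytes):
        """Network receive: copy data in and mark those bytes tainted."""
        self.mem[addr:addr + len(data)] = data
        self.taint[addr:addr + len(data)] = b"\x01" * len(data)

    def load(self, reg, addr):                # reg <- mem[addr]
        self.regs[reg], self.rtaint[reg] = self.mem[addr], self.taint[addr]

    def store(self, reg, addr):               # mem[addr] <- reg
        self.mem[addr], self.taint[addr] = self.regs[reg], self.rtaint[reg]

    def add(self, dst, src):                  # dst <- dst + src, taint OR'ed
        self.regs[dst] = (self.regs[dst] + self.regs[src]) & 0xFF
        self.rtaint[dst] |= self.rtaint[src]

    def jump(self, addr):                     # control transfer to addr
        if self.taint[addr]:                  # Argos: stop and snapshot
            raise TaintAlert(addr, {"mem": bytes(self.mem), "taint": bytes(self.taint)})
        return addr


def run(copy_from_network: bool) -> tuple:
    """Program builds a byte at address 40 and jumps there; the byte is
    derived from received data only when copy_from_network is True."""
    vm = TaintVM()
    vm.recv(0, b"\x41\x42\x43")               # constructed network input
    vm.load("A", 2 if copy_from_network else 50)   # addr 50 is untainted
    vm.load("B", 51)                          # a constant from local memory
    vm.add("A", "B")                          # arithmetic keeps the taint
    vm.store("A", 40)
    try:
        return ("clean", vm.jump(40))
    except TaintAlert as e:
        return ("alert", e.pc)
```

The benign run completes normally while the run that executes network-derived data is stopped at the jump, mirroring why Argos needs no in-guest agent and why the bookkeeping costs speed.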

High-Interaction Client Honeypots

High-interaction client honeypots run on regular operating systems and use regular web browsers to detect attacks on browsers.

Capture-HPC uses a client-server architecture in which the server maintains the list of websites to be visited; the clients visit them and report the results back to the server.

mapWOC loads pages with vulnerable web browsers that are temporarily running in a virtual machine. Attacks such as "drive-by downloads" are detected by monitoring the data traffic to the virtual machine. mapWOC is free software (open source).

Honeypot-like approaches

Tarpits

Tarpits (tar pits) are used, for example, to reduce the speed at which worms spread. The technique is also known under the name LaBrea. Tar pits simulate large networks and thus slow down or hinder the spread of Internet worms or the execution of network scans, for example. There are also tar pits that emulate open proxy servers and, if someone tries to send spam via this service, slow down the sender by throttling the transmission of the data.

Honeylinks

Based on the honeypot concept, there are further approaches for exposing potential attackers on web applications. Special web application firewalls inject hidden links, placed in HTML comments, to non-existent pages or to potentially interesting sections of a web application. These so-called honeylinks are not noticed by users, but they are noticed by potential attackers during analysis of the HTML source. If such a honeylink is then requested, the WAF (web application firewall) can interpret this as an attempted attack and take further protective measures (e.g. ending the web session).
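The honeylink mechanism just described, as an added example (not the code of any particular WAF): a decoy link is injected as an HTML comment, a browser neither renders nor follows it, and a request for the decoy path terminates the session. The decoy path, the page and the session ids are constructed for this example.

```python
"""Honeylink demonstration (added example, not the code of any particular
web application firewall). A decoy link to a non-existent page is injected
as an HTML comment; a browser never renders or follows it, so a request for
that path indicates someone who read the raw HTML. Paths and session ids
are constructed for this example."""
import re

HONEYLINK_PATH = "/old-admin/backup.sql"     # constructed decoy; must not exist
HREF = re.compile(r'href="([^"]+)"')


def inject_honeylink(html: str, path: str = HONEYLINK_PATH) -> str:
    """Place the decoy inside an HTML comment just before </body>."""
    decoy = f'<!-- TODO remove before launch: <a href="{path}">backup</a> -->'
    if "</body>" in html:
        return html.replace("</body>", decoy + "\n</body>", 1)
    return html + decoy


def rendered_hrefs(html: str) -> list:
    """Links a browser would actually show: comments are stripped first."""
    return HREF.findall(re.sub(r"<!--.*?-->", "", html, flags=re.S))


def raw_hrefs(html: str) -> list:
    """Links visible to someone analysing the raw HTML source."""
    return HREF.findall(html)


class HoneylinkWAF:
    """Classifies requests; a hit on a honeylink terminates the session."""

    def __init__(self, honeylinks):
        self.honeylinks = set(honeylinks)
        self.terminated = set()

    def inspect(self, session_id: str, path: str) -> str:
        if session_id in self.terminated:
            return "blocked"
        if path in self.honeylinks:
            self.terminated.add(session_id)
            return "alert"
        return "allow"


PAGE = inject_honeylink('<html><body><a href="/home">Home</a></body></html>')
```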

Database honeypots

With the help of so-called SQL injection attacks, an attempt is made to access the databases of a website directly. Since a normal firewall does not recognize this access (the attack comes via the website and therefore not from a system classified as a potential attacker), companies use so-called database firewalls. These can be configured to make attackers believe they have successfully gained access when in fact they are looking at a honeypot database.

Copyright infringement

The term "honeypot" is also sometimes used in connection with the prosecution of copyright infringements. In this case, copyrighted works are offered by organizations such as the Society for the Prosecution of Copyright Infringements (GVU) in order to catch careless buyers or providers via file sharing.

Prosecuting crimes

Law enforcement agencies, especially the US FBI, also use honeypots for investigations, for example to search for consumers of child pornography. For this purpose, servers are set up that pretend to offer child pornography for download. In fact, material that is irrelevant under criminal law is offered, the access is logged, and criminal proceedings are then initiated against the accessing persons. In the course of these proceedings, the identity of the persons is determined via the Internet service provider and search warrants are obtained. This procedure was declared admissible by a court after an objection by a person concerned. In 2010, Bettina Winsemann drew attention to the possible statistical distortion caused by these honeypot website strategies.

Since 2004, websites of the German Federal Criminal Police Office (BKA) have also been used as honeypots to identify members of the radical left-wing militant underground organization "militante gruppe (mg)". After a disguised lure article was published, the IP addresses of visitors were temporarily stored in order to assign these addresses to specific groups. The operation was unsuccessful overall. In 2009, the Federal Ministry of the Interior prohibited the monitoring of connection data, as it considered this to be a serious "interference with the basic right to informational self-determination".

The police in Heilbronn proceeded similarly, using their website as a honeypot between May 2007 and January 2008. With the help of the Federal Criminal Police Office, visitors were registered in the hope of identifying the perpetrators of the earlier murder of a police officer. In May 2012, the magazine Focus quoted from internal files stating that the campaign was legally "very shaky" and had therefore been kept from the public. This action was also unsuccessful.

