What is a Honeypot/Honeynet
A Honeypot is a specially prepared computer that serves no purpose in a productive sense. This means that there is no interaction between this computer and other computers or users in the network. If there is interaction or data exchange with this computer after all, the network traffic will be classified as suspicious. This suggests that the Honeypot has been the target of an assault or is already under the control of an attacker.
Consequently, a Honeynet is the combination of multiple Honeypots into a larger network. This makes it possible to completely recreate productive networks and to observe the effects of a successful assault.
Incoming connections to the Honeypot are often Port-Scans or Brute-Force assaults on password-protected services. Outgoing connections are a sure sign that the computer has been compromised.
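The classification rule above (any traffic touching a Honeypot is suspicious; inbound is typically a scan or a brute-force attempt, outbound means compromise) applied to flow records, as an added example that is not part of the original page or the IT Center's tooling. The Honeynet prefix, the port thresholds and the flow lines are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed Honeypot address range (constructed; the real one is a reserved /18).
HONEYNET = ipaddress.ip_network("198.51.100.0/24")
# Ports of password-protected services that commonly see brute-force logins (assumption).
AUTH_PORTS = {22, 23, 3389}

# Constructed flow records as a honeywall-style collector might export them:
# "src_ip dst_ip dst_port", one flow per line.
SAMPLE_FLOWS = """\
203.0.113.5 198.51.100.10 22
203.0.113.5 198.51.100.10 22
203.0.113.5 198.51.100.10 22
203.0.113.5 198.51.100.10 22
203.0.113.5 198.51.100.10 22
203.0.113.9 198.51.100.11 21
203.0.113.9 198.51.100.11 25
203.0.113.9 198.51.100.11 80
203.0.113.9 198.51.100.11 443
203.0.113.9 198.51.100.11 8080
198.51.100.11 203.0.113.77 6667
203.0.113.50 198.51.100.12 80
"""

def parse_flows(text):
    """Turn the text export into (src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        src, dst, port = line.split()
        flows.append((ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port)))
    return flows

def classify(flows, scan_ports=5, bruteforce_hits=5):
    """Map each involved external host or Honeypot to a verdict."""
    inbound = defaultdict(lambda: defaultdict(int))  # src -> dst port -> hits
    verdicts = {}
    for src, dst, port in flows:
        if src in HONEYNET:
            # A Honeypot never initiates traffic: an outgoing flow means it is compromised.
            verdicts[str(src)] = "compromised"
        elif dst in HONEYNET:
            inbound[src][port] += 1  # no legitimate reason to contact a Honeypot
    for src, ports in inbound.items():
        if len(ports) >= scan_ports:
            verdicts[str(src)] = "port-scan"        # many distinct ports probed
        elif any(p in AUTH_PORTS and n >= bruteforce_hits for p, n in ports.items()):
            verdicts[str(src)] = "brute-force"      # repeated hits on a login service
        else:
            verdicts[str(src)] = "suspicious"       # any contact at all is noteworthy
    return verdicts
```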
As a general rule, a distinction is made between two types of Honeypots:
- Low-Interaction Honeypots
- High-Interaction Honeypots
The distinction is made on the basis of the interaction possibilities the attacker has with the Honeypot.
A Low-Interaction Honeypot simulates certain services (e.g. Telnet, e-mail server, etc.) and mostly only up to the point where a vulnerability exists. This means that the attacker can exploit the service, but won't be able to gain control over the computer. Therefore, this type of Honeypot is deployed for finding out if assaults are taking place rather than finding out how an attacker proceeds after a successful invasion and which software they are using. Examples of Low-Interaction Honeypots are Honeyd, Nepenthes, Omnivora or Amun.
In contrast to a Low-Interaction Honeypot, a High-Interaction Honeypot is a real system. This means that an attacker can assault any running service on this computer and, when successful, gain full control over the system. As a basic system, any desired system (Windows, Linux, etc.) can be deployed. You also have free choice of the offered services.
In order to protect the rest of the network, an upstream entity, called a Honeywall, is additionally required for a High-Interaction Honeynet. The honeywall performs the function of a firewall, but also serves as a central collection point of all data transmitted via the network and the attacker's operations conducted on the Honeypot. This protects the network from a compromised High-Interaction Honeypot and all steps that have been executed on the Honeypot can be reconstructed by analyzing the collected data.
The Honeynet of the IT Center
The IT Center runs its own Honeynet for the analysis of current threats and the collection of automatically spread malicious software (malware). To this effect, a complete /18 network for Honeypot systems is presently reserved.
Distributed on multiple virtual machines, primarily Low-Interaction Honeypots such as Nepenthes, Omnivora and Amun are being operated here. In the framework of a degree dissertation in 2006, a larger High-Interaction Honeynet was active. In this network, both Windows and Linux computers were operated and valuable information on attackers, their tools and motives was collected.
In addition, Low-Interaction Honeypots are also used for the identification of infected computers in the network of the RWTH Aachen and form a part of the Intrusion Detection System (IDS), called Blast-o-Mat, developed at the IT Center.