Wednesday, February 6, 2008

Honeypots

Honeypots are servers set to run in a DMZ with software and data that appear to be genuine company information. By tricking attackers into believing that this fake information is real, a honeypot deters them from probing further into the network. But honeypots do more than just this. Some basic information on honeypots can be found at honeypots.net.

So how much further can you go with honeypots? How cost-effective and efficient are they?

This article goes into great detail about defeating honeypots and their purpose. The detail becomes extremely technical, so be warned. I will try to break it down further along.

Honeypots are not just a tool used by independent companies to thwart hackers. A project has been created to categorize and record all malicious activity on honeypots worldwide. You can find information on this project at the honeynet website. SANS has also published an entire paper that goes into detail about honeypots; it can be found on the SANS website.

Now let's look at the potential of a honeypot beyond being a simple decoy for attackers. There are two things that a honeypot can be: proactive and reactive.

Proactive honeypots: These honeypots interact with the attackers, disconnecting and banning them from the network, or returning malicious code to their machines. The latter is still illegal, and the distribution of damaging code cannot be suppressed once it is released. If the attacker is on a legitimate network, the entire network could be infected and compromised.

It also has the downside of advertising your security system as soon as the attack is reciprocated, giving the attacker enough information to attempt to bypass that security function on a second attack.

Reactive honeypots: Despite the name, these are considered "passive" honeypots. Instead of actively fighting back against attackers, these honeypots gather information on their habits, how they react to certain types of information, and even their reaction upon discovering that they are in a honeypot. Though these are mainly used to prevent hackers from penetrating further into the network, they can also be used to track the location of the attacker and to block entire ranges of IP addresses.
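As an added example (not code from the original post), here is a small Python script that does the two reactive-honeypot tasks described above: profiling which services each source probed, and deciding whether to block a single host or an entire address range. The log line format, the sample lines, and the /24 range with a three-host threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines in the style a passive honeypot listener
# might write: timestamp, source address, destination port, first bytes seen.
SAMPLE_LOG = """\
2008-02-06T10:01:12 src=203.0.113.17 dport=22 data=SSH-2.0-libssh
2008-02-06T10:01:15 src=203.0.113.17 dport=22 data=SSH-2.0-libssh
2008-02-06T10:02:01 src=203.0.113.44 dport=23 data=root
2008-02-06T10:02:09 src=203.0.113.91 dport=22 data=SSH-2.0-libssh
2008-02-06T10:05:30 src=198.51.100.5 dport=80 data=GET /admin
2008-02-06T10:07:44 src=198.51.100.5 dport=80 data=GET /phpmyadmin
"""

LINE_RE = re.compile(r"src=(\S+) dport=(\d+) data=(.*)$")

def parse_log(text):
    """Return a list of (source_ip, port, data) tuples from honeypot log lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((ipaddress.ip_address(m.group(1)), int(m.group(2)), m.group(3)))
    return events

def build_blocklist(events, range_prefix=24, min_hosts=3):
    """Block single hosts normally, but block the whole /range_prefix network
    when at least min_hosts distinct hosts in it touched the honeypot
    (the 'block entire ranges' case). Returns a sorted list of CIDR strings."""
    hosts_per_net = defaultdict(set)
    for src, _port, _data in events:
        net = ipaddress.ip_network(f"{src}/{range_prefix}", strict=False)
        hosts_per_net[net].add(src)
    blocks = []
    for net, hosts in hosts_per_net.items():
        if len(hosts) >= min_hosts:
            blocks.append(str(net))
        else:
            blocks.extend(f"{h}/32" for h in hosts)
    return sorted(blocks)

def attacker_profile(events):
    """Summarise habits: which ports each source probed and how often."""
    profile = defaultdict(lambda: defaultdict(int))
    for src, port, _data in events:
        profile[str(src)][port] += 1
    return {src: dict(ports) for src, ports in profile.items()}
```

With the sample lines, three distinct hosts in 203.0.113.0/24 trigger a range block, while the single host in 198.51.100.0/24 is blocked on its own.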

Both types of honeypots can also attract spam attacks, absorbing what would otherwise be a very annoying stream of unwanted messages.
