Hackers use many programs for scanning networks and profiling the routers, appliances, servers, and other systems that they find. These programs run automatically, or can easily be integrated into scripts or called by other programs to automate the process. When an opportune target or promising discovery is found, the script may run a more in-depth series of automated tests to determine whether the target is vulnerable. Once all the IP addresses in a range or subnet have been scanned and tested by the programs, a hacker can review the results and decide whether a target is worth further investigation. Because of the large number of possible addresses, the large number of possible applications running on various ports, and the large number of potential application-layer vulnerabilities, these scans take considerable time.
We know this is the means by which our network is scanned. If we set up a “fake” system that appears to be vulnerable, we can attract the scanner’s attention and focus it on that system. Such a system should have no regular user accounts, should not be connected to databases or other application servers, and should hold no information of value. It should appear to run applications that are configured insecurely or that are likely to be hackable. These are the first steps. Next we want to keep the attention there, and away from the rest of our systems.
How Does It Work?
These scanning programs expect responses within milliseconds. Altering the response times of the target can slow the scan down by orders of magnitude, or even essentially stop it. Scans may become hundreds or thousands of times slower. This decrease in speed means that scans simply won’t complete in a reasonable amount of time. So, if a scanning script gets “stuck” on one IP address that slows it down this much, the other addresses don’t get scanned. The hacker may give up because the script takes too long, or may be distracted by the fake vulnerability information presented by the honeypot.
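As an added illustration, not part of the original article, here is a minimal Python tarpit in the style just described: it drips a constructed fake service banner one byte at a time, holds the connection open, logs every connection attempt, and includes a local simulation of a banner-grabbing scanner so the slowdown can be measured without touching a network. The banner, the peer address and the delays are constructed values.

```python
import socket
import threading
import time
from datetime import datetime, timezone
# Constructed banner: reads like a mail server greeting, but nothing behind it relays mail.
FAKE_BANNER = b"220 mail.example.invalid ESMTP ready\r\n"
# Connection log: nothing legitimate ever talks to this host, so every entry is suspect.
ATTEMPTS = []

def tarpit(conn, peer, delay=2.0, banner=FAKE_BANNER, max_hold=600):
    """Drip the banner one byte every `delay` seconds, then hold the socket until the
    peer hangs up or `max_hold` seconds pass. Returns (bytes sent, seconds peer stayed)."""
    started = time.monotonic()
    ATTEMPTS.append({"peer": peer, "at": datetime.now(timezone.utc).isoformat()})
    conn.settimeout(max_hold)
    sent = 0
    try:
        for byte in banner:
            conn.sendall(bytes([byte]))
            sent += 1
            time.sleep(delay)
        while conn.recv(4096):  # swallow input; recv() returns b"" once the peer gives up
            pass
    except OSError:
        pass  # reset, broken pipe or timeout: all mean the scanner moved on
    finally:
        conn.close()
    return sent, time.monotonic() - started

def simulate_scanner(delay=0.02):
    """Play a banner-grabbing scanner against tarpit() over a local socket pair.
    Returns (banner received, seconds the scanner waited for it, bytes the tarpit sent)."""
    server_side, scanner_side = socket.socketpair()
    outcome = []
    worker = threading.Thread(
        target=lambda: outcome.append(tarpit(server_side, ("198.51.100.7", 40000), delay)))
    worker.start()
    started = time.monotonic()
    received = b""
    while len(received) < len(FAKE_BANNER) and (chunk := scanner_side.recv(1024)):
        received += chunk
    waited = time.monotonic() - started
    scanner_side.close()  # the scanner gives up; the tarpit thread then returns
    worker.join()
    return received, waited, outcome[0][0]

if __name__ == "__main__":
    banner, waited, _ = simulate_scanner(delay=0.1)
    print(f"scanner waited {waited:.1f}s for {len(banner)} banner bytes; attempts: {ATTEMPTS}")
    print(f"at 2 s/byte, a /24 of such hosts costs {len(banner) * 2 * 254 / 3600:.1f} hours")
```

In production the handler would be wrapped in a `socketserver.ThreadingTCPServer` on a decoy port, and the `ATTEMPTS` log fed to the IDS; the simulation uses a 20 ms delay only so the demonstration finishes quickly.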
Would I Need One?
A well-designed and well-configured honeypot is a great asset on a larger network. In conjunction with intrusion detection and prevention systems, the honeypot can provide greater security and help isolate and identify attackers much more easily. Honeypot software can record all traffic and connection attempts directed at it. Since the honeypot isn’t used for any “real” applications or services, any traffic to it is suspect. More advanced honeypots appear to be exploitable and actually accept connections or traffic, but do not accomplish what the hacker hopes. For example, a honeypot e-mail server might accept inbound messages and appear to be able to relay them, when in fact it does not.
We must take care that our honeypot is secure; a hacked honeypot could cause a lot of trouble, even if not as serious a problem as a hacked production server. Whether a honeypot makes sense for you and your network depends on the time and effort you have available to set up, monitor, and maintain it.