[ale] Honeypots

Michael H. Warfield mhw at wittsend.com
Sun Apr 27 21:56:36 EDT 2003


On Fri, Apr 25, 2003 at 11:26:42PM -0700, Stephen Turner wrote:
> OK, so what are you guys using for honey pots? You've done piqued my

	I'm using a mix of VMware for Windows and BSD and Vserver for
various Linux distributions, along with open-share Samba honeypots with
imitation Windows directories on ports 139 and 445 for catching worms.
Mixed in with that is Niels Provos's Honeyd.  I use Vserver and VMware
for containment and isolation as well as for their multi-function multiplexing
capabilities.  I also use IPv6-only containment networks with an array
of "dead man switches" and "scram triggers" to contain any intrusion
that gets out of hand.  Having a designated "clean room" autopsy system
to pick apart file systems is also good.

> interest ;) I may set up my pos laptop p1 just to be a honey pot if this
> proves to be as fun as you guys mention! Anyways, what are you doing? If I'm
> not badly mistaken there's a VMware one and such? Is there a way to set up
> a honey pot with all free software and still be "resettable" like you guys
> have mentioned using VMware? Spill the beans :) Ya got me hooked

	Ok...  Time out...  You've got me worried now.  There are good
reasons and bad reasons for getting involved with these things, and they
come with some non-negligible legal risk and liability.

	Honeypots (and by extension, honeynets) are manpower-intensive
time sinks and fraught with peril.  Think about it...  You're setting up
a system intending to let someone break into it and hoping you are
better than they are.  Chances are you will be, most of the time.  Chances
are even BETTER that you won't be at least some of the time.  What happens
when someone uses your honeypot to break into some corporate site?  What
happens if they figure out what you have there and turn it against you?  Can
you watch it intensively enough?  Are your safety mechanisms going to be
secure enough?  Don't count on it...

	Before ANYONE sets up a honeypot, they should have a clear vision
of why they want to do this, what they expect to get out of this, and what
they intend to do with the data.

	BAD reasons to get started with a Honeypot.

	* "... if this proves to be as much fun as you guys mention..."

	This is serious.  Yes, we tell fun stories, but a lot of the time this
is boring and tedious, and when it gets exciting is not when you are having
fun.  Telling stories about it afterwards may be fun.  But you don't do
this "for the fun of it".

	* Because it's cool...

	There's lots of talk about these things nowadays and everybody
remarks on how cool it is.  Well, it is and it isn't.  It requires serious
commitment and consideration of the risks involved.  You'll spend weeks
with nothing happening and then things get insanely busy.  If you are only
working with a single IP address, you could go for a month without someone
hitting your pot with something you have it vulnerable to.  You'll get
bored, THEN you'll get kicked, and THEN you'll get blamed.

	* Because I want to catch bad guys...

	Think again.  I've helped bust DDoS nets into oblivion, but it requires
a coordinated effort between a number of security people PLUS law enforcement.
And, in NONE of those cases were "the bad guys caught".  We broke up their
botnets and that was about it.  And law enforcement doesn't always care
for the vigilante help.  I seem to recall someone setting up a kiddy porn
honeypot and then getting busted before he had a chance to approach the
police.  He got in deep trouble that he will NEVER be rid of.  You have
to cover your ass really well.  If you are like me and work for a company
that does security work, or you are an internationally recognized security
researcher, that helps.  If you don't qualify under either of those two
provisos, you could find yourself answering some really sensitive questions.

	* Because I want to protect my network.

	Nope...  Wrong answer.  Not this way.  Attracting bad guys to
honeypots does NOT distract them from your production network.  If anything,
it brings you to their attention.  Attention you do NOT want.


	Sooo...

	What do you want to do with this honeypot?  Is it a "research
honeypot" (which is really what everyone is talking about when they are
talking about honeypots) or a "production honeypot" (sometimes called
a canary, or what one of my co-researchers calls a "barfly", because it's
just there to be hit on :-) )?

	Assuming that this is a research honeypot, what are you going to
do with the results?  You don't do this just for giggles.  Are you in
contact with other researchers doing similar work and can coordinate what
you are doing?  What kind of IDSes are you going to use?  What kind
of safeties and triggers and firewalls?  What kind of data collection
will you do?  I capture every byte of data that hits my honeynet.  It
now goes back almost two years and occupies several DVDs, bzip2-compressed.

	We have at least one government official in law enforcement who
has raised the issue that, at least in some states, honeypots (or more
specifically the data collection associated with the honeypots) may even
violate some state wiretap laws (some states forbid you from recording even
your own phone conversations unless both parties are aware and notified
of it).

	Think long and carefully and do a lot of research before you go
down this road.  Make sure you fully understand WHY you want to do this,
WHAT you expect to get out of it, and WHAT you expect to do with it.
Don't take it lightly...

	Regards,

	Mike
-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw at WittsEnd.com
  /\/\|=mhw=|\/\/       |  (678) 463-0932   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
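
The "scram triggers" and "dead man switches" in the post above are named but
not described.  What follows is an added example of how such containment can
be built on a Linux honeynet gateway; it is not Warfield's script or his
setup.  It assumes a honeypot subnet of 10.0.0.0/24 behind a gateway that has
the conntrack and iptables tools, a heartbeat file written periodically by a
separate monitoring host, and made-up thresholds.  The conntrack lines used as
sample input are constructed, not captured.  The containment idea is the usual
one: an intruder who gets in will try to connect out (fetch tools, scan, join a
botnet), so count connections *originated* by honeypot hosts and cut forwarding
once they exceed a limit; separately, cut forwarding if the monitor itself goes
quiet, so the pot is never running unwatched.

```shell
#!/bin/sh
# Added example: a "scram trigger" (outbound-connection limit) plus a
# "dead man switch" (stale monitor heartbeat) for a honeynet gateway.
# Not from the original post.  The subnet, thresholds, file paths and the
# use of conntrack/iptables are all assumptions.

HONEYNET_PREFIX="${HONEYNET_PREFIX:-10.0.0.}"           # assumed honeypot subnet, 10.0.0.0/24
OUTBOUND_LIMIT="${OUTBOUND_LIMIT:-15}"                  # max outbound connections per check
HEARTBEAT="${HEARTBEAT:-/var/run/honeynet.heartbeat}"  # epoch timestamp written by the monitor
HEARTBEAT_MAX_AGE="${HEARTBEAT_MAX_AGE:-300}"           # seconds of silence before the dead man fires

# count_outbound PREFIX: read `conntrack -L` lines on stdin and print how many
# connections were originated by a honeypot host.  In conntrack output the
# first src=/dst= pair is the originator and the second the reply, so only the
# first "src=" field on each line is examined; inbound attacks do not count.
count_outbound() {
    awk -v pfx="src=$1" '
        {
            for (i = 1; i <= NF; i++) {
                if (substr($i, 1, 4) == "src=") {
                    if (index($i, pfx) == 1) n++
                    break
                }
            }
        }
        END { print n + 0 }'
}

# should_scram COUNT LIMIT: succeeds (exit 0) when COUNT exceeds LIMIT.
should_scram() {
    [ "$1" -gt "$2" ]
}

# deadman_expired HEARTBEAT_FILE MAX_AGE NOW: succeeds when the heartbeat file
# (holding an epoch timestamp) is missing, unreadable, not a number, or older
# than MAX_AGE seconds.  A monitor that stops writing is treated as gone.
deadman_expired() {
    last=$(cat "$1" 2>/dev/null) || return 0
    case "$last" in ''|*[!0-9]*) return 0 ;; esac
    [ $(( $3 - $last )) -gt "$2" ]
}

# scram REASON: stop forwarding anything out of the honeynet.  Inbound
# attacks may still arrive; nothing gets back out.
scram() {
    logger -t honeynet "SCRAM: $1; dropping forwarded traffic from ${HONEYNET_PREFIX}0/24"
    iptables -I FORWARD 1 -s "${HONEYNET_PREFIX}0/24" -j DROP
}

# Constructed sample of conntrack output (not captured from a real system):
# two inbound probes to 10.0.0.5 and three connections it originated.
sample_conntrack() {
    cat <<'EOF'
tcp      6 110 TIME_WAIT src=203.0.113.9 dst=10.0.0.5 sport=51012 dport=445 src=10.0.0.5 dst=203.0.113.9 sport=445 dport=51012 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.7 sport=43210 dport=6667 src=198.51.100.7 dst=10.0.0.5 sport=6667 dport=43210 [ASSURED] mark=0 use=1
udp     17 29 src=10.0.0.5 dst=198.51.100.53 sport=40112 dport=53 src=198.51.100.53 dst=10.0.0.5 sport=53 dport=40112 mark=0 use=1
tcp      6 299 ESTABLISHED src=192.0.2.77 dst=10.0.0.5 sport=2200 dport=139 src=10.0.0.5 dst=192.0.2.77 sport=139 dport=2200 [ASSURED] mark=0 use=1
tcp      6 20 SYN_SENT src=10.0.0.5 dst=198.51.100.200 sport=44001 dport=80 [UNREPLIED] src=198.51.100.200 dst=10.0.0.5 sport=80 dport=44001 mark=0 use=1
EOF
}

# With --watch, poll the live connection table until a trigger fires.
if [ "${1:-}" = "--watch" ]; then
    while :; do
        n=$(conntrack -L 2>/dev/null | count_outbound "$HONEYNET_PREFIX")
        if should_scram "$n" "$OUTBOUND_LIMIT"; then
            scram "$n outbound connections (limit $OUTBOUND_LIMIT)"; break
        fi
        if deadman_expired "$HEARTBEAT" "$HEARTBEAT_MAX_AGE" "$(date +%s)"; then
            scram "no heartbeat from monitor for more than ${HEARTBEAT_MAX_AGE}s"; break
        fi
        sleep 10
    done
fi
```

Two things worth noting about the design.  The limit counts connections the
honeypot initiates, not connections it receives, so a worm storm hitting the
open shares does not trip the trigger while a single compromised host dialling
out does; that is the asymmetry you want.  And the dead-man check is written
so that any failure to read or parse the heartbeat counts as expired, which is
the right default for a safety: a broken watchdog should fail closed.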
