3. Low-Interaction Honeypots

3.1 Advantages and Disadvantages

3.2 Deception Toolkit

3.3 LaBrea

3.4 Tiny Honeypot

3.5 GHH — Google Hack Honeypot

3.6 PHP.HoP — A Web-Based Deception Framework

3.7 Securing Your Low-Interaction Honeypots

3.8 Summary

Low-interaction honeypots are fascinating for many different reasons. Many noncommercial solutions exist, and low-interaction honeypots are easy to set up. Even without much experience, you can set up a network of hundreds of low-interaction virtual honeypots in a short time. This chapter provides a detailed overview of how low-interaction honeypots work and presents a few open source solutions like LaBrea and Tiny Honeypot. This chapter will not discuss Honeyd, another well-known open source honeypot, or Nepenthes, a low-interaction honeypot to collect malware. Because Honeyd offers many different deployment options and is feature rich, we will discuss it in more detail in Chapters 4 and 5. Nepenthes is discussed in Chapter 6.

3.1. Advantages and Disadvantages

Before starting to deploy a low-interaction honeypot on your network, it is important to understand their inherent strengths and which tasks they cannot be used for. To help you make this decision, we outline their advantages and disadvantages.

When an adversary exploits a high-interaction honeypot, she gains capabilities to install new software and modify the operating system. This is not the case with a low-interaction honeypot. A low-interaction honeypot provides only limited access to the operating system. By design, it is not meant to represent a fully featured operating system and usually cannot be completely exploited. As a result, a low-interaction honeypot is not well suited for capturing zero-day exploits.[1] Instead, it can be used to detect known exploits and measure how often your network gets attacked. The term low-interaction implies that an adversary interacts with a simulated environment that tries to deceive him to some degree but does not constitute a fully fledged system. A low-interaction honeypot often simulates a limited number of network services and implements just enough of the Internet protocols, usually TCP and IP, to allow interaction with the adversary and make him believe he is connecting to a real system.

[1] Capturing zero-day exploits requires complicated emulation of services and is not straightforward to do. Argos, discussed in Chapter 2, is a good example of how to analyze unknown exploits.

Here is a real-world example that motivates some of the benefits of a low-interaction honeypot. When Code Red, a web worm, first appeared in July 2001, we had no mechanisms in place to capture it. However, we expected that it would reawaken on August 1 and made bets about whose web server would be infected first. We knew that Code Red would randomly scan for web servers, and we expected to see the infection attempts by sniffing our network. As it turned out, we mostly saw ARP requests that could have been due to the worm, but because they did not get answered, we did not know. A low-interaction honeypot like LaBrea or Honeyd would have intercepted the ARP requests and answered them. This would have allowed the router to forward the connection request to the network, at which point the honeypot could establish a TCP connection and observe the payload, Code Red or not.
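A minimal sketch of that mechanism, added here as an example rather than code from the book: a fake web service that completes the TCP handshake, records the first request bytes, tags requests matching a simplified Code Red-style signature (an assumed, deliberately loose pattern), and answers with a constructed fake banner so the sender believes a server is there. ARP handling for unused addresses is left out; the listener binds to localhost only.

```python
import re
import socket
import threading
from dataclasses import dataclass

# Simplified signature for a Code Red-style request (assumption: the worm's
# well-known long run of "N" characters in the request line; loose on purpose).
CODE_RED_RE = re.compile(rb"^GET /default\.ida\?N{20,}")

# Constructed fake banner; a real deployment would tune it to the emulated host.
FAKE_REPLY = b"HTTP/1.0 200 OK\r\nServer: fake-web-server\r\nContent-Length: 0\r\n\r\n"


@dataclass
class Hit:
    peer: str
    port: int
    payload: bytes   # first bytes the sender transmitted after the handshake
    tag: str         # coarse classification from classify()


def classify(payload: bytes) -> str:
    """Tag the captured payload: known worm pattern, generic web probe, or unknown."""
    if CODE_RED_RE.match(payload):
        return "code-red-like"
    if payload.startswith((b"GET ", b"HEAD ", b"POST ")):
        return "http-probe"
    return "unknown"


class MiniHoneypot:
    """Accept connections, log the first request bytes, reply with a canned banner."""

    def __init__(self, host="127.0.0.1", port=0):
        self.hits = []
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))
        self._sock.listen(5)
        self.port = self._sock.getsockname()[1]   # port 0 => OS-assigned port
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, addr = self._sock.accept()
            except OSError:          # listening socket closed
                return
            with conn:
                conn.settimeout(2)
                try:
                    data = conn.recv(4096)
                except socket.timeout:
                    data = b""
                # Record before replying so the hit is visible once the client reads.
                self.hits.append(Hit(addr[0], addr[1], data[:256], classify(data)))
                conn.sendall(FAKE_REPLY)

    def close(self):
        self._sock.close()


def probe(port: int, payload: bytes) -> bytes:
    """Client helper for demonstration: send a payload, return the honeypot's reply."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as s:
        s.sendall(payload)
        return s.recv(1024)
```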

The advantages of low-interaction honeypots are manifold. They are easy to set up and maintain. They do not require significant computing resources, and they cannot be compromised by adversaries. The risk of running low-interaction honeypots is much smaller than running honeypots that adversaries can break into and control. On the other hand, that is also one of the main disadvantages of the low-interaction honeypots. They only present the illusion of a machine, which may be pretty sophisticated, but it still does not provide an attacker with a real root shell.

In the remainder of this chapter, we give an overview of different open source low-interaction honeypots and how they can be installed and deployed. Where possible, we relate our experience with these solutions and the appropriate environment for their use. Table 3.1 provides a quick overview of the different solutions and their features. One feature common to all these solutions is that they are detectable by a determined adversary.

Table 3.1. Different Low-Interaction Honeypots

Solution            Focus                  Detectability         Performance   Ease of Use
Deception Toolkit   Single-Host Services   Easy to Medium        Low           Easy
LaBrea              Tarpitting             Easy                  High          Medium
Tiny Honeypot       Automatic Compromise   Easy                  Low           Medium
GHH                 Web Services           Medium to Difficult   High          Easy
Php.Hop             Web Services           Medium to Difficult   High          Easy
