Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!


Forgot your password?
Security Books Media Book Reviews IT

Virtual Honeypots 50

rsiles writes "Honeynet solutions were seen just as a research technology a couple of years ago. It is not the case anymore. Due to the inherent constraints and limitations of the current and widely deployed intrusion detection solutions, like IDS/IPS and antivirus, it is time to extended our detection arsenal and capabilities with new tools: virtual honeypots. Do not get confused about the book title, specially about the "virtual" term. The main reason to mention virtual honeypots, although the book covers all kind of honeynet/honeypot technologies, is because during the last few years virtualization has been a key element in the deployment of honeynets. It has offered us a significant cost reduction, more flexibility, reusability and multiple benefits. The main drawback of this solution is the detection of virtual environments by some malware specimens." Read below for the rest of Raul's review.
Virtual Honeypots: From Botnet Tracking to Intrusion Detection
author Niels Provos and Thorsten Holz
pages 440
publisher Addison-Wesley Professional
rating THE current reference about honeynet technologies and solutions.
reviewer Raul Siles
ISBN 0321336321
summary improve your capabilities with easy to deploy virtual honeypot solutions
The detection of honeypots has always been one of the main concerns in the honeynet community, because if the attacker can identify them, they are useless. For this reason, one of the chapters is just focused on providing some light tips and tricks about what an adversary can really accomplish. In fact, we have not seen lots of real-world incidents where the attacker actively checks the existence of honeynet setups.

The first chapter is a very brief introduction to honeynet technologies and basic tools. You can jump through it if you are not new to this field. Then, the book covers the main two honeypot types: high and low interaction. The high interaction section provides details about the tools to virtualize your honeypots: VMware, UML, or more specific solutions, such as Argos. The low interaction section provides details about some the most relevant honeypot types to cover lots of detection scenarios: worms, traditional server attacks, Google Hacking, Web-based attacks, etc. It is a wide overview that will give you lot of ideas for new deployments.

The whole book has been cooked with a how-to mentality , and it explains in detail how to install and configure the different tools and software elements covered. Additionally, it provides guidelines, best practices, and analysis recommendations for each tool based on the authors experience. However, the how to portions take into account that most of the solutions are Linux-based, and the installation and setup process will vary based on the tool version and the Linux distribution you are using (library dependencies, etc). In any case, the step by step guides are very useful as a general setup reference.

From my perspective, the most valuable part of the book is chapters 4 to 6. The authors, Niels Provos and Throsten Holz, are the lead developers/architects for honeyd (chapter 4 and 5) and nephentes (chapter 6), respectively. These two are the most famous and advanced low-interaction server-based honeypot and malware honeypot. They know what they are talking about, and you cannot find a better reference out there for these two tools. The book is an excellent guide, covering the design principles and innovative deployment ideas, to all kinds of configuration options and possibilities, including limitations on real-world scenarios. Chapter 6 is complemented with other less popular malware-based honeypots (except for Honeytrap).

The book includes some extra material covering academic and research hybrid solutions still in their early stages, which can give you and idea of where these technologies are evolving to and the major challenges we are facing now. This pretty much theoretical content is well balanced with the case studies chapter, where real incidents involving different honeypot types are presented. These are always a fun read and a way of getting experience and learn how to deal with intrusions.

Finally, one of the main expansion areas we are involved today is the creation of new client-based honeypot technologies. This book section (highly recommended) does a great job introducing multiple high and low interaction honeyclients currently available, their benefits and drawbacks (chapter 7). This information is perfectly complemented by the last two chapters, focused on tracking botnets and analyzing malware with sandbox environments. Once a client is compromised, it typically becomes a member of a botnet, and for easy and quick categorization, we start by performing a malware analysis of the specimens. I recommend you to add all this knowledge to your incident handling and response capabilities.

Something I would have liked to see in the book is a section about a fully virtualized honeynet environment, showing how using VMware, you can build up a virtual Honeywall (just slightly mentioned on chapter 2) and different honeypots, creating a complete, cheap, mobile and multi-purpose virtual honeynet infrastructure. Also, we receive multiple questions related to this kind of setup in the Honeynet Project mailing lists, because all the previous whitepapers are obsoleted now. I've been deploying these type of solutions for fun and professionally during the last few years and I strongly recommend you to start using them. You won't be disappointed about how much you can learn of what is going on in your networks and systems, and this book is the best starting point.

If you have any relationship with the intrusion detection, incident handling and forensics, threat analysis, or SOC and CERT security side of things, definitely this book is for you. Go through it and improve your capabilities with easy to deploy virtual honeypot solutions. You just need a (not so new) computer, virtualization software, and some time.

I have been working with honeynets during the last 5 years. We founded the Spanish Honeynet Project on 2004, and almost at the same time we became part of The Honeynet Project and released the Scan of the Month 32. The main honeynet/pot book reference till last year was the book published by the Honeynet Project. As this is a rapidly evolving field, definitely it has been replaced by this book, written by two project members.

You can purchase Virtual Honeypots: From Botnet Tracking to Intrusion Detection from amazon.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.
This discussion has been archived. No new comments can be posted.

Virtual Honeypots

Comments Filter:
  • It is said that the generals of today are fighting yesterday's war. In the war of Mal AI's vs. defending AI's, it seems that this book's purpose is simply the defense against already existing technologies which will be very quickly outmoded, and while it is more than beneficial to be prepared for malicious bots, is there a way that this can project the future and give proactive techniques?
    • Not really. (Score:5, Insightful)

      by khasim ( 1285 ) <brandioch.conner@gmail.com> on Wednesday July 30, 2008 @02:42PM (#24406311)

      ... is there a way that this can project the future and give proactive techniques?

      Not really. We already know how machines are cracked.

      All this research does is find out what tools are being used today.

      And as you can see with the need to constantly download updated "virus signatures", that approach is useless in defending your systems.

      To really defend your system, you need to be able to lock down all the executables on your system. And you need a way to verify that those executables stay locked down. And that there is no other way to get an executable to run on your system.

  • by Anonymous Coward on Wednesday July 30, 2008 @02:34PM (#24406171)

    Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions.It is not so much a honeypot to attract, but a honeypot to create doubt.

    It also buys you time; if you have multiple honeypots then the chance of your main systems being compromised is lessened. If it can be done quickly and inexpensively then it is probably worth it for some large companies.

    If you think a honeypot should just be unpatched and ready for the taking, then you have the wrong approach, most should be patched at least to the level of your other systems. I suppose the term honeypot is wrong, decoys would be better. But, the same technology is being used.

    • Re: (Score:2, Insightful)

      by Nos. ( 179609 )

      Sure, the idea has been around for a long while. But, real security is based on misinformation. If you want to protect some data, you create multiple copies of the data all of which appear to be about the same thing, but all reaching different conclusions.It is not so much a honeypot to attract, but a honeypot to create doubt.

      That sounds a lot like security through obscurity to me.

      As far as I'm concerned, a honeypot is not a security tool, its a security research tool, and there's a vast difference between the two

    • Right, a "free warez" folder isn't what the hardcore data criminal is looking for, whereas two very similar oracle databases, each with encrypted cc numbers but one bogus might be confusing enough to cause a slowdown that allows an attack to either be detected, thwarted, or tracked for evidence used in a prosecution.

  • by Anonymous Coward


  • This book came out over a year ago. It's actually a good read although a bit dated.
  • Seems a lot of what this book talks about, is done by neuralip's devices.

    Plug in 3 2 1 ... http://www.neuraliq.com/

  • by Anonymous Coward on Wednesday July 30, 2008 @03:13PM (#24406833)

    Useful honeypots are patched to the level of the rest of your computers/servers on your network. Then you simply watch traffic running to (and from) them, because by default, they should have no traffic. (minus the broadcasts and regular auto discovery packets) You know that any traffic to and from this box is suspicious on the grounds that it is not actually used for anything.

    Honeypots are NOT unpatched boxes completely exposed to the internet for all to attack. Unless you are into malware/virus research. Even then, patching allows you to keep up with the latest threats. If your patched box got owned, you need to look at it =)

  • Oblig XKCD (Score:4, Funny)

    by HoneyBeeSpace ( 724189 ) on Wednesday July 30, 2008 @03:35PM (#24407143) Homepage
  • From the headline, I thought this was something for Winnie the Pooh.
  • When I was at Recourse (which got borged by Symantec) we had a virtual honeypot called Mantrap. It was on the market when I started there in 2001.

  • Wouldn't mind setting up a honeytrap to filter out those chinese crawlers...

"Atomic batteries to power, turbines to speed." -- Robin, The Boy Wonder