What is Honeyd?


Security with Honeyd
By Ryan Olsen
What is Honeyd?
➲ Open source program designed to create honeypot networks.
➲ What is a honeypot?
  ● Closely monitored network composed of thousands of virtual decoy machines to protect "real" machines on the network.
Why use a honeypot?
➲ Three main reasons.
  ● Can distract adversaries from vulnerable machines on the network.
  ● Gather information.
  ● Can be used as an early warning system.
➲ Main use today is to gather information not available using a NIDS.
How it Works
➲ It's a daemon program that creates virtual machines for IP addresses within a specified net.
➲ Claims unused IP addresses on the network.
➲ Can create 65,000 virtual hosts from a single machine.
How it works (2)
➲ Simulates the networking stack of the OSI model.
➲ Personality can be configured to mimic different operating systems.
  ● Linux, Windows, Sun
➲ System virtualization.
  ● Allows virtual IP addresses controlled by honeyd to run regular network applications.
  ● Can bind ports, accept and initialize TCP and UDP connections.
  ● Can redirect connection requests.
➲ Can simulate asymmetric routing using routing tables.
➲ Can drop packets, add latency.
➲ Handles ARP requests automatically.
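Every feature on this slide corresponds to a statement in Honeyd's configuration language. The honeyd.conf below is an added example written for this transcript, not a file from the original slides or the Honeyd project; the IP addresses, MAC address, proxy target and script path are assumed for illustration, and personality names must match entries in Honeyd's nmap.prints file.

```conf
# Added example honeyd.conf (not from the slides); addresses and paths are assumed.

# Catch-all template: unbound addresses behave like a host with nothing listening.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# Personality: replies are shaped so a stack fingerprint looks like this OS.
create windows
set windows personality "Microsoft Windows XP Professional SP1"
set windows default tcp action reset
set windows default udp action reset
# Bound ports: a script speaks the protocol, or the port simply accepts connects.
add windows tcp port 80 "sh scripts/web.sh"
add windows tcp port 139 open
add windows tcp port 445 open
# Redirect: hand SSH connection requests to a separate, isolated host (assumed).
add windows tcp port 22 proxy 10.0.0.5:22
# Make the decoy look like a long-running box that drops 13% of inbound packets.
set windows uptime 1728650
set windows droprate in 13
# Fixed MAC address so Honeyd answers ARP for this decoy itself.
set windows ethernet "00:00:24:ab:8c:12"

# Router personality used at each hop of the virtual topology.
create router
set router personality "Cisco IOS 11.3 - 12.0(11)"
set router default tcp action reset

# Virtual routing topology: an entry router, a directly linked LAN, and a second
# network reached over a link that adds latency and packet loss.
route entry 10.0.0.1 network 10.0.0.0/8
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.1.0.0/16 10.1.0.1 latency 55ms loss 0.1
route 10.1.0.1 link 10.1.0.0/24

# Bind templates to the decoy addresses Honeyd will claim on the wire.
bind 10.0.0.1 router
bind 10.1.0.1 router
bind 10.0.0.20 windows
bind 10.1.0.20 windows
```

Honeyd reads this with `honeyd -f honeyd.conf 10.0.0.0/8`; traffic to 10.1.0.20 then crosses the lossy virtual link before reaching the Windows decoy, while 10.0.0.20 answers directly.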
Pros and Cons
➲ Can distract adversaries while gathering information.
➲ Can gain information not available using a NIDS.
➲ Can run almost any TCP or UDP service.
➲ Simulates attributes of a real network accurately.
➲ Can be difficult to deploy.
➲ Adversaries can't gain access to the virtual machine, so not as much information is gained as would otherwise be possible.
Conclusion
➲ Honeyd is an excellent program that allows its users to learn and understand various patterns and movements of viruses/worms or other malicious attacks that are not currently understood, and it can provide information not available using a NIDS, helping decrease the number of false positives.