FORGE Course

Full Height |  Two columns |  Parts | 

Securing Critical Infrastructures with the use of Honeypots Theory

Securing Critical Infrastructures with the use of Honeypots Theory FORTH 20/10/2017

Honeypot Introduction


Honeypot – What is it?

  • A non production computer resource whose task is to be probed, attacked, compromised or accessed in any other unauthorized way.
  • It could be:
    •  A piece of information/data
    •  A service
    •  An application
    • An entire system
  • It has:
    • No ordinary users
    • No regular services
  • Like an “undercover” computer which is built to be an “easy” target for the attacker and waits to be compromised!
  • A trap for attackers


Honeypot – How it works.

  • Honeypots are deployed in the network
    • Mimic the behavior of a server
    • Listen to an unused IP range
  • A possible attacker probes the unused IPs for services
  • Honeypots reply and interact with the entity
    • Entities attempting to communicate with honeypots, are by default suspicious

  • Activity between entities and honeypots is monitored:
    • Commands executed
    • Files downloaded
    • Links visited

  • Attacker IP is blacklisted to prevent potential attacks
    • Firewalls can be updated to block traffic from this IP address


Honeypots’ classification

Type of Attacked Resources: Indicates whether the honeypot’s resources are exploited in server or client side.

  • Server Side Honeypots
    • Act like a real server
    • Mimic network services
    • Listen on their standard ports
    • Monitor any connections initiated by remote clients
    • Detect scanning worms or manual attack attempts
  • Client Side Honeypots
    • Employ a set of client applications (e.g. web browser)
    • Connect to remote services
    • Monitor the activity and the remote content
    • Detect malicious behavior and content online


Level of Interaction

Based on the level of interaction with the adversary honeypots are classified to low-Interaction and high-interaction.

  • Low Interaction Honeypots
    • Advantages:
      • Easier deployment and maintenance
      • Full control on the attack and the infection process
      • Low risk of compromising the real system
    • Disadvantages:

      • Limited functionality (accuracy of emulation)
      • Easier detection by the adversary
      • Early termination of the attack
      • No 0-day vulnerabilities are detected
  • High Interaction Honeypots
    • Advantages:
      • Provide full functionality in services and applications
      • Hard to detect from the adversary
      • Collect more information about the attack
      • Detect attacks on 0-day vulnerabilities
    • Disadvantages:

      • More effort on the deployment and maintenance
      • More hardware resources needed
      • High risk of compromising the real system and lose control


Honeypot VM Tool


Honeypot VM Tool Architecture - Components

The overall architecture and the different components of Honeypot tool are depicted in the following image:

Image 1: The architecture of the VM Honeypots system developed for a cloud based environment


  • Components
    The solution is currently based on Ubuntu 12.04 VMs with pre-installed software:
    • Low-Interaction Honeypots
      • Dionaea Honeypot
      • Kippo Honeypot
      • Custom REST API server for remote access
        • Communication with the control panel over SSL
    • Logs aggregator XMPP server

    • Central PostgreSQL database

      • Incidents stored in a unified format
    • Web based control panel
      • Remote administration of VMs
      • Visualization of attacks
      • Monitoring of honeypots’ VM performance
      • Extra features include:
        • LDAP authentication for users
        • Delivery of personalized alerts via email in PDF format

  • Dionaea Honeypot
    • Dionaea is a low interaction honeypot
    • Uses Python to emulate well known services
      • HTTP, HTTPs, FTP, TFTP, SMB, MSSQL, MySQL
    • Accurate implementation of the Server Message Block (SMB) protocol
      • Providing share access to printers and files (port 445)
      • Popular target for worms and bots to spread
    • Modular architecture
      • New protocols can be emulated and added
    • Supports IPv6
    • Good performance and stability
      • Can monitor many IP addresses simultaneously
  • Kippo Honeypot

    • Kippo emulates the SSH service
      • Provides high level accuracy
    • Implemented in Python
    • Emulates a Debian filesystem
      • Provides content for some files (e.g. /etc/password)
    • Stores all files that are downloaded

      • Simulates wget and curl commands
    • Stores all commands executed

      • Enables the analyst to replay the commands
    • Good performance and stability

      • Can monitor many IP addresses simultaneously
  • Tool Workflow

    • CI administrator loads the Honeypots VM on a server
    • Control panel initializes the Honeypots VM
      • Applies a unique ID to the sensor
      • Configures the monitoring IP Dark Space
      • Starts all services
    • Honeypots monitor the network for attacks 
    • Attackers discover services and try to compromise them
    • Honeypots track their activity
    • Honeypots logs are sent to the XMPP server
      • Stored in the central database in real time
    • Control panel visualizes the attacks
    • Control panel exports Access Control Lists (ACLs)
      • Imported to firewalls to prevent potential attacks

Graphical User Interface

A central management interface (control panel) has been implemented through which the administrator and system users can interact with it. The provided functionality is described in the following paragraphs.

  • System Users-Login Process
    • Analysts: Can access all the events and security logs generated by the collectors functioning within the network. The analyst can easily create new reports that are readily available through the screens of the Control Panel.
    • Administrators: Can access the full functionality provided by our system. The administrator has access to honeypots virtual machine operations, system services that collaborate to collect attacks and management of users’ accounts. More specifically, the administrator has the ability to install a new honeypot VM on the network, track the status of existing honeypots and other system services, create new users, and manage already registered users.

The user of the system has to provide his username and password in order to login into  the system: