
Copyright 2002. Published in the Proceedings of the IEEE International Symposium on Technology and Society (ISTAS), Raleigh NC, USA, June 2002. Personal use of this material is permitted. However, permission to reprint/republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works, must be obtained from the IEEE. Contact: Manager, Copyrights and Permissions / IEEE Service Center / 445 Hoes Lane / P.O. Box 1331 / Piscataway, NJ 08855-1331, USA. Telephone: +Intl. 732-562-3966.

Internet Honeypots: Protection or Entrapment?


Brian Scottberg*, William Yurcik**, David Doss*

*Illinois State University, {bpscott,dldoss}@ilstu.edu
**University of Illinois at Urbana-Champaign, yurcik@uiuc.edu

Abstract


A honeypot is a decoy computer system designed to look like a legitimate system an intruder will want to break into while, unbeknownst to the intruder, they are being covertly observed. Honeypots are effective precisely because attackers do not know if they are there and where they will be. However, honeypots are also a controversial technique; they essentially bait and capture intruders, skirting the fine line between keeping attackers out of a network versus inviting them in. Little legal precedent has been established. Some see them as unfair entrapment tools, while others see them as an effective data-gathering and deterrence mechanism. This paper attempts to flush out the issues on both sides of a technique that may become ubiquitous in the future.

1. Introduction

For the following reasons, good data is needed about Internet attacks:
- Real threat data is needed to design good security products.
- Trend data may help predict what Internet attacks will come next so protections can be prepared now.

Unfortunately, there is little if any good data about Internet attacks; most is anecdotal. Good data is hard to find because of the low detection rate of Internet attacks, and because the quality of data disclosed by organizations about detected Internet attacks is poor. This lack of information makes it difficult to design good security products and processes [10]. The Computer Security Institute (CSI) has conducted annual computer crime surveys coordinated with the FBI. In 2001, 64% of IT security executives at large corporations and government agencies acknowledged financial losses attributable to security breaches [9]. The CSI/FBI survey is not statistically generalizable, however, due to the small sample size (538 respondents), self-selected survey pool, and lack of response validation. The Honeynet Project measures actual computer attacks on the Internet [5,6]. According to their most recent results, a random computer is scanned dozens of times a day. The average WinTel PC directly out-of-the-box will be broken into within 24 hours of connecting to the Internet. The life expectancy of a default installation of Red Hat 6.2 server is less than 72 hours. The fastest recorded time for a server to be hacked is 15 minutes after being plugged into the network [10].

A honeypot is a program that takes the appearance of an attractive service, set of services, an entire operating system, or even an entire network, but is in reality a tightly sealed compartment built to lure and contain an attacker (a sandbox where intruders cannot harm production systems or data), effectively shunting an intruder safely away from production systems for covert analysis. Like a hidden surveillance camera, a honeypot monitors and logs every action an attacker makes, including access attempts, keystrokes, files accessed and modified, and processes executed. The ability to covertly monitor a computer, group of computers, or entire network under attack is essential to the analysis and diagnosis process. Prior to honeypots, there is the seminal narrative by Clifford Stoll of monitoring and tracking an intruder [14] that was later released as a best-selling book [13]. Stoll describes how he created a complete (but nonexistent) government project with realistic (but false) files which intruders spent an extended period of time downloading and analyzing, providing an opportunity for him to monitor and trace their activities. The original honeypot computer systems are documented in [1,3]. Lance Spitzner describes how to build, implement and monitor a honeypot in a more recent paper [12].

During an attack, a honeypot provides two basic things: (1) the information needed about an attack to develop an appropriate response in real time and (2) the time needed to implement that response. When analyzing an attack after it has occurred, a honeypot can be useful in analyzing an intruder's activity (profile information) in order to develop long-term strategic courses of action, including cataloging which countermeasures/patches should be implemented. For non-incident-response operations, honeypots can be useful for detecting insider misuse where it is known exactly what to do to tempt the intruder.

The rest of this paper is organized as follows: Section 2 describes the two primary ways honeypots are used and Section 3 presents different honeypot deployment strategies that have developed. Section 4 categorizes available honeypot systems. Section 5 discusses the larger societal ramifications of using honeypots to provide security. We close with a summary and conclusions in Section 6.

2. Deceive, Intimidate, or Reconnaissance

Honeypots can be immediately effective if used in any of three ways: to deceive, to intimidate, or to provide reconnaissance. To deceive, a honeypot must provide realistic responses to requests so that an attacker does not suspect it is a trap. Details such as password files, service banners, and file permissions should be configured, and dynamic activity should be realistic. To intimidate, a honeypot might advertise on one unauthorized deception port a default banner such as "Honeypot in Use", which will increase an intruder's level of risk from uncertainty in a manner similar to posting a security alarm sign in the physical world. For reconnaissance, honeypots can provide vital attack signature information to other security tools, especially intrusion detection systems and firewalls, for tuning purposes such as decreasing the number of false alarms.

3. Deployment Strategies

The core characteristics of a honeypot are [7]:
- superficial facade (platform, OS) appears real
- service behavior (responses, traffic, files) appears real
- partially disabled to prevent use as an attack launch pad if compromised
- does not have any channels to production computers or networks
- trips various levels of alarms when any activity is encountered [11]
- maintains detailed log information of all activity.

Honeypots can be deployed in two broad categories: production or research. The purpose of a production honeypot is risk mitigation. In this deployment, honeypots are often used as reconnaissance or deterrence tools within a specific organization. The deployment of honeypots for research does not add direct value to a specific organization but does gather intelligence for entire communities, and indirect benefits include improved attack prevention, detection, and reaction.

There are polarized views on the effectiveness of different honeypot deployments. Table 1 shows a variety of established deployments of honeypots.

Table 1. Honeypot Deployment Strategies

Strategy | Description
Sacrificial Lamb | an isolated system that has no entry point to any production systems
Deception Ports on Production Systems | simulated honeypot services substituted for well-known services (www, smtp/pop, dns, ftp)
Proximity Decoys | deploy honeypot decoys in close proximity to production hosts (same logical subnet)
Redirection Shield [8] | by using port redirection on an upstream router or firewall, you can make it appear that honeypot services are on a production system
Minefield [8] | honeypots (in quantity) placed in the forefront to serve as first attack targets for any scans
Hacker Zoo [8] | an entire subnet of honeypots with varied platforms, services, vulnerabilities, and configurations; called a zoo because attackers are in cages resembling their natural habitat
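The three uses from Section 2 and the "Deception Ports" strategy from Table 1 can be seen together in one small low-interaction listener. The following Python program is an added example written for this page; it is not code from the paper or from any product in Table 2. It emulates an FTP and an SMTP service with realistic banners (deceive), exposes one port that announces "Honeypot in Use" (intimidate), and writes a structured record of every connection and command (reconnaissance). The host names in the banners, the port numbers, and the use of high ports instead of 21/25 are assumptions made so the script runs without privileges.

```python
"""Added example (not from the paper): a minimal low-interaction honeypot that
answers on deception ports, logs everything it sees, and can run in either a
deceptive or an intimidating mode."""
import json
import socketserver
import threading
import time
from typing import Dict, List, Optional

# Constructed mapping of listening ports to emulated services. In a real
# deployment the ftp/smtp emulators would stand in for the well-known
# services on 21/25 (or be reached through port redirection, as in the
# Redirection Shield strategy); high ports are used here so the script
# runs unprivileged.
SERVICES: Dict[int, str] = {2121: "ftp", 2525: "smtp", 2222: "warn"}

# Host names are hypothetical. Realistic banners support deception; the
# "warn" service advertises the trap openly to raise an intruder's
# perceived risk, as Section 2 describes.
BANNERS: Dict[str, bytes] = {
    "ftp": b"220 ftp.example.internal FTP server (Version 6.00LS) ready.\r\n",
    "smtp": b"220 mail.example.internal ESMTP Sendmail 8.11.6 ready\r\n",
    "warn": b"Honeypot in Use. All activity is recorded.\r\n",
}

# In-memory reconnaissance log; Section 3 explains why real records must
# leave the honeypot for a dedicated log server.
EVENTS: List[dict] = []


def respond(service: str, line: bytes) -> Optional[bytes]:
    """Return a protocol-plausible reply to one client line, or None to close.

    Nothing ever succeeds: logins fail and mail is never accepted, so the
    emulator gives an attacker nothing to launch further attacks from.
    """
    cmd = line.strip().split(b" ", 1)[0].upper()
    if service == "ftp":
        if cmd == b"USER":
            return b"331 Password required.\r\n"
        if cmd == b"PASS":
            return b"530 Login incorrect.\r\n"
        if cmd == b"QUIT":
            return None
        return b"530 Please login with USER and PASS.\r\n"
    if service == "smtp":
        if cmd in (b"HELO", b"EHLO"):
            return b"250 mail.example.internal Hello\r\n"
        if cmd == b"QUIT":
            return None
        return b"550 Relaying denied.\r\n"
    return None  # "warn": banner only, then close


def record_event(service: str, src: tuple, dst_port: int, line: bytes) -> dict:
    """Store one structured record (the raw material for IDS/firewall tuning)."""
    event = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "src_ip": src[0],
        "src_port": src[1],
        "dst_port": dst_port,
        "service": service,
        "request": line[:128].decode("latin-1", "replace").rstrip("\r\n"),
    }
    EVENTS.append(event)
    print(json.dumps(event), flush=True)
    return event


class Handler(socketserver.StreamRequestHandler):
    """One connection: send the banner, then log and answer each line."""

    def handle(self) -> None:
        port = self.server.server_address[1]
        service = SERVICES[port]
        self.wfile.write(BANNERS[service])
        record_event(service, self.client_address, port, b"<connect>")
        if service == "warn":
            return
        while True:
            line = self.rfile.readline()
            if not line:
                return
            record_event(service, self.client_address, port, line)
            reply = respond(service, line)
            if reply is None:
                return
            self.wfile.write(reply)


class Server(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def serve_forever() -> None:
    """Bind every configured port and run until interrupted."""
    servers = [Server(("0.0.0.0", port), Handler) for port in SERVICES]
    for srv in servers:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        while True:
            time.sleep(1)
    except KeyboardInterrupt:
        for srv in servers:
            srv.shutdown()


if __name__ == "__main__":
    serve_forever()
```

Run it and connect to port 2121 or 2525 to see the deceptive dialogue, or to 2222 to see the intimidation banner; every line the client sends appears as a JSON record on stdout. The design choice that matters is in respond(): no command path ever grants access or relays anything, which is the "partially disabled" characteristic from the list above.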

Advocates argue that a honeypot can be an effective deterrent. Honeypots are also used as early warning systems that log and alert about hostile activity before production systems are targeted. Honeypots can sidetrack attackers' efforts, causing them to devote attention to activities that cause neither harm nor loss. Most importantly, tracking an intruder in a honeypot reveals invaluable insights into attacker techniques and ultimately motives, so that production systems can be better protected. You may learn of vulnerabilities before they are exploited. Ultimately, honeypot observation may provide a predictive capability of what production targets are vulnerable, when they may be attacked, and what techniques will be used.

Detractors argue that honeypots placate attackers by giving them what they want: a system to break into, to place Trojan horses on, and to destroy file systems on. Intruders may come to know honeypots for what they are, such that they become ineffective tools for finding and controlling the devoted outside attacker. The strongest negative of honeypots is the level of effort to deploy, maintain, and actively monitor. Detractors say this level of effort may be better spent protecting the production systems. Lastly, detractors emphasize that blocking outbound traffic is essential, or a honeypot could become a platform for other attacks.

Logging information from a honeypot is problematic. Logging directly on the honeypot itself is vulnerable if it is compromised (logs can be altered or erased). For this reason, it is recommended that a bogus log configuration file be kept on the honeypot while actual logging is sent to a dedicated server using encryption to mask the activity, although there is the potential for detection. There is a fundamental limitation of honeypots that is similar to signature-based network intrusion detection systems: the honeypot must know of a vulnerability in advance to properly simulate it. If an attack is new or unknown, the honeypot will be revealed by its inappropriate responses. This is why honeypot advocates recommend using the sacrificial lamb strategy of real dedicated machines if at all possible. Honeypots can be very useful as part of a comprehensive security program. The level of effort to deploy and manage is secondary to the time and resources needed not only to monitor but also to act quickly on events. For organizations with limited resources, the next section describes available honeypot systems that are easily configurable.
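The logging recommendation above (keep only a decoy configuration on the honeypot, send the real records to a dedicated server) can be made tamper-evident as well as remote. The following Python code is an added example and not from the paper: the honeypot side numbers each record, chains it to the previous one by hash and authenticates it with a shared HMAC key; the dedicated log server verifies every frame and keeps the authoritative copy, so altered, dropped, reordered or replayed records raise an alert instead of silently changing the history. The collector host name, port and CA file used by tls_sender are hypothetical placeholders; everything else runs in memory on constructed sample records.

```python
"""Added example (not from the paper): tamper-evident off-box logging for a
honeypot, with a TLS sender for the encrypted transport the text calls for."""
import hashlib
import hmac
import json
import socket
import ssl
from typing import Callable, List, Tuple

GENESIS = "0" * 64  # chain anchor for the very first record


def _canonical(seq: int, prev: str, event: dict) -> bytes:
    """Byte-exact encoding that both sides hash and authenticate."""
    return json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":")).encode()


class Shipper:
    """Honeypot side: number, chain and authenticate each record, then send it."""

    def __init__(self, key: bytes, send: Callable[[bytes], None]) -> None:
        self.key, self.send, self.seq, self.prev = key, send, 0, GENESIS

    def emit(self, event: dict) -> bytes:
        body = _canonical(self.seq, self.prev, event)
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        frame = json.dumps({"seq": self.seq, "prev": self.prev,
                            "event": event, "tag": tag}, sort_keys=True).encode()
        self.send(frame)
        self.seq += 1
        self.prev = hashlib.sha256(body).hexdigest()  # next record points here
        return frame


class Collector:
    """Dedicated log server: verify each frame and keep the authoritative copy."""

    def __init__(self, key: bytes) -> None:
        self.key, self.expected_seq, self.expected_prev = key, 0, GENESIS
        self.accepted: List[dict] = []
        self.alerts: List[str] = []

    def accept(self, frame: bytes) -> Tuple[bool, str]:
        try:
            msg = json.loads(frame)
            body = _canonical(msg["seq"], msg["prev"], msg["event"])
            tag = msg["tag"]
        except (ValueError, KeyError, TypeError):
            return self._reject("malformed frame")
        good = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not isinstance(tag, str) or not hmac.compare_digest(good, tag):
            return self._reject("bad tag: frame altered in transit or key mismatch")
        if msg["seq"] != self.expected_seq:  # dropped, reordered or replayed record
            return self._reject(f"sequence gap: expected {self.expected_seq}, got {msg['seq']}")
        if msg["prev"] != self.expected_prev:  # history rewritten before shipping
            return self._reject("chain break: prev does not match last accepted record")
        self.accepted.append(msg["event"])
        self.expected_seq += 1
        self.expected_prev = hashlib.sha256(body).hexdigest()
        return True, "ok"

    def _reject(self, reason: str) -> Tuple[bool, str]:
        self.alerts.append(reason)
        return False, reason


def tls_sender(host: str, port: int, cafile: str) -> Callable[[bytes], None]:
    """Return a send() that delivers one frame per TLS connection to the
    collector (host, port and CA file are hypothetical and supplied by you)."""
    ctx = ssl.create_default_context(cafile=cafile)

    def send(frame: bytes) -> None:
        with socket.create_connection((host, port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(frame + b"\n")
    return send


def run_demo() -> Collector:
    """In-memory walk-through on constructed records: three honest frames,
    then a dropped record, an altered frame and a replay."""
    key = b"constructed-shared-key"  # provisioned out of band in practice
    frames: List[bytes] = []
    shipper = Shipper(key, frames.append)  # swap in tls_sender(...) for real use
    collector = Collector(key)
    for ev in ({"src_ip": "203.0.113.5", "request": "USER root"},
               {"src_ip": "203.0.113.5", "request": "PASS toor"},
               {"src_ip": "198.51.100.9", "request": "<connect>"}):
        shipper.emit(ev)
    collector.accept(frames[0])
    collector.accept(frames[2])  # frame 1 missing: sequence gap
    collector.accept(frames[1])
    collector.accept(frames[2].replace(b"198.51.100.9", b"10.0.0.1"))  # altered
    collector.accept(frames[2])
    collector.accept(frames[2])  # replay of an accepted frame
    return collector


if __name__ == "__main__":
    for alert in run_demo().alerts:
        print("ALERT:", alert)
```

Because the shared key lives on the honeypot, an intruder who gains root there can forge records from that point on; the value of the scheme is that everything received earlier is already off-box and cannot be rewritten, and that a sudden silence or chain break tells the operator exactly when the feed stopped being trustworthy. Rotating the key at every boot, or using a per-boot key signed by a longer-lived one, limits how much a stolen key is worth.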

4. Honeypot Systems

Although the concept of a honeypot system is not new, the availability of commercial honeypot systems is new. Table 2 shows a representative sample of currently available honeypot systems. Commercial-grade honeypots are relatively new. Freeware honeypots have been used for some time, but in a business situation commercial products dominate. Although commercial honeypots are simpler than building a specialized honeypot from scratch using open source freeware, they do not eliminate the need for expertise in monitoring. For example, commercial honeypots send alerts to an operator that an event has occurred; however, a skilled analyst with attack knowledge is needed to correlate supporting data (packet traces, firewall/intrusion detection logs) to analyze, identify, and contain the attack. Table 2 shows two primary types of honeypots: (1) hardware-based servers, switches, or routers that have been partially disabled and made attractive with commonly known misconfigurations and (2) software simulation honeypots, which are deception programs that emulate system software (OS) and services.

Table 2. Representative Honeypot Systems

Product | Vendor | Description
BackOfficer Friendly (Windows) | NFR Security | simulates a BackOrifice server; listens for BackOrifice (a Windows Trojan program) and responds appropriately while logging various services
CyberCop Sting (Windows) | Network Assoc./PGP | simulates an entire network segment of routers/hosts on a single system; can mimic multiple OSs; responds appropriately to attacker requests for specific services and logs activity
Deception Toolkit (DTK) (Unix) | Fred Cohen & Assoc. | listens to service requests on ports normally blocked and provides responses to attacker requests while logging activity
NetFacade (Unix-Solaris) | GTE Federal Network Systems | simulates Cisco IOS, Unix, and Windows services (with different versions of the same service) to mimic the real services; can simulate an entire Class C network of hosts running network services
Mantrap (Unix-Solaris) | Recourse Technologies | runs a real, complete Unix-Solaris OS in a jail configuration with no emulation; provides deception hosts with unique/revisable data
Spectre (Windows) | Network Security Software | dedicated PC simulates multiple OSs and multiple services, with variable levels of security
VMware (multiple OSs) | VMware, Inc. | honeypot OS executing virtually within a host OS

5. Societal Issues
There is no legal precedent yet established in regard to honeypots. The issue of entrapment is relevant if an attacker is intentionally lured to a honeypot; there must be no tacit permission to access the system, and banners should be carefully stated and identical on both the production and honeypot systems. Even with careful honeypot deployments, luring intruders to a network is dangerous because they may instead attack the production servers while avoiding the honeypots. An entrapment legal defense may nullify the prosecution of attackers by law enforcement agencies. If you are not a law enforcement officer you cannot entrap. The primary rationale for the concept of entrapment is to mitigate the possibility that an otherwise law-abiding citizen could be encouraged to engage in illegal conduct. "Entrapment is the conception and planning of an offense by an officer, and his procurement of its commission by one who would not have perpetrated it except for the trickery, persuasion, or fraud of the officers." [The accepted standard legal definition of entrapment as stated by Justice Roberts in 1932 in Sorrells vs. United States.] In law enforcement sting operations, police engage in encouragement activity. The key to establishing entrapment is predisposition: would the attacker have committed the crime without encouragement activity (beyond a reasonable doubt)? Affording the means for somebody to commit a crime is not the same thing as encouraging the crime [2]. The legal definition of entrapment does not apply to non-law-enforcement organizations, so honeypot operators cannot be prosecuted. There is even a question of encouragement activity for law enforcement agencies, since attackers scan, target, and intrude upon honeypots on their own initiative.

Viewing files and intercepting communication (chat or email) on a honeypot is relevant to privacy laws. The intruder's files are not protected since there is no legitimate account or privileges. While there is case law about the loss of the right of privacy in storing files on a stolen computer or files on a compromised computer without the owner's authorization, there is little or no case law on interception of communications relayed through a compromised computer [5]. Honeypots do not provide public accounts for communications and they are not service providers; thus they are not bound by common carrier legislation. In the US, the two main laws are the Electronic Communications Privacy Act (18 USC 2701-11) and the Wiretap Statute (Title III, 18 USC 2510-22). When implementing honeypots in other countries, privacy laws will be different, so it would be prudent to review all legal issues with legal counsel before proceeding [5].

If the honeypot is compromised in such a way that it allows outbound traffic, it may be used as a platform to attack other systems. In this case, the owner of the honeypot may be liable for lacking due diligence over corporate assets. In a worst-case scenario such a situation may even be considered gross negligence because of a hazard that was deliberately set up and not properly supervised.

To lure activity, the honeypot must be made attractive to potential attackers, and this has motivated the creation of false data for honeypots. Consider the ramifications of planting false data on honeypots. An intruder may make the false data publicly available; typically this may be done at cracker websites or chat rooms, but it could be a news media outlet. The false data planted on the honeypot could have unintended consequences such as affecting an organization's stock price or reputation (or both).

6. Conclusions
Honeypots are an interesting sociological and technical experiment. Honeypots have already confirmed what we already suspected: systems connected to the Internet are under constant attack. The use of honeypots will continue to grow in the near term, and as future attacks use more advanced spoofing techniques to make them difficult to trace, the role of honeypots is likely to become more important. With all national critical infrastructures dependent upon underlying computer systems, honeypots appear to be an attractive homeland defense tool: attacks can be detected early at strategically deployed honeypots and then analyzed quickly for warning and protective action. As the Chinese warrior and philosopher Sun Tzu stated 2000 years ago, "All warfare is based on deception." The current poor state of security on the Internet, the increasing level of Internet attacks, and the threat of terrorist action have created an environment we would characterize as an unconventional information war where the role of deception is very relevant [4]. This war is asymmetric, with the attacker at a distinct advantage: a defender of computer systems must secure all vulnerabilities within their multiple interconnected systems, or a single vulnerability may compromise all systems, while an attacker must only find a single exposed vulnerability to exploit in any of multiple interconnected systems. Alone, honeypots are vulnerable themselves, but they can be an important part of a comprehensive strategy that confuses, deters, and traps attackers. The sociological and legal issues behind the use of honeypots in cyberspace present new challenges that do not have direct precedents in the physical world.

7. References
[1] S. Bellovin, There Be Dragons, Third Usenix Security Symposium, Baltimore MD, Sept. 1992.
[2] N. Brovet, Entrapment in Cyberspace: Are Traditional Entrapment Doctrines Sufficient to Protect Internet Users From Unreasonable Police Conduct?, Michigan Telecommunications and Technology Law Review, Vol 5, October 15, 1998.
[3] B. Cheswick, An Evening with Berferd in Which a Cracker is Lured, Endured, and Studied, Chapter 10 within Firewalls and Internet Security, by B. Cheswick and S. Bellovin, Addison-Wesley, 1994.
[4] F. Cohen, A Note on the Role of Deception in Information Protection, Computers & Security, Vol 17, 1998, pp. 483-506.
[5] The Honeynet Project, Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community, Addison-Wesley, 2002.
[6] The Honeynet Project, Know Your Enemy: Honeynets, April 2001.
[7] D. Klug, Honey Pots and Intrusion Detection, SANS Institute, September 13, 2001.
[8] D.B. Moran, Trapping and Tracking Hackers: Collective Security for Survival in the Internet Age, Third Information Survivability Workshop, IEEE Computer Society Press, Oct. 2000.
[9] R. Power, Computer Security Issues and Trends: 2001 CSI/FBI Computer Crime and Security Survey, Computer Security Institute, Vol VII No 1, Spring 2001.
[10] B. Schneier, Honeypots and the Honeynet Project, Crypto-Gram Newsletter, June 15, 2001, pp. 1-2.
[11] B. Schneier, Secrets & Lies, Wiley, 2000.
[12] L. Spitzner, To Build a Honeypot, Crypto-Gram Newsletter, June 15, 2001, pp. 1-2.
[13] C. Stoll, The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage, Pocket Books, 2000.
[14] C. Stoll, Stalking the Wily Hacker, Communications of the ACM, Vol 31 No 5, May 1988, pp. 484-497.
