Digital Tar Pit

A program launched by an attacker has invaded your network and is starting to port scan the environment; the next step will be to attack any systems it finds. LaBrea [7] – a "Sticky Honeypot" – is a good choice because it spoofs a whole army of non-existent computers.

The program, which was coded as a response to the Code Red [8] epidemic, is installed on your Raspberry Pi using apt-get. To launch, type

sudo labrea -z -s -o -b -p 10000 -d -i eth0

The -z option is a safety switch that you need to pass in whenever you call the program. The -s option tells a program that a switch exists, and -o redirects logout ports to the command line. The -b and -p parameters manage the bandwidth, and -i defines the interface. From this point on, LaBrea will field incoming ICMP requests and port scan requests. Figure 2 shows how the program responds to IP addresses that do not exist on the test network.

Figure 2: LaBrea responding to pings targeting unknown IP addresses.

The important thing to remember is that LaBrea can cause problems for DHCP servers and Solaris systems because of the way it works. Solaris has the unfortunate property of responding to certain ARP packets by deactivating its own IP stack [9].

Honeypots at the Application Level

Forensic investigations reveal that most attacks are launched from the inside: Disgruntled staff all too often use their knowledge to exact their revenge. Honeypots can provide a remedy for internal attacks. The simplest form of the honeypot is a "honeyfile," which is not normally needed to run the computer system.

The honeyfile, equipped with an enticing name, contains a macro that sends a message to the control server when opened. Because attackers today will tend to prevent macros executing on their systems, the recommended workaround is an HTML file with the mandatory external dependency required for display elements to work.

Advanced installations rely on a dedicated file server. Scripts running in the background evaluate any changes. Access to files tagged as prohibited trigger an immediate alert. Intrinsec [10] introduced a system in 2014 that sidetracks ransomware with a combination of honeyfiles and kernel drivers. Processes that access honeyfiles are automatically terminated, thus mitigating any potential damage.

Unfortunately, no prebuilt implementations offer a ready-made honey file configuration: Honey files and related applications within the honeypot category are not currently a subject of research. If you want to use them to secure your network, you have little choice but to program them yourself.

Conclusions

Honeypots simulate vulnerable systems. They motivate attackers invading an unknown network to spend time playing. This time in the pot offers administrators a considerable advantage. First, the attacker wastes time and resources experimenting with the honeypot that they would otherwise use for targeting production systems. Second, warning systems on the honeypot alert the administrator as soon as an attacker moves in.

Virtualization and the availability of low-budget, single-board computers means technology that was previously only possible on large networks is now part of the public domain. A honeypot can help you trap intruders and buy you valuable time to respond to an attack.