Honeypots (mind map)


Virtual Honeypot

advisable to run the HP on Linux
  most exploits and malware target Windows

can be restored to a previous state quickly and easily
  useful as a technique to disinfect the system: restore the base image

attacker may detect being in a virtual machine

Client Honeypot

allows detection of malware targeting client applications

the end user is becoming the weakest link in the security architecture

instead of passively waiting, simulate human behaviour

other possible client applications to build a client honeypot upon besides the web browser
  IRC client
  instant messaging

2 kinds
  passive: waiting for an event to happen, e.g. e-mail clients
  active: connect to a server, send commands, get back results, e.g. a web browser finding web servers that try to compromise browsers
    attacker's phases
      1. setting up a web site with one or more exploits, usually several to have more possible targets
      2. (optional) setting up a network of malicious web servers; malicious servers redirect to or embed other malicious servers
      3. exploitation of the user; typically malware is installed to gain complete control over the system
    2-step approach
      1. find suspicious sites
        using a search engine with special keywords
        blacklists provided by third parties
        using links from spam or phishing messages
        using typosquatted domains (domains similar to popular domains, but with typographical errors)
        links found in newsgroups
        monitoring instant messaging or other chat tools
      2. identify whether they are really malicious
        interactivity
          low interaction: analyse the downloaded page or content with
            AV (some AV products scan for web site exploit signatures and for served documents containing malware)
            IDS
            other static analysis
            problem with the revisiting policy: how often to check suspicious pages for new content; the attacker may seed new exploits or malware; an exploit/malware previously not detected by AV/IDS may be detected after an update
            problem with crawling: active/dynamic pages can't be executed or displayed by a crawler
          high interaction: instead of relying on crawler, AV etc., telecommanding real client applications
            possibly detects 0-days
            rather slow and expensive because an entire (virtualized) system is needed
            prone to detection evasion
              time bombs: delaying the exploit from triggering immediately; keep a list of recently accessed pages and verify them separately after a trigger
              trigger upon user action (dialog boxes, HTML forms): simulate user interaction, redo with every possible choice
        heuristics from machine learning and pattern recognition
    as opposed to classical server HPs, a client HP can't be passive: it can't predefine all traffic as suspicious/malicious
    detection mechanisms
      monitor file system activity (some file creations are legitimate, like cookies: whitelist)
      monitor registry entries
      monitor processes
      monitor network connections
      monitor memory
      2 ways of integrity checks
        periodical, after each successfully accessed page: slow to check the whole system; can be unreliable if a rootkit has been installed in the meantime
        real-time: achieved by API hooking
    malicious server checks browser and OS version prior to exploitation: a different setup may lead to different results

High Interaction

conventional computer systems

equipped with additional software to constantly monitor system and collect information about system activity

Attacker gains full Control over System

Security measures: Honeywall
  principles
    data capture
      network: all traffic going to and from the device needs to go through the Honeywall
        IDS: Snort
        passive fingerprinting: p0f
        monitoring tools: Argus
      system: rootkit-style sensor, Sebek
        logging keystrokes, programs executed, files read/written
        being stealthy so as not to raise suspicion
        ...
    data control
      limit the number of connections per time period
      prohibit particularly malicious traffic (extrusion prevention): use snort_inline to stop the spreading of attacks on known vulnerabilities
      allow enough to not hinder the analysis of malware (like connecting to IRC etc.)
    data analysis: (pre-/post-)processing of the captured data
  acts as a transparent bridge
  separate management NIC

Complete Analysis of Attack possible

dynamic taint analysis

implemented in argos

all data received via network is marked

detects if marked data is used to influence the execution flow, e.g. via a JMP instruction
  execution is stopped and a memory footprint is generated
  detection happens on execution, not on the overwrite of memory

advantages
  automated detection and possible analysis of the exploit
  attacker never gets control of the system
  can be utilized to automatically create attack signatures

disadvantages
  doesn't execute anything from the attacker, so no malware samples are caught and no analysis of attacker behaviour is possible
  only effective against buffer overflow attacks
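As an added illustration of the argos idea described above (example code written for this page, not argos itself): a toy machine marks every byte that arrives from the "network", propagates the mark when bytes are copied, and stops with a memory footprint only when a marked byte is about to decide a jump target, so an overflow that merely overwrites memory goes unnoticed until it is used. The instruction set, memory layout and payloads are constructed.

```python
"""Toy taint-tracking machine in the spirit of argos (added example, not argos code):
bytes from the network are marked, copies propagate the mark, and execution stops
when a marked byte is about to be used as a jump target."""
OP_HALT, OP_MOV, OP_JMP_IND = 0x00, 0x01, 0x02


class TaintVM:
    def __init__(self, size=64):
        self.mem = bytearray(size)
        self.taint = bytearray(size)   # 1 = byte originated from the network
        self.pc = 0
        self.alert = None              # memory footprint recorded on detection

    def recv(self, addr, data):
        """Network input: store the bytes and mark each one tainted. Writing past
        the intended buffer is not flagged here; detection happens on use."""
        self.mem[addr:addr + len(data)] = data
        self.taint[addr:addr + len(data)] = b"\x01" * len(data)

    def run(self, max_steps=100):
        for _ in range(max_steps):
            op = self.mem[self.pc]
            if op == OP_HALT:
                return "halt"
            if op == OP_MOV:           # MOV dst, src: copy one byte and its taint flag
                dst, src = self.mem[self.pc + 1], self.mem[self.pc + 2]
                self.mem[dst], self.taint[dst] = self.mem[src], self.taint[src]
                self.pc += 3
            elif op == OP_JMP_IND:     # JMP [ptr]: jump to the address stored at ptr
                ptr = self.mem[self.pc + 1]
                if self.taint[ptr]:    # network data would decide where we jump: stop
                    self.alert = {"pc": self.pc, "target": self.mem[ptr],
                                  "tainted": [i for i, t in enumerate(self.taint) if t]}
                    return "tainted_jump"
                self.pc = self.mem[ptr]
            else:
                return "illegal"
        return "timeout"


def scenario(payload):
    """Constructed layout: a 4-byte input buffer at 0x20 directly below a saved
    jump pointer at 0x24, the classic stack-overflow shape."""
    vm = TaintVM()
    vm.mem[0:3] = bytes([OP_MOV, 0x30, 0x20])  # use the input: copy its first byte
    vm.mem[3:5] = bytes([OP_JMP_IND, 0x24])    # "return" through the pointer at 0x24
    vm.mem[0x24] = 0x10                        # legitimate target: a HALT at 0x10
    vm.mem[0x10] = OP_HALT
    vm.recv(0x20, payload)                     # 4 bytes fit; a 5th overwrites 0x24
    return vm.run(), vm
```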

Physical Honeypot

Low Interaction

emulates services

reacts to input with a defined output, usually without implementing large parts of the protocol logic


advantages
  easy to set up
  easy to maintain
  low computing resources needed
  provides only limited access to the operating system for the adversary: the attacker shouldn't be able to compromise the LI HP itself
  measure attack frequency
  collecting malware for analysis

disadvantages
  detectable
  not designed for 0-days
  not designed for unknown/unimplemented protocol behaviour
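As an added example of the "defined output" idea above (written for this page, not taken from it or from any honeypot project): a low-interaction emulation of a mail service answers every command with a canned reply, keeps only the state needed to capture what a client submits, and counts authentication attempts per source so the operator can measure attack frequency. The host name, replies and session lines are constructed.

```python
"""Low-interaction mail-service emulation (added example, not from the page): every
command gets a fixed reply, only the DATA phase keeps state so submitted payloads
can be captured, and every line is logged to measure attack frequency per source."""
from collections import Counter

CANNED = {                        # verb -> fixed reply; constructed fake identity
    "EHLO": "250-mail.example.test\r\n250 AUTH LOGIN PLAIN",
    "HELO": "250 mail.example.test",
    "AUTH": "535 5.7.8 Authentication credentials invalid",
    "MAIL": "250 OK",
    "RCPT": "250 OK",
    "DATA": "354 End data with <CR><LF>.<CR><LF>",
    "QUIT": "221 Bye",
}
DEFAULT = "500 5.5.1 Command not recognized"
MAX_LINE = 512                    # bound input size; the sensor must stay uncompromised


class LowInteractionSMTP:
    def __init__(self):
        self.events = []               # (src, verb) log for later analysis
        self.auth_attempts = Counter() # per-source count = attack frequency
        self.captures = []             # (src, body) payloads collected for analysis
        self._data = {}                # src -> body lines while that source is in DATA

    def handle(self, src, line):
        """Answer one client line. Nothing is executed, relayed or delivered."""
        raw = line.rstrip("\r\n")[:MAX_LINE]
        if src in self._data:          # capturing a message body
            if raw == ".":
                self.captures.append((src, "\n".join(self._data.pop(src))))
                return "250 OK queued"   # fixed reply; nothing was actually queued
            self._data[src].append(raw)
            return None                # no reply inside the body
        verb = raw.split(" ", 1)[0].upper()
        self.events.append((src, verb))
        if verb == "AUTH":
            self.auth_attempts[src] += 1
        if verb == "DATA":
            self._data[src] = []
        return CANNED.get(verb, DEFAULT)

    def session(self, src, lines):
        """Run a constructed client session and return the non-empty replies."""
        return [r for r in (self.handle(src, l) for l in lines) if r is not None]
```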



Slow Down Spammers (and Sequential Worms)

Two ways
  Throttling: advertise a very small window size; the connection still progresses, but the attacker is slowed down
  Persistent capture: advertise a receiver window size of 0; the attacker keeps the connection alive and periodically sends "window probe" packets; can persist indefinitely

Hybrid approach

use a low-interaction HP for known attacks

if the attack is unknown, forward the traffic to a high-interaction HP
  replay against the high-interaction HP what happened so far, bringing it into the state reached so far

Shadow Honeypots

hybrid system: honeypot + anomaly detection

a request is handled either by a normal production host or, if an anomaly is detected, by a high-interaction honeypot
  both systems share state: if the honeypot doesn't find anything, the changes go live, otherwise they are discarded