Honeynet@home


Overview

The Honeynet@home project is derived from the ideas and success of other popular Honeynet studies (e.g. SFHN, honeynet.org).  However, this project takes a new approach to attracting attacks, and will demonstrate that what you do on the Internet today can influence the type of attacks, and the type of attackers, that you draw.  Some of the areas of focus will be:

*      Types of attacks drawn by using peer-to-peer programs such as Kazaa and Hotline.

*      A review of personal honeypot software and how effective it is in the wild.

*      What the attackers do once they compromise your system (not how, but why).

What's in the Honeynet?

The Honeynet consists of the following:

*      Windows 2000 server with Exchange 2000 and Terminal Server.  This system is completely patched and completely open to the Internet.  This may be beyond the reach of most home users, but adds a layer of honey to the net.

*      Windows XP Professional with no patches.  This system will be monitored on a daily basis via a packet sniffer.

*      Windows 2000 Server with Exchange 2000 and Terminal Services on a different ISP from the first.  This system will help identify attacks that are not specific to a single IP address range.


Additional machines include:

*      Red Hat 8 system.

*      Windows ME


The technologies used to monitor the Honeynet are as follows:

*      Check Point NG firewall monitors all traffic in and out of the network.

*      Ethereal sniffer captures and logs all packets in and out.

*      OS logging (e.g. IIS and syslog)


What will be available for analysis?

We will be posting logs on a regular basis from the OS level, firewall and sniffer.  For example, if a new attack is seen, all applicable logs will be offered for your review. 
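As an added example (not part of the project page or of its tooling), the following Python script shows one way a reader could correlate the three log sources named above, firewall, web server (IIS) and syslog, by attacking source address, so that a single scan touching several honeynet hosts stands out. The log lines, host names and the address-to-host mapping are constructed for the demonstration and are assumptions about the formats, not the honeynet's actual logs.

```python
"""Correlate constructed honeynet log lines (firewall, IIS, syslog) by source IP.
Added example; the formats and hosts below are assumptions, not the project's logs."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed mapping of honeynet addresses to host names (constructed for the example).
HOSTS = {"203.0.113.10": "w2k-exchange", "203.0.113.11": "winxp", "203.0.113.12": "redhat8"}

# Constructed sample lines, not real honeynet data.
FIREWALL_LOG = """\
2003-02-11 02:14:07 accept src=198.51.100.23 dst=203.0.113.10 proto=tcp dport=3389
2003-02-11 02:14:09 accept src=198.51.100.23 dst=203.0.113.11 proto=tcp dport=445
2003-02-11 02:15:30 drop src=192.0.2.77 dst=203.0.113.12 proto=tcp dport=1433
"""
IIS_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-02-11 02:14:12 198.51.100.23 GET /exchange/ 401
2003-02-11 02:14:13 198.51.100.23 GET /public/ 404
"""
SYSLOG = """\
Feb 11 02:15:31 redhat8 sshd[1122]: Failed password for root from 192.0.2.77 port 40211 ssh2
"""

FIREWALL_RE = re.compile(r"^(\S+ \S+) (accept|drop) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")
SYSLOG_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+?)(?:\[\d+\])?: (.*)$")
IP_RE = re.compile(r"from (\d+\.\d+\.\d+\.\d+)")


def parse_firewall(text):
    """Firewall lines: timestamp, verdict, src/dst, protocol and destination port."""
    events = []
    for line in text.splitlines():
        m = FIREWALL_RE.match(line)
        if not m:
            continue
        ts, action, src, dst, proto, dport = m.groups()
        events.append({"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "firewall",
                       "src": src, "host": HOSTS.get(dst, dst), "detail": f"{action} {proto}/{dport}"})
    return events


def parse_iis(text, host):
    """IIS W3C extended log: the #Fields directive names the columns of each record."""
    fields, events = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        events.append({"time": datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
                       "source": "iis", "src": rec["c-ip"], "host": host,
                       "detail": f'{rec["cs-method"]} {rec["cs-uri-stem"]} -> {rec["sc-status"]}'})
    return events


def parse_syslog(text, year):
    """Syslog lines carry no year, so the caller supplies it; keep only messages naming a remote IP."""
    events = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, prog, msg = m.groups()
        ip = IP_RE.search(msg)
        if not ip:
            continue
        events.append({"time": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"), "source": "syslog",
                       "src": ip.group(1), "host": host, "detail": f"{prog}: {msg}"})
    return events


def correlate(events):
    """Group events by attacking source address, oldest first, to build a per-source timeline."""
    timeline = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        timeline[ev["src"]].append(ev)
    return dict(timeline)


def sources_touching_multiple_hosts(timeline, min_hosts=2):
    """Sources seen against several honeynet hosts: a scan rather than a single-host event."""
    return sorted(src for src, evs in timeline.items() if len({e["host"] for e in evs}) >= min_hosts)


if __name__ == "__main__":
    evs = parse_firewall(FIREWALL_LOG) + parse_iis(IIS_LOG, "w2k-exchange") + parse_syslog(SYSLOG, 2003)
    tl = correlate(evs)
    for src, items in tl.items():
        print(src)
        for e in items:
            print(f"  {e['time']} {e['source']:8} {e['host']:12} {e['detail']}")
    print("multi-host sources:", sources_touching_multiple_hosts(tl))
```

The script keeps each source's events in time order so that a firewall accept, the IIS request that followed it and any syslog trace of the same address read as one sequence; the multi-host check is deliberately simple and is the kind of first filter one would run before reading the full packet capture.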


Projects

Personal Honeypot Review

In this project, we will be reviewing many of the honeypot software packages available today.  Some products to be tested include THP (Tiny Honeypot), Labrea (Tarpit) and TDK (Deception Toolkit).  The reviews will include screenshots, configuration notes, and actual deployment into our existing Honeynet.

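To make concrete what a low-interaction personal honeypot of the kind reviewed here actually does, the following added Python example (not code from THP, Labrea, TDK or this project) implements the minimum: listen on a port, send a fixed banner, record who connected and the first bytes they sent, and close. The banner text, the record layout and the `probe` client are assumptions made for the demonstration; it binds to loopback only.

```python
"""Minimal low-interaction honeypot listener: accept, banner, record, close.
Added example; not the code of any honeypot product named on the page."""
import socket
import threading
import time
from datetime import datetime, timezone

BANNER = b"220 mail.example.invalid ESMTP ready\r\n"  # constructed fake service banner


class HoneypotListener:
    """Accepts connections in a background thread and appends one record per attempt."""

    def __init__(self, host="127.0.0.1", port=0, read_timeout=1.0):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]
        self.read_timeout = read_timeout
        self.records = []                      # one dict per connection attempt
        self.lock = threading.Lock()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        self.sock.settimeout(0.2)              # wake periodically to honour close()
        while not self._stop.is_set():
            try:
                conn, peer = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, peer), daemon=True).start()

    def _handle(self, conn, peer):
        rec = {"time": datetime.now(timezone.utc).isoformat(), "peer": peer[0],
               "peer_port": peer[1], "local_port": self.port, "data": b""}
        try:
            conn.settimeout(self.read_timeout)
            conn.sendall(BANNER)
            try:
                rec["data"] = conn.recv(1024)  # capture only the first thing the client sends
            except socket.timeout:
                pass                           # silent connect-and-wait is itself worth recording
        finally:
            conn.close()
            with self.lock:
                self.records.append(rec)

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def probe(port, payload=b"EHLO test\r\n"):
    """Demonstration client: connect to the listener, read the banner, send a payload."""
    with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
        banner = c.recv(1024)
        c.sendall(payload)
    return banner


def wait_for_records(listener, n, timeout=3.0):
    """Poll until the listener has recorded n attempts (or the timeout expires)."""
    deadline = time.time() + timeout
    while time.time() < deadline:
        with listener.lock:
            if len(listener.records) >= n:
                return list(listener.records)
        time.sleep(0.05)
    with listener.lock:
        return list(listener.records)


if __name__ == "__main__":
    hp = HoneypotListener()
    print("listening on 127.0.0.1:%d" % hp.port)
    probe(hp.port)
    for r in wait_for_records(hp, 1):
        print(r)
    hp.close()
```

Real products add service emulation, tarpitting (Labrea) or deception content (TDK) on top of this skeleton, but the record each one produces, who connected, when, to which port, and what they sent first, is the same raw material the reviews above will be comparing.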

Peer to Peer threats

Does using P2P clients increase the number of attacks on your system?  Yes, and we will be reviewing the P2P clients and the type of attacks that each draws.  Will Morpheus, Kazaa or Hotline be the most hostile?


Environment

The honeynet is composed of multiple systems from multiple vendors.  The purpose is to be as varied as possible and to offer multiple targets.  Below are some of the setups used; others may be applied:

*      Solaris Sparc 5 with Solaris 8

*      Windows XP

*      Red Hat Linux 7.2, 7.3

*      Windows 2000 Server

This Honeynet will not emulate services or operating systems.  Instead, the true OS, with specific applications, will be set on the Internet for the taking.  The philosophy behind this is that it offers attackers real systems and services that they can use without restriction, which in turn gives us the opportunity to learn from what they do.


OS and Application patching

OS and Application patches will vary depending on the specific project.  Please see each project for the specific patching.