Seminar Report

On

HONEYPOTS
(A tool to fight against the hackers)
By Bijay Kumar
( Y2M007)
S4MCA

Department of computer science and engineering

National Institute of Technology
Calicut-673601

February 2004
 1

Seminar Report
On

HONEYPOTS
(A tool to fight against the hackers)
By Bijay Kumar
(Y2M007)
S4MCA

Department of computer science and engineering

National Institute of Technology
Calicut-673601

February 2004

1
 2

Certificate
This is to certify that this seminar report titled Honeypot is a
bonafide record of the Seminar presented by Bijay Kumar (Y2M007)
fourth semester MCA student, National Institute of Technology
Calicut

Coordinator Professor and head

Place
Date

2
 3

Acknowledgement

I would like to put on records my sincere thanks to:

Dr.V.K.Govindan, H.O.D., Computer science and engineering department.
Mrs. Priya Chandran and Miss. Nisha, who helped me in preparing this
seminar and given a useful guidance.
I would also like to thank all of my friends and well wishers who helped me
alot in the successful presentation of my seminar.

3
 4

CONTENTS

1. Abstract -------------------------------------------- 05
2. Definition of honeypots -------------------------------------------- 06
3. Types of honeypots -------------------------------------------- 07
a. High interaction honeypots -------------------------------------------- 07
b.Low interaction honeypots -------------------------------------------- 08
4. Values of honeypots -------------------------------------------- 11
a.Spector -------------------------------------------- 12
b.Hoemade honeypots -------------------------------------------- 13
c.Mantrap -------------------------------------------- 13
5. How honeypots work -------------------------------------------- 14
a.Prevention -------------------------------------------- 14
b.Detection --------------------------------------------- 15
c.Reaction ---------------------------------------------- 16
d.Research --------------------------------------------- 17
6.Advantages of honeypots --------------------------------------------- 17
7. Disadvantages of honeypots--------------------------------------------- 18
8. Diffrences --------------------------------------------- 19
9. Conclusion ------------------------------------------------ 21
10. References ---------------------------------------- 22

4
 5

HONEYPOTS

Abstract

Honeypot is an Internet-attached server that acts as a decoy, luring in

potential hackers in order to study their activities and monitor how
they are able to break into a system. Honeypots are designed to
mimic systems that an intruder would like to break into but limit the
intruder from having access to an entire network. If a honeypot is
successful, the intruder will have no idea that he is being tricked and
monitored. Most honeypots are installed inside firewalls so that they
can better be controlled, though it is possible to install them outside of
firewalls. A firewall in a honeypot works in the opposite way that a
normal firewall works: instead of restricting what comes into a system
from the Internet, the honeypot firewall allows all traffic to come in
from the Internet and restricts what the system sends back out. By
luring a hacker into a system, a honeypot serves several purposes:

• The administrator can watch the hacker exploit the vulnerabilities

of the system, thereby learning where the system has weaknesses
that need to be redesigned.
• The hacker can be caught and stopped while trying to obtain root
access to the system.
• By studying the activities of hackers, designers can better create
more secure systems that are potentially invulnerable to future
hackers.

Over the last years, network-based intrusions have increased exponentially,

due to the popularity of scripted or automated attack tools. This increase in
intrusions has rekindled interest in honeypot systems, which can be used to
trap and decode the attack methods used by the black hat community.

5
 6

Definition of Honeypots

Honeypots are an exciting new technology with enormous potential

for the security community. The first step to understanding honeypots
is defining what a honeypot is unlike firewalls or Intrusion Detection
Systems, honeypots do not solve a specific problem. Instead, they
are a highly flexible tool that comes in many shapes and sizes... It is
also this flexibility that can make them challenging to define and
understand. Honey pots can be defined as

A honeypot is an information system resource whose value lies in

unauthorized or illicit use of that resource.

This is a general defintion covering all the different forms of

honeypots. We will be discussing in this report different examples of
honeypots and their value to security. All will fall under the definition
we use above; their value lies in the bad guys interacting with them.
Conceptually almost all honeypots work they same. They are a
resource that has no authorized activity; they do not have any
production value. Theoreticlly, a honeypot should see no traffic
because it has no legitimate activity. This means any interaction with
a honeypot is most likely unauthorized or malicious activity. Any
connection attempts to a honeypot are most likely a probe, attack, or
compromise.

6
 7

Honeypots are a highly flexible security tool with different applications

for security. They don't fix a single problem. Instead they have
multiple uses, such as prevention, detection, or information gathering.
Honeypots all share the same concept: a security resource that
should not have any production or authorized activity. In other words,
deployment of honeypots in a network should not affect critical
network services and applications. A honeypot is a security resource
whose value lies in being probed, attacked, or compromised.

There are two general types of

honeypots: production and research. Production honeypots are easy
to use, capture only limited information, and are used primarily by
companies or corporations. Research honeypots are complex to
deploy and maintain, capture extensive information, and are used
primarily by research, military, or government organizations.

One example of a honeypot is a system used to simulate

one or more network services that you designate on your
computer's ports. An attacker assumes you're running
vulnerable services that can be used to break into the
machine. This kind of honeypot can be used to log access
attempts to those ports including the attacker's keystrokes.
This could give you advanced warning of a more concerted
attack.

Types of honeypots

Honeypots comes in many shapes

and sizes. To help us better understand honeypots and all the
different types, we break them down into two general categories,

1. Low-interaction honeypots
2. High-interaction honeypots

7
 8

Low-interaction honeypots

These categories help us

understand what type of honeypot we are dealing with, its strengths,
and weaknesses. Interaction defines the level of activity a honeypot
allows an attacker. Low-interaction honeypots have limited
interaction; they normally work by emulating services and operating
systems. Attacker activity is limited to the level of emulation by the
honeypot. These honeypots tend to be easier to deploy and maintain,
with minimal risk. Usually they involve installing software, selecting
the operating systems and services we want to emulate and monitor,
and letting the honeypot go from there. This plug and play approach
makes deploying them very easy for most organizations. Also, the
emulated services mitigate risk by containing the attacker's activity,
the attacker never has access to an operating system to attack or
harm others. The main disadvantages with low interaction honeypots
is that they log only limited information and are designed to capture
known activity. The emulated services can only do so much. Also, it’s
easier for an attacker to detect a low-interaction honeypot, no matter
how good the emulation is, skilled attacker can eventually detect their
presence. Examples of low-interaction honeypots include
Specter,Honeyd, and KF sensor

Honeyd: Low-interaction honeypot

Honeyd is a low-interaction
honeypot. Developed by Niels Provos, Honeyd is Open Source and
designed to run primarily on UNIX systems (though it has been
ported to Windows). Honeyd works on the concept of monitoring
unused IP space. Anytime it sees a connection attempt to an unused
IP, it intercepts the connection and then interacts with the attacker,
pretending to be the victim. By default, Honeyd detects and logs any
connection to any UDP or TCP port. In addition, you can configure
emulated services to monitor specific ports, such as an emulated FTP
server monitoring TCP port 21. When an attacker connects to the
emulated service, not only does the honeypot detect and log the
activity, but it captures all of the attacker's interaction with the
emulated service. In the case of the emulated FTP server, we can
potentially capture the attacker's login and password, the commands

8
 9

they issue, and perhaps even learn what they are looking for or their
identity. It all depends on the level of emulation by the honeypot.
Most emulated services work the same way. They expect a specific
type of behavior, and then are programmed to react in a
predetermined way. If attack A does this, then react this way. If attack
B does this, then respond this way. The limitation is if the attacker
does something that the emulation does not expect, then it does not
know how to respond. Most low-interaction honeypots, including
Honeyd, simply generate an error message.

High-interaction honeypots

High-interaction honeypots are

different; they are usually complex solutions as they involve real
operating systems and applications. Nothing is emulated; we give
attackers the real thing. If you want a Linux honeypot running an FTP
server, you build a real Linux system running a real FTP server. The
advantages with such a solution are two fold. First, you can capture
extensive amounts of information... The second advantage is high-
interaction honeypots make no assumptions on how an attacker will
behave. Instead, they provide an open environment that captures all
activity. This allows high-interaction solutions to learn behavior we
would not expect. An excellent example of this is how a Honeynet).
However, this also increases the risk of the honeypot as attackers
can use this real operating system to attack non-honeypot systems.
As result, additional technologies have to be implement that prevent
the attacker from harming other non-honeypot systems. In general,
high-interaction honeypots can do everything low-interaction
honeypots can do and much more. However, they can be more
complex to deploy and maintain. Examples of high-interaction
honeypots include honeynets.

Honeynets: High-interaction honeypot

Honeynets are a prime example of

high-interaction honeypot. Honeynets are not a product, they are not
a software solution that you install on a computer. Instead, Honeyents
are an architecture, an entire network of computers designed to
attacked. The idea is to have an architecture that creates a highly

9
 10

controlled network, one where all activity is controlled and captured.

Within this network we place our intended victims, real computers
running real applications. The bad guys find, attack, and break into
these systems on their own initiative. When they do, they do not
realize they are within a Honeynet. All of their activity, from encrypted
SSH sessions to emails and files uploads, are captured without them
knowing it. This is done by inserting kernel modules on the victim
systems that capture all of the attacker's actions. At the same time,
the Honeynet controls the attacker's activity. Honeynets do this using
a Honeywall gateway. This gateway allows inbound traffic to the
victim systems, but controls the outbound traffic using intrusion
prevention technologies. This gives the attacker the flexibility to
interact with the victim systems, but prevents the attacker from
harming other non-Honeynet computers. An example of such a
deployment can be seen in Figure 1.

How honeynets are connected to main server

10
 11

Figure 1

Value of Honeypots
Now that we have understanding
of two general categories of honepyots, we can focus on their value.
Specifically, how we can use honeypots. Once again, we have two
general categories, honeypots can be used for production purposes
or research. When used for production purposes, honeypots are
protecting an organization. This would include preventing, detecting,
or helping organizations respond to an attack. When used for
research purposes, honeypots are being used to collect information.
This information has different value to different organizations. Some
may want to be studying trends in attacker activity, while others are
interested in early warning and prediction, or law enforcement. In
general, low-interaction honeypots are often used for production
purposes, while high-interaction honeypots are used for research
purposes. However, either type of honeypot can be used for either
purpose. When used for production purposes, honeypots can protect
organizations in one of three ways; prevention, detection, and
response. We will take a more in-depth look at how a honeypot can
work in all three.

Now that we discuss different types of honeypots and and their value,
lets discuss some examples. The more a honeypot can do and the
more an attacker can do to a honeypot, the more information can be
derived from it. However, by the same token, the more an attacker
can do to the honeypot, the more potential damage an attacker can
do. For example, a low interaction honeypot would be one that is
easy to install and simply emulates a few services. Attackers can merely
scan, and potentially connect to several ports. Here the information is
limited (mainly who connected to what ports when) however there is little
that the attacker can exploit. On the other extreme would be high interaction
honeypots. These would be actual systems. We can learn far much more, as
there is an actual operating system for the attacker to compromise and
interact with, however there is also a far greater level of risk, as the attacker
has an actual operating system to work with. Neither solution is a better
honeypot. It all depends on what you are attempting to achieve. Remember,

11
 12

honeypots are not a solution. Instead, they are a tool. Their value depends on
what your goal is, from early warning and detection to research. Based on
'level of interaction', lets compare some possible honeypot solutions.

For this report we will discuss three more honeypots. There are a variety of
other possible honeypots, however this selection covers a range of options.
We will cover Specter, Honeyd, homemade honeypots, Mantrap, and
Honeynets. This paper is not meant to be a comprehensive review of these
products. I only highlight some of their features. Instead, I hope to cover the
different types of honeypots, how they work, and demonstrate the value they
add and the risks involved. If you wish to learn more about the capabilities
of these solutions, I highly recommend you try them out on your own in a
controlled, lab environment.

Specter

Specter is a commercial product 'low interaction'

production honeypot. It can emulate a far greater range of services and
functionality. In addition, not only can it emulate services, but emulate a
variety of operating systems. It is easy to implement and low risk. Specter
works by installing on a Windows system. The risk is reduced as there is no
real operating system for the attacker to interact with. For example, Specter
can emulate a webserver or telent server of the operating system of ours
choice. When an attacker connects, it is then prompted with an http header
or login banner. The attacker can then attempt to gather web pages or login
to the system. This activity is captured and recorded by Specter, however
there is little else the attacker can do. There is no real application for the
attacker to interact with, instead just some limited, emulated functionality.
Specters value lies in detection. It can quickly and easily determine who is
looking for what. As a honeypot, it reduces both false positives and false
negatives, simplifying the detection process. Specter also support a variety
of alerting and logging mechanisms. One of the unique features of Specter is
that it also allows for information gathering, or the automated ability to
gather more information about the attacker. Some of this information

12
 13

gathering is relatively passive, such as DNS lookups. However, some of

this research is active, such as port scanning the attacker. While this
intelligence functionality may be of value, many times you do not want the
attacker to know he is being watched. Be careful when implementing any
active, automated responses to the attacker.

Homemade Honeypots

Another common honeypot is

homemade. These honeypots tend to be low interaction. Their purpose is
usually to capture specific activity, such as Worms or scanning activity.
These can be used as production or research honeypots, depending on their
purpose. Once again, there is not much for the attacker to interact with,
however the risk is reduced because there is less damage the attacker can do.
One common example is creating a service that listens on port 80 (http)
capturing all traffic to and from the port. This is commonly done to capture
Worm attacks. One such implementation would be using netcat, as follows:

Homemade honeypots can be modified to do (and emulate) much more,

requiring a higher level of invovlement, and incurring a higher level of risk.
For example, FreeBSD has a jail functionality, allowing an administrator to
create a controlled environment within the operating system. The attacker
can then interact with this controlled environment. The value here is the
more the attacker can do, the more can be potentially learned. However, care
must be taken, as the more functionality the attacker can interact with, the
more can go wrong, with the honeypot potentially compromised.

Mantrap

Mantrap is a commercial honeypot. Instead of

emulating services, Mantrap creates up to four sub-systems, often called
'jails'. These 'jails' are logically discrete operating systems separated from a
master operating system. This makes the honeypot far more flexible, as it
can do much more. The attacker has a full operating system to interact with,
and a variety of applications to attack. All of this activity is then captured
and recorded. Not only can we detect port scans and telnet logins, but we
can capture rootkits, application level attacks, IRC chat session, and a

13
 14

variety of other threats. However, just as far more can be learned, so can
more go wrong. Once compromised, the attacker can use that fully
functional operating system to attack others. Care must be taken to mitigate
this risk. As such, I would categorize this as a mid-high level of interaction.
Also, these honeypots can be used as either a production honeypot (used
both in detection and reaction) or a research honeypot to learn more about
threats. There are limitations to this solution. The biggest one is you are
limited to what the vendor supplies you. Currently, Mantrap only exists on
Solaris operating system.

How honeypots works?

According to the Lance Spitzener

definition of the security it lies in the three regions.

1> Prevention

2 >Detection

3 >Reaction

Prevention
Honeypots add little value to prevention, honeypots
will not help keep the bad guys out. What will keep the bad guys out are
best practices, such as disabling unneeded or insecure services, using strong
authentication mechanisms. It is the best practices and procedures such as
these that will keep the bad guys out. A honeypot, a system to be
compromised, will not help keep the bad guys out. In fact, if incorrectly
implemented, a honeypot may make it easier for an attacker to get in.

Some individuals have discussed the value of deception as a method to deter

attackers. The concept is to have attackers spend time and resource attacking
honeypots, as opposed to attacking production systems. The attacker is
deceived into attacking the honeypot, protecting production resources from
attack. While this may prevent attacks on production systems, most
organizations are much better off spending their limited time and resources
on securing their systems, as opposed to deception. Deception may

14
 15

contribute to prevention, but organization will most likely get greater

prevention putting the same time and effort into security best practices.

Also, deception fails against two of the most common attacks today;
automated toolkits and worms. Today, more and more attacks are
automated. These automated tools will probe, attack, and exploit anything
they can find vulnerable. Yes, these tools will attack a honeypot, but they
will also just as quickly attack every other system in our organization. If we
have a coffee pot with an IP stack, it will be attacked. Deception will not
prevent these attacks, as there is no consciously acting individual to deceive.
Organizations are better off focusing their resources on security best
practices.

Detection
While honeypots add little value to prevention, for many
organizations, it is extremely difficult to detect attacks. Often organizations
are so overwhelmed with production activity, such as gigabytes of system
logging, that it can be extremely difficult to detect when a system is
attacked, or even when successfully compromised. Intrusion Detection
Systems (IDS) are one solution designed for detecting attacks. However,
IDS administrators can be overwhelmed with false positives. False positives
are alerts that were generated when the sensor recognized the configured
signature of an "attack", but in reality was just valid traffic. The problem
here is that system administrators may receive so many alerts on a daily
basis that they cannot respond to all of them. Also, they often become
conditioned to ignore these false positive alerts as they come in day after
day, similar to the story of "the boy who cried wolf". The very IDS sensors
that they were depending on to alert them to attacks can become ineffective
unless these false positives are reduced. This does not mean that honeypots
will never have false positives, only that they will be dramatically fewer
than with most IDS implementations.

Another risk is false negatives, when IDS systems fail to detect a valid
attack. Many IDS systems, whether they are signature based, protocol
verification, etc, can potentially miss new or unknown attacks. It is likely
that a new attack will go undetected by currently IDS methodologies. Also,
new IDS evasion methods are constantly being developed and distributed.

15
 16

Honeypots address false negatives as they are not easily evaded or defeated
by new exploits. In fact, one of their primary benefits is that they can most
likely detect when a compromise occurs via a new or unknown attack by
virtue of system activity, not signatures. Administrators also do not have to
worry about updating a signature database or patching anamoly detection
engines. Honeypots happily capture any attacks thrown their way. As
discussed earlier though, this only works if the honeypot itself is attacked.

Honeypots can simplify the detection process. Since honeypots have no

production activity, all connections to and from the honeypot are suspect by
nature. By definition, anytime a connection is made to your honeypot, this is
most likely an unauthorized probe, scan, or attack. Anytime the honeypot
initiates a connection, this most likely means the system was successfully
compromised. This helps reduce both false positives and false negatives
greatly simplifying the detection process. By no means should honeypots
replace your IDS systems or be your sole method of detection. However,
they can be a powerful tool to complement your detection capabilities.

Reaction
Though not commonly considered, honeypots also add value
to reaction. Often when a system within an organization is compromised, so
much production activity has occurred after the fact that the data has
become polluted. Incident response team cannot determine what happened
when users and system activity have polluted the collected data. For
example, I have often come onto sites to assist in incident response, only to
discover that hundreds of users had continued to use the compromised
system. Evidence is far more difficult to gather in such an environment.

The second challenge many organizations face after an incident is that

compromised systems frequently cannot be taken off-line. The production
services they offer cannot be eliminated. As such, incident response teams
cannot conduct a proper or full forensic analysis.

Honeypots can add value by reducing or eliminating both problems. They

offer a system with reduced data pollution, and an expendable system that
can be taken off-line. For example, let’s say an organization had three web
servers, all of which were compromised by an attacker. However,
management has only allowed us to go in and clean up specific holes. As
such, we can never learn in detail what failed, what damage was done, is

16
 17

there attacker still had internal access, and if we were truly successful in
cleanup.

However, if one of those three systems was a honeypot, we would now have
a system we could take off-line and conduct a full forensic analysis. Based
on that analysis, we could learn not only how the bad guy got in, but what
he did once he was in there. These lessons could then be applied to the
remaining web servers, allowing us to better identify and recover from the
attack.

Research
As discussed at the beginning, there are two categories for
honeypots; production and research. We have already discussed how
production honeypots can add value to an organization. We will now discuss
how research honeypots add value.

One of the greatest challenges the security community faces is lack of

information on the enemy. Questions like who is the threat, why do they
attack, how do they attack, what are their tools, and possibly when will they
attack? It is questions like these the security community often cannot
answer. For centuries military organizations have focused on information
gathering to understand and protect against an enemy. To defend against a
threat, you have to first know about it. However, in the information security
world we have little such information.

Honeypots can add value in research by giving us a platform to study the

threat. What better way to learn about the bad guys then to watch them in
action, to record step-by-step as they attack and compromise a system. Of
even more value is watching what they do after they compromise a system,
such as communicating with other black hats or uploading a new tool kit. It
is this potential of research that is one of the most unique characteristics of
honeypots. Also, research honeypots are excellent tools for capturing
automated attacks, such as auto rooters or Worms. Since these attacks target
entire network blocks, research honeypots can quickly capture these attacks
for analysis.

Advantages of honeypots

17
 18

There are so many advantages of using honeypots as security

agents it will make the security arrangement strong by the use of
various IDS and fire walls. Some of them are very powerful and
strong.

• Small data sets of high value: Honeypots collect small amounts

of information. Instead of logging a one GB of data a day, they
can log only one MB of data a day. Instead of generating
10,000 alerts a day, they can generate only 10 alerts a day.
Remember, honeypots only capture bad activity, any interaction
with a honeypot is most likely unauthorized or malicious activity.
As such, honeypots reduce 'noise' by collection only small data
sets, but information of high value, as it is only the bad guys.
This means it’s much easier (and cheaper) to analyze the data
a honeypot collects and derives value from it.
• New tools and tactics: Honeypots are designed to capture
anything thrown at them, including tools or tactics never seen
before.
• Minimal resources: Honeypots require minimal resources, they
only capture bad activity. This means an old Pentium computer
with 128MB of RAM can easily handle an entire class B
network sitting off an OC-12 network.
• Encryption or IPv6: Unlike most security technologies (such as
IDS systems) honeypots work fine in encrypted or IPv6
environments. It does not matter what the bad guys throw at a
honeypot, the honeypot will detect and capture it.
• Information: Honeypots can collect in-depth information that
few, if any other technologies can match.
• Simplicity: Finally, honeypots are conceptually very simple.
There are no fancy algorithms to develop, state tables to
maintain, or signatures to update. The simpler a technology, the
less likely there will be mistakes or misconfigurations.

Disadvantages of honeypots

Like any technology, honeypots

also have their weaknesses. It is because of this they do not replace
any current technology, but work with existing technologies.

18
 19

• Limited view: Honeypots can only track and capture activity that
directly interacts with them. Honeypots will not capture attacks
against other systems, unless the attacker or threat interacts
with the honeypots also.
• Risk: All security technologies have risk. Firewalls have risk of
being penetrated, encryption has the risk of being broken, IDS
sensors have the risk of failing to detect attacks. Honeypots are
no different, they have risk also. Specifically, honeypots have
the risk of being taken over by the bad guy and being used to
harm other systems. This risk varies for different honeypots.
Depending on the type of honeypot, it can have no more risk
then an IDS sensor, while some honeypots have a great deal of
risk.

Differences between High and Low interaction honeypots

There is even an easy

deployment of Honeyd on Linux computers. Low-interaction
honeypots have the advantage of being easier to deploy and little
risk, as they contain the activity of the attacker. Once you have had
an opportunity to work with low-interaction solutions, you can take the
skills and understanding you have developed and work with high-
interaction solutions. To help you better understand honeypots, below
is a chart summarizing what we just covered.

Low-interaction High-interaction

19
 20

Solution emulates No emulation, real

operating systems and operating systems and
services. services are provided.
• Easy to install and
deploy. Usually • Can capture far more
requires simply information, including
installing and new tools,
configuring communications, or
2software on a attacker keystrokes.
computer. • Can be complex to
• Minimal risk, as the install or deploy
emulated services (commercial versions
control what tend to be much
attackers can and simpler).
cannot do. • Increased risk, as
• Captures limited attackers are
amounts of provided real
information, mainly operating systems to
transactional data interact with
and some limited
interaction.

Finally, no paper on honeypots would be complete without a

discussion about legal issues. There are many misconnects about the
legal issues of honeypots. Instead of briefly covering the legal issues
in this paper, I will be releasing a new paper at the end of May, 2003
dedicated to the legal issues of honeypot technologies.

What are the legal issues of honeypots?

As a new technology, people often ask

what the legal issues of honeypots are. While honeypots are not
specifically addressed in federal statutes or regulation, the following
issues can be seen as a starting point. For specific information, refer
to the paper Honeypots: Are They Illegal?

20
 21

• Liability: We can potentially be held liable if your honeypot is

used to attack or harm other systems or organizations. This risk
is the greatest with high-interaction honeypots.

• Privacy: Honeypots can capture extensive amounts of

information about attackers, which can potentially violate their
privacy, such as IRC chats or emails. This could violate the
privacy of the attacker, or more likely people he is
communicating with. Once again, this risk is primarily with high-
interaction honeypots.

• Entrapment: For some odd reason, many people are concerned

with the issue of entrapment. Entrapment is a legal defense
used to avoid a conviction, you cannot be charged with
entrapment. Most legal experts believe that entrapment is not
an issue for honeypots

Conclusion

The purpose of this seminar report is to define what honeypots are

and their value to the security community. We identified two different
types of honeypots, low-interaction and high-interaction honeypots.
Interaction defines how much activity a honeypot allows an attacker.
The value of these solutions is both for production or research
purposes. Honeypots can be used for production purposes by
preventing, detecting, or responding to attacks. Honeypots can also
be used for research, gathering information on threats so we can
better understand and defend against them. If you are interested in
learning more about honeypots, you may want to consider the book,
the first and only book dedicated to honeypot technologies.

21
 22

References

http://www.tracking-hackers.com/papers/honeypots.html

http://www.securityfocus.com/infocus/1757

http://www.securitywizardry.com/honeypots.html

http://en.wikipedia.org/wiki/Honeypot

http://www.honeynet.org/papers/honeynet/

22