Wednesday, March 01, 2006

Honeyd, the virtual honeypot

A fun paper by Googler Niels Provos, "A Virtual Honeypot Framework", has the clever idea of creating simulated networks and network hosts to detect hacking attempts:
One way to get early warnings of new vulnerabilities is to install and monitor computer systems on a network that we expect to be broken into. Every attempt to contact these systems via the network is suspect.

We call such a system a honeypot. If a honeypot is compromised, we study the vulnerability that was used to compromise it.

A physical honeypot is a real machine with its own IP address. A virtual honeypot is simulated by another machine that responds to network traffic ... Virtual honeypots are attractive because they require fewer computer systems, which reduces maintenance costs.
Honeyd is pretty clever, cheaply simulating network structures and the network stacks of various versions of operating systems.

Of course, you could do something like this with virtual machines -- running several operating systems and sandboxes on the same physical hardware -- but Honeyd is lightweight, allowing a single machine to present a complicated nest of many thousands of virtual targets to attackers.
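To make the "cheaply simulating network structures and network stacks" point concrete, here is a constructed Honeyd configuration as an added example; it is not from the post or from the Honeyd project. The addresses are made up, the personality strings must match entries in Honeyd's nmap fingerprint file and are assumptions here, and the service script paths are placeholders.

```text
# Constructed Honeyd configuration (added example; not from the post or the
# Honeyd project). Addresses, personality names and script paths are assumptions.

# Anything not explicitly bound falls back to a silent template, so stray
# probes against unused addresses see nothing at all.
create default
set default default tcp action block
set default default udp action block
set default default icmp action block

# A virtual Windows host: Honeyd answers probes with this fingerprint's stack
# quirks, so OS detection sees the personality rather than the real machine.
create windows
set windows personality "Microsoft Windows XP Professional SP1"   # assumed fingerprint name
set windows default tcp action reset
set windows default udp action reset
add windows tcp port 80 "sh scripts/web.sh"      # assumed service script path
add windows tcp port 139 open
add windows tcp port 445 open

# A virtual Linux host exposing a scripted SSH service.
create linux
set linux personality "Linux 2.4.20"              # assumed fingerprint name
set linux default tcp action reset
add linux tcp port 22 "sh scripts/ssh.sh"         # assumed service script path

# Simulated topology: a router in front of two subnets, with latency and loss,
# so ping and traceroute report a network that does not physically exist.
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 20ms loss 0.5
route 10.0.1.1 link 10.0.1.0/24

# Bind templates to addresses; many addresses can share one template,
# which is what makes thousands of virtual targets cheap.
bind 10.0.0.10 windows
bind 10.0.0.11 windows
bind 10.0.1.20 linux
```

With a file like this, one honeyd process started in the foreground (for example `honeyd -d -f honeyd.conf 10.0.0.0/16`, with the unused addresses claimed on the LAN so traffic for them reaches the honeyd host) presents every bound address as a separate host. Because nothing legitimate should ever talk to these addresses, every logged connection is a lead worth investigating, which is exactly the detection property the quoted paper describes.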

By the way, if you like this kind of security goo as much as I do, you should check out Bruce Schneier's weblog, "Schneier on Security". It's a great resource.
