Bruce Schneier on Wed, 27 Jun 2001 05:56:25 +0200 (CEST)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Nettime-bold] Honeypots and the Honeynet Project

[via: Felix Stalder <>]

CRYPTO-GRAM June 15, 2001
Back issues are available at


       Honeypots and the Honeynet Project

 In warfare, information is power. The better you understand your enemy,
the more able you are to defeat him. In the war against malicious hackers,
network intruders, and the other black-hat denizens of cyberspace, the good
guys have suprisingly little information. Most security professionals, even
those designing security products, are ignorant of the tools, tactics, and
motivations of the enemy. And this state of affairs is to the enemy's

The Honeynet Project was initiated to shine a light into this darkness.
This team of researchers has built an entire computer network and
completely wired it with sensors. Then it put the network up on the
Internet, giving it a suitably enticing name and content, and recorded what
happened. (The actual IP address is not published, and changes regularly.)
Hackers' actions are recorded as they happen: how they try to break in,
when they are successful, what they do when they succeed.

The results are fascinating. A random computer on the Internet is scanned
dozens of times a day. The life expectancy of a default installation of Red
Hat 6.2 server, or the time before someone successfully hacks it, is less
than 72 hours. A common home user setup, with Windows 98 and file sharing
enabled, was hacked five times in four days. Systems are subjected to
NetBIOS scans an average of 17 times a day. And the fastest time for a
server being hacked: 15 minutes after plugging it into the network.

The moral of all of this is that there are a staggering number of people
out there trying to break into *your* computer network, every day of the
year, and that they succeed surprisingly often. It's a hostile jungle out
there, and network administrators that don't take drastic measures to
protect themselves are toast.

The Honeynet Project is more than a decoy network of computers; it is an
ongoing research project into the modus operandi of predatory hackers. The
project currently has about half a dozen honeynets in operation. Want to
try this in your own network? Several companies sell commercial versions,
much simpler, of what the Honeynet Project is doing. Called "honeypots,"
they are designed to be installed on an organization's network as a decoy.
In theory, hackers find the honeypot and waste their time with it, leaving
the real network alone.

I am not sold on this as a commercial product. Honeynets and honeypots need
to be tended; they're not the kind of product you can expect to work out of
the box. Commercial honeypots only mimic an operating system or computer
network; they're hard to install correctly and much easier to detect than
the Honeynet Project's creations. And what's the point? You'd be smarter to
monitor activity on your real network and leave off the honeypot. If you're
interested in learning about hackers and how they work, by all means
purchase a honeypot and take the time to use it properly. But if you're
just interested in protecting your own network, you'd be better off
spending the time on other things.

The Honeynet Project, on the other hand, is pure research. And I am a major
fan. The stuff they produce is invaluable, and there's no other practical
way to get it. When an airplane falls out of the sky, everyone knows about
it. There is a very public investigation, and any airline manufacturer can
visit the National Traffic Safety Board and read the multi-hundred-page
reports on all recent airline crashes. And any airline can use that
information to design better aircraft. When a network is hacked, it almost
always remains a secret. More often than not, the victim has no idea he's
been hacked. If he does know, there is enormous market pressure on him not
to go public with the fact. And if he does go public, he almost never
releases detailed information about how the hack happened and what the
results were.

This paucity of real information makes it much harder to design good
security products. The Honeynet Project team is working to change that. I
urge everyone involved in computer security to visit their Web site. Great
stuff, and it's all real.


The "Know Your Enemy" series of essays:


** *** ***** ******* *********** *************


Copyright (c) 2001 by Counterpane Internet Security, Inc.

Nettime-bold mailing list