Nettime mailing list archives

<nettime> Honeypots and the Honeynet Project
nettime's roving reporter on Wed, 27 Jun 2001 19:53:50 +0200 (CEST)

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

<nettime> Honeypots and the Honeynet Project

[via: Felix Stalder <felix {AT} openflows.org>]

From: Bruce Schneier <schneier {AT} counterpane.com>
CRYPTO-GRAM June 15, 2001
Back issues are available at


       Honeypots and the Honeynet Project

 In warfare, information is power. The better you understand your enemy,
the more able you are to defeat him. In the war against malicious hackers,
network intruders, and the other black-hat denizens of cyberspace, the
good guys have suprisingly little information. Most security
professionals, even those designing security products, are ignorant of the
tools, tactics, and motivations of the enemy. And this state of affairs is
to the enemy's advantage.

The Honeynet Project was initiated to shine a light into this darkness.
This team of researchers has built an entire computer network and
completely wired it with sensors. Then it put the network up on the
Internet, giving it a suitably enticing name and content, and recorded
what happened. (The actual IP address is not published, and changes
regularly.) Hackers' actions are recorded as they happen: how they try to
break in, when they are successful, what they do when they succeed.

The results are fascinating. A random computer on the Internet is scanned
dozens of times a day. The life expectancy of a default installation of
Red Hat 6.2 server, or the time before someone successfully hacks it, is
less than 72 hours. A common home user setup, with Windows 98 and file
sharing enabled, was hacked five times in four days. Systems are subjected
to NetBIOS scans an average of 17 times a day. And the fastest time for a
server being hacked: 15 minutes after plugging it into the network.

The moral of all of this is that there are a staggering number of people
out there trying to break into *your* computer network, every day of the
year, and that they succeed surprisingly often. It's a hostile jungle out
there, and network administrators that don't take drastic measures to
protect themselves are toast.

The Honeynet Project is more than a decoy network of computers; it is an
ongoing research project into the modus operandi of predatory hackers. The
project currently has about half a dozen honeynets in operation. Want to
try this in your own network? Several companies sell commercial versions,
much simpler, of what the Honeynet Project is doing. Called "honeypots,"
they are designed to be installed on an organization's network as a decoy.
In theory, hackers find the honeypot and waste their time with it, leaving
the real network alone.

I am not sold on this as a commercial product. Honeynets and honeypots
need to be tended; they're not the kind of product you can expect to work
out of the box. Commercial honeypots only mimic an operating system or
computer network; they're hard to install correctly and much easier to
detect than the Honeynet Project's creations. And what's the point? You'd
be smarter to monitor activity on your real network and leave off the
honeypot. If you're interested in learning about hackers and how they
work, by all means purchase a honeypot and take the time to use it
properly. But if you're just interested in protecting your own network,
you'd be better off spending the time on other things.

The Honeynet Project, on the other hand, is pure research. And I am a
major fan. The stuff they produce is invaluable, and there's no other
practical way to get it. When an airplane falls out of the sky, everyone
knows about it. There is a very public investigation, and any airline
manufacturer can visit the National Traffic Safety Board and read the
multi-hundred-page reports on all recent airline crashes. And any airline
can use that information to design better aircraft. When a network is
hacked, it almost always remains a secret. More often than not, the victim
has no idea he's been hacked. If he does know, there is enormous market
pressure on him not to go public with the fact. And if he does go public,
he almost never releases detailed information about how the hack happened
and what the results were.

This paucity of real information makes it much harder to design good
security products. The Honeynet Project team is working to change that. I
urge everyone involved in computer security to visit their Web site. Great
stuff, and it's all real.


The "Know Your Enemy" series of essays:


** *** ***** ******* *********** *************


Copyright (c) 2001 by Counterpane Internet Security, Inc.

#  distributed via <nettime>: no commercial use without permission
#  <nettime> is a moderated mailing list for net criticism,
#  collaborative text filtering and cultural politics of the nets
#  more info: majordomo {AT} bbs.thing.net and "info nettime-l" in the msg body
#  archive: http://www.nettime.org contact: nettime {AT} bbs.thing.net