Introduction
Honeynets are typically deployed by large corporations, which redirect traffic that is not destined for production services to a heavily monitored subnet of honeypots, often at a remote location. This lowers the corporation's overhead in two ways: it does not have to manage the honeypots itself, and illegitimate traffic is kept apart from the production environment. Any subsequent attacks play out against the honeypots, with analysis and reporting performed by third-party consultants.
While this kind of technology is well within the reach of well-capitalized businesses, most smaller businesses and organizations simply do not have the means to employ such a defense. In fact, smaller organizations and individuals may be tempted to implement a few honeypots, thinking that simple alerts protect them. But the truth of the matter is that the information gleaned from such a limited installation base is not useful in the grand scheme of network defense. It is not the individual attack data that should influence network policy, but rather the meta-data that, through statistical analysis and trending, outlines the principal vulnerabilities being exploited. Only with that breadth of data can we say with any confidence how probable one kind of attack is relative to another.
Because we want to analyze meta-data instead of individual alerts, we need to build an open infrastructure for honeynets that allows network administrators and data analysts to collaborate. To achieve this end, we need a robust network infrastructure that lets mutually distrusting parties work together and learn about global attacks while ensuring the integrity of the shared data and protecting each participant's proprietary secrets. While projects such as airCERT and The Honeynet Project have built common tools for IDS data collection and analysis, they have not provided a complete package and plan for collaboration.
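The two requirements above, pooling alerts for statistical trending while keeping participants' internals secret and the shared records tamper-evident, can be sketched in a few dozen lines. The following Python is an added illustration, not code or a record format from the Distributed Honeynets Project, airCERT or The Honeynet Project. It assumes a hypothetical arrangement in which each sensor holds a site-local key (never shared) used to pseudonymize its own victim addresses before export, plus a per-sensor key registered with the collector, under which it MACs every record; the collector verifies the MAC before pooling. The key material, field names and alert lines are all constructed for the example.

```python
"""Pooling honeypot alerts from mutually distrusting sites (added example).

Not the Distributed Honeynets Project's own code. Victim addresses are
pseudonymized with a site-local key so other participants learn the attack
pattern but not the site's internal addressing; each record carries an HMAC
under a per-sensor key shared only with the collector, so altered or
unregistered records are dropped before they can skew the pooled statistics.
"""
import hashlib
import hmac
import json
import math
from collections import Counter, defaultdict

# Hypothetical per-sensor keys registered with the collector (constructed).
SENSOR_KEYS = {
    "site-a": b"site-a-collector-key",
    "site-b": b"site-b-collector-key",
    "site-c": b"site-c-collector-key",
}

# Site-local pseudonymization keys; these never leave the site (constructed).
SITE_LOCAL_KEYS = {
    "site-a": b"site-a-private-pseudonym-key",
    "site-b": b"site-b-private-pseudonym-key",
    "site-c": b"site-c-private-pseudonym-key",
}

# Constructed raw alerts as each sensor sees them: (sensor, ts, signature, src, dst).
RAW_ALERTS = [
    ("site-a", 1000, "SSH brute force", "198.51.100.7", "10.0.1.5"),
    ("site-a", 1010, "SMB probe", "203.0.113.9", "10.0.1.6"),
    ("site-a", 1020, "SSH brute force", "198.51.100.7", "10.0.1.5"),
    ("site-b", 1005, "SSH brute force", "198.51.100.7", "172.16.4.2"),
    ("site-b", 1015, "HTTP scanner", "192.0.2.33", "172.16.4.3"),
    ("site-b", 1025, "SSH brute force", "203.0.113.44", "172.16.4.2"),
    ("site-c", 1003, "SMB probe", "203.0.113.9", "192.168.9.10"),
    ("site-c", 1013, "SSH brute force", "198.51.100.7", "192.168.9.11"),
    ("site-c", 1023, "HTTP scanner", "192.0.2.33", "192.168.9.12"),
]


def pseudonymize(ip: str, site_key: bytes) -> str:
    """Keyed one-way mapping of an internal address: stable within a site, unlinkable across sites."""
    return hmac.new(site_key, ip.encode(), hashlib.sha256).hexdigest()[:16]


def canonical(record: dict) -> bytes:
    """Deterministic serialization so sensor and collector MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def sensor_export(sensor: str, ts: int, sig: str, src: str, dst: str) -> dict:
    """Sensor side: attacker IP and signature in the clear, victim pseudonymized, whole record MACed."""
    record = {"sensor": sensor, "ts": ts, "sig": sig, "src": src,
              "dst": pseudonymize(dst, SITE_LOCAL_KEYS[sensor])}
    record["tag"] = hmac.new(SENSOR_KEYS[sensor], canonical(record), hashlib.sha256).hexdigest()
    return record


def verify(record: dict) -> bool:
    """Collector side: recompute the MAC under the claimed sensor's registered key."""
    key = SENSOR_KEYS.get(record.get("sensor"))
    if key is None:
        return False
    body = {k: v for k, v in record.items() if k != "tag"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("tag", ""))


def pool(records):
    """Keep only verified records; return pooled counts, per-sensor counts and the rejects."""
    pooled, per_sensor, rejected = Counter(), defaultdict(Counter), []
    for r in records:
        if verify(r):
            pooled[r["sig"]] += 1
            per_sensor[r["sensor"]][r["sig"]] += 1
        else:
            rejected.append(r)
    return pooled, per_sensor, rejected


def wilson_interval(k: int, n: int, z: float = 1.96):
    """95% Wilson score interval for the share k/n of alerts carrying one signature."""
    if n == 0:
        return (0.0, 1.0)
    p = k / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def attack_shares(counts: Counter):
    """Estimated probability that the next alert carries each signature, with its interval."""
    n = sum(counts.values())
    return {sig: (k / n, *wilson_interval(k, n)) for sig, k in counts.items()}


if __name__ == "__main__":
    exported = [sensor_export(*a) for a in RAW_ALERTS]
    forged = dict(exported[0])          # altered in transit: signature swapped
    forged["sig"] = "HTTP scanner"
    pooled, per_sensor, rejected = pool(exported + [forged])
    print("rejected records:", len(rejected))
    for sensor, counts in per_sensor.items():
        print(sensor, attack_shares(counts))   # each site alone: wide intervals
    print("pooled", attack_shares(pooled))     # pooled: narrower intervals
```

Run stand-alone, the script shows the point of the paragraph above in numbers: a single site with three alerts can say almost nothing about the relative likelihood of the signatures it saw (its Wilson intervals span most of the unit interval), whereas the pooled counts tighten the estimate, and the intervals keep shrinking as more sensors contribute. The forged record is rejected because its tag no longer matches the claimed sensor's key, so a participant cannot inflate a signature's share in the shared statistics without that sensor's key; the pseudonymized `dst` field lets analysts still see that one victim host was hit repeatedly without learning the site's addressing.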
The Distributed Honeynets Project was established to help network administrators implement a coordinated Intrusion Detection System using open source software, with the added benefit of collaborative data analysis and the pooling of network alerts. Other goals of the project include:
- Lowering barriers of entry for participants by creating software distribution sets that meet the needs of the individual as well as the collective
- Educating network administrators about threat levels based on actual attacks rather than on the propaganda of the computer security media
- Establishing communication between network professionals that enables them to provide evidence for the apprehension and prosecution of attackers at large
