Foreword: Giving the Hackers a Kick Where It Hurts
I'm an unabashed Lance Spitzner fan. This is the guy whose cell phone voice message says
"I'm busy geeking out right now, but leave a message, and I'll get back to you as soon as I
" I don't know when he actually stops geeking out long enough to sleep. I sometimes
wonder if there are actually two of him. His enthusiasm for what he's doing bleeds over
into all aspects of his life. Ideas for cool stuff erupt from him like a volcano and swirl
around him, sucking in casual bystanders and students alike. It's somewhat intimidating to
share a stage with him at a conference. He makes just about everyone else look
uninteresting and tepid by comparison. Lance is a man who loves what he's doing, and
what he loves doing is tracking hackers, sharing that information, and making a difference.
A lot of people like to reserve the term "hacker" for the techno-elite computer hobbyist-
those media darlings often described as "misunderstood whiz-kids" or similar nonsense.
One of the great by-products of Lance's work with honeypots and honeynets is that he's
helped give us a much clearer picture of the hacker in action: often technically
unsophisticated kids playing around with technologies they barely understand. In
the Honeynet Project demonstrated just how active and unskilled most hackers
are. What's that-you don't believe it? Set up your own honeypot or honeynet and see for
yourself. This book gives you the necessary tools and concepts to do it!
I think it's a great thing for the security community that Lance has written this book. In the
past, the hackers roamed our networks with supreme confidence in their anonymity. They
take advantage of systems they've compromised to chat with their buddies safely or to
launch attacks against other systems and sites without fear of detection. Now, however,
they may pause to wonder if their bases of operation are safe-whether they're actually
planning their attacks and deploying their tricks under a microscope.
Honeypots are going to become a critical weapon in the good guys' arsenals. They don't
catch only the lame hackers. Sometimes they catch the new tools and are able to reduce
their effectiveness in the wild by letting security practitioners quickly react before they
become widespread. They don't catch just the script kiddies outside your firewall but the
hackers who work for your own company. They don't catch just unimportant stuff;
sometimes they catch industrial spies. They can be time- and effort-consuming to set up
and operate, but they're fun, instructive, and a terrific way for a good guy to gain an
education on computer forensics in a real-world, low-risk environment.
Right now there are about a half-dozen commercial honeypot products on the market.
Lance covers several of them in this book, as well as "homemade" honeypots and
honeynets, focusing on how they operate, their value, how to implement them, and their
respective advantages. I predict that within one year, there will be dozens of commercial
honeypots. Within two years, there will be a hundred. This is all good news for the good
guys because it'll make it easier for us to deploy honeypots and harder for the bad guys to
recognize and avoid them all. When you're trying to defend against an unknown new form
of attack, the best defense is an unknown new form of defense. Honeypots will keep the
hackers on their toes and, I predict, will do a lot to shatter their sense of invulnerability.
This book is a great place to start learning about the currently available solutions.
In this book Lance also tackles the confusion surrounding the legality of honeypots. Lots of
practitioners I've talked to are scared to dabble in honeypots because they're afraid it may
be considered entrapment or somehow illegal. It's probably a good idea to read the chapter
on legal issues twice. It may suprise you. Welcome to the cutting edge of technology,
where innovation happens and the law is slow to catch up to new concepts. Meanwhile,
you can bet that with renewed concerns about state-sponsored industrial espionage and
terrorism the "big boys" will be setting up honeypots of their own. I'd hate to be a script
kiddy who chose to launch his next attack from a CIA honeypot system! When the big
boys come into the honeypot arena, you can bet that they'll make sure it's legal.
The sheer variety and options for mischief with honeypots are staggering. (There is even a
honeypot for spam e-mails.) You can use the concepts in this book to deploy just about any
kind of honeypot you can imagine. Would you like to build a honeypot for collecting
software pirates? I don't think that's been done yet. How about a honeypot that measures
which hacking tools are most popular by tracking hits against an index page? I don't think
that's been done yet, either. The possibilities are endless, and I found it difficult to read this
book without thinking, "What if . . . ?" over and over again.
I hope you enjoy this book and I hope it inspires you to exercise your own creativity and
learn what the bad guys are up to and then share it with the security community. Then
follow Lance's lead, and make a difference.
-Marcus J. Ranum
It began as an innocent probe. A strange IP address was examining an unused service on
my system. In this case, a computer based in Korea was attempting to connect to a rpc
service on my computer. There is no reason why anyone would want to access this service,
especially someone in Korea. Something was definitely up. Immediately following the
probe, my Intrusion Detection System screamed an alert: An exploit had just been
launched. My system was under assault! Seconds after the attack, an intruder broke into my
computer, executed several commands, and took total control of the system. My computer
had just been hacked! I was elated! I could not have been happier.
Welcome to the exciting world of honeypots, where we turn the tables on the bad guys.
Most of the security books you read today cover a variety of concepts and technologies, but
almost all of them are about keeping blackhats out. This book is different: It is about
keeping the bad guys in-about building computers you
to be hacked. Traditionally,
security has been purely defensive. There has been little an organization could do to take
the initiative and challenge the bad guys. Honeypots change the rules. They are a
technology that allows organizations to take the offensive.
Honeypots come in a variety of shapes and sizes-everything from a simple Windows
system emulating a few services to an entire network of productions systems waiting to be
hacked. Honeypots also have a variety of values-everything from a burglar alarm that
detects an intruder to a research tool that can be used to study the motives of the blackhat
community. Honeypots are unique in that they are not a single tool that solves a specific
problem. Instead, they are a highly flexible technology that can fulfill a variety of different
roles. It is up to you how you want to use and deploy these technologies.
In this book, we explain what a honeypot is, how it works, and the different values this
unique technology can have. We then go into detail on six different honeypot technologies.
We explain one step at a time how these honeypot solutions work, discuss their advantages
and disadvantages, and show you what a real attack looks like to each honeypot. Finally,
we cover deployment and maintenance issues of honeypots. The goal of this book is not to
just give you an understanding of honeypot concepts and architecture but to provide you
with the skills and experience to deploy the best honeypot solutions for your environment.
The examples in the book are based on real-world experiences, and almost all of the attacks
discussed actually happened. You will see the blackhat community at their best, and some
of them at their worst. Best of all, you will arm yourself with the skills and knowledge to
track these attackers and learn about them on your own.
I have been using honeypots for many years, and I find them absolutely fascinating. They
are an exciting technology that not only teaches you a great deal about blackhats but also
teaches you about yourself and security in general. I hope you enjoy this book as much as I
have enjoyed writing and learning about honeypot technologies.
This book is intended for the security professional. Anyone involved in protecting or
securing computer resources will find this resource valuable. It is the first publication
dedicated to honeypot technologies, a tool that more and more computer security
professionals will want to take advantage of once they understand its power and flexibility.
Due to honeypots' unique capabilities, other individuals and organizations will be
extremely interested in this book. Military organizations can apply these technologies to
Cyberwarfare. Universities and security research organizations will find tremendous value
in the material concerning research honeypots. Intelligence organizations can apply this
book to intelligence and counterintelligence activities. Members of law enforcement can
use this material for the capturing of criminal activities. Legal professionals will find
Chapter 15 to be one of the first definitive resources concerning the legal issues of
A CD-ROM accompanies this book and contains additional information related to the
topics in the book. It includes everything from whitepapers and source code to actual
evaluation copies of software and data captures of real attacks. This will give you the
hands-on opportunity to develop your skills with honeypot technologies.
This book has a Web site dedicated to it. The purpose of the Web site is to keep this
material updated. If any discrepancies or mistakes are found in the book, the Web site will
have updates and corrections. For example, if any of the URLs in the book have been
changed or removed, the Web site will provide the updated links. Also, new technologies
are always being developed and deployed. You should periodically visit the Web site to
stay current with the latest in honeypot technologies.
Each chapter ends with a references section. The purpose is to provide you with resources
to gain additional information about topics discussed in the book. Examples of references
include Web sites that focus on securing operating systems and books that specialize in
This book contains network diagrams demonstrating the deployment of honeypots. These
diagrams show both production systems and honeypots deployed together within a
networked environment. All production systems and honeypots are standardized, so you
can easily tell them apart. All production systems are simple black-and-white computer
objects, as in Figure A. These are systems you do not want to be hacked.
Figure A. Two production systems deployed on a network
In contrast, all honeypots can easily be identified by shading and the lines going through
the system, as in Figure B.
Figure B. Two honeypots deployed on a network
About the Author
Lance Spitzner is a geek who constantly plays with computers, especially network security.
He loves security because it is a constantly changing environment. His love for tactics first
began in the U.S. Army, where he served both as an enlisted infantryman in the National
Guard and as an armor officer in the Rapid Deployment Force. Following the Army he
received his graduate degree and became involved in the world of information security.
Now he fights the enemy with IPv4 packets instead of 120mm SABOT rounds.
His passion is researching honeypot technologies and using them to learn more about the
bad guys. He is also actively involved with the security community. He is founder of the
Honeynet Project, moderator of the honeypot mail list, coauthor of
Know Your Enemy, and author of several whitepapers. He has also spoken at various conferences and
organizations, including Blackhat, SANS, CanSecWest, the Pentagon, the FBI Academy,
West Point, National Security Agency, and Navy War College. He is a senior security
architect for Sun Microsystems Inc.
You could say that I did not really write this book. What I did was put together a great
many concepts and technologies that I have been fortunate enough to learn from other
people. Without their patience and help, not only this book but my career and education
would not have been possible.
My sincere thanks go to the following.
The people who took the time to teach me when I was a neophyte. Kevin Figiel, you were
priceless. You explained to me what Unix and a network are. I'll never forget my first day
at work when you sat down and explained to me my first network diagram. The entire New
Logic team, including Carlos Talbot, Jeff Vosburg, Corey Borin, and Robert Thomas, took
the considerable time and effort to explain to me what Unix is all about and introduce me
to the world of information security.
The folks at SANS, who have been big supporters since day one. I'll never forget how
excited I was to make my first presentation on honeypots and tracking hackers. Stephen
Northcut gave me my first chance to become involved with SANS. Alan Paller has been a
committed supporter of honeypots and the Honeynet Project. I would like to thank John
Green, who has helped with both the Forensic Challenge and Honeynet Research Alliance.
And finally, to the true boss at SANS, Zoe, the SANS goddess: Thank you so much for
taking care of all of us.
Two gentlemen who were extremely influential in guiding me in the ways of computer
security: Dan Farmer and Brad Powell. They are serious professionals from whom I have
learned a great deal, including the Zen of security.
Marcus Ranum, one of the few people who continually develops crazier ideas than even I
do. Your dedication to information security and innovative concepts is truly an inspiration.
The gents of SecurityFocus.com, to whom I owe more than a beer. Alfred Huger was one
of the very first people to publish my whitepapers and support me in my work on
honeypots. Other members, Elias Levy, Hal Flynn, and Ryan Russell, helped me in
researching, understanding, and deploying honeypot technologies. I would also like to
thank Elias for his commitment to the Honeynet Project as one of our directors.
The men of Foundstone, one of the very first supporters of the Honeynet Project and my
research into honeypot technologies. Saumil, you are the "yaar"! Thanks to J. D. Glazer,
Kevin Mandia, and Stuart McClure for their support, and to George Kurtz, the first director
for the Honeynet Project. Dave Wreski and the folks at linuxsecurity.com have been big
supporters of honeypot technologies, the Forensic Challenge, and the Honeynet Project.
Rob McMilan, Glen Sharlun, and other members of the Navy Postgraduate Program. This
organization was one of the first to actively work with the Honeynet Project on honeypot
technologies. They opened my eyes to all the different possibilities of honeypots.
Richard Salgado and members of the Department of Justice. They have repeatedly gone out
of their way to help the Project identify any legal issues with honeypot technologies.
The wonder weenies of the Honeynet Project. Specifically Jeff Stutzman and Max Kilger,
who can do more damage with numbers and data sets than anyone else I know. David
Dittrich, the most detail oriented person I know (in other words, anal). Your expertise in
forensics and DoS attacks has been crucial to my understanding of honeypots and threats.
David was also a major contributor to the chapter on honeypot legal issues. Marty Roesch,
the network pig himself. Snort has been absolutely critical to the history of honeypots.
Without it, we would know far less about the blackhat community. Dragos Ruiu and those
ever-sexy black leather pants. Frank Heidt, one of the few people I know who is more
intense than I am when dealing with security technologies. K2, vacuum, and rain forest
puppy. I'm not sure what I admire more-their dedicated professionalism or their cool
handles. Michael Clark, one of the first proponents of virtual Honeynets. Jed Hail, creator
of Hogwash, one of the first GenII technologies for data control. Eric Cole and Ed Skoudis,
SANS wonder twins. You two bums have been a huge help since I first began in the
security field. Fyodor, Mr. Nmap himself. Robin Wakefield, one of the few people crazy
enough to support the Honeynet Project from the beginning. Chris Brenton, one of the very
first members of the Honeynet Project. Anne Tennholder, a huge supporter of the
honeypots. Ofir Arkin-no man knows ICMP like Ofir. Max Vision, the master at decoding
worms and exploits. Dug Song, the most frightening man in the world when it comes to
coding layer two attacks. And the rest of the Honeynet Project: Dudes, without your skills,
experience, and input, our research into honeypot technologies would have never been
Bruce Schneier and Jennifer Grannick, two individuals crazy enough to support the
Honeynet on the Board of Directors. Bruce, your insight to the potential of honeypots is
setting the future for honeypot technologies. Jennifer, you have been an incredible leader in
the legal issues of honeypots. Jennifer was also a major contributor to the chapter on
honeypot legal issues.
The Honeynet Research Alliance, organizations daft enough to become involved in
honeypot research. The South Florida Honeynet Project is led by Richard La Bella. Your
devotion and motivation to Honeynet research is an inspiration to the security community.
To the teams in Greece, India, Brazil, and Mexico: It's great to see honeypots and
community support have a global perspective. And to all the other members of the
Alliance, thanks for your unique ideas and support. My fellow geeks at the GESS Security
Team at Sun Microsystems. With your support, guidance, and wisdom, I have a job I love
and continually learn from. To John Totah, the most paranoid and finest security
professional I know. To Donna, the kernel hacker goddess. Rob, Joel, Audrey, and Robin,
you have been guiding me from the start. To Brad Powell, the reason I joined Sun. To Ed,
my boss, for putting up with all my crazy antics over the past three years. And to the rest of
the team-hang in there, guys!
My fellow publisher and editors. You have always been and continue to be there for me.
Karen Gettman, Emily Frey, Tracy Russ, Gioconda Mateu, and Mary Cotillo, and the rest
of the A-W team, thanks for all the support. (I promise not to ask for too many copies of
the book.) To Laurie McGuire, who was tasked with the grueling job of going through each
chapter of the book and cleaning up the mess I created: I learned a great deal from you on
how to write in a clean and concise manner. Char Sample, Richard Bejtlich, Sean R.
Brown, Michael Clark, Marcus Leech, and Marcus Ranum-thanks for taking the time to
review the book, find all my boneheaded mistakes, and make great suggestions for
Those folks I forgot to mention by name. You may have sent me an e-mail, posted on a
mail list, or published a whitepaper on a Web site. Your contributions have helped me
Finally, my family. My parents were always there for me. Without their support and
guidance-not to mention their babysitting skills-this book would have never been written.
Thanks also to Busia, Grandpa, Ciocia, and the rest of my family. Most importantly, I
would like to thank my wonderful wife, Ania, and our son, Adam. Without Ania's patience
and support, I never would have been able to write this book. I would like to thank Adam
for all of his unique input when he was at the keyboard helping me write this book. His
keystroke combinations still defy me to this day (not bad for a 16-month-old!).