Virtual Honeypots: From Botnet Tracking to Intrusion Detection

  • Edition: 1st
  • Format: Paperback
  • Copyright: 2007-07-16
  • Publisher: Addison-Wesley Professional


Praise for Virtual Honeypots

"A power-packed resource of technical, insightful information that unveils the world of honeypots in front of the reader's eyes." -Lenny Zeltser, Information Security Practice Leader at Gemini Systems

"This is one of the must-read security books of the year." -Cyrus Peikari, CEO, Airscanner Mobile Security, author, Security Warrior

"This book clearly ranks as one of the most authoritative in the field of honeypots. It is comprehensive and well written. The authors provide us with an insider's look at virtual honeypots and even help us in setting up and understanding an otherwise very complex technology." -Stefan Kelm, Secorvo Security Consulting

"Virtual Honeypots is the best reference for honeypots today. Security experts Niels Provos and Thorsten Holz cover a large breadth of cutting-edge topics, from low-interaction honeypots to botnets and malware. If you want to learn about the latest types of honeypots, how they work, and what they can do for you, this is the resource you need." -Lance Spitzner, Founder, Honeynet Project

"Whether gathering intelligence for research and defense, quarantining malware outbreaks within the enterprise, or tending hacker ant farms at home for fun, you'll find many practical techniques in the black art of deception detailed in this book. Honeypot magic revealed!" -Doug Song, Chief Security Architect, Arbor Networks

"Seeking the safest paths through the unknown sunny islands called honeypots? Trying to avoid greedy pirates catching treasures deeper and deeper beyond your ports? With this book, any reader will definitely get the right map to handle current cyber-threats. Designed by two famous white hats, Niels Provos and Thorsten Holz, it carefully teaches everything from the concepts to practical real-life examples with virtual honeypots. The main strength of this book lies in how it covers so many uses of honeypots: improving intrusion detection systems, slowing down and following incoming attackers, catching and analyzing 0-days or malwares or botnets, and so on. Sailing the high seas of our cyber-society or surfing the Net, from students to experts, it's a must-read for people really aware of computer security, who would like to fight against black-hats flags with advanced modern tools like honeypots." -Laurent Oudot, Computer Security Expert, CEA

"Provos and Holz have written the book that the bad guys don't want you to read. This detailed and comprehensive look at honeypots provides step-by-step instructions on tripping up attackers and learning their tricks while lulling them into a false sense of security. Whether you are a practitioner, an educator, or a student, this book has a tremendous amount to offer. The underlying theory of honeypots is covered, but the majority of the text is a 'how-to' guide on setting up honeypots, configuring them, and getting the most out of these traps, while keeping actual systems safe. Not since the invention of the firewall has a tool as useful as this provided security specialists with an edge in the never-ending arms race to secure computer systems. Virtual Honeypots is a must-read and belongs on the bookshelf of anyone who is serious about security." -Aviel D. Rubin, Ph.D., Computer Science Professor and Technical Director of the Information Security Institute at Johns Hopkins University, and President and Founder, Independent Security Evaluators

"An awesome coverage of modern honeypot technologies, both conceptual and practical." -Anton Chuvakin

"Honeypots have grown from simple geek tools to key components in research and threat monitoring a

Author Biography

Niels Provos is a senior staff engineer at Google. Thorsten Holz is one of the founders of the German Honeynet Project and a member of the Steering Committee of the Honeynet Research Alliance.

Table of Contents

Preface, p. xiii
Acknowledgments, p. xxi
About the Authors, p. xxiii
Honeypot and Networking Background, p. 1
  Brief TCP/IP Introduction, p. 1
  Honeypot Background, p. 7
  High-Interaction Honeypots, p. 9
  Low-Interaction Honeypots, p. 10
  Physical Honeypots, p. 11
  Virtual Honeypots, p. 11
  Legal Aspects, p. 12
  Tools of the Trade, p. 13
  Tcpdump, p. 13
  Wireshark, p. 15
  Nmap, p. 16
High-Interaction Honeypots, p. 19
  Advantages and Disadvantages, p. 20
  VMware, p. 22
  Different VMware Versions, p. 25
  Virtual Network with VMware, p. 26
  Setting Up a Virtual High-Interaction Honeypot, p. 29
  Creating a Virtual Honeypot, p. 33
  Adding Additional Monitoring Software, p. 37
  Connecting the Virtual Honeypot to the Internet, p. 39
  Building a Virtual High-Interaction Honeynet, p. 40
  User-Mode Linux, p. 41
  Overview, p. 41
  Installation and Setup, p. 42
  Runtime Flags and Configuration, p. 46
  Monitoring UML-Based Honeypots, p. 50
  Connecting the Virtual Honeypot to the Internet, p. 51
  Building a Virtual High-Interaction Honeynet, p. 52
  Argos, p. 52
  Overview, p. 53
  Installation and Setup for Argos Honeypots, p. 54
  Safeguarding Your Honeypots, p. 62
  Honeywall, p. 63
  Summary, p. 69
Low-Interaction Honeypots, p. 71
  Advantages and Disadvantages, p. 72
  Deception Toolkit, p. 73
  LaBrea, p. 74
  Installation and Setup, p. 75
  Observations, p. 81
  Tiny Honeypot, p. 81
  Installation, p. 82
  Capture Logs, p. 83
  Session Logs, p. 85
  Netfilter Logs, p. 85
  Observations, p. 86
  GHH - Google Hack Honeypot, p. 87
  General Installation, p. 87
  Installing the Transparent Link, p. 91
  Access Logging, p. 92
  PHP-HoP - A Web-Based Deception Framework, p. 94
  Installation, p. 95
  HipHop, p. 96
  PhpMyAdmin, p. 97
  Securing Your Low-Interaction Honeypots, p. 98
  Chroot Jail, p. 98
  Systrace, p. 101
  Summary, p. 103
Honeyd - The Basics, p. 105
  Overview, p. 106
  Features, p. 107
  Installation and Setup, p. 108
  Design Overview, p. 109
  Interaction Only via the Network, p. 111
  Multiple IP Addresses, p. 111
  Deceiving Fingerprinting Tools, p. 111
  Receiving Network Data, p. 112
  Runtime Flags, p. 114
  Configuration, p. 115
  Create, p. 117
  Set, p. 117
  Add, p. 121
  Bind, p. 123
  Delete, p. 124
  Include, p. 125
  Experiments with Honeyd, p. 125
  Experimenting with Honeyd Locally, p. 125
  Integrating Virtual Honeypots into Production Networks, p. 128
  Services, p. 129
  Logging, p. 131
  Packet-Level Logging, p. 131
  Service-Level Logging, p. 133
  Summary, p. 134
Honeyd - Advanced Topics, p. 135
  Advanced Configuration, p. 136
  Set, p. 136
  Tarpit, p. 137
  Annotate, p. 138
  Emulating Services, p. 139
  Scripting Languages, p. 139
  SMTP, p. 139
  Subsystems, p. 142
  Optimizing Subsystems, p. 145
  Internal Python Services, p. 146
  Dynamic Templates, p. 148
  Routing Topology, p. 150
  Honeydstats, p. 154
  Honeydctl, p. 156
  Honeycomb, p. 158
  Performance, p. 160
  Summary, p. 161
Collecting Malware with Honeypots, p. 163
  A Primer on Malicious Software, p. 164
  Nepenthes - A Honeypot Solution to Collect Malware, p. 165
  Architecture of Nepenthes, p. 167
  Limitations, p. 176
  Installation and Setup, p. 177
  Configuration, p. 179
  Command Line Flags, p. 181
  Assigning Multiple IP Addresses, p. 183
  Flexible Deployment, p. 185
  Capturing New Exploits, p. 186
  Implementing Vulnerability Modules, p. 187
  Results, p. 188
  Lessons Learned, p. 196
  Honeytrap, p. 197
  Overview, p. 197
  Installation and Configuration, p. 200
  Running Honeytrap, p. 203
  Other Honeypot Solutions for Learning About Malware, p. 204
  Multipot, p. 204
  HoneyBOT, p. 205
  Billy Goat, p. 205
  Learning About Malicious Network Traffic, p. 206
  Summary, p. 207
Hybrid Systems, p. 209
  Collapsar, p. 211
  Potemkin, p. 214
  RolePlayer, p. 220
  Research Summary, p. 224
  Building Your Own Hybrid Honeypot System, p. 224
  NAT and High-Interaction Honeypots, p. 224
  Honeyd and High-Interaction Honeypot, p. 228
  Summary, p. 230
Client Honeypots, p. 231
  Learning More About Client-Side Threats, p. 232
  A Closer Look at MS04-040, p. 233
  Other Types of Client-Side Attacks, p. 236
  Toward Client Honeypots, p. 238
  Low-Interaction Client Honeypots, p. 241
  Learning About Malicious Websites, p. 241
  HoneyC, p. 246
  High-Interaction Client Honeypots, p. 253
  Design of High-Interaction Client Honeypots, p. 254
  HoneyClient, p. 258
  Capture-HPC, p. 260
  HoneyMonkey, p. 262
  Other Approaches, p. 263
  Studying Spyware on the Internet, p. 264
  SpyBye, p. 267
  SiteAdvisor, p. 270
  Further Research, p. 271
  Summary, p. 272
Detecting Honeypots, p. 273
  Detecting Low-Interaction Honeypots, p. 274
  Detecting High-Interaction Honeypots, p. 280
  Detecting and Disabling Sebek, p. 281
  Detecting the Honeywall, p. 285
  Circumventing Honeynet Logging, p. 286
  VMware and Other Virtual Machines, p. 289
  QEMU, p. 297
  User-Mode Linux, p. 298
  Detecting Rootkits, p. 302
  Summary, p. 305
Case Studies, p. 307
  Blast-o-Mat: Using Nepenthes to Detect Infected Clients, p. 308
  Motivation, p. 309
  Nepenthes as Part of an Intrusion Detection System, p. 311
  Mitigation of Infected Systems, p. 312
  A Modern Trojan: Haxdoor, p. 316
  Lessons Learned with Blast-o-Mat, p. 320
  Lightweight IDS Based on Nepenthes, p. 321
  SURFnetIDS, p. 325
  Search Worms, p. 327
  Red Hat 8.0 Compromise, p. 332
  Attack Summary, p. 334
  Attack Timeline, p. 335
  Tools Involved, p. 338
  Attack Evaluation, p. 343
  Windows 2000 Compromise, p. 343
  Attack Summary, p. 344
  Attack Timeline, p. 345
  Tools Involved, p. 347
  Attack Evaluation, p. 350
  SUSE 9.1 Compromise, p. 351
  Attack Summary, p. 351
  Attack Timeline, p. 352
  Tools Involved, p. 354
  Attack Evaluation, p. 356
  Summary, p. 357
Tracking Botnets, p. 359
  Bot and Botnet 101, p. 360
  Examples of Bots, p. 362
  Spyware in the Form of Bots, p. 366
  Botnet Control Structure, p. 369
  DDoS Attacks Caused by Botnets, p. 372
  Tracking Botnets, p. 373
  Observing Botnets, p. 375
  Case Studies, p. 376
  Mocbot and MS06-040, p. 381
  Other Observations, p. 384
  Defending Against Bots, p. 387
  Summary, p. 390
Analyzing Malware with CWSandbox, p. 391
  CWSandbox Overview, p. 392
  Behavior-Based Malware Analysis, p. 394
  Code Analysis, p. 394
  Behavior Analysis, p. 395
  API Hooking, p. 396
  Code Injection, p. 400
  CWSandbox - System Description, p. 401
  Architecture, p. 402
  Results, p. 405
  Example Analysis Report, p. 406
  Large-Scale Analysis, p. 411
  Summary, p. 413
Bibliography, p. 415
Index, p. 423
Table of Contents provided by Ingram. All Rights Reserved.


This book is about understanding computer security through experiment. Before now, you probably thought that if your computer was compromised, it was the end of the world. But we are going to show you how to look at the bright side of break-ins and teach you to appreciate the insights to be gained from botnets, worms, and malware. In every incident there is a lesson to be learned. Once you know about the many different kinds of honeypots, you can turn the tables on Internet-born attackers. This book discusses a vast range of deployment scenarios for honeypots, ranging from tracking botnets to capturing malware. We also encourage you to take the perspective of adversaries by analyzing how attackers might go about detecting your countermeasures. But first let us set the context appropriately.

Computer networks connect hundreds of thousands of computer systems across the world. We know the sum of all these networks as the Internet. Originally designed for research and military use, the Internet became enormously popular after Tim Berners-Lee invented the HyperText Transfer Protocol (HTTP) in 1990 and created the World Wide Web as we know it. As more of us started using the Net, almost all of our social problems transferred into the electronic realm as well. For example, it was human curiosity that created the first Internet worm. (Technically, the first network worm was created in 1982 by Shoch and Hupp of Xerox's PARC, who developed worms such as the Vampire worm, which would seek out underutilized computers and have them solve complex computing tasks [81]. However, in most minds, Internet worms started with Morris, who, among many other contributions, also invented the buffer overflow.) Scanning networks for the number of installed computers or their respective configuration is another sign of our curiosity. In fact, receiving a constant stream of network probes is nowadays considered normal and expected. Unfortunately, many of these activities are no longer benign.

Darker elements of society have figured out that the Internet provides new opportunities to turn a quick profit. Underground activities range from sending millions of spam e-mails, identity theft, and credit card fraud to extortion via distributed denial of service attacks. As the Internet becomes increasingly popular, its security is also more important for keeping our electronic world healthy and functioning. Yet, despite decades of research and experience, we are still unable to make secure computer systems or even measure their security. Exploitation of newly discovered vulnerabilities often catches us by surprise. Exploit automation and massively global scanning for vulnerabilities make it easy for adversaries to compromise computer systems as soon as they can locate their weaknesses [91].

To learn which vulnerabilities are being used by adversaries (some of which we might not even be aware of), we could install a computer system on a network and then observe what happens to it. If the system serves no other purpose, then every attempt to contact it seems suspect. If the system is attacked, we have learned something new. We call such a system a honeypot. Its compromise allows us to study which vulnerability was used to break into it or what an adversary does once he has gained complete control over it.

A honeypot can be any kind of computing system. It may run any operating system and any number of services. The services we configure determine the attack vectors open to an adversary.

In this book, we often talk about nefarious computer users who want to break into our honeypots. Many readers might expect that we would call these computer users hackers, a term adapted and distorted beyond recognition by the press. However, the authors prefer the traditional definition of the word: A hacker is a person who finds clever technical solutions to problems. Although there is no shortage of good hackers out there, the supply of people
