Intrusion Detection FAQ: What is a honeypot and how is it used?
A honeypot is simply a system, program, or file that has absolutely no
purpose in production. Therefore, we can always assume that if the honeypot
is accessed, it is for some reason unrelated to your organization's purpose.
The workhorse of all honeypots is honeyd. It simulates an entire
environment and is available from http://www.honeyd.org/.
Another type of honeypot is called a Proxypot, which is a proxy server with
no access control. The open proxy honeypot allows internet clients to
connect and make requests to the proxy server for connection to internet
hosts, even those that are behind the proxy server. This allows server
traffic to be examined to detect various threats including distributed
password account guessing, Nessus web vulnerability scans, and proxy
chaining.
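
The kind of traffic examination described above, as an added example that is not part of the original FAQ: a Python script that checks proxypot log lines for distributed password guessing and proxy chaining. The log format, the sample lines, the proxy-port list, and the threshold are assumptions made for illustration.

```python
import collections

# Constructed sample proxypot log; assumed format: client_ip method target status
SAMPLE_LOG = """\
198.51.100.7 POST http://mail.example.com/login 401
198.51.100.8 POST http://mail.example.com/login 401
203.0.113.21 POST http://mail.example.com/login 401
203.0.113.40 POST http://mail.example.com/login 401
203.0.113.40 GET http://www.example.org/index.html 200
192.0.2.15 CONNECT 192.0.2.200:3128 200
192.0.2.15 CONNECT shop.example.net:443 200
"""

PROXY_PORTS = {1080, 3128, 8080}  # assumed list of common proxy ports
MIN_SOURCES = 3                   # assumed threshold for "distributed"

def parse(log_text):
    """Yield (client, method, target, status) tuples, skipping malformed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[3].isdigit():
            yield parts[0], parts[1].upper(), parts[2], int(parts[3])

def distributed_guessing(entries, min_sources=MIN_SOURCES):
    """Targets that returned 401 to at least min_sources distinct clients."""
    sources = collections.defaultdict(set)
    for client, _method, target, status in entries:
        if status == 401:
            sources[target].add(client)
    return {t: sorted(c) for t, c in sources.items() if len(c) >= min_sources}

def proxy_chaining(entries, proxy_ports=PROXY_PORTS):
    """CONNECT requests whose destination port is a known proxy port."""
    hits = []
    for client, method, target, _status in entries:
        if method != "CONNECT":
            continue
        host, _, port = target.rpartition(":")
        if host and port.isdigit() and int(port) in proxy_ports:
            hits.append((client, target))
    return hits

def analyze(log_text=SAMPLE_LOG):
    entries = list(parse(log_text))
    return distributed_guessing(entries), proxy_chaining(entries)

if __name__ == "__main__":
    print(analyze())
```
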
There is also a honeypot program called the Deception Tool Kit, which can
be downloaded from http://www.all.net/dtk/index.html. You can configure the
responses for each port.
Honeypots are probably one of the last security tools an organization should
implement. This is primarily because of the concern that somebody may use
the honeypot to attack other systems.