
Article Id: WHEBN0000287952

Title: Honeypot (computing)  
Author: World Heritage Encyclopedia
Language: English
Subject: DNSBL, Honeyd, Organizational Systems Security Analyst, Intrusion detection system, Malware
Collection: Computer Network Security, Spamming
Publisher: World Heritage Encyclopedia

Honeypot (computing)

In computer terminology, a honeypot is a computer security mechanism set up to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, on a network site) that appears to be a legitimate part of the site but is actually isolated and monitored, and that seems to contain information or a resource of value to attackers, who are then blocked. This is similar to the police baiting a criminal, conducting undercover surveillance, and finally punishing the criminal.

Honeypot diagram to help understand the topic


  • Types 1
    • Malware honeypots 1.1
    • Spam versions 1.2
    • Email trap 1.3
    • Database honeypot 1.4
  • Detection 2
  • Honeynets 3
  • Metaphor 4
  • See also 5
  • References and notes 6
  • Further reading 7
  • External links 8


Types

Honeypots can be classified based on their deployment (use/action) and based on their level of involvement. Based on deployment, honeypots may be classified as:

  1. production honeypots
  2. research honeypots

Production honeypots are easy to use, capture only limited information, and are used primarily by companies or corporations. Production honeypots are placed inside the production network with other production servers by an organization to improve their overall state of security. Normally, production honeypots are low-interaction honeypots, which are easier to deploy. They give less information about the attacks or attackers than research honeypots.

Research honeypots are run to gather information about the motives and tactics of the

References and notes

  1. ^ Lance Spitzner (2002). Honeypots tracking hackers.
  2. ^ "Cryptocurrency-Stealing Malware Landscape". Dell SecureWorks. 26 February 2014. Retrieved 13 May 2014.
  3. ^ "Bitcoin Vigil: Detecting Malware Through Bitcoin". cryptocoins news. May 5, 2014.
  4. ^ Edwards, M. "Antispam Honeypots Give Spammers Headaches". Windows IT Pro. Retrieved 11 March 2015.
  5. ^ "Sophos reveals latest spam relaying countries". Help Net Security. 24 July 2006. Retrieved 14 June 2013.
  6. ^ "Honeypot Software, Honeypot Products, Deception Software". Intrusion Detection, Honeypots and Incident Handling Resources. 2013. Retrieved 14 June 2013.
  7. ^ dustintrammell (27 February 2013). "spamhole – The Fake Open SMTP Relay Beta". SourceForge. Dice Holdings, Inc. Retrieved 14 June 2013.
  8. ^ EC-Council (5 July 2009). Certified Ethical Hacker: Securing Network Infrastructure in Certified Ethical Hacking. Cengage Learning. pp. 3–.
  9. ^ Kaushik, Gaurav; Tyagi, Rashmi (2012). "Honeypot: Decoy Server or System Setup Together Information Regarding an Attacker" (PDF). VSRD International Journal of Computer Science & Information Technology 2: 155–166.
  10. ^ "Secure Your Database Using Honeypot Architecture". August 13, 2010. Archived from the original on March 8, 2012.
  11. ^ "Deception Toolkit". 2013. Retrieved 14 June 2013.
  12. ^ Nicholas Weaver, Vern Paxson, Stuart Staniford (2003). "Wormholes and a Honeyfarm: Automatically Detecting Novel Worms" (PowerPoint). The ICSI Networking and Security Group. Retrieved 14 June 2013.
  13. ^ Honeynets: a Honeynet Definition (PDF) by Ryan Talabis from
  14. ^ "Know Your Enemy: GenII Honeynets. Easier to deploy, harder to detect, safer to maintain." Honeynet Project. 12 May 2005. Retrieved 14 June 2013.
  15. ^ "The word for 'bear'". Retrieved 12 Sep 2014.

Further reading

  • Lance Spitzner (2002). Honeypots tracking hackers.

External links

  • Distributed Open Proxy Honeypots Project: WASC
  • SANS Institute: What is a Honey Pot?
  • SANS Institute: Fundamental Honeypotting
  • Simwood eSMS SIP Honeypot Project
  • Podcast – Episode #2: "HoneyMonkeys" from Security Now!
  • Project Honeypot
  • The Honeynet Project

Metaphor

The metaphor of a bear being attracted to and stealing honey is common in many traditions, including Germanic and Slavic. Bears were at one time called "honey eaters" instead of by their true name for fear of attracting the threatening animals. The tradition of bears stealing honey has been passed down through stories and folklore, including the well-known Winnie the Pooh.[15]


Honeynets

Two or more honeypots on a network form a honeynet. Typically, a honeynet is used for monitoring a larger and/or more diverse network in which one honeypot may not be sufficient. Honeynets and honeypots are usually implemented as parts of larger network intrusion detection systems. A honeyfarm is a centralized collection of honeypots and analysis tools.[12][13]

The concept of the honeynet first began in 1999 when Lance Spitzner, founder of the Honeynet Project, published the paper "To Build a Honeypot":[14]

"A honeynet is a network of high interaction honeypots that simulates a production network and configured such that all activity is monitored, recorded and in a degree, discreetly regulated."


Detection

Just as honeypots are weapons against spammers, honeypot detection systems are spammer-employed counter-weapons. Because detection systems would likely use unique characteristics of specific honeypots to identify them, a large number of honeypots in use makes the set of unique characteristics larger and more daunting to those seeking to detect and thereby identify them. This is an unusual circumstance in software: a situation in which "versionitis" (a large number of versions of the same software, all differing slightly from each other) can be beneficial. There is also an advantage in having some easy-to-detect honeypots deployed. Fred Cohen, the inventor of the Deception Toolkit, even argues that every system running his honeypot should have a deception port that adversaries can use to detect the honeypot.[11] Cohen believes that this might deter adversaries.


Database honeypot

Databases often get attacked by intruders using SQL injection. As such activities are not recognized by basic firewalls, companies often use database firewalls for protection. Some of the available SQL database firewalls provide or support honeypot architectures so that the intruder runs against a trap database while the web application remains functional.[10]
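The routing decision a database firewall makes when it diverts suspicious statements to a trap database, as an added example written for this article (it is not code from any product cited above). The approach is one the example assumes, not one the page attributes to a specific vendor: the application's legitimate statement shapes are learned as fingerprints (literals replaced by placeholders), a statement whose shape was never learned is sent to an isolated decoy database with the same schema but fake rows, and every decision is logged. Both databases are constructed in-memory SQLite instances; the hypothetical `DatabaseHoneypotRouter` and `fingerprint` names are this example's own.

```python
import re
import sqlite3


def fingerprint(sql: str) -> str:
    """Reduce a statement to its shape: string and numeric literals become '?',
    whitespace is collapsed and case is normalised. Two statements that differ only
    in their bound values therefore get the same fingerprint; an injected
    "' OR '1'='1" changes the shape and gets a different one."""
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)      # single-quoted strings ('' is an escaped quote)
    s = re.sub(r"\b\d+(?:\.\d+)?\b", "?", s)      # integer and decimal literals
    return re.sub(r"\s+", " ", s).strip().lower()


class DatabaseHoneypotRouter:
    """Sits between the application and two databases (hypothetical design).
    Statements whose shape was learned from the application go to production;
    anything else is answered by the trap database and recorded."""

    def __init__(self, production: sqlite3.Connection, trap: sqlite3.Connection):
        self.production = production
        self.trap = trap
        self.allowed = set()
        self.log = []          # (target, fingerprint, raw sql) for every statement seen

    def learn(self, template_sql: str) -> None:
        """Register a statement the application is known to issue."""
        self.allowed.add(fingerprint(template_sql))

    def execute(self, sql: str):
        fp = fingerprint(sql)
        target = "production" if fp in self.allowed else "trap"
        self.log.append((target, fp, sql))
        conn = self.production if target == "production" else self.trap
        return target, conn.execute(sql).fetchall()


def _seed(conn: sqlite3.Connection, rows) -> None:
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", rows)
    conn.commit()


def build_demo_router() -> DatabaseHoneypotRouter:
    """Constructed demo: real users in production, obviously fake rows in the trap."""
    production = sqlite3.connect(":memory:")
    trap = sqlite3.connect(":memory:")
    _seed(production, [(1, "alice"), (2, "bob")])
    _seed(trap, [(1, "decoy-admin"), (2, "decoy-guest")])
    router = DatabaseHoneypotRouter(production, trap)
    # the application's only lookup, learned from its template
    router.learn("SELECT id, name FROM users WHERE name = 'alice'")
    return router


if __name__ == "__main__":
    r = build_demo_router()
    print(r.execute("SELECT id, name FROM users WHERE name = 'bob'"))
    print(r.execute("SELECT id, name FROM users WHERE name = '' OR '1'='1'"))
    for entry in r.log:
        print(entry)
```

The second statement never reaches the production data: its shape (`... where name = ? or ?=?`) was never learned, so the trap answers it with decoy rows while the log entry gives the operator the evidence. In a real deployment the learned set would be built from the application's parameterised queries, and the trap schema kept identical so the diversion is not obvious from error messages.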

Email trap

An email address that is not used for any purpose other than to receive spam can also be considered a spam honeypot. Compared with the term "spamtrap", the term "honeypot" might be more suitable for systems and techniques that are used to detect or counter attacks and probes. With a spamtrap, spam arrives at its destination "legitimately"—exactly as non-spam email would arrive.

An amalgam of these techniques is Project Honey Pot, a distributed, open source project that uses honeypot pages installed on websites around the world. These honeypot pages disseminate uniquely tagged spamtrap email addresses, and spammers can then be tracked—the corresponding spam mail is subsequently sent to these spamtrap e-mail addresses.
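How uniquely tagged spamtrap addresses let an operator attribute later spam to the visitor that harvested the address, as an added example for this section (it is not Project Honey Pot's code; its tag format is an assumption of this example). Each address issued to a visitor carries a random nonce that indexes the record of who received it, plus an HMAC of the nonce so that guessed or forged addresses are rejected rather than misattributed. The visitor records and the received recipient list are constructed sample data; `SpamtrapRegistry` and `harvester_report` are hypothetical names.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Harvest:
    """Who was handed a given trap address, recorded when the honeypot page served it."""
    ip: str
    user_agent: str
    page: str
    issued_at: str


class SpamtrapRegistry:
    DOMAIN = "trap.example.invalid"   # constructed domain; real traps use a domain the operator controls
    TAG_LEN = 12                      # hex chars of the HMAC kept in the local part

    def __init__(self, key: bytes):
        self._key = key               # secret shared by the issuing and receiving side only
        self._issued = {}             # nonce -> Harvest

    def _tag(self, nonce: str) -> str:
        return hmac.new(self._key, nonce.encode(), hashlib.sha256).hexdigest()[: self.TAG_LEN]

    def issue(self, ip: str, user_agent: str, page: str, issued_at: str) -> str:
        """Mint one address for one visitor and remember who got it."""
        nonce = secrets.token_hex(4)
        self._issued[nonce] = Harvest(ip, user_agent, page, issued_at)
        return f"{nonce}.{self._tag(nonce)}@{self.DOMAIN}"

    def attribute(self, recipient: str):
        """Map a recipient address seen in incoming spam back to the harvester,
        or None if the address is not one of ours or its tag does not verify."""
        local, _, domain = recipient.strip().lower().partition("@")
        if domain != self.DOMAIN:
            return None
        nonce, _, tag = local.partition(".")
        if not hmac.compare_digest(tag, self._tag(nonce)):
            return None               # forged or mangled address: do not trust the nonce
        return self._issued.get(nonce)


def harvester_report(registry: SpamtrapRegistry, recipients) -> dict:
    """Count spam messages per harvesting IP from the RCPT addresses of captured mail."""
    counts = {}
    for rcpt in recipients:
        hit = registry.attribute(rcpt)
        if hit is not None:
            counts[hit.ip] = counts.get(hit.ip, 0) + 1
    return counts


if __name__ == "__main__":
    reg = SpamtrapRegistry(b"constructed-demo-key")
    a1 = reg.issue("198.51.100.23", "harvester-bot/1.0", "/contact", "2024-01-01T00:00:00Z")
    a2 = reg.issue("198.51.100.23", "harvester-bot/1.0", "/about", "2024-01-01T00:00:05Z")
    b1 = reg.issue("203.0.113.9", "Mozilla/5.0", "/contact", "2024-01-02T00:00:00Z")
    # constructed recipient list from captured spam; the last one is not a valid trap address
    print(harvester_report(reg, [a1, a2, b1, "junk@trap.example.invalid"]))
```

Because the address itself is never used for anything else, any message to it is spam by definition, and the nonce ties that message to the page visit that exposed the address; the HMAC keeps an attacker who learns the address format from implicating a visitor of their choosing.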

Spam versions

Spammers abuse vulnerable resources such as open mail relays and open proxies. Some system administrators have created honeypot programs that masquerade as these abusable resources to discover spammer activity. Such honeypots provide several capabilities to these administrators, and the existence of such fake abusable systems makes abuse more difficult or risky. Honeypots can be a powerful countermeasure to abuse from those who rely on very high volume abuse (e.g., spammers).

These honeypots can reveal the apparent IP address of the abuse and provide bulk spam capture (which enables operators to determine spammers' URLs and response mechanisms). For open relay honeypots, it is possible to determine the e-mail addresses ("dropboxes") spammers use as targets for their test messages, which are the tool they use to detect open relays. It is then simple to deceive the spammer: transmit any illicit relay e-mail received that is addressed to that dropbox e-mail address. That tells the spammer the honeypot is a genuine abusable open relay, and they often respond by sending large quantities of relay spam to that honeypot, which stops it.[4] The apparent source may be another abused system—spammers and other abusers may use a chain of abused systems to make detection of the original starting point of the abuse traffic difficult.

This in itself is indicative of the power of honeypots as anti-spam tools. In the early days of anti-spam honeypots, spammers, with little concern for hiding their location, felt safe testing for vulnerabilities and sending spam directly from their own systems. Honeypots made the abuse riskier and more difficult.

Spam still flows through open relays, but the volume is much smaller than in 2001 to 2002. While most spam originates in the U.S.,[5] spammers hop through open relays across political boundaries to mask their origin. Honeypot operators may use intercepted relay tests to recognize and thwart attempts to relay spam through their honeypots. "Thwart" may mean "accept the relay spam but decline to deliver it." Honeypot operators may discover other details concerning the spam and the spammer by examining the captured spam messages.

Open relay honeypots include Jackpot, written in Java by Jack Cleaver; one written in Python by Karl A. Krueger;[6] and spamhole, written in C.[7] The Bubblegum Proxypot is an open source honeypot (or "proxypot").[8][9]
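The "accept the relay spam but decline to deliver it" behaviour described in this section, as an added example written for this article rather than code from Jackpot, spamhole or any other tool named above. The class is a minimal SMTP command state machine that answers every envelope like an open relay would, but writes each completed message to a quarantine list instead of delivering it, marks messages whose recipients are outside the honeypot's own domain as relay attempts, and tallies the recipient addresses those attempts were aimed at (the "dropboxes" the text mentions). The session transcript is constructed; `FakeOpenRelay`, `run_session` and the `honeypot.invalid` domain are this example's assumptions.

```python
import re
from dataclasses import dataclass


@dataclass
class Captured:
    client: str
    sender: str
    recipients: list
    body: str
    relay_attempt: bool      # True when any recipient is not one of our local domains


class FakeOpenRelay:
    """One SMTP session. Feed it client lines, get server replies; nothing is delivered."""

    LOCAL_DOMAINS = {"honeypot.invalid"}   # constructed; the domain the honeypot claims to serve

    def __init__(self, client_ip: str):
        self.client = client_ip
        self.quarantine = []
        self._in_data = False
        self._lines = []
        self._reset_envelope()

    def _reset_envelope(self):
        self.sender = None
        self.rcpts = []

    @staticmethod
    def _addr(arg: str) -> str:
        """Pull the address out of 'FROM:<a@b>' / 'TO:<a@b>' (falls back to the raw argument)."""
        m = re.search(r"<([^>]*)>", arg)
        return (m.group(1) if m else arg.strip()).lower()

    def feed(self, line: str):
        """Process one client line (CRLF already stripped). Returns the reply, or None
        for message-body lines, which SMTP does not acknowledge individually."""
        if self._in_data:
            if line == ".":
                self._in_data = False
                self._capture()
                return "250 OK: queued"          # the lie: it is quarantined, not queued
            self._lines.append(line[1:] if line.startswith("..") else line)   # dot-unstuffing
            return None
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            return "250 mx.honeypot.invalid"
        if verb == "MAIL":
            self.sender = self._addr(arg)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 need MAIL first"
            self.rcpts.append(self._addr(arg))
            return "250 OK"                      # an open relay accepts any recipient
        if verb == "DATA":
            if not self.rcpts:
                return "503 need RCPT first"
            self._in_data = True
            self._lines = []
            return "354 end with <CRLF>.<CRLF>"
        if verb == "RSET":
            self._reset_envelope()
            return "250 OK"
        if verb == "QUIT":
            return "221 bye"
        return "500 unrecognised"

    def _capture(self):
        foreign = [r for r in self.rcpts if r.rpartition("@")[2] not in self.LOCAL_DOMAINS]
        self.quarantine.append(Captured(self.client, self.sender, list(self.rcpts),
                                        "\n".join(self._lines), bool(foreign)))
        self._reset_envelope()

    def relay_targets(self) -> dict:
        """Recipient addresses offered in relay attempts, with counts: candidate dropboxes."""
        out = {}
        for msg in self.quarantine:
            if msg.relay_attempt:
                for r in msg.recipients:
                    out[r] = out.get(r, 0) + 1
        return out


def run_session(client_ip: str, lines):
    """Drive one session from a list of client lines; returns (relay, replies)."""
    relay = FakeOpenRelay(client_ip)
    replies = [r for r in (relay.feed(l) for l in lines) if r is not None]
    return relay, replies


# constructed transcript of a relay test: outside sender, outside recipient, short body
SAMPLE_SESSION = [
    "EHLO relaytest",
    "MAIL FROM:<probe@spamsender.invalid>",
    "RCPT TO:<dropbox@collector.invalid>",
    "DATA",
    "Subject: relay test 203.0.113.7",
    "",
    "..leading dots are unstuffed",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    relay, replies = run_session("203.0.113.7", SAMPLE_SESSION)
    print(replies)
    print(relay.quarantine[0])
    print(relay.relay_targets())
```

The session above is answered with the same codes a real relay would send, so the tester learns nothing from the reply stream; what the operator gets is the full message, the apparent client address and the dropbox the test was aimed at.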

Malware honeypots

Malware honeypots are used to detect malware by exploiting the known replication and attack vectors of malware. Replication vectors such as USB flash drives can easily be verified for evidence of modifications, either through manual means or by utilizing special-purpose honeypots that emulate drives. Malware is increasingly used to search for and steal cryptocurrencies,[2] which provides opportunities for services such as Bitcoin Vigil to create and monitor honeypots by using a small amount of money to provide early warning alerts of malware infection.[3]

Research honeypots are complex to deploy and maintain, capture extensive information, and are used primarily by research, military, or government organizations.[1]

Based on design criteria, honeypots can be classified as:

  1. pure honeypots
  2. high-interaction honeypots
  3. low-interaction honeypots

Pure honeypots are full-fledged production systems. The activities of the attacker are monitored by using a casual tap that has been installed on the honeypot's link to the network. No other software needs to be installed. Even though a pure honeypot is useful, stealthiness of the defense mechanisms can be ensured by a more controlled mechanism.

High-interaction honeypots imitate the activities of the production systems that host a variety of services and, therefore, an attacker may be given many services on which to waste their time. By employing virtual machines, multiple honeypots can be hosted on a single physical machine. Therefore, even if the honeypot is compromised, it can be restored more quickly. In general, high-interaction honeypots provide more security by being difficult to detect, but they are expensive to maintain. If virtual machines are not available, one physical computer must be maintained for each honeypot, which can be exorbitantly expensive. Example: Honeynet.

Low-interaction honeypots simulate only the services frequently requested by attackers. Since they consume relatively few resources, multiple virtual machines can easily be hosted on one physical system, the virtual systems have a short response time, and less code is required, reducing the complexity of the virtual system's security. Example: Honeyd.
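What "simulating only the services frequently requested" looks like in practice, as an added example for the low-interaction class described above (it is not Honeyd's code and does not reproduce Honeyd's configuration). The listener below emulates a single service just far enough to elicit the client's first command: it sends a fixed banner, records who connected and what they sent, then closes with a refusal. No real service runs behind it, so there is nothing to compromise, and every connection is an event worth alerting on because legitimate clients have no reason to reach this port. The banner text, the `LowInteractionHoneypot` and `probe` names, and the loopback demo traffic are this example's own assumptions.

```python
import socket
import threading
import time
from dataclasses import dataclass, field


@dataclass
class Event:
    """One recorded probe: where it came from and the first line the client sent."""
    peer: str
    peer_port: int
    service: str
    first_line: str
    timestamp: float = field(default_factory=time.time)


class LowInteractionHoneypot:
    """Emits a static banner for a fake service and records the client's first line.
    The protocol is never implemented beyond that, which keeps the code small and
    leaves the client nothing to exploit."""

    def __init__(self, host="127.0.0.1", port=0, service="smtp",
                 banner=b"220 mx.honeypot.invalid ESMTP ready\r\n"):
        self.host, self.port, self.service, self.banner = host, port, service, banner
        self.events = []
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._sock = None
        self._thread = None

    def start(self) -> int:
        """Bind (port 0 lets the OS pick one), start the accept loop, return the port."""
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((self.host, self.port))
        self.port = self._sock.getsockname()[1]
        self._sock.listen(5)
        self._sock.settimeout(0.2)          # lets the loop notice stop() promptly
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()
        return self.port

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)
                data = conn.recv(1024)      # one read is all the interaction we offer
            except (socket.timeout, OSError):
                data = b""
            first = data.split(b"\r\n", 1)[0].decode("utf-8", "replace")
            with self._lock:
                self.events.append(Event(addr[0], addr[1], self.service, first))
            try:
                conn.sendall(b"421 service not available\r\n")   # refuse and hang up
            except OSError:
                pass

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=2)
        self._sock.close()


def probe(host: str, port: int, line: bytes = b"EHLO scanner\r\n") -> bytes:
    """Constructed client used only to exercise the honeypot locally; returns the banner."""
    with socket.create_connection((host, port), timeout=2) as s:
        banner = s.recv(1024)
        s.sendall(line)
        s.recv(1024)                        # wait for the refusal so the event is recorded
    return banner


def demo():
    """Start on loopback, send one probe, stop; returns (banner, recorded events)."""
    hp = LowInteractionHoneypot()
    port = hp.start()
    try:
        banner = probe("127.0.0.1", port)
    finally:
        hp.stop()
    return banner, hp.events


if __name__ == "__main__":
    banner, events = demo()
    print(banner, events)
```

The same class can front several fake services at once by starting one instance per banner, which is the cheap multiplicity the section attributes to low-interaction designs; the cost is that anyone who sends a second command sees the service refuse, so the emulation is detectable, which the Detection section notes is not necessarily a drawback.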
