Honeynet.BR

IMPORTANT NOTICE

Since 2008 this project is no longer maintained.

These pages are still online for historical reasons. Use the information in these pages just for reference of past work developed while the project was still running.

The Honeynet.BR Project

In recent years there has been a ressurgence of interest in Honeytraps due mainly to the development of the concept of Honeynets by Lance Spitzner.

As part of its ongoing research activities in Information Systems Security, the Brazilian National Institute for Space Research (INPE) together with the CERT.br have implemented a research honeynet (Honeynet.BR) to collaborate with the international effort of intelligence gathering on the activities of the blackhat community.

The Honeynet.BR is a member of the Honeynet Research Alliance since June, 2002.

Project Description

Honeynet.BR is an active honeytrap. It has been setup as a teaching and research laboratory for the Information Systems Security track of INPE's Applied Computer Science graduate course.

Topology:

Honeynet.BR network architecture is shown here. It is basically a Honeynet GenII with some modifications. The network is composed of an administrative network and the honeynet itself. A short description of each part is given below.

Administrative Network:

This network is comprised of three main components:

firewall;
IDS;
computacional forensics machine;

The firewall consists of an OpenBSD operating in bridge mode running pf, logging all traffic and limitting outgoing bandwidth.

A program was developed to limit intruder activity by interacting with pf to dinamically change the firewall rules. This program, called sessionlimit, monitors the outgoing traffic in order to detect and stop malicious activity, such as portscans, originated from the honeynet.

The IDS operates with two network interfaces, one connected to the administrative network and the other to the honeynet. The latter is capturing all traffic and does not have an IP address. This machine also generates alerts and mail daily summaries to all members.

The computacional forensics machine is used to store and analyse partition images from the honeynet machines and tools left behind by intruders.

Honeynet:

The honeynet is composed of several machines running different operating systems and services. It has remote logging facilities and all traffic internal to the honeynet is captured by the IDS.

About Honeytraps

Generally, honeytraps are divided into two categories: passive and active.

Passive honeytraps are low interaction systems that allows only very limited interaction and no access to the systems. Examples of these type of honeytraps are NFR's Back Officer Friendly, Deception Toolkit, Specter and more recently Honeyd.

This type of honeytrap is very useful to detect attacks trends, do scans statistics, serve as an early warning or alarm system and detect unauthorized inside activities in production environment.

Active honeytraps usually allows full interaction between the attacker and hosts. The hosts can be connected to a LAN, this is the case of the honeynets, or they can be emulated in a single system (virtual honeynets). In the latter, one can make use of applications like VMware, UML (User-Mode-Linux) or Decoy Server (formerly ManTrap).

Honeynets allow us to observe the actions and techniques of attackers and capture tools used by the blackhat community. As an added bonus, in some circunstances, it allow us to monitor chats which help us to better understand their motivation and psychological profiles.

Team Members

Antonio Montes, Ph.D. (CenPRA)
Cristine Hoepers, Ph.D. (CERT.br)
Klaus Steding-Jessen, Ph.D. (CERT.br)
Marcelo H. P. C. Chaves, M.Sc. (CERT.br)

Project Coordination

CenPRA

Antonio Montes

CERT.br

Team's Mascot

Spotty, the Honeynet.BR's mascot. He loves to bite script kiddies... :-)