I once visited an Amish farm where green plastic 2-liter 7-Up bottles dangled from the lower branches of the fruit trees. The bottles were filled about halfway with some sort of liquid. Upon closer inspection, I could see a banana peel floating inside each one.
I asked the Amish farm owner about these odd contraptions and it turns out they were homemade bug traps, filled with a vinegar-sugar and banana peel solution designed to lure troublesome insects.
“They fly in and they are done for,” the Amish man said, eyeing a bunch of floating wasps and hornets inside. The bugs would be soaked with vinegar and sugar — unable to escape.
That’s the basic concept behind honeypot technology. Create an irresistible lure and watch the hackers arrive in droves.
Now imagine if you were able to not only catch the bugs, but you could learn what their intentions were and what nest they came from. Armed with that information, you could deter far more insects.
That is precisely what a team of researchers has done at the University of Illinois and their work has positive implications for MSPs seeking to protect clients from brute-force and other attacks.
Creating a honeypot
Graduate student Phuong Cao created a honeypot that mimicked a server farm of 65,536 machines. Unlike other honeypots that can sometimes be turned against the networks they are supposed to help defend, Cao’s honeypot records and rejects any attack. This minimalist approach extracts the needed data and sends the attackers away.
“This honeypot covers a very wide space and because of this, the attacker can think there is an enormous set of machines here. As such, it attracts a lot of potential attackers. When they attack, we extract their addresses. Now we have a whole reserve, a library, of these addresses,” explains Ravi Iyer, CSL and Electrical and Computer Engineering (ECE) professor at the University of Illinois, and Cao’s advisor.
Once recorded, the addresses can be used to launch simulated attacks to test vulnerabilities and can also be blacklisted, which effectively renders them harmless. Hackers are always going to try to find a way to thwart the good guys, but for now, the honeypot has the upper hand.
“They (the hackers) don’t think of everything. There is a whole set of parameters that the honeypot collects and there is some fingerprint that is left behind. The attackers will get smarter in due course, so we will have to also get smarter. It’s a cat and mouse game and we are currently ahead,” details Iyer.
Constructing one’s own honeypot from scratch can be time-consuming and its effectiveness depends on the sophistication.
“Honeypots can be very effective, but it depends on the experience of the hacker and the depth of the honeypot. A honeypot that only has a few layers can be found quickly,” says Arthur Salmon, Director of Cybersecurity at the University of Southern Nevada and owner of MSP Rex Technologies.
“A more effective honeypot has several layers and mimics a real network, including equipment that would be found on a real network and incorporates things such as data traffic,” Salmon explains.
That is where Cao’s honeypot shines, because it acts as a deterrent and a research tool. The more you can learn about your attackers, the more effective you can be with your generated response.
405 million attacks
Cao’s honeypot has drawn 405 million attack attempts. From that, his team has been able to see that the majority are coming from Cloud and VPN service providers and ISPs. The honeypot can also sort out of the sophistication of the attack.
“It can characterize sophistication of the attack. We see bot attacks every day and they are not very smart, they just use a basic password. If the attacker uses a sophisticated password and a user name that matches with an employee, that would be a serious alert indicating an attack,” explains Cao.
Cao’s research paper about honeypots was accepted by the prestigious USENIX Symposium on Networked Systems Design and Implementation (NSDI), which accepts very few papers for publication. For an in-the-weeds read about honeypot technology and how Cao designed it, check out his paper here.
Cao’s paper and research have generated a lot of buzz in cyber circles. He’s had interest from hospitals and finance facilities about using the honeypot. However, one factor that can inhibit implementing honeypot technology is the cost of development.
MSPs can use this honeypot
“Yes, you can learn how hackers are getting in, but at what cost? The main advantage is understanding the methodology that an attacker is using to gain access. The disadvantages are the costs and how useful this information will be in preventing further attacks,” Salmon says.
Perhaps the best news of all for MSPs is that Cao’s honeypot is available free for anyone to use. It is written in Go programming language and accessible here. If you have a client whose system is under constant attack and you want to learn more about where and why, Cao’s honeypot would be a great watch to catch and quarantine the attackers. I
“People build small honeypots, but soon attackers find out that they are not useful and move on,” observes Iyer. Still, Cao’s is a giant honeypot and Iyer notes that, “sharing between trustworthy parties and commercial interests will benefit everyone.”
Like the homemade Amish bug traps, Cao’s honeypot is irresistible. Instead of vinegar and sugar, it uses enticing coding. I never figured out why the Amish traps had the banana peel. Perhaps buried somewhere in Cao’s honeypot is a cyber equivalent.
Photo: r.classen / Shutterstock
