Honeypots: Tracking Hackers

Author: Lance Spitzner
Pages: 480
Publisher: Addison-Wesley
ISBN: 0321108957

Available for download is chapter 4 entitled “The Value of Honeypots”.


What’s interesting with honeypots is the fact that they began to be widely used only in the past 2 years or so. I think that the majority of the people heard about honeypots thanks to the Honeynet Project and Lance Spitzner, whose excellent “Know Your Enemy” whitepaper series became a sort of a bestseller among the security community. And now, the man that started it all has written a book about it.

About the author

Lance Spitzner is a geek who constantly plays with computers, especially network security. His passion is researching honeypot technologies and using them to learn more about the enemy. He is the founder of the Honeynet Project, moderator of the honeypot mailing list and, besides this book, co-author of “Know Your Enemy” and author of several whitepapers. He works as a senior security architect for Sun Microsystems, Inc.

An interview with the author, Lance Spitzner, is available here.

A book like no other

The biggest difference between this and other security books is that this one teaches you not to keep hackers at bay, but to make them stay so you can learn from their activities. All of this takes place in a honeypot, a controlled environment.

The book starts from the assumption that you don’t know what honeypots are, and you are slowly introduced to the concept. But don’t be fooled, previous knowledge is necessary in order to understand all of the things presented. What you’ll learn while reading this book is that honeypots don’t catch only script kiddies; they are also great for tracking the activities of skilled blackhats and analyzing their behavior and tools. Sometimes honeypots discover new techniques and tools, and by doing that they help the security community a great deal.

What honeypots are

The book starts with an in-depth explanation of what a honeypot is and how it works. Lance Spitzner describes his first attempt at using a honeypot and the first home-made honeypot he ever made. As he goes on, the reader has the opportunity to learn a lot from the author’s own mistakes.

We also learn that, despite their rather recent integration in the overall security architecture, honeypots are more than a decade old.


Before showing us how a honeypot works, Lance Spitzner writes about the attackers, and by illustrating how they attack he helps us learn more about the value of honeypots.

The motives of the attackers and some of their tools are covered. We are introduced to auto-rooters and mass-rooters, both illustrated with examples. There’s also a brief section dedicated to worms, with an explanation of how damaging they can be. As examples the author notes the CodeRed, CodeRed II and Nimda worms.

When it comes to attackers, the author shows us that skilled blackhats are obviously the biggest threat and thus the most interesting to observe when caught in a honeypot.

History and definition

Now that we have all this info on the attackers, Lance Spitzner moves on to depict the history and definition of honeypots.

We see the evolution of honeypots, the people important for their development, we learn how they work and we get all of that gift wrapped with some examples. Sounds great? It is.

The next step is the definition of the value of honeypots. We learn that their value depends on how they are built and used. Since they don’t address a specific problem, they are different from mechanisms such as firewalls. The author clearly illustrates the advantages and disadvantages of honeypots, which enables the reader to get “the big picture”.

The value of honeypots is also explained very well and allows the reader to understand them and their role in the overall security architecture.

Level of interaction

We learn to distinguish different types of honeypots by using a concept that the author calls level of interaction. This means that we categorize types of honeypots based on the level of interaction they offer to the attackers.

As honeypots become more complex, the attacker can do more damage but the honeypot collects more data. You have to figure out what you need and deploy a honeypot designed just for that.

Lance Spitzner discusses:

  • Low-interaction honeypots
  • Medium-interaction honeypots
  • High-interaction honeypots

and lists the tradeoffs of using each type. Not surprisingly, we also get an in-depth overview of the above-mentioned types with their advantages and disadvantages listed.

Inside the honeypots we go…

What follows all this info, you may wonder? We delve right into the honeypots. We are presented with six honeypots, all with different applications, on different operating systems and, of course, with different interaction levels.

The presented honeypots are:

  • BackOfficer Friendly
  • Specter
  • Honeyd
  • Homemade
  • ManTrap
  • Honeynets

All the above-mentioned honeypots are explained in great detail, and each one gets its own chapter. We learn about their installation, configuration, deployment, information gathering and alerting capabilities. Furthermore, the author presents us with the risks associated with the deployment of every presented honeypot.

Since honeynets are the most high-interaction solution possible, they are explained with even more examples than the others.

Get it working, will you?

Enough with the analysis, it’s time to implement your honeypot. What you have to do is use all the knowledge accumulated so far and select the optimal honeypot for your needs. Fear not, as the author will skillfully guide you through all the steps of implementing a honeypot.

Once you’ve implemented your honeypot, you’ll need to maintain it. When it comes to maintenance, the author divides the subject into four areas:

  • Alert detection
  • Response policies
  • Data Analysis
  • Updates

Is there an abundance of details? Of course.

Now you have your honeypot running and you’re maintaining it. What more could you need? This is the time to bring together everything presented so far and apply it to several very detailed theoretical examples.

Legal issues and future predictions

In case you were wondering whether the deployment of a honeypot is legal, there’s a chapter dedicated to legal issues that will probably answer most of your questions. Note that all the legal information is based on the law of the USA.

What could be a better closing for the book than a chapter dedicated to the future of honeypots? What does the future hold according to Lance Spitzner? Get the book and find out.

My 2 cents

This book definitely shows that honeypots are not something obscure anymore. Both their implementation and usage have evolved and they have become an important learning method.

Through the book we are presented with a variety of real-life examples. This, along with the numerous references and a CD-ROM packed with whitepapers, source code and data captures of real attacks, makes this book really complete.

If you’re serious about setting up a honeypot then this is THE book to read. It will give you all the necessary concepts, guidelines and tools to get you started.

