Channels ▼

Being Prepared for Intrusion

Dan Farmer and Wietse Venema

, April 01, 2001

Apr01: Caution: Honey Pot

Caution: Honey Pot

A honey pot machine is a trap for intruders. In "An Evening with Berferd," Bill Cheswick describes how he and his colleagues set up their jail machine, also known as "roach motel." They monitored an intruder in an environment where he could do no harm, while, at the same time, lured him away from more precious resources.

In The Cuckoo's Egg: Tracking a Spy Through the Maze of Computer Espionage (Pocket Books, 2000, ISBN 0743411463), Cliff Stoll describes how he invented a complete governmental project with realistic-looking documents and memoranda. The intruder(s) spent long hours examining and downloading the information, giving Cliff plenty of opportunity for his tracing efforts.

The machine that features in this article is part of Lance Spitzner's Honeynet project ( While we examined the data that he kindly made available to us, we could not fail to notice how tricky it can be to operate a honey pot. We point out here the real or potential pitfalls that were most obvious to us.

  • Downstream liability. It may be exciting to lure an intruder into your honey pot, but other people will be less amused when they find out that you are providing the intruder with a launchpad for attacks on their systems. Unless you have the resources to watch your honey pot around the clock in real time, you have to severely limit its ability to connect to other systems.
  • History keeps coming back. As we discussed in previous articles, computer systems can be like the tar pits of old, with the bones, carcasses, and fossilized remains of the past in the unallocated storage areas. We found files from several operating systems that were installed previously, including firewall configuration information and other items that could be of interest to an intruder.

  • With a network honey pot machine, erasing past history is simply a matter of writing zeros over the entire disk before installing the operating system. This also has the benefit that disk image copies compress better, and that deleted files are easier to find.

  • Information leaks. A not so obvious pitfall is using the honey pot machine for real work. Even a remote login from the honey pot into a sensitive machine can be enough to expose information to intruders. If you let sensitive information into the honey pot via whatever means, then it may stick forever in unallocated storage space or in swap space until you explicitly erase it.

  • False evidence. It can be really tempting to use the honey pot machine for your own break-ins and other security exercises. After all, the machine exists solely for the purpose of being broken into. The problem with using a honey pot machine for target practice is that you're literally shooting yourself in the foot — by producing massive amounts of false evidence. It quickly becomes difficult to distinguish between the acts of random (or not-so-random) intruders and the acts of your own personnel.

— D.F. and W.V.

Related Reading

More Insights

Currently we allow the following HTML tags in comments:

Single tags

These tags can be used alone and don't need an ending tag.

<br> Defines a single line break

<hr> Defines a horizontal line

Matching tags

These require an ending tag - e.g. <i>italic text</i>

<a> Defines an anchor

<b> Defines bold text

<big> Defines big text

<blockquote> Defines a long quotation

<caption> Defines a table caption

<cite> Defines a citation

<code> Defines computer code text

<em> Defines emphasized text

<fieldset> Defines a border around elements in a form

<h1> This is heading 1

<h2> This is heading 2

<h3> This is heading 3

<h4> This is heading 4

<h5> This is heading 5

<h6> This is heading 6

<i> Defines italic text

<p> Defines a paragraph

<pre> Defines preformatted text

<q> Defines a short quotation

<samp> Defines sample computer code text

<small> Defines small text

<span> Defines a section in a document

<s> Defines strikethrough text

<strike> Defines strikethrough text

<strong> Defines strong text

<sub> Defines subscripted text

<sup> Defines superscripted text

<u> Defines underlined text

Dr. Dobb's encourages readers to engage in spirited, healthy debate, including taking us to task. However, Dr. Dobb's moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing or spam. Dr. Dobb's further reserves the right to disable the profile of any commenter participating in said activities.

Disqus Tips To upload an avatar photo, first complete your Disqus profile. | View the list of supported HTML tags you can use to style comments. | Please read our commenting policy.