Dionaea is a low-interaction honeypot that emulates network services to attract attackers. The document covers Dionaea's old and new emulated services, including FTP, HTTP, MongoDB, MQTT, MSSQL, MySQL, PPTP, SIP, SMB, TFTP, and UPnP. It also describes how Dionaea captured WannaCry by emulating the vulnerable SMB service the worm exploits. Honeypots are useful because they record attacker behaviour directly, including activity that signature-based intrusion detection systems miss.
2. Honeypot
• A Honeypot is
– a system designed to be exploited, whether through
emulated vulnerabilities, real vulnerabilities, or weaknesses.
“Generally it consists of a computer, data, or a network
site that appears to be part of a network, but is actually
isolated and monitored, and which seems to contain
information or a resource of value to attackers.”
Source: Malware Analyst's Cookbook
3. Honeypot
• Two types of Honeypot:
– Low Interaction
• Emulate the services attackers most frequently probe; the attacker never reaches a real system
• E.g. Dionaea, Kippo, Honeytrap
– High Interaction
• Real systems running real services, instrumented so that everything the attacker does is recorded
• E.g. HiHAT
• Virtual Machine is commonly used for ease of maintenance
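As an added example that is not part of the original slides or of Dionaea's own code, the following shows what "low interaction" means in practice: a tiny FTP emulator that speaks just enough of the protocol to keep an attacker talking (banner, USER/PASS, SYST, file commands) while logging every command, credential pair and requested path as a structured event. The server banner, port 2121 and the sample session transcript are constructed assumptions, not captured data.

```python
import json
import socketserver
import time

# Constructed session transcript for offline demonstration (not a real capture).
SAMPLE_SESSION = [b"USER root", b"PASS toor", b"SYST", b"RETR /etc/passwd", b"QUIT"]

# Assumed banner; attackers and scanners fingerprint this string, so it should look real.
BANNER = b"220 ProFTPD 1.3.5 Server ready.\r\n"


class FtpEmulator:
    """Minimal low-interaction FTP emulation.

    Every credential is accepted and every command is recorded; no file system
    or data channel exists, so there is nothing real for the attacker to reach.
    """

    def __init__(self, peer="test"):
        self.peer = peer
        self.user = None
        self.closed = False
        self.events = []

    def _log(self, kind, **fields):
        fields.update(ts=time.time(), peer=self.peer, kind=kind)
        self.events.append(fields)

    def handle(self, line: bytes) -> bytes:
        """Return the reply for one client line and record what was asked."""
        text = line.decode("latin-1", "replace").rstrip("\r\n")
        verb, _, arg = text.partition(" ")
        verb = verb.upper()
        self._log("command", verb=verb, arg=arg)
        if verb == "USER":
            self.user = arg
            return b"331 Password required for %s\r\n" % arg.encode("latin-1", "replace")
        if verb == "PASS":
            # Accept any password: the credential pair itself is the artefact of interest.
            self._log("login", user=self.user, password=arg)
            return b"230 User %s logged in\r\n" % (self.user or "").encode("latin-1", "replace")
        if verb == "SYST":
            return b"215 UNIX Type: L8\r\n"
        if verb in ("RETR", "STOR", "LIST"):
            # No data channel is emulated; record the target path and refuse.
            self._log("file", verb=verb, path=arg)
            return b"550 %s: Permission denied\r\n" % arg.encode("latin-1", "replace")
        if verb == "QUIT":
            self.closed = True
            return b"221 Goodbye.\r\n"
        return b"502 Command not implemented.\r\n"


def run_session(lines, peer="test"):
    """Drive the emulator over a list of client lines; returns (replies, events)."""
    emu = FtpEmulator(peer)
    replies = [BANNER]
    for line in lines:
        replies.append(emu.handle(line))
        if emu.closed:
            break
    return replies, emu.events


class Handler(socketserver.StreamRequestHandler):
    """Socket front end: one emulator per connection, events printed as JSON lines."""

    def handle(self):
        emu = FtpEmulator("%s:%d" % self.client_address)
        self.wfile.write(BANNER)
        while not emu.closed:
            line = self.rfile.readline()
            if not line:
                break
            self.wfile.write(emu.handle(line))
        for event in emu.events:
            print(json.dumps(event))


if __name__ == "__main__":
    # Assumed listener: unprivileged port 2121 stands in for FTP's port 21.
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    socketserver.ThreadingTCPServer(("0.0.0.0", 2121), Handler).serve_forever()
```

The point of the emulator is the event stream, not the protocol: a single session yields the credentials tried and the paths requested, which is the behavioural data a signature-based IDS would not produce. Real honeypots such as Dionaea apply the same idea across many protocols and go further, for example by capturing the payloads an exploit delivers.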
4. Honeypot – Why?
• We have used IDS in the past
– What we have learned:
• Signature-based IDS detect only known attacks; unknown attacks pass unnoticed
• Many false positives (if not properly tuned)
• We use honeypot to:
– Understand what the attacker is doing, i.e. the behaviour of the attack
– Both Low Interaction and High Interaction have their own advantages
and disadvantages