Weekend Project: Use HoneyD on Linux to Fool Attackers

For the security conscious, there is always room for another weapon against attackers. Firewalls, intrusion detection systems, packet sniffers — all are important pieces of the puzzle. So too is Honeyd, the "honeypot daemon." Honeyd simulates the existence of an array of server and client machines on your network, including typical traffic between them. The phantom machines can be configured to mimic the signature and behavior of real operating systems, which will trick intruders into poking at them — and revealing themselves to your security staff.

Current versions of Honeyd can imitate the appearance of more than 1,000 OSes and their variants, and the profiles used to mimic the targets are gleaned from the Nmap security scanner. That does not make them indistinguishable from reality, but it is as close as you can come; Nmap sets the gold standard for OS detection and fingerprinting. Honeyd's creators say they have tested the program with a phantom network of 65,536 virtual hosts running on a single machine. You probably won't need that many unless you run a gigantic enterprise network, but it is nice to know the program has been thoroughly stress-tested.

In practice, Honeyd trips up attackers in two ways. First, it slows them down by vastly increasing the amount of work they must do to correctly identify the real target machines on your network. The Nmap scans and traffic logs will be much larger, and take much longer to sort through. Think of this as akin to the way medieval castles were built with multiple rings of walls, with the gates at different positions around the perimeter. The more you slow down the attacker, the better your chances of catching him or her through your other methods.