Honeypots, IDSs, and Firewalls 383
Honeypots
One of the more interesting systems you will encounter is a honeypot. A honeypot may
sound like something out of a Winnie the Pooh book, but it is actually a device or system
deliberately exposed to attract attackers and record what they do while trying to gain
access. Honeypots are far from being just a booby trap: they are also used as research
tools, as decoys that draw attackers away from production systems, and simply to gather
information about the tools and techniques in use. They are not designed to address any
specific security problem, and on their own they do not stop an attack.
Because a honeypot has no production role and no legitimate users, nobody should be
connecting to it at all, so it is safe to assume that any and all interaction with the device
is anything but benign. That is what makes its logs valuable: the usual noise of legitimate
traffic that buries alerts on a production IDS is simply absent.
High vs. Low Interaction
Honeypots are not all created equal. There are two main categories: high- and low-
interaction varieties.
Low-interaction honeypots rely on the emulation of services and programs that would
be found on a vulnerable system (a login banner, a fake web server, an open database port)
without running the real thing. When the honeypot is probed or attacked, it logs the
activity and raises an alert that an administrator can review. Because nothing real is
running, there is little for the attacker to compromise, but a careful attacker can often
tell an emulated service from a genuine one.
High-interaction honeypots are more complex than low-interaction ones: in lieu of
emulation, real operating systems with real applications are present, so an attacker can
be observed all the way through to a full compromise. They are often deployed not as a
single system that looks vulnerable but as an entire network of such systems, known as a
honeynet. Any activity that happens in this tightly controlled and monitored environment
is reported. The price of that realism is risk: a compromised high-interaction honeypot is
a real foothold, so it must be contained so that it cannot be turned against production
systems or third parties.
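The following is an added example, not code from the book: a minimal low-interaction honeypot that emulates a telnet login prompt, never grants access, and turns every connection into an alert record, including a bare banner fetch. The decoy banner, the listen port, the alert fields and the sample attacker input are all assumptions made for the example.

```python
"""Added example (not from the book): a low-interaction telnet honeypot.
Emulates a login dialogue, never succeeds, and logs every interaction."""
import json
import socket
import threading
from datetime import datetime, timezone

BANNER = b"Ubuntu 18.04.6 LTS\r\nlogin: "      # assumed decoy banner
PASSWORD_PROMPT = b"Password: "
FAILURE = b"\r\nLogin incorrect\r\n"            # nobody ever gets "in"
LISTEN = ("0.0.0.0", 2323)                      # assumed; real telnet is tcp/23


def classify_session(received: bytes, peer: str) -> dict:
    """Build an alert record from the raw bytes a client sent.

    A honeypot has no legitimate users, so there is no benign outcome:
    a connection that only fetched the banner is logged as a probe, and
    anything typed at the prompts is logged as a login attempt. Credentials
    are kept because they show which defaults attackers try first.
    """
    fields = [ln.strip("\r ") for ln in received.decode("latin-1").split("\n")]
    username = fields[0] if fields and fields[0] else None
    password = fields[1] if len(fields) > 1 and fields[1] else None
    return {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": peer,
        "service": "telnet-emulated",
        "event": "login_attempt" if username else "banner_probe",
        "username": username,
        "password": password,
        "bytes_received": len(received),
    }


def _read_line(conn: socket.socket, limit: int = 256) -> bytes:
    """Read one LF-terminated line, one byte at a time, capped at `limit`
    so a flood of garbage cannot exhaust the honeypot's own memory."""
    line = b""
    while not line.endswith(b"\n") and len(line) < limit:
        chunk = conn.recv(1)
        if not chunk:
            break
        line += chunk
    return line


def handle_connection(conn: socket.socket, peer: str, sink) -> dict:
    """Drive the fake login dialogue, then hand the alert to `sink`."""
    received = b""
    conn.settimeout(15)
    try:
        conn.sendall(BANNER)
        for reply in (PASSWORD_PROMPT, FAILURE):
            line = _read_line(conn)
            received += line
            if not line:
                break              # scanner went away after the banner
            conn.sendall(reply)
    except OSError:
        pass                       # abrupt disconnects are normal here
    finally:
        conn.close()
    alert = classify_session(received, peer)
    sink(alert)
    return alert


def simulate_client(username: bytes, password: bytes) -> tuple:
    """Offline check: play an attacker over a socketpair and return what the
    attacker saw plus the alert the honeypot produced."""
    client, server = socket.socketpair()
    client.sendall(username + b"\r\n" + password + b"\r\n")
    client.shutdown(socket.SHUT_WR)
    alerts = []
    handle_connection(server, "socketpair", alerts.append)
    seen = b""
    while True:
        chunk = client.recv(4096)
        if not chunk:
            break
        seen += chunk
    client.close()
    return seen, alerts[0]


def serve(sink=lambda a: print(json.dumps(a))) -> None:
    """Accept loop, one thread per connection. Emulation only, no real shell."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(LISTEN)
        srv.listen(16)
        while True:
            conn, addr = srv.accept()
            threading.Thread(target=handle_connection,
                             args=(conn, f"{addr[0]}:{addr[1]}", sink),
                             daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it and point a telnet client at port 2323: every connection, even one that disconnects after reading the banner, produces a JSON alert line. The design choice worth noting is that the honeypot is itself hardened in the small ways that matter: a line-length cap, a socket timeout, and no code path that ever returns a shell.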
Run Silent, Run Deep: Evasion Techniques
Each of the devices covered in this chapter is designed to detect, stop, or slow down an
attack. Since you, as a penetration tester, are trying to test a system, you must be able to
get around these devices if possible, or at least know how to attempt to do so. In this
section we discuss the various evasion mechanisms available, how they work, and which
devices they are designed to deal with.
Denial of Service vs. IDS
Another mechanism for getting around an IDS is to attack the IDS itself with a denial-of-
service (DoS) attack, either directly or by exploiting a weakness in the system. A DoS or
distributed DoS (DDoS) attack overwhelms or disables a target in such a way as to make it
temporarily or permanently unavailable. By consuming vital resources such as CPU,
memory, or network capacity, the attack degrades the target's performance until it is less
able, or completely unable, to respond to legitimate traffic.
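To make the effect of flooding an IDS concrete, here is an added example, not from the book: a toy signature-matching sensor with a finite capture buffer and a fixed inspection budget. Its rules, packet payloads and buffer sizes are constructed for illustration. It shows the failure mode a penetration tester relies on: once the buffer is full, later packets are dropped before any rule sees them (fail-open), so an attack sent behind a flood raises no alert, and the only trace is the sensor's own drop counter.

```python
"""Added example (not from the book): a toy signature IDS with a bounded
capture buffer and a fixed inspection budget, used to show how a flood
starves it. Rules, packets and sizes are constructed for illustration."""
import re
from collections import deque

# Constructed signatures over the payload; a real IDS has thousands.
RULES = [
    ("web-cmd-injection", re.compile(rb";\s*(?:cat|sh|bash)\b")),
    ("sql-injection", re.compile(rb"(?i)union\s+select")),
    ("path-traversal", re.compile(rb"\.\./\.\./")),
]


class ToyIDS:
    """Capture buffer plus rule matcher.

    Two resource limits mimic a real sensor: a finite capture buffer and a
    finite number of packets it can inspect per tick. When traffic arrives
    faster than that, new packets are dropped before any rule sees them.
    The sensor keeps counting those drops, which is the tell-tale to watch.
    """

    def __init__(self, buffer_size: int = 64, budget_per_tick: int = 16):
        self.buffer_size = buffer_size
        self.budget = budget_per_tick
        self.buffer = deque()
        self.inspected = 0
        self.dropped = 0
        self.alerts = []

    def ingest(self, payload: bytes) -> bool:
        """Sniff one packet. Returns False if it was dropped uninspected."""
        if len(self.buffer) >= self.buffer_size:
            self.dropped += 1          # fail-open: no alert, no block
            return False
        self.buffer.append(payload)
        return True

    def tick(self) -> None:
        """Inspect up to `budget` buffered packets against every rule."""
        for _ in range(min(self.budget, len(self.buffer))):
            payload = self.buffer.popleft()
            self.inspected += 1
            for name, rx in RULES:
                if rx.search(payload):
                    self.alerts.append(name)

    def drain(self) -> None:
        """Keep inspecting until the buffer is empty."""
        while self.buffer:
            self.tick()

    def drop_ratio(self) -> float:
        """Fraction of sniffed packets never inspected; the health metric."""
        total = self.inspected + self.dropped + len(self.buffer)
        return self.dropped / total if total else 0.0


def run_scenario(flood_size: int, buffer_size: int = 64) -> dict:
    """Send `flood_size` junk packets, then one real attack, in one burst.

    The burst lands faster than the sensor ticks, so the flood occupies the
    buffer first and the attack packet behind it is dropped, not inspected.
    """
    ids = ToyIDS(buffer_size=buffer_size)
    junk = b"GET /static/" + b"A" * 1200 + b" HTTP/1.1\r\n"        # constructed
    attack = b"GET /cgi-bin/ping?host=127.0.0.1;cat /etc/passwd HTTP/1.1\r\n"
    for _ in range(flood_size):
        ids.ingest(junk)
    attack_seen = ids.ingest(attack)
    ids.drain()
    return {
        "attack_inspected": attack_seen,
        "alerts": ids.alerts,
        "dropped": ids.dropped,
        "drop_ratio": round(ids.drop_ratio(), 3),
    }


if __name__ == "__main__":
    print("quiet  :", run_scenario(flood_size=0))
    print("flooded:", run_scenario(flood_size=500))
```

With no flood the attack packet is inspected and the command-injection rule fires; behind a burst of 500 junk packets the same packet is one of the 437 drops and no alert is raised. The practitioner's check is the drop ratio: a sensor that is being starved says so in its own statistics (Snort, for example, reports dropped packets in its run summary), so a sudden spike in drops during an engagement is itself worth alerting on. The same property cuts the other way for an inline IPS, which may fail closed and take the link down with it.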
If we target an IDS with a DoS attack, something interesting happens: the IDS
functions erratically or not at all. To understand this, think of what an IDS is doing and
how many resources it needs to do it. An IDS is sniffing traffic and comparing every packet
against its rules, which takes a considerable amount of CPU and memory. If these resources
can be consumed by another event, then it can have the effect of changing the behavior of the