2008-02-14
Article continued from Page 1
At the very lowest level of interaction, we have a tool known as a network telescope, or darknet. This is IP address space which is advertised but has no hosts connected to it. Instead of faking a network using a tool such as honeyd, the operator simply observes the traffic arriving at this network segment. Since there are no real machines on it, scans of the address space are very easy to spot. The network telescope may also show evidence of 'backscatter': when machines elsewhere on the Internet forge packets whose source addresses lie in the telescope's range, the telescope receives the replies, namely RST or SYN+ACK packets (in the case of TCP) or replies and ICMP unreachable messages (in the case of UDP).
Probably the most famous is CAIDA's network telescope, which covers around 1 in every 256 IP addresses. Data from it has been used to analyse the spread of worms such as Witty and Slammer. (See also descriptions of Witty and SQL Slammer/Sapphire.)
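As an added illustration (not code from the article or from CAIDA), the following script classifies packets arriving in a darknet range into probes and backscatter using the TCP flag and ICMP type distinctions described above, and flags sources that probe several addresses. The prefix and all traffic are constructed from documentation address ranges.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed darknet prefix for the example (TEST-NET-1, not a real telescope).
DARKNET = ip_network("192.0.2.0/24")

def classify(pkt):
    """Label one packet arriving in the darknet as a probe or as backscatter."""
    if pkt["proto"] == "tcp":
        flags = set(pkt["flags"])
        if flags == {"SYN"}:
            return "probe"          # unsolicited connection attempt: a scan
        if "RST" in flags or flags == {"SYN", "ACK"}:
            return "backscatter"    # reply to a SYN that spoofed one of our addresses
        return "other"
    if pkt["proto"] == "icmp":
        # ICMP type 3 (destination unreachable) is the UDP analogue of backscatter
        return "backscatter" if pkt["type"] == 3 else "probe"
    if pkt["proto"] == "udp":
        return "probe"
    return "other"

def summarize(packets, min_targets=3):
    """Count packet classes and list sources that probed >= min_targets addresses."""
    counts = defaultdict(int)
    targets = defaultdict(set)      # probing source -> distinct darknet addresses hit
    for pkt in packets:
        if ip_address(pkt["dst"]) not in DARKNET:
            continue                # not ours; a real sensor would never see this
        label = classify(pkt)
        counts[label] += 1
        if label == "probe":
            targets[pkt["src"]].add(pkt["dst"])
    scanners = sorted(src for src, hit in targets.items() if len(hit) >= min_targets)
    return dict(counts), scanners

# Constructed sample traffic (documentation address ranges only).
SAMPLE = [
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.1", "flags": ["SYN"]},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.2", "flags": ["SYN"]},
    {"proto": "tcp", "src": "198.51.100.7", "dst": "192.0.2.3", "flags": ["SYN"]},
    {"proto": "tcp", "src": "203.0.113.9", "dst": "192.0.2.50", "flags": ["SYN", "ACK"]},
    {"proto": "icmp", "src": "203.0.113.10", "dst": "192.0.2.51", "type": 3},
    {"proto": "udp", "src": "198.51.100.8", "dst": "192.0.2.4"},
    {"proto": "tcp", "src": "198.51.100.8", "dst": "10.0.0.1", "flags": ["SYN"]},
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```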
Looking for trouble: Client honeypots
One relatively new distinction is between traditional (server) honeypots, such as Niels Provos' honeyd, and client honeypots. Instead of passively waiting for an attack, client honeypots will actively search out malicious servers; typically this has centered on web servers that deliver client-side browser exploits, but is certainly not limited to such. Recently, client honeypots have expanded to investigate attacks on office applications.
Examples of client honeypots are the MITRE HoneyClient, Shelia, Honeymonkey, and CaptureHPC. These client honeypots all work on the same principle. We start with a dedicated system, which is usually based on some virtualization technology so it can be automatically reset into a clean state after a successful infection. The client honeypot interacts with potentially malicious servers and monitors the system for unauthorized state changes that occur during or after the interaction with the server. If, for example, we observe extra files in C:\Windows\system32 and additional registry keys in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, we know that the server we have just interacted with must have been malicious and manipulated our machine to run some code upon the next system restart. Unauthorized state changes that can occur on a machine range from the mentioned changes on the file system and registry to changes to network connections, memory, processes, et cetera.
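The state-change comparison above, written out as an added example (it is not code from any of the tools named): two snapshots of the file system and the Run key are diffed, expected side effects of browsing are filtered through a constructed allow-list, and anything left over classifies the server as malicious. The file and value names in the snapshots are constructed.

```python
import fnmatch

# Constructed allow-list: paths a clean browsing session is expected to touch.
EXPECTED_PATHS = [
    r"C:\Documents and Settings\*\Local Settings\Temporary Internet Files\*",
    r"C:\Windows\Prefetch\*",
]
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"

def is_expected(path):
    return any(fnmatch.fnmatch(path.lower(), pat.lower()) for pat in EXPECTED_PATHS)

def diff_state(before, after):
    """Unauthorized changes; a snapshot is {"files": {path: digest}, "registry": {key: {name: value}}}."""
    findings = []
    for path, digest in after["files"].items():
        old = before["files"].get(path)
        if old == digest or is_expected(path):
            continue                       # unchanged, or an expected side effect of browsing
        findings.append(("file", "created" if old is None else "modified", path))
    for path in before["files"].keys() - after["files"].keys():
        if not is_expected(path):
            findings.append(("file", "deleted", path))
    for key, values in after["registry"].items():
        old_values = before["registry"].get(key, {})
        for name, value in values.items():
            if old_values.get(name) != value:
                findings.append(("registry", "set", f"{key}\\{name}={value}"))
    return findings

def is_malicious(before, after):
    return bool(diff_state(before, after))  # any leftover change => server classified malicious

# Constructed snapshots: a clean baseline and the state after visiting one server.
BEFORE = {
    "files": {r"C:\Windows\system32\kernel32.dll": "aaaa"},
    "registry": {RUN_KEY: {"ctfmon.exe": r"C:\Windows\system32\ctfmon.exe"}},
}
AFTER = {
    "files": {
        r"C:\Windows\system32\kernel32.dll": "aaaa",
        r"C:\Windows\system32\winupd8.exe": "bbbb",        # dropped file (constructed name)
        r"C:\Windows\Prefetch\IEXPLORE.EXE-1.pf": "cccc",  # benign, matches allow-list
    },
    "registry": {RUN_KEY: {
        "ctfmon.exe": r"C:\Windows\system32\ctfmon.exe",
        "winupd8": r"C:\Windows\system32\winupd8.exe",     # new autorun entry
    }},
}
```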
Since we originally wrote this article, Capture HPC is now in version 2.0 and allows the use of different clients, such as Firefox, RealPlayer, Microsoft Word, etc., as well as an option to collect pushed malware and log tcpdump captures of the interactions between client and webserver. A paper on initial results using this tool is now available as Know Your Enemy: Malicious Web Servers.
Client honeypots need to interact with servers in order to determine whether they are malicious or not. With high interaction client honeypots, this is quite expensive, and therefore the selection of which servers to interact with can greatly increase the success rate of finding malicious servers on a network. There are several sources one can use: a crawler is probably the most traditional way to access a large quantity of web servers. Combined with link scoring, a method implemented by HoneyClient, and filtering, this method can yield good results. Alternatively, one can mine links directly from known bad sources, such as spam email messages. Search engine integration, in which keywords are submitted to obtain links from specific content areas (for example, adult content), also yields good results.
Distinction of the interaction level also applies to client honeypots. Client honeypots that drive a vulnerable client to interact with servers and classify a server as malicious based on state changes are high interaction client honeypots. On the other hand, a low interaction client honeypot uses a simulated client, such as wget in place of Internet Explorer, and assesses the malicious nature of a server via static analysis, such as signatures. The danger of spreading infections, which is very real on high interaction client honeypots, is greatly reduced with these low interaction client honeypots, because vulnerable clients are only emulated. SpyBye and HoneyC are available low interaction client honeypots that perform simple rule based and signature matching to detect client-side attacks.
Increased speed and lower resource consumption are the greatest advantages of these low interaction client honeypots. However, since they are usually rule and signature based, they are not able to detect previously unseen attacks (0-days). High interaction client honeypots are better at detecting these sorts of attacks since they do not need prior knowledge of an attack in order to detect it. Microsoft is said to have identified and patched several 0-day flaws in Internet Explorer based on results from their farm of high interaction Honeymonkey machines.
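To make the low interaction approach of the two paragraphs above concrete, here is an added example (not the rule sets of SpyBye or HoneyC) of a small rule-and-signature scanner run over page bodies as a simulated client such as wget would fetch them. The rules, weights and both page bodies are constructed; as the text notes, a scanner of this kind only sees what its rules already describe.

```python
import re

# Constructed rules in the style of a signature-based low interaction client honeypot;
# they are illustrative and are not the actual SpyBye or HoneyC rule sets.
RULES = [
    ("hidden_iframe", re.compile(r"<iframe\b[^>]*\b(width|height)\s*=\s*[\"']?0\b", re.I), 3),
    ("eval_unescape", re.compile(r"\beval\s*\(\s*unescape\s*\(", re.I), 3),
    ("long_escape_run", re.compile(r"(%u?[0-9a-f]{2,4}){40,}", re.I), 2),
    ("offscreen_block", re.compile(r"position\s*:\s*absolute[^>]*\b(left|top)\s*:\s*-\d{3,}px", re.I), 1),
]
THRESHOLD = 3   # total weight at which the server is flagged

def scan_page(html):
    """Apply every rule to the fetched body (as wget would retrieve it) and score it."""
    hits = [(name, weight) for name, rx, weight in RULES if rx.search(html)]
    score = sum(weight for _, weight in hits)
    return {"score": score, "hits": [name for name, _ in hits], "malicious": score >= THRESHOLD}

# Constructed page bodies standing in for what the simulated client fetched.
BENIGN = ("<html><body><h1>Welcome</h1>"
          "<iframe src='ads.html' width='300' height='250'></iframe></body></html>")
SUSPECT = ("<html><body><p>Loading...</p>"
           "<iframe src='http://example.invalid/x' width='0' height='0'></iframe>"
           "<script>eval(unescape('%61%6c%65%72%74'));</script></body></html>")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, scan_page(body))
```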
Niche players: Application-specific honeypots
As well as general purpose honeypots which provide or mimic vulnerable systems, there are application or protocol specific honeypots. There are many honeypots designed to catch spam by masquerading as open email relays or open proxies. Jackpot is written in Java and pretends to be a misconfigured SMTP server which allows relaying. Instead, however, it presents a list of messages to the user, who can then pass the spammer's test message and hold the rest of the spam run. (Usually, spammers will attempt to deliver a test email to verify that the host in question is actually an open relay.)
Another example is Proxypot -- although this appears to be no longer maintained. See Fighting Spammers With Honeypots: Part 1 and Part 2 for more details on using honeypots to block, or discover more about spam.
Another protocol which has been given attention recently is HTTP, specifically web application honeypots. The Google Hack Honeypot provides various different modules, one of which looks like a misconfigured version of PHPShell. PHPShell allows an administrator to execute shell commands via a web interface, but access to it should be restricted using a password at the very least. In the Google Hack Database, there is a search which will match on unprotected PHPShell applications and the GHH module attempts to reproduce this interface. GHH has a central web interface which allows the operator to monitor commands users are trying to execute.
