Recipe For Building a Cheap Raspberry Pi Honeypot Network

Posted by timothy
from the you-forgot-the-sledgehammer dept.
mask.of.sanity (1228908) writes "Honeypots are the perfect bait for corporate IT shops to detect hackers targeting and already within their networks and now a guide has been published to build a dirt cheap battalion of the devices from Raspberry Pis. "By running honeypots on our internal network, we are able to detect anomalous events. We gain awareness and insight into our network when network hosts interact with a Raspberry Pi honeypot sensor," the author explained."
  • by rebelwarlock (1319465) on Saturday August 02, 2014 @03:41AM (#47587733)
    It's a computer. You can do a lot of things with a computer. Why do we need an article every time anyone uses it for anything?
    • by owlstead (636356)
      In this case I agree. It's: 1) install raspbian 2) install [dionaea](http://dionaea.carnivore.it/), the honeypot software. And...that's about it. Some general download and configuration options are present. It's easy to follow and read and therefore probably a good blog entry, but not exactly news.
      • by BitZtream (692029)

        It's worse than that. The Raspberry Pi has bad ethernet and is woefully underpowered.

        Sure you can make it a honeypot, but it'll drop half the packets heading for it and even with a slight flood it's going to be overloaded.

        • Honeypot. Flood.

          You don't get it.

          You can put these on isolated segments, VLANs, whatever but importantly: wherever in the system you want to attract the bees.

          So long as it can send even one "ouch" packet, it's done its job, saved your ass, and saved you hours looking through even great syslog managers to find symptoms of internal infections.

          Do they cost? Not much. Aren't VMs cooler to use? No, because you want them randomly everywhere, not just in your VM farms. Yes, VM honeypots are a great idea. No, you c

    • by msauve (701917)
      It's timothy. He needs all the help he can get, and obviously found it useful.
  • by Anonymous Coward on Saturday August 02, 2014 @03:56AM (#47587749)

    Why not buy a cheap couple of hundred dollar PC and run as many VMs as could possibly fit. Install a really old Linux distribution (or early Windows) and the resource use is small. Many honey pots with less maintenance....

  • Instead of putting out bait to encourage people to have a go at fragile systems what about hardening the stuff you've got or put it in segments behind stuff you can harden? Putting out fragile honeypots can lead to wasting time on the merely curious who are no real threat to systems that are not fragile.
    • Who said anything about putting it out as bait?
      The article specifically talks about using it on an internal network.
      • Yes - bait on an internal network to catch people who see the "shiny" and act.
        The question to ask before deploying such things is to ask yourself (or your boss) what your job actually is. Is it to catch a number of people and meet some sort of "arrest quota" or is it to actually protect things? If it's the former then putting up fragile things to attract the attention of the weak willed may be a go, but if it's the latter you may well just be wasting time while the serious threats are getting into your ser
        • by oggiejnr (999258) on Saturday August 02, 2014 @08:03AM (#47588161)

          The aim of honeypots in this scenario isn't to bait out people but software. The first thing that a targeted piece of malware is likely to do is find other systems to infect and map out the internal network. If a computer in the accounts department is suddenly firing off CIFS requests at your honeypot it is an anomaly that should be investigated. It's much easier to find dodgy traffic if there isn't supposed to be any rather than looking for it in the corporate network as a whole.

          If it turns out it was a bored intern browsing the local network then the situation can be explained. If it was an opened dodgy e-mail or other attack vector then the machine can be wiped and connection logs gathered so that a clean-up operation can be attempted.

          • by dbIII (701233)
            So why a honeypot and not traffic monitoring?
            • Let's consider the last piece of malware I dealt with. It searched the network for shared storage and did nasty things on the storage. The REAL storage server is used by thousands of people, so it gets many, many requests per minute. Sorting out legitimate use of the storage vs something suspicious would be nearly impossible. The honeypot storage, on the other hand, gets NO legitimate traffic. Any traffic to the honeypot is worth investigation. That makes it a much more reliable way to find malware or ot

              • I should emphasize strange traffic being investigated doesn't mean anyone gets in trouble. The head of security cut off my network port once when he detected something weird. I explained what I was doing. He pointed out a security concern, and we agreed to a compromise configuration we could both live with.

              • by dbIII (701233)

                Do you have any idea how much traffic a corporate mail server can get?

                If your network is too large to comprehend then apply an engineering solution instead of a basket weaving solution and handle things in manageable chunks. Since IT folk like to pretend they are engineers (which was to my benefit when I changed careers from engineering a couple of decades back) why not act like them? Suspicious stuff coming in or out of segments is one way of tracking, does that really compare with hoping something random

              • active directory

                I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot. I can see now why you grasp at straws such as honeypots and hope the malware is so badly written that they randomly get attacked before your real systems instead of the malware taking a look at what the machine it is on has connected to in the past.
                After they do

                • > > active directory

                  > I see now - fully trusted hosts, potential malware ridden with no way to keep it off other than hoping the antivirus
                  > updates arrive before the malware, and a closed system where you have to guess at the legitimate traffic to boot.

                  Yep, welcome to office networking. In a government office, throw in a few DOS terminals and other systems that haven't seen a security update since 1982.

                  • by dbIII (701233)
                    You've got me. While a honeypot doesn't seem that useful versus an active cracker my arguments fall down against dumb malware and script kiddies.
  • Do the other "thing" Raspberry Pis are semi "good" for (minus a slow XBMC system).
    Turn your raspberry Pi into a dedicated BitTorrent power house!

    Premade optimized image here:
    http://fuzon.co.uk/phpbb/viewt... [fuzon.co.uk]

    Honeypots, what a waste of an ARM.... ;)

  • by Fnord666 (889225)
    Or I could do the same thing with VMs and not tie up a bunch of physical resources in the process.
  • ... which is great because I get to learn something with y'all helping.

    This honeypot inside a network intrigues me. If I created a share on a server (or desktop) that was useless, would that serve as a honeypot looking to serve as a trip wire for malware that goes after shares?

    In a Windows environment, all I know to do is look at Event logs. I don't know how to get Security events to bark.

    I read the article(s) but it was a "whoosh," event.

    Thanks.

    • by dbIII (701233)
      No you understand fine - it is a "whoosh" event.
      Sexconker above put it far better than I could:

      It's like running a lumber yard and instead of putting fire alarms, smoke detectors, etc. in all of your buildings and monitoring them, you have a big unprotected building full of sawdust and small bits of wood next to your other buildings. Then you put a fire alarm on it so you know when there's a fire. It's fucking retarded.

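The detection model argued for in the thread (oggiejnr's and the dbIII sub-thread): an internal honeypot sensor has no legitimate clients, so every connection it sees is worth a look, and a source probing file-share ports is the highest-priority case. The script below is an added example, not code from the article, dionaea, or any commenter; the log format, the management-host list and the sample records are constructed for illustration.

```python
# Added example: triage connection records from an internal honeypot sensor.
# Premise from the thread: the sensor gets NO legitimate traffic, so every
# source that touches it is an alert. The one exclusion is the sensor's own
# management hosts (log collector, admin box), which otherwise become noise.
from collections import defaultdict

# Constructed sample records in a hypothetical "ts src dst dport proto" format.
SAMPLE_LOG = """\
2014-08-02T03:41:00 10.1.20.15 10.1.9.200 445 tcp
2014-08-02T03:41:01 10.1.20.15 10.1.9.200 139 tcp
2014-08-02T03:41:02 10.1.20.15 10.1.9.200 22 tcp
2014-08-02T03:41:05 10.1.1.5 10.1.9.200 22 tcp
2014-08-02T03:42:10 10.1.20.15 10.1.9.200 445 tcp
2014-08-02T03:43:00 10.1.30.7 10.1.9.200 80 tcp
"""

# Hypothetical hosts allowed to reach the sensor (e.g. the syslog collector).
MANAGEMENT_HOSTS = {"10.1.1.5"}
# CIFS/SMB ports: the first thing the thread expects LAN-spreading malware to probe.
FILE_SHARE_PORTS = {139, 445}

def parse_line(line):
    """Split one record into its fields; dport becomes an int."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}

def triage(log_text, management_hosts=MANAGEMENT_HOSTS):
    """Per-source summary of every connection to the sensor, management hosts excluded."""
    hits = defaultdict(lambda: {"count": 0, "ports": set(), "first": None, "share_probe": False})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["src"] in management_hosts:
            continue
        h = hits[rec["src"]]
        h["count"] += 1
        h["ports"].add(rec["dport"])
        h["first"] = h["first"] or rec["ts"]       # keep the earliest timestamp
        if rec["dport"] in FILE_SHARE_PORTS:
            h["share_probe"] = True                 # share enumeration: investigate first
    return dict(hits)

def alerts(log_text):
    """One alert line per offending source; share probes are flagged HIGH."""
    out = []
    for src, h in sorted(triage(log_text).items()):
        prio = "HIGH" if h["share_probe"] else "MEDIUM"
        out.append(f"{prio} {src} first_seen={h['first']} connections={h['count']} ports={sorted(h['ports'])}")
    return out

if __name__ == "__main__":
    print("\n".join(alerts(SAMPLE_LOG)))
```

On the sample records, the accounts-department style host 10.1.20.15 comes out as HIGH (ports 139/445 plus an SSH poke), the web-only source as MEDIUM, and the collector is not reported at all.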