the same segment as Honeyd, he will not notice anything particularly suspicious.
IP Addressing and Network Emulation
Honeyd can be assigned one or more IP addresses using Honeyd's bind command. With the help of the Arpd program (currently available only in the Unix version), Honeyd can respond for any unassigned IP address in your environment. IP addresses are bound to one or more OS personalities when defining templates, as described in the next section. Honeyd can emulate entire IP networks, composed of one or more subnets spread among many routers, each with its own latency and packet loss rate. The Windows version of Honeyd is limited to a rooted tree network topology model, where there is one entry point and one exit point, but most real networks follow this model anyway.
■ Note
The newer Unix version of Honeyd supports asymmetric routes using trinary tree algorithms. It also lets you define GRE tunneling for layering one protocol over another.
CHAPTER 5 ■ HONEYD INSTALLATION 128
When a packet heads for a destination IP address, it enters at the root (gateway) IP address and traverses networks and virtual routers until it reaches its final destination. Honeyd accumulates packet loss and latency (as defined in the Honeyd configuration file) from source to destination to determine whether a packet gets delivered (or dropped) and its delivery speed. Some honeypot administrators purposely slow down packets to and from the honeypot in order to slow down the hacker. This makes the job of the honeypot administrator a bit easier, because there is less information to deal with. Network emulation is done well enough to fool traceroute and pathping (Windows 2000 and above) type utilities.
■ Tip
You can get sophisticated enough with Honeyd's virtual networks to set up virtual router hosts matching your network layout. That way, when the hacker is mapping your network topology, you can offer up emulated router hosts for the hacker to attack.
Honeyd OS Personalities
To summarize, Honeyd can emulate IP packet information, sequence numbers, UDP packet headers, TCP packet headers, TCP flags, TCP window size, and ICMP responses. It can assist with ARP replies and represent one or more IP addresses, potentially making up entire virtual networks.
Honeyd refers to all these IP stack characteristic emulations as OS personalities. Honeyd's annotate command ties other handling characteristics, such as how Honeyd should handle fragments, to a particular personality. Before Honeyd sends any packet, it is analyzed and manipulated by the underlying personality to make sure it accurately mimics the forged OS. One instance of Honeyd can emulate one or more personalities. You can add your own custom emulations, but to find out what OSs Honeyd supports by default, open and view Honeyd's Nmap.prints file. It contains 17 different versions of Windows, from Windows 3.1 with Trumpet Winsock 2.0 to Windows XP and Windows Server 2003. Currently, Honeyd has the following Windows personalities defined:
• Windows 3.1 with Trumpet Winsock 2.0 revision B
• Windows for Workgroups 3.11 / TCP/IP-32 3.11b stack or Win98
• Windows NT4 / Win95 / Win98
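The following Honeyd configuration file pulls together the commands discussed in this section and the one before it: a template with a personality from Nmap.prints, an annotate line tying fragment handling to that personality, a rooted-tree virtual network with per-link latency and loss, emulated router hosts that answer traceroute, and bind commands that attach the templates to addresses. It is an added example, not a listing from the book; the addresses, template names, and the service-script path are assumptions, and the personality string must match an entry in Nmap.prints character for character.

```text
# Honeyd configuration (added example; addresses, names, and paths are assumptions)

# Host template: the IP stack fingerprint comes from the named Nmap.prints entry
create winhost
set winhost personality "Windows NT4 / Win95 / Win98"
set winhost default tcp action reset
set winhost default udp action reset
set winhost default icmp action open
add winhost tcp port 139 open
# assumed path to a service-emulation script shipped with Honeyd
add winhost tcp port 80 "sh scripts/web.sh"

# Router template so each virtual hop answers probes and shows up in traceroute
create router
set router personality "Windows NT4 / Win95 / Win98"
set router default tcp action reset
set router default udp action reset
set router default icmp action open

# Fragment handling is a property of the personality, not of the template
annotate "Windows NT4 / Win95 / Win98" fragment drop

# Rooted tree: one entry router owns 10.0.0.0/16 and links the first subnet directly
route entry 10.0.0.1 network 10.0.0.0/16
route 10.0.0.1 link 10.0.0.0/24
# Second subnet sits one hop deeper; Honeyd adds 55 ms and a 10% loss rate per traversal
route 10.0.0.1 add net 10.0.1.0/24 10.0.1.1 latency 55ms loss 0.1
route 10.0.1.1 link 10.0.1.0/24

# Bind templates to addresses; on Unix, arpd must be claiming these addresses
bind 10.0.0.1 router
bind 10.0.1.1 router
bind 10.0.0.10 winhost
bind 10.0.1.20 winhost
```

A traceroute to 10.0.1.20 from outside the honeypot segment should show 10.0.0.1 and then 10.0.1.1 before the host, with the configured delay appearing at the second hop.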