The idea behind the IT security concept known as the honeypot is all about luring hackers into a server or network so they can be tracked. The Web Application Security Consortium (WASC) has its own particular brand of honey to attract would-be attackers — a blend of open source and open proxies.
The WASC is now entering Phase Three of its Distributed Open Proxy Honeypot Project, including more participants, sensors and analytical reporting as the project moves into wide deployment. The aim remains the same, however: providing security researchers and law enforcement with a new resource in the battle against Web attacks.
“Ultimately what we’re trying to identify is Web-based attacks — how they are actually happening — because it’s very hard to get real details,” WASC Honeypot Project Leader Ryan Barnett told InternetNews.com.
Barnett, who also serves as director of application security research for Breach Security, described the first two phases of the Open Proxy Honeypot Project as learning phases.
In Phase Three, the project will now have as many as 60 sensors deployed, up from the current 14. Barnett also noted that there will be more people and technology involved on the analysis side to better identify and report about attack traffic.
That’s a critical upgrade, considering the important work the project’s supporters aim to accomplish — and the unique way they’re going about it.
In the typical, Web-based honeypot scenario, the honeypot masquerades as a target for attack. Barnett said that as a result, most honeypots typically attract the attention of automated programs that scan IP ranges and happen to hit the honeypot’s address.
The Open Proxy Honeypot Project is somewhat different.
“It’s just an open proxy server that is open, and people can send traffic through it,” Barnett said.
An open proxy is a relay on a Web server that enables a third party to route any traffic they wish through it. Attackers will often use open proxies in a bid to mask their own identities. So by having an open proxy as a honeypot, the WASC effort is providing attackers with a host for relaying their attacks — or so the attackers will be led to believe.
“The idea is we get a bird’s eye view of what’s happening because we know the bad guys want to hide where they are coming from,” Barnett said. “We’re not the target of the attack — we’re just a conduit.”
Open source is at the heart of the setup. The Open Proxy Honeypot uses the open source mod_security Web application firewall (WAF) to monitor, identify and report the attack traffic. Apache Web servers often use the mod_security WAF to defend against malicious Web traffic by monitoring traffic and applying rules to mitigate application risks.
Barnett’s company, Breach Security, is one of the principal sponsors of the mod_security project, and Breach also offers a commercial version of the WAF.
“I think the idea of using open source mod_security is attractive because it’s not just tied to a commercial product that people can’t use,” Barnett said. “The project participants get a VMware image that has Ubuntu Linux, the Apache Web server and mod_security. The only requirement is that the participants have something that can run the virtual image.”
How the Open Proxy Honeypot Project uses mod_security is also quite different from its typical purpose — stopping attack traffic. Barnett noted that normally, mod_security examines predominantly legitimate traffic in which attacks represent a needle in the haystack.
“With the honeypot, it’s reversed,” Barnett said. “Where instead of looking for the needle in the haystack, everything is needles and you’re just trying to classify it all correctly.”
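To illustrate the "everything is needles" classification problem Barnett describes, here is an added example (not code from the WASC project or from mod_security) that takes a handful of constructed proxied-request records, as an open proxy honeypot would record them, treats every one as suspect, labels each with an attack category, and tallies the result per client and per targeted host. The IP addresses, hostnames, paths and the four rule categories are all assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample of requests as an open-proxy honeypot would log them:
# (client_ip, method, absolute target URL, user agent). The IPs, hosts and
# paths are invented for this example.
SAMPLE_PROXIED_REQUESTS = [
    ("198.51.100.7", "GET", "http://shop.example.net/item.php?id=1' OR '1'='1", "Mozilla/5.0"),
    ("198.51.100.7", "GET", "http://shop.example.net/search?q=<script>alert(1)</script>", "Mozilla/5.0"),
    ("203.0.113.9", "GET", "http://blog.example.org/index.php?page=http://203.0.113.9/sh.txt", "libwww-perl/5.8"),
    ("203.0.113.9", "GET", "http://blog.example.org/wp-login.php", "libwww-perl/5.8"),
    ("192.0.2.44", "GET", "http://mail.example.com/", "Mozilla/5.0"),
]

# In the honeypot every relayed request is assumed hostile; the only job is
# to label it. Order matters: the first matching category wins, and anything
# unmatched is still kept under "unclassified" rather than dropped.
CATEGORIES = [
    ("sqli", re.compile(r"('|%27)\s*(or|and)\s*('|%27)?\d|union\s+select", re.I)),
    ("xss", re.compile(r"<script|%3cscript|javascript:", re.I)),
    ("rfi", re.compile(r"[?&]\w+=https?://", re.I)),
    ("login_probe", re.compile(r"/(wp-login|administrator|admin)\b", re.I)),
]

def classify(url: str) -> str:
    """Return the first matching category name, else 'unclassified'."""
    for name, pattern in CATEGORIES:
        if pattern.search(url):
            return name
    return "unclassified"

def summarize(requests):
    """Count (client, category) and (target host, category) pairs for a report."""
    by_client, by_target = Counter(), Counter()
    for client, _method, url, _user_agent in requests:
        category = classify(url)
        host = re.match(r"https?://([^/]+)", url).group(1)
        by_client[(client, category)] += 1
        by_target[(host, category)] += 1
    return by_client, by_target

if __name__ == "__main__":
    clients, targets = summarize(SAMPLE_PROXIED_REQUESTS)
    for (client, category), count in sorted(clients.items()):
        print(f"{client:15} {category:13} {count}")
    for (host, category), count in sorted(targets.items()):
        print(f"{host:20} {category:13} {count}")
```

The per-target tally is the "bird's eye view" the article refers to: the honeypot is not the victim, so the report shows which hosts the relayed traffic was actually aimed at.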