Honeypot Tutorials – Modes & Working of Honeypot


Overview :

For every business organization on Internet, viruses, worms, and crackers are but a few security threats. Above all we cannot tell as to when, where and how our data or any other valuable information will be compromised. The only thing we can do to ensure the safety of our data is to take preventive measures. Honeypots are one such preventive software that are employed in a network to study the trail of unauthorized access and at the same time alert the network administrator of a possible intrusion. Actually, it is a trap set to detect attempts at unauthorized use of information system. The attacker always thinks that he is extracting some useful information but in turn a honeypot installed system attracts him away from the critical resources and traps him by following his trail. The value of a Honeypot lies in unauthorized and illicit use of that resource.

The Idea behind honeypot is to set up a ‘decoy’ system that has non-hardened operating system or one that appears to have much vulnerability for easy access to its resources. A Honeypot can detect attacks by capturing polymorphic code, capturing a variety of attacks, working with encrypted data and acquiring signatures. Honeypots are valuable surveillance and network forensic tool but at the same time it can carry risks to a network, and must be handled with care. It requires a considerable amount of network administration and understanding of protocol and security.

Honeypots work in two modes:

Research mode: As the name suggest in this mode the software tries to characterize the environment on attacker motivations, attack trends and emerging threats.
Production mode: This is the place where all the prevention work is being carried out. At this time the honeypot is used to prevent, detect and respond to attacks. The prevention is accomplished through deterrence and by diverting an attacker to interact with the ‘decoy’ rather than critical files.

Now the question arises how does Honeypots work?

Honey pots are generally based on a real server, real operating system, and with data that appears to be real. One of the main differences is the location of the machine in relation to the actual servers. The most important activity of a honeypot is to capture the data, the ability to log, alert, and capture everything the bad guy is doing. Most honeypot solutions, such as Honeyd or Specter, have their own logging and alerting capabilities. This gathered information can prove to be quiet critical against the attacker.


  • Relevant data set:  Although Honeypots collect small amount of data but almost all of this data is real attack or unauthorized activity.
  • Reduced false positive: With most detection technologies (IDS, IPS) a large percentage of alerts are false warnings, while with Honeypots this is not the case.
  • Cost effective: Honeypot only interacts with malicious activity and do not require high performance resource.
  • Simplicity: Honeypots are very simple to understand, deploy and maintain.


Limited view: Honeypots only see activities that interact with them and do not capture attack, directed against other existing systems.
Risk of being compromised: A Honeypot may be used as a platform to launch further attacks.
At the end it would not be wrong to say that honeypots are good resources to track attackers, and its value lies in being attacked. But at the same time due to the listed disadvantages above Honeypots cannot replace any security mechanisms; they can only work to enhance the overall security.