ABSTRACT
This entry focuses on operating a research honeypot, or a
“honeynet.” The term “honeynet,” as used in this entry,
originated in the Honeynet Project and means a network
of systems with fairly standard configurations connected to
the Internet. The only difference between such a network
and a regular production network is that all communication
is recorded and analyzed, and no attacks targeted at third
parties can escape the network. Sometimes, the system
software is slightly modified to help deal with encrypted
communication, which attackers often use. The systems are
never “weakened” for easier hacking, but are often
deployed in default configurations with a minimum of
security patches. They might or might not have known
security holes. The Honeynet Project defines such honeypots
as “high-interaction” honeypots, meaning that attackers
interact with a deception system exactly as they would
with a real victim machine. On the other hand, various
honeypot and deception daemons are “low-interaction”
because they only provide an illusion to an attacker, and
one that can hold their attention for a short time only. Such
honeypots have value as an early attack indicator but do not
yield in-depth information about the attackers.