Got Hacked? Get even: Using Honeypots, Honeynets, and Sinkholes to Hack the Hackers

If you’ve ever been hacked, you know the feeling of being violated that comes with it. In the simplest and most common scenario, someone has gotten into your email, read your address book, and sent out spam to all of your contacts. Suddenly, ex-girlfriends or boyfriends, ex-employers that you may have hated, or just people you never want to hear from get an email from you with some innocuous message such as, “How are you?”, with maybe some link attached to it. Sure, most will recognize spam when they see it, but some won’t, and you end up having to explain that it wasn’t really you, and maybe you squirm while you have to add some reason why you haven’t remained in contact. Of course, you’re angry, but what can you do?

Generally, most people do nothing. After all, they were most likely attacked by some inhuman botnet. But behind every botnet lies a human face and someone profiting at your expense. They care little about what problems they may have caused in their rampage through the internet. Wouldn’t it be nice to get back at these vermin? Well, it is possible to fight back, at least in some ways. In some cases, you may even be able to track them down and give them the gift that they would never forget: jail time. However, for most people, it would require a certain amount of IT know-how to get such revenge. For a business with an IT department or a good IT person, the odds are better.

Before I’m accused of oversimplifying, let me state upfront that this is exactly what I want to do. So, first of all, what is a honeypot? Well, it’s just what the name implies: an attractive place. In terms of cyber security, it is a place that hackers would be attracted to. Why? Because it appears to be a place that has little protection from a cyber attack. It looks like something real, but isn’t. Honeypots are often set up on false or virtual private servers. You can buy a VPS for a small amount of money and then you’d have something that, to a hacker, would look just like a normal server. You would then have to install some honeypot software (this can be free) that will make your server look even more real. Then, you wait.

Often, within seconds, your server will be under attack. The attackers will begin testing for vulnerabilities. You want to have vulnerabilities but you can’t make the honeypot look too easy to compromise or you might scare the attackers away. Once they find a vulnerability, they will break into the server and try to look for something to steal. Even if they can’t find anything, they will try to set up shop within the server. All the while, you are able to watch what they are doing without them even knowing it. The software will have set up fake files with attractive names, fake passwords and usernames, and even fake connections that lead nowhere but make the attackers think they are spreading through a network. Logs are made of all of their activities.

Thomas Brewster described how he got a group of pentesters (people who test the vulnerability of a computer, server, or web site) to set up some honeypots. The pentesters set up VPS honeypots in four parts of the world that were known centers for cybercrime: China, Russia, Kazakhstan, and Singapore. As expected, they were under attack within seconds, as the sites were scanned for their built-in vulnerabilities. Brewster reports that, “After just five minutes, the Chinese honeypot had attracted 19 separate hackers, who had tried 1,000 different ways to break into the server and exploit it.” By the next day, 431 malicious IP addresses were connected to the server and the number rose to 3,879 by the end of the month. In total, these attacks loaded 36 different types of malware onto the server. Many of the attacks on the Kazakh and Singapore servers were also traced back to China. In fact, 58% of the 9,529 attacks on these three servers showed Chinese origins. Of course, some of these could just have been using Chinese sites as a disguise. However, this does seem to match information found in the 2013 Verizon Data Breach Investigations Report, as is seen in the chart below.

[Chart: honey countries]

If you want a sobering look at real-time cyber attacks, take a look at this.

Here is an analysis of a typical Chinese attack that they experienced. First of all, the server was set up to accept any password. The attacker logged in through the server’s FTP service. They then typed in “dir” to get a list of directories on the server. Again, some honeypot software will place attractive directories here; however, this particular server had none, so the attacker simply uploaded a malware file which enabled a keylogger. The keylogger would then send any activity (bank account numbers, passwords, etc.) back to the attacker. Other attacks attempted to set up botnets or otherwise compromise the system. In these particular attacks, the pentesters arranged to have the hackers taunted while they asked for certain types of access (Hacker types: “run x”; Honeypot responds: “No way!”). Honeypots recently caught Chinese hackers from the subsequently indicted APT1 team when they tried to break into what they thought was a municipal water supply system. Unfortunately, honeypots often only delay the hackers. When they realize they are foiled, they simply move on to the next victim because, as this study found, there are always victims with poor security just waiting to be victimized.
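The accept-any-password FTP decoy described above can be sketched as follows. This is an added example, not the pentesters' software or code from the original article; the class name, the bait listing, and the choice to log upload attempts rather than store the file are assumptions.

```python
import json
import time


class FtpDecoySession:
    """One attacker connection to a low-interaction FTP decoy (hypothetical names)."""

    # Constructed bait listing; none of these files exist on disk.
    FAKE_LISTING = ["backup_2013.zip", "passwords.txt", "payroll.xls"]

    def __init__(self, peer_ip, log):
        self.peer_ip = peer_ip
        self.log = log            # list that receives one JSON line per event
        self.user = None
        self.authed = False

    def _record(self, event, **fields):
        entry = {"ts": time.time(), "src": self.peer_ip, "event": event, **fields}
        self.log.append(json.dumps(entry, sort_keys=True))

    def handle(self, line):
        """Take one FTP command line, log it, and return the decoy's reply."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            self.user = arg
            self._record("user", user=arg)
            return "331 Password required"
        if verb == "PASS":
            # Any password is accepted; the guess itself is kept as intelligence.
            self.authed = True
            self._record("login", user=self.user, password=arg)
            return "230 Login successful"
        if not self.authed:
            self._record("unauthenticated", command=line.strip())
            return "530 Please login with USER and PASS"
        if verb in ("LIST", "NLST"):
            # A client-side "dir" arrives as LIST; data channel omitted for brevity.
            self._record("listing")
            return "\r\n".join(self.FAKE_LISTING)
        if verb == "STOR":
            # Uploads are never written or executed; only the attempt is logged.
            self._record("upload_attempt", filename=arg)
            return "550 Permission denied"
        self._record("command", command=line.strip())
        return "502 Command not implemented"
```

Each log line carries the source address, the credentials tried and the command issued, which is the record an analyst reviews after the session ends.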

One step up from the honeypot, and somewhat related to it, is the honeynet. It is simply a fake network set up with vulnerabilities that would attract an attacker. Once an attacker is trapped in the network, their methods can be tracked and analyzed. Their attempts at contacting remote addresses or communications with the network from outside the network can be registered and used to identify them. Sometimes honeynets are set up simply to lure attackers away from the actual network and then trap them within it and away from normal network activity.

If you know that a particular IP address or domain name regularly participates in the proliferation of malware, you can deflect the attacker from your address and into a sinkhole. A sinkhole is just a false IP address where the malware can go and then be analyzed. It is possible that the attacker is so in name only. They may be part of a botnet and not even realize they are being used. Sometimes these innocent victims can be informed of how they are being used and have their names removed from blacklisted sites. Hopefully, they will then shore up problems in their security.
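A DNS-based form of the sinkhole described above, as an added example that is not from the original article: lookups for blocklisted domains are answered with the sinkhole address, and the clients that asked are recorded so their owners can be informed. The blocklist entries, addresses and names are constructed, and a resolver is only one of several places a sinkhole can be implemented.

```python
from collections import defaultdict

SINKHOLE_IP = "192.0.2.53"   # assumption: analysis host (documentation address range)

# Constructed blocklist entries; not real indicators.
BLOCKLIST = {"c2.badbotnet.example", "dropzone.example"}


def normalize(qname):
    return qname.lower().rstrip(".")


def is_blocked(qname, blocklist=BLOCKLIST):
    """True if qname or any parent domain is blocklisted (matches on label boundaries)."""
    labels = normalize(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


class Sinkhole:
    def __init__(self, upstream):
        self.upstream = upstream          # callable: name -> real address
        self.hits = defaultdict(set)      # client IP -> blocked names it asked for

    def resolve(self, client_ip, qname):
        """Answer blocked names with the sinkhole; pass everything else upstream."""
        if is_blocked(qname):
            self.hits[client_ip].add(normalize(qname))
            return SINKHOLE_IP
        return self.upstream(qname)

    def likely_infected(self):
        """Clients to notify: each one queried at least one blocked name."""
        return {ip: sorted(names) for ip, names in sorted(self.hits.items())}


def demo():
    # Constructed queries; the upstream resolver is a stub returning a fixed address.
    sinkhole = Sinkhole(upstream=lambda name: "198.51.100.10")
    sinkhole.resolve("10.0.0.5", "www.example.org")
    sinkhole.resolve("10.0.0.5", "beacon.c2.badbotnet.example")
    sinkhole.resolve("10.0.0.9", "dropzone.example.")
    return sinkhole.likely_infected()
```

Matching on whole labels keeps a lookalike such as `notdropzone.example` from being sinkholed by accident, while every subdomain of a listed name is still caught.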

Unfortunately, these defenses can have a negative side. A dedicated hacker can use a reverse honeypot attack to baffle security teams. While attacking a server, for example, they could purposely leave seemingly incriminating information to mislead investigators. They may even encrypt these false leads to give the investigators more work, so that, while they are analyzing this false information, the hacker is happily pursuing another path.

Still, despite this drawback, it may give you or your company some satisfaction to at least delay, disrupt, irritate, or, ultimately, bring down hackers. The Honeynet Project is a group of volunteers who have joined together to fight against and understand hacker activity and make the internet a safer place. I suppose if every company used these techniques, that would probably be the result. For now, it’s just good to know that you are not really as powerless as you may think you are.

Why not give your IT department a break? Using Inzero hardware-separated architecture makes the construction of honeypots unnecessary since no intruder can cross the barrier between your network with its users and connected devices and your sensitive information. For details, contact Inzero at



