Rather than try to block a hacker (with a firewall) or find a hacker (with an intrusion-detection system), some people prefer the more labor-intensive method of using a honeypot instead. A honeypot can serve two purposes. First, it can lure a hacker away from the important data on your computer and isolate the hacker from causing any damage. Second, a honeypot can allow you to study a hacker's methods and techniques so that you can better learn how certain attacks work and how you might be able to defend yourself against them in the future.

Honeypots typically run on a single computer that mimics the activity and breadth of an entire network, even down to emulating the details of a specific operating system, such as Linux, Windows, Mac OS, Solaris, or HP-UX. Although a honeypot looks and behaves just like a real network, it often offers several easily exploitable flaws to encourage the hackers to waste their time exploiting this fictional network.

To learn more about honeypots, visit the Honeynet Project (http://project.honeynet.org), which has been running honeypots and studying hacker techniques for years. The Distributed Honeypot Project (http://www.lucidic.net) plans to create a network of honeypots around the Internet so that system administrators can share the latest hacking techniques. For a list of different honeypots available, visit Talisker (http://www.networkintrusion.co.uk).

The friendly folks at Science Applications International Corporation (SAIC) (http://www.saic.com) have even set up a wireless honeypot near Washington, D.C., to learn the latest war-driving hacking techniques (see Chapter 11).

To learn about the various honeypots currently used by businesses, visit these sites:

Tiny Honeypot




Symantec ManTrap


The Deception Toolkit


Many honeypots are freeware and include source code so you can study how they work and even contribute some ideas of your own.

Because honeypots take time to set up and maintain, most individuals aren't likely to run a honeypot on their personal computer. If you have the time, though, you may want to try running a Trojan horse honeypot-the next time someone tries to access your computer using a remote access Trojan horse, your honeypot can trick the hacker into thinking he has secret access to your computer when he's really isolated from your data and you're watching his activities every step of the way (see Figure 18-3).

Click To expand Figure 18-3: NetBuster can create a honeypot to trap hackers trying to access your computer with the NetBus remote access Trojan.

Here are some of the many Trojan horse honeypot programs available:





Tambu Dummy Server


The Saint