Problem solve Get help with specific problems with your technologies, process and projects.

Can honeypots for network security detect a P2P botnet?

Honeypots can be a great network security tool, but are they capable of detecting a P2P botnet? In this expert response, Nick Lewis details how and what kind of threats a honeypot can identify.

Can a honeypot be used to detect an advanced hybrid peer-to-peer botnet, or any sort of botnet, for that matter?
Honeypots for network security are systems on the Internet or on networks that are set up exclusively to listen for and attract rogue connections .

Honeypots have many different uses, and detection of botnets is one of the possible uses.

It might be difficult, however, for a honeypot to detect a P2P botnet. An advanced P2P botnet uses encryption and only talks to registered peers, whereas standard botnets use centralized IRC connections for command and control. It would be unlikely that the honeypot could detect such an advanced P2P botnet connection if it weren't a registered peer and implicitly granted access to the botnet network. If the P2P botnet used IP scanning of semi-random IPs on the Internet to identify peers, however, a honeypot could detect this scan connection potentially as a P2P botnet, though it would still have to wait for the botnet to scan for it.

If the honeypot has been customized to emulate a node or another peer in the botnet, then it can be used to analyze the botnet's operations. However, this is a technically complex process that's not recommended for the average security pro. The honeypot could be registered manually or joined in some way to the botnet to analyze the operations of the botnet. This type of advanced analysis has been done by security researchers from UC Berkley (.pdf) targeting the MegaD botnet . The researchers reverse engineered the protocol used by MegaD and setup a honeypot to observe the operations of the botnet. This type of analysis is used in the technical part of the takedown of a botnet, but requires significant efforts and may not be an effective use.

This was last published in November 2010

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.