Transparent Linking
Content:
--------
| I. | Background of Transparent Linking |
| II. | Link Types |
| III. | Test Setup |
| IV. | Test Results and Conclusion |
I. Background of Transparent Linking
------------------------------------
This section explains why transparent links -sometimes also referred to as "invisible links"- are essential for the deployment of web-based honeypots and discusses the problems that arise.
With the growing popularity of web applications attackers also realized search engines like Google as very powerful tools which they could use for their evil activities. Search engines provide the possibility for attackers to look for exactly that type and version of an application they are interested in. Instead of performing random scans, they can precisely focus their efforts on targets which match to their criteria. Therefore attackers are able to conduct the attacks in a much more efficient way.
In order to attract attackers with our honeypot we need to catch their attention and interest. As most attacks on web-based applications use search engines in order to find their victims, we want our honeypot to be listed by the indices of the search engines. Once the honeypot is indexed, all attackers that use search engines can recognize the system, which results in more traffic being driven to the honeypot.
The next question would be how to add the honeypot to the index of a search engine. Nowadays the search index gets constructed automatically with the help of so called web spiders. Web spiders are programs which crawl the World Wide Web in a methodical and automated manner with the intent of creating an index about the crawled contents.
Usually search engine companies do not allow to manipulate the result of the search index manually, independent from the aim to help research and to improve security. As a manual extension is not possible, we have to use the behaviour of the web spiders in order to complement the search index with information about our honeypot.
This results in two major problems:
One has to keep in mind that transparent links represent an issue where web-based honeypots strongly differ from non web-based honeypots: Usually every access to a honeypot is considered to be an illicit use of that resource. Instead, web-based honeypots need to be indexed by web-spiders in order to catch a reasonable amount of interest and to work properly as we explained. Hence, in this point web-based honeypots pursue a different concept than other honeypots. Nevertheless, the main value for both types of honeypots lies in the unauthorized or illicit use of that resource.
Experience shows, that a high position in the ranking is not required in order to attract malicious tools, which are acting in an automated way in order to find their targets. However, if a web spider does not follow a specific link at all, of course it is useless for this purpose.
continue: Link Types
With the growing popularity of web applications attackers also realized search engines like Google as very powerful tools which they could use for their evil activities. Search engines provide the possibility for attackers to look for exactly that type and version of an application they are interested in. Instead of performing random scans, they can precisely focus their efforts on targets which match to their criteria. Therefore attackers are able to conduct the attacks in a much more efficient way.
In order to attract attackers with our honeypot we need to catch their attention and interest. As most attacks on web-based applications use search engines in order to find their victims, we want our honeypot to be listed by the indices of the search engines. Once the honeypot is indexed, all attackers that use search engines can recognize the system, which results in more traffic being driven to the honeypot.
The next question would be how to add the honeypot to the index of a search engine. Nowadays the search index gets constructed automatically with the help of so called web spiders. Web spiders are programs which crawl the World Wide Web in a methodical and automated manner with the intent of creating an index about the crawled contents.
Usually search engine companies do not allow to manipulate the result of the search index manually, independent from the aim to help research and to improve security. As a manual extension is not possible, we have to use the behaviour of the web spiders in order to complement the search index with information about our honeypot.
This results in two major problems:
- Unfortunately the details about the exact behaviour of the web spiders are usually
kept secret as well, in order to avoid abuse or distortion. Neither the exact
construction criteria for the ranking of the index are public, nor information
about if and how the content of a web page gets rated. Whereas different ways
exist in order to create a link to a honeypot, it is even unknown which kind of
link will be crawled and indexed by a web spider at all.
- However, we also cannot just place arbitrary links to our honeypot on a website. This is due to the fact that not only web spiders or attackers may follow the link, but probably also many benign users who are just surfing the webpage. By following the link these users would cause many false positives in our logfiles and incidentally also increase the chance that an attacker reveals the true purpose of this link for our honeypot.
One has to keep in mind that transparent links represent an issue where web-based honeypots strongly differ from non web-based honeypots: Usually every access to a honeypot is considered to be an illicit use of that resource. Instead, web-based honeypots need to be indexed by web-spiders in order to catch a reasonable amount of interest and to work properly as we explained. Hence, in this point web-based honeypots pursue a different concept than other honeypots. Nevertheless, the main value for both types of honeypots lies in the unauthorized or illicit use of that resource.
Experience shows, that a high position in the ranking is not required in order to attract malicious tools, which are acting in an automated way in order to find their targets. However, if a web spider does not follow a specific link at all, of course it is useless for this purpose.
continue: Link Types
Navigation:
Home
Download
Screenshots
Transparent Linking
Installation
Contact:
