What is a honeypot and how does it work
avatar

Iveta Vistorskyte

Jun 01, 2021 6 min read

In today’s data-driven world, many businesses rely on large amounts of public data to make important decisions. Such data is often obtained from websites across the internet through a process known as web scraping.

However, web scraping does face some challenges. One of such challenges is honeypot traps. This article will go over what honeypots are, where they are used, and how you can avoid them during web scraping.

What is a honeypot?

A honeypot is a decoy system designed to look like a legitimate compromised system to attract cybercriminals. Honeypot system is deployed to entice attackers while diverting them from their actual targets. Security teams often use honeypots to investigate malicious activity so that they can better mitigate vulnerabilities.

Types of honeypots

Honeypots can vary in complexity depending on the needs of the organization deploying them. There are three main tiers of honeypots: pure honeypots, low-interaction honeypots, and high-interaction honeypots.

Pure honeypots

Pure honeypots are full-scale production systems that contain what may appear to be sensitive or confidential data. These systems monitor the attacker’s activities through a bug tap that is installed on the link connecting the honeypot to the network. While pure honeypots can be complex, they provide a lot of valuable information about attacks.

Low-interaction honeypots

Low-interaction honeypots simulate only the systems and services that attackers most commonly target. As a result, they are not very resource-intensive and are easier to deploy and maintain. These honeypots gather information about the type of attack and where it originated from. They are commonly used as early detection mechanisms by security teams.

High-interaction honeypots

High-interaction honeypots are complex systems that run a variety of services, just like real production systems. These kinds of honeypots are used to provide attackers with many potential targets to infiltrate, allowing researchers to observe their techniques and behaviors while collecting extensive cybersecurity insights.

These honeypots can be quite resource-intensive and expensive to maintain. However, they provide a lot of valuable insights. Virtual machines often host multiple high-interaction honeypots on a single machine and ensure that attackers do not get access to the real production system.

How do honeypots work?

Honeypots can be divided into two broad categories based on their objective: production honeypots and research honeypots. A production honeypot is deployed alongside real production servers. This honeypot detects intrusions into the system and deflects the attacker’s attention from the primary system.

Research honeypots, on the other hand, gather information about cybercriminal attacks. These honeypots provide useful data about attacker trends that security teams can analyze and study to improve their defense mechanisms.

How do honeypots work

Where are honeypot traps used?

Honeypot traps are used in a variety of ways and for different purposes. Some common honeypot traps include malware honeypots, spam traps, client honeypots, database honeypots, and honeynets.

Malware honeypots

Malware honeypots use known replication and attack vectors to invite malware attacks. For instance, malware honeypots can be used to emulate USB flash drives. If a machine is attacked by malware that infects USB drives, the honeypot will lure the malware into infecting the emulated USB drive. A team of experts can then analyze the malware to close vulnerabilities or create anti-malware software.

Spam honeypots

Spam honeypots are used to detect and block spammers who abuse open mail relays and open proxies. These servers accept mail indiscriminately and forward them to their destinations. Honeypot programs can be used to masquerade as such open mail relays and proxies to detect abuse from spammers.

Spam honeypots can reveal the IP address of the spammer, allowing the honeypot operator to block email messages from that address. The honeypot operator can also contact the ISP of the abuser to have their accounts canceled. Spam honeypots can be quite effective as they make spam abuse riskier and more difficult.

Database honeypot

A database honeypot is a decoy database set up to attract database-specific attacks such as SQL injection. Such attacks often slip by firewalls. Organizations use database firewalls that support honeypot systems to divert the attacker from the actual database.

Client honeypots

Client honeypots pose as clients and search for malicious servers that attack clients. These kinds of honeypots are used to observe how such malicious servers modify the client servers during attacks. They are typically run in virtualized environments.

Honeynet definition

A honeynet is a network of honeypots. Honeynets are designed to look like real networks and often contain multiple systems. They are used for monitoring large, complex networks where just one honeypot may be insufficient. 

In a honeynet, a “honeywall” gateway monitors the traffic coming into the network and leads it to the honeypot instances. The honeynet gathers information about the attackers while diverting them from the actual network. With the aid of a honeynet, different types of cybersecurity attacks, such as distributed denial of service (DDoS) attacks and ransomware attacks, can be studied. 

Honeynets are often implemented as part of a larger intrusion detection system. They are designed to contain all inbound and outbound traffic to protect the rest of the organization’s corporate network.

Honeypot traps are used for different purposes
Honeypot traps are used for different purposes

Honeypot traps and web scraping

In addition to the aforementioned applications of honeypots, websites use honeypot traps to detect and prevent malicious web scraping activity, e.g., theft of copyrighted content. Honeypot traps typically cannot distinguish good bots from malicious ones. Therefore, good web scraping bots that collect only publicly available data can be caught as well. 

Such honeypot traps are sometimes called spider honeypots. Web pages usually contain links that only web crawlers can access. When the crawler scrapes data from such links, the site immediately detects web scraping activity.

Beware of honeypot traps

It is essential to detect if a website uses honeypot traps because collecting public data from such websites is not advisable. Websites with honeypot traps can easily detect your web scraper and track your web scraping activity. In this case, they can take action against you, leading to being blocked and not getting the required public data.

You should know that some honeypot links, which are used to bait crawlers, have the CSS style of “display: none.” Others are disguised by having them blend in with the background color. It is crucial to ensure that your crawler only follows properly visible links. It is also important to follow web scraping best practices to reduce your chances of getting blocked. You have to respect the rules of the website you intend to scrape data from.

Conclusion

Honeypot traps are effective techniques for detecting and thwarting malicious work from cybercriminals. However, they can pose a challenge for legitimate web scraping processes. If you are looking to only scrape public data for use cases like price monitoring, market research, and similar, you will have to watch out for spider honeypot traps and avoid them.

If you are interested in the data gathering process, we suggest you check out how to set the right approach to web scraping. Furthermore, if you are interested in other web scraping challenges, check out our article about CAPTCHAs or how HTTP cookies affect web scraping.

avatar

About Iveta Vistorskyte

Iveta Vistorskyte is a Content Manager at Oxylabs. Growing up as a writer and a challenge seeker, she decided to welcome herself to the tech-side, and instantly became interested in this field. When she is not at work, you'll probably find her just chillin' while listening to her favorite music or playing board games with friends.

All information on Oxylabs Blog is provided on an "as is" basis and for informational purposes only. We make no representation and disclaim all liability with respect to your use of any information contained on Oxylabs Blog or any third-party websites that may be linked therein. Before engaging in scraping activities of any kind you should consult your legal advisors and carefully read the particular website's terms of service or receive a scraping license.

Related articles

Most Common HTTP Headers

Most Common HTTP Headers

Sep 20, 2021

5 min read