Creating a Honeypot Server

Learn how to create a DNS honeypot server that redirects DNS requests to a particular address.

Introduction

A honeypot is a computer used for deception. It could be a system designed to masquerade as a valuable system and accept and log requests to it before dropping them without responding. Alternatively, honeypots could interact with an attacker, providing services that waste their time or direct them to additional honeypots.

We’ve already developed code that logs all requests of a particular type to a system. Now, we’ll create a honeypot DNS server that directs clients to a particular IP address.

Monitoring for DNS requests

A server can be built in a couple of different ways. One option is to bind to a socket, listen for requests, and send responses. This is how most applications communicate over the network.

Another option, using Scapy, is to monitor network traffic with the sniff function and then send packets in response. This is useful if a honeypot needs to spoof several different protocols or respond to requests sent to a port used by another application.
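The first option above (bind to a socket, listen, respond) is shown here as an added example that is not the course's own code, using only the Python standard library rather than Scapy. The decoy address 192.0.2.53, the loopback bind on port 5353, the sample query, and all function names are assumptions made for illustration.

```python
import socket
import struct

HONEYPOT_IP = "192.0.2.53"  # assumed decoy address (documentation range)
# Constructed sample: an A query for example.com with ID 0x1a2b and RD set.
SAMPLE_QUERY = (b"\x1a\x2b" + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 0)
                + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1))

def parse_question(packet):
    """Return (qname, qtype, end_offset) for the first question in a query."""
    if len(packet) < 12:
        raise ValueError("shorter than a DNS header")
    flags, qdcount = struct.unpack("!HH", packet[2:6])
    if flags & 0x8000 or qdcount < 1:
        raise ValueError("not a query")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length > 63:  # compression pointers do not belong in a question
            raise ValueError("invalid label length")
        labels.append(packet[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return ".".join(labels), qtype, pos + 4

def build_response(packet, ip=HONEYPOT_IP):
    """Answer A queries with the honeypot IP; other types get no answer."""
    _, qtype, end = parse_question(packet)
    answer = b""
    if qtype == 1:  # A record: pointer to the name at offset 12, TTL 60
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip)
    qflags = struct.unpack("!H", packet[2:4])[0]
    flags = 0x8400 | (qflags & 0x0100)  # QR=1, AA=1, echo the client's RD bit
    header = packet[:2] + struct.pack("!HHHHH", flags, 1, 1 if answer else 0, 0, 0)
    return header + packet[12:end] + answer

if __name__ == "__main__":
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 5353))  # assumed port; 53 needs privileges
    while True:
        data, client = sock.recvfrom(512)
        try:
            print(client[0], "asked for", parse_question(data)[:2])  # log first
            sock.sendto(build_response(data), client)
        except ValueError as err:
            print(client[0], "sent a malformed query:", err)
```

Every request is logged before it is answered, and malformed packets are logged and dropped instead of crashing the listener.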

We’ve used sniff to monitor network traffic and we’ve developed code to dynamically build packets in response to requests. The following code sample puts these together to build a honeypot DNS server:
