Honeypots mailing list archives

Re: Does it really take so long to get a bite?


From: Lance Spitzner <lance () honeynet org>
Date: Sat, 7 Dec 2002 22:35:42 -0600 (CST)

On Sat, 7 Dec 2002, Chris Reining wrote:

I had an OpenBSD 3.1 honeypot running a vulnerable version of SSH that was compromised in 2 days...

Watching the logs, the chkrootkit, the IDS, the network traffic, etc., shows
us nothing!  Lots and LOTS of scans, mostly for nbname.

How long does it take to get a hit?  Previous reading and anecdotes said
that some boxes are compromised within 15 mins of being hooked up to the
network.

I had a vanilla Redhat 6.2 box that took over 3 weeks to get compromised by an autorooter. I think that the TTL of a 
honeypot depends entirely on different variables like the ISP (from what I've seen, different ISPs/netblocks get 
scanned at different frequencies) and the latest and greatest exploit that the kiddies have. For instance, after a 
major software vulnerability is discovered and an exploit released there will be a sharp increase in scanning for 
vulnerable systems which will slowly decline over time.

As many folks have discussed, it depends on a variety of variables.
Two years ago, RH 6.2 would have been hacked in hours.  However,
folks have moved onto new 'exploit-du-jour', so what was highly 'hackable'
two years ago may take weeks or even months.  When the OpenSSH exploit
was released, it was possible for RH 6.2 or even RH 7.2 boxes to last
longer than an unpatched OpenBSD box.  So, TTL is often based on what
the favored exploit happens to be at that time.

Also, keep in mind, the harder your honeypot is to break into, the more
you can learn.  However, the harder it is to break into your honeypot,
the more value you have to give it.  If the bad guys just want systems,
they will skip your hardened honeypot and go for the easy kill.  All
depends on the type of clientele you wish to attract.

One of the interesting things the Honeynet Project has seen is different
operating systems attract different clientele.  Linux hackers tend to be
a different community than Solaris, OpenBSD, or Windows hackers.  We do
not have enough data to come to any conclusions, but something to keep
your eyes open for :)

lance