Honeypots mailing list archives
Re: http fake service
From: gminick <gminick () hacker pl>
Date: Sun, 9 Feb 2003 17:08:34 +0100
On Sun, Feb 09, 2003 at 01:50:13AM -0800, dhanu bahirat wrote:
> I am doing a project on honeypots. I am writing a production honeypot, giving fake services. I studied many honeypots like honeyd, tiny honeypot, dtk, etc. Now I am planning to write a http fake service.
> [...]
> What is actually expected in providing the fake http service?
I don't get it. Could you explain to me what you are trying to achieve by that, as you call it, 'fake http service'? You want to run a honeypot, so wouldn't it be better to provide a real service? A real server which can be exploited?

A 'http service' is something more than just a tcp server listening on port 80 and logging requests. It needs an implementation of a protocol. And here's the place where I'm stuck, because you're providing a service which is really hard to break, since nobody has its code, nobody knows anything about that server, and there's no worm which will exploit your server (well, the possibility of the same error is really small) - it's just a way to make an attacker more suspicious.

Worms as well as script kiddies use network scanners to search for targets, but there's a difference: worms attack everything which is open (we can say worms are blind); script kiddies attack vulnerable services. First, they take a look at the name and version of your server, and then, if they can, they try to attack. But now, what we've got is a fake http service: worms just can't break in with their exploits, script kiddies can't compare the signature of your server to any known exploit (well, as long as you aren't responding with some 'Apache-2.....' or another 'MS IIS....' ;)), so I just don't see what the deal is with that http server. By providing unknown services you're making a real stronghold out of your honeypot, aren't you? :)

...or maybe that's just me needing to refresh my knowledge about honeypots.

Hmm... it's a bit long, so, once more, a general question: what are you trying to achieve by providing that kind of service?

--
[ ] gminick (at) underground.org.pl http://gminick.linuxsecurity.pl/ [ ]
[ "I simply like the solitude of the morning, because that is when coffee tastes best." ]