Honeypots mailing list archives

Re: http fake service


From: gminick <gminick () hacker pl>
Date: Sun, 9 Feb 2003 17:08:34 +0100

On Sun, Feb 09, 2003 at 01:50:13AM -0800, dhanu bahirat wrote:
> I am doing a project on honeypot. I am writing a
> production honeypot, giving fake services. I studied
> many honeypots like honeyd, tiny honeypot, dtk, etc.
> Now I am planning to write a http fake service.
> [...]
> What is actually expected in providing the fake http
> service.

I don't get it. Could you explain to me what you are trying to
achieve by that - as you call it - 'fake http service'?

You want to run a honeypot, so wouldn't it be better to provide
a real service? A real server which can be exploited?

A 'http service' is something more than just a tcp server listening
on port 80 and logging requests. It needs an implementation of a
protocol. And here's the place where I'm stuck, because you're
providing a service which is really hard to break, since nobody has
its code, nobody knows anything about that server, and there's no worm
which will exploit your server (well, the possibility of the same error
is really small) - it's just a way to make an attacker more suspicious.
Worms as well as script kiddies use network scanners to search for
targets, but there's a difference: worms attack everything
which is open (we can say worms are blind); script kiddies attack
vulnerable services. First they take a look at the name and version
of your server, and then, if they can, they try to attack.
But now what we've got is a fake http service: worms just can't break in
with their exploits, script kiddies can't compare the signature of your
server to any known exploit (well, as long as you aren't responding
with some 'Apache-2.....' or another 'MS IIS....' ;)), so I just
don't see what the deal is with that http server.
By providing unknown services you're making a real stronghold out of your
honeypot, aren't you? :) ...or maybe that's just me needing to refresh
my knowledge about honeypots.
Hmm... it's a bit long, so, once more, a general question: what are you
trying to achieve by providing that kind of service?

-- 
[ ] gminick (at) underground.org.pl  http://gminick.linuxsecurity.pl/ [ ]
[ "I simply like the morning solitude, because that's when coffee tastes best." ]
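
For readers of the archive, an added example (not part of the message above and not code from any honeypot project) of the distinction the reply draws between a TCP listener that only logs bytes and a service that implements the protocol: a low-interaction request handler that parses the request line and headers, answers with an operator-chosen `Server` banner, and records what the client asked for. The banner string, function names and sample requests are assumptions made for illustration.

```python
import json
from datetime import datetime, timezone

# Assumption: the banner is whatever the operator chooses to advertise; this value is only an example.
FAKE_BANNER = "Apache/1.3.27 (Unix)"
METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE"}

def parse_request(raw: bytes):
    """Parse the request line and headers; return None if it is not HTTP."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] not in METHODS or not parts[2].startswith("HTTP/1."):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "version": parts[2], "headers": headers}

def build_response(status: str, body: bytes, head_only: bool = False) -> bytes:
    head = (f"HTTP/1.1 {status}\r\nServer: {FAKE_BANNER}\r\n"
            f"Content-Type: text/html\r\nContent-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n").encode("latin-1")
    return head if head_only else head + body  # a HEAD request gets headers only

def handle(raw: bytes, peer: str):
    """Return (response_bytes, log_record) for one request from `peer`."""
    req = parse_request(raw)
    record = {"time": datetime.now(timezone.utc).isoformat(), "peer": peer,
              "raw": raw[:2048].decode("latin-1")}
    if req is None:  # not HTTP at all: still answer and still log the bytes
        record["status"] = 400
        return build_response("400 Bad Request", b"<h1>Bad Request</h1>"), record
    record.update(method=req["method"], target=req["target"],
                  user_agent=req["headers"].get("user-agent", ""))
    if req["target"] == "/":
        record["status"] = 200
        body = b"<html><body><h1>It works!</h1></body></html>"
        return build_response("200 OK", body, req["method"] == "HEAD"), record
    record["status"] = 404
    return build_response("404 Not Found", b"<h1>Not Found</h1>", req["method"] == "HEAD"), record

if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for sample in (b"GET / HTTP/1.0\r\nUser-Agent: test\r\n\r\n", b"\x00\x01junk"):
        resp, rec = handle(sample, "192.0.2.10")
        print(json.dumps(rec), resp.split(b"\r\n", 1)[0])
```

Wiring `handle` to a socket is left out on purpose; the log record, not the response, is the part a honeypot operator reads afterwards.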

