Honeypots mailing list archives

Re: An Idea for Discussion for HoneyView


From: "Matt Bruce" <mbruce () insl co uk>
Date: Thu, 1 May 2003 15:08:35 +0100

Hi Karl,

Karl Hable <develop () kh-soft de> wrote:
So ... I got the idea to let a cron-job traceroute all
new IP addresses and store the routing information also
in HoneyView's database.

A disadvantage to this approach is that you cease to be passive. If the
blackhat accessing your system is running something as simple as a personal
firewall product, then s/he will be alerted to ICMP traffic originating from
your subnet. Aside from echo-reply, and perhaps ident (outdated response to
SMTP), I wouldn't expect there to be any traffic originating at the honeynet
to the blackhat.

One possible way to avoid this would be to examine the TTL of his/her source
traffic and trace to TTL-1, but you are assuming that your traffic will
travel along the same route as their traffic. I think one of Lance's papers
provides the pros and cons of this approach.

Another way might be to perform the traceroute from another, unrelated
network or traceroute website (e.g. www.traceroute.org). Then you just get
lost amongst the noise. But be careful to read the T&Cs of whatever site you
use to see what they consider "abuse".

Myself, I prefer to satisfy myself with out-of-band information on
interesting traffic sources: performing WHOIS lookups (e.g.
http://www.geektools.com/cgi-bin/proxy.cgi or plain old nslookup/dig) and
the like against the address. Not the best for granularity or discovering
source repetition, but at least they don't discover my activities. :)

Cheers,
Matt
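As an added example (not part of this thread or of HoneyView), the passive side of the TTL idea above: estimating how many hops away a source is from the TTL its own packets arrive with, so nothing is ever sent back to it. It assumes the common initial TTL values 32/64/128/255 and tcpdump-style `-v` log lines; the sample lines are constructed, and a host with a non-default initial TTL will be mis-estimated.

```python
import re

# Common initial TTL values set by OS network stacks (assumption: 32 for
# very old stacks, 64 for Linux/BSD/macOS, 128 for Windows, 255 for network
# gear and Solaris). Ordered ascending so the smallest plausible start wins.
INITIAL_TTLS = (32, 64, 128, 255)

# Minimal pattern for tcpdump-style lines printed with -v, which carry the
# ttl field; the sample lines below are constructed, not captured traffic.
LINE_RE = re.compile(r"IP \(.*?ttl (\d+).*?\)\s+(\S+?)\.(\d+) > ")

def estimate_hops(observed_ttl):
    """Return (assumed_initial_ttl, hop_count) for an observed TTL.

    Uses the smallest common initial TTL that is >= the observed value,
    so an observed TTL of 51 is read as 64 - 51 = 13 hops away. This is a
    heuristic: hosts with non-default initial TTLs will be mis-estimated.
    """
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial, initial - observed_ttl
    raise ValueError("TTL out of range: %d" % observed_ttl)

def hop_estimates(log_lines):
    """Map each source address in the log lines to its estimated hop count,
    keeping the first estimate seen per source (repeat hits are ignored)."""
    result = {}
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ttl, src = int(m.group(1)), m.group(2)
        if src not in result:
            result[src] = estimate_hops(ttl)
    return result

SAMPLE_LOG = [  # constructed sample lines, documentation-range addresses
    "10:02:11.1 IP (tos 0x0, ttl 51, id 100, proto TCP (6), length 60) 203.0.113.7.40211 > 192.0.2.10.22: S",
    "10:02:11.2 IP (tos 0x0, ttl 113, id 200, proto TCP (6), length 48) 198.51.100.23.1337 > 192.0.2.10.445: S",
    "10:02:12.0 IP (tos 0x0, ttl 51, id 101, proto TCP (6), length 60) 203.0.113.7.40212 > 192.0.2.10.80: S",
]

if __name__ == "__main__":
    for src, (initial, hops) in hop_estimates(SAMPLE_LOG).items():
        print("%-16s initial TTL %3d  ~%2d hops away" % (src, initial, hops))
```

The estimate only says how far away the source is, not the path, so it complements rather than replaces the WHOIS-style out-of-band lookups mentioned above.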
