Honeypots mailing list archives
Re: An Idea for Discussion for HoneyView
From: "Matt Bruce" <mbruce () insl co uk>
Date: Thu, 1 May 2003 15:08:35 +0100
Hi Karl,

Karl Hable <develop () kh-soft de> wrote:

> So .. I got the idea to let a cron job traceroute all new IP addresses and store the routing information also in HoneyView's database.
A disadvantage to this approach is that you cease to be passive. If the blackhat accessing your system is running something as simple as a personal firewall product, then s/he will be alerted to ICMP traffic originating from your subnet. Aside from echo-reply, and perhaps ident (outdated response to SMTP), I wouldn't expect there to be any traffic originating at the honeynet to the blackhat.

One possible way to avoid this would be to examine the TTL of his/her source traffic and trace to TTL-1, but you are assuming that your traffic will travel along the same route as their traffic. I think one of Lance's papers provides the pros and cons of this approach.

Another way might be to perform the traceroute from another, unrelated network or traceroute website (e.g. www.traceroute.org). Then you just get lost amongst the noise. But be careful to read the T&Cs of whatever site you use to see what they consider "abuse".

Myself, I prefer to satisfy myself with out-of-band information on interesting traffic sources: performing WHOIS lookups (e.g. http://www.geektools.com/cgi-bin/proxy.cgi or plain old nslookup/dig) and the like against the address. Not the best for granularity or discovering source repetition, but at least they don't discover my activities. :)

Cheers,
Matt
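The "examine the TTL and trace to TTL-1" idea above can be worked out entirely passively: from the TTL a packet arrives with, guess the sender's initial TTL, subtract to get the hop distance, and cap any active probe one hop short of the source. The following is an added example written for this page, not code from Matt, Karl or the HoneyView project. It assumes the usual initial-TTL heuristic (nearest of 32/64/128/255 at or above the observed value) and works on constructed log lines in a made-up `src=... dport=... ttl=...` format; the addresses are documentation ranges, not observed traffic.

```python
import re
from collections import Counter

# Initial TTL values commonly used by operating systems. Assumption of this
# example: the smallest of these at or above the observed TTL is taken to be
# the sender's initial TTL. This is the usual heuristic and has a known
# ambiguity: a TTL of 30 is read as 32 - 2 hops rather than 64 - 34 hops.
INITIAL_TTLS = (32, 64, 128, 255)

# Constructed sample log lines (not real traffic): one line per inbound packet
# seen at the honeynet, with source address and the IP TTL on arrival.
SAMPLE_LOG = """\
2003-05-01 14:02:11 src=203.0.113.7 dport=22 ttl=49
2003-05-01 14:02:11 src=203.0.113.7 dport=22 ttl=49
2003-05-01 14:02:13 src=203.0.113.7 dport=80 ttl=48
2003-05-01 14:05:40 src=198.51.100.23 dport=445 ttl=113
2003-05-01 14:07:02 src=192.0.2.250 dport=21 ttl=239
2003-05-01 14:09:55 src=10.0.0.5 dport=25 ttl=64
"""

LINE_RE = re.compile(r"src=(?P<src>\S+)\s+dport=\d+\s+ttl=(?P<ttl>\d+)")


def infer_initial_ttl(observed_ttl):
    """Guess the TTL the sender started with from the TTL we received."""
    for candidate in INITIAL_TTLS:
        if observed_ttl <= candidate:
            return candidate
    raise ValueError("TTL %d exceeds the IP maximum of 255" % observed_ttl)


def hop_distance(observed_ttl):
    """Inferred number of routers on the attacker -> honeynet path."""
    return infer_initial_ttl(observed_ttl) - observed_ttl


def max_probe_ttl(observed_ttl):
    """Highest TTL a traceroute probe may carry so that it expires one hop
    short of the source host (the 'trace to TTL-1' idea). This assumes the
    honeynet -> attacker path has the same length as the reverse path, which
    asymmetric routing can easily violate."""
    return max(hop_distance(observed_ttl) - 1, 0)


def parse_log(text):
    """Return {src: Counter of observed TTLs} from lines in SAMPLE_LOG's format."""
    seen = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not carry a src/ttl pair
        seen.setdefault(m.group("src"), Counter())[int(m.group("ttl"))] += 1
    return seen


def summarize(text):
    """Per source: the most frequent observed TTL (small variations come from
    route changes), inferred initial TTL, hop distance and the TTL-1 probe cap."""
    result = {}
    for src, ttls in parse_log(text).items():
        observed = ttls.most_common(1)[0][0]
        result[src] = {
            "observed_ttl": observed,
            "initial_ttl": infer_initial_ttl(observed),
            "hops": hop_distance(observed),
            "probe_ttl_limit": max_probe_ttl(observed),
        }
    return result


if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

Nothing here sends a packet; only `probe_ttl_limit` would feed an active step, and even that value is only as good as the assumption that the reverse path is the same length, which is exactly the caveat raised in the reply.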
Current thread:
- An Idea for Discussion for HoneyView Karl Hable (May 01)
- Re: An Idea for Discussion for HoneyView Matt Bruce (May 01)
- Re: An Idea for Discussion for HoneyView Pascal Charest (May 01)
- Re: An Idea for Discussion for HoneyView Valdis . Kletnieks (May 01)