Honeypots mailing list archives
Re: Introducing the Tactical Honeynet Deployment Project
From: Valdis.Kletnieks () vt edu
Date: Mon, 01 Sep 2003 11:19:37 -0400
On Mon, 01 Sep 2003 08:00:12 PDT, Greg Tracy <greg () sixx com> said:
> Makes sense. But aren't black hats also on the lookout for easy prey/insecure hosts from which they can launch other targeted attacks?
And since we're assuming that said blackhat is clued and intelligent, we have to assume that when looking for a "bounce" host, he'll be trying to fly "under the wire" and using the same things the skript kiddies are using. You're not going to see hide nor hair of his 0day till he uses it on his final target. And assuming there's 10 million DSL and cable-modem users in the US, hoping that a black hat will pick your honeypot accidentally is about as much of a long shot as Linus's waiting for the Great Pumpkin to choose HIS pumpkin patch because it's the most sincere one anyplace...
> And a good honeypot should look like a production server to pull them away from the true targets, right? I would think that df and ps should turn up exactly what would look right for the machine it's supposed to be. Or am I way off base?
One quick 'df' tells me if I'm on our production Oracle server or our test Oracle server, because the test server has only one terabyte of disk on it. Similarly for 'ps'... It's incredibly time-intensive to make a simulation that really holds up - you need to nail 'df' and 'ps'. You need to fix 'ls'. Oh, and remember 'find'. And 'cd'. And..... And the worst part is that if you *do* have a honeypot that simulates all this, the instant the black hat spots an inconsistency, he *knows* it's a honeypot - and his best bet at that point is to drop a thermonuclear device and split.