Honeypots mailing list archives

Re: Introducing the Tactical Honeynet Deployment Project


From: Valdis.Kletnieks () vt edu
Date: Mon, 01 Sep 2003 11:19:37 -0400

On Mon, 01 Sep 2003 08:00:12 PDT, Greg Tracy <greg () sixx com> said:

> Makes sense. But aren't black hats also on the lookout for easy
> prey/insecure hosts from which they can launch other targeted attacks?

And since we're assuming that said blackhat is clued and intelligent, we have
to assume that when looking for a "bounce" host, he'll be trying to fly "under
the wire" and using the same things the skript kiddies are using. You're not
going to see hide nor hair of his 0day till he uses it on his final target.

And assuming there are 10 million DSL and cable-modem users in the US,
hoping that a black hat will pick your honeypot accidentally is about as
much of a long shot as Linus's waiting for the Great Pumpkin to choose
HIS pumpkin patch because it's the most sincere one anyplace...

> And a good honeypot should look like a production server to pull them
> away from the true targets, right? I would think that df and ps should
> turn up exactly what would look right for the machine it's supposed to
> be. Or am I way off base?

One quick 'df' tells me if I'm on our production Oracle server or our test Oracle
server, because the test server has only one terabyte of disk on it.  Similarly
for 'ps'...

It's incredibly time-intensive to make a simulation that really holds up - you
need to nail 'df' and 'ps'.  You need to fix 'ls'.  Oh, and remember 'find'. And 'cd'.
And.....

And the worst part is that if you *do* have a honeypot that simulates all this, the
instant the black hat spots an inconsistency, he *knows* it's a honeypot - and
his best bet at that point is to drop a thermonuclear device and split.
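The point above (a faked 'df' that shows the wrong amount of disk, or a 'ps' that is missing the daemons a box of that role would always run, gives the honeypot away) can be turned into a self-check a honeypot operator runs against their own emulated output before deploying. The following is an added example, not code from the post or from the Tactical Honeynet project; the profile values, the `Profile`/`check_consistency` names and the sample 'df -k' and 'ps -eo pid,comm' captures are all constructed for illustration.

```python
"""Self-consistency check for emulated honeypot command output.

Added example (not from the mailing-list post).  Assumes the honeypot's
fake 'df -k' and 'ps -eo pid,comm' output can be captured as text; the
role profile and the sample captures below are constructed, not real
server data.
"""
from dataclasses import dataclass


@dataclass
class Profile:
    """What a machine claiming a given role must look like (constructed)."""
    name: str
    min_total_kb: int        # a box of this role has at least this much disk
    required_procs: set      # daemons that are always running on this role


def parse_df(text):
    """Return {mountpoint: total_kb} from 'df -k' style output."""
    mounts = {}
    for line in text.strip().splitlines()[1:]:      # skip header line
        parts = line.split()
        if len(parts) < 6:
            continue                                 # malformed/wrapped line
        mounts[parts[5]] = int(parts[1])             # 1K-blocks column
    return mounts


def parse_ps(text):
    """Return the set of command names from 'ps -eo pid,comm' style output."""
    names = set()
    for line in text.strip().splitlines()[1:]:      # skip header line
        parts = line.split(None, 1)
        if len(parts) == 2:
            names.add(parts[1].strip())
    return names


def check_consistency(profile, df_text, ps_text):
    """Return a list of inconsistencies that would betray the emulation."""
    findings = []
    total_kb = sum(parse_df(df_text).values())
    if total_kb < profile.min_total_kb:
        findings.append(
            f"df: {total_kb} KB total, but a '{profile.name}' box should show "
            f"at least {profile.min_total_kb} KB")
    running = parse_ps(ps_text)
    for proc in sorted(profile.required_procs - running):
        findings.append(f"ps: daemon '{proc}' expected on role '{profile.name}' is missing")
    return findings


# Constructed profile: the honeypot claims to be the production Oracle server
# (2 TB of disk, the usual Oracle daemons).  Values are hypothetical.
PROD_ORACLE = Profile(
    name="oracle-prod",
    min_total_kb=2 * 1024 ** 3,                      # 2 TB expressed in KB
    required_procs={"sshd", "tnslsnr", "ora_pmon"},
)

# Constructed emulated output from the honeypot under test.
SAMPLE_DF = """\
Filesystem     1K-blocks      Used Available Use% Mounted on
/dev/sda1       20971520   8388608  12582912  40% /
/dev/sdb1     1073741824 536870912 536870912  50% /u01
"""

SAMPLE_PS = """\
  PID COMMAND
    1 init
  812 sshd
 1204 tnslsnr
"""

if __name__ == "__main__":
    for finding in check_consistency(PROD_ORACLE, SAMPLE_DF, SAMPLE_PS):
        print(finding)
```

Run against the constructed captures, the check reports two giveaways: the emulated box shows about 1 TB where the claimed role implies 2 TB, and the `ora_pmon` daemon is absent from the process list. Extending the profile with what 'ls', 'find' and the filesystem layout should look like is the same pattern; the value of the check is that it is run by the operator before an intruder does the equivalent by hand.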
