Honeypots mailing list archives
Re: Trapping attackers when trying to leave a honeypot
From: George Washington Dunlap III <dunlapg () umich edu>
Date: Fri, 5 Sep 2003 13:29:23 -0400 (EDT)
On Fri, 5 Sep 2003, Nicolas STAMPF wrote:
> If I were in charge of a firewall, I'd block that outgoing connection from the honeypot to outside if it were not "production" necessary. As this has already been said here, configuring hosts just like real ones is the best way to catch attackers.

Yes, I guess my view is somewhat skewed by the environment I've been in for the last eight years -- a university, where all the computers have static IPs and are exposed directly to the wilds of the internet.

I also rather misread your first e-mail; you weren't talking about simulating the rest of the internet, but rather the rest of your own net. I guess the question is, what's the difference between what you describe and a honeynet? I.e., just set up a network of honeypots and let the attacker muck around in there?

If you're simulating computers that he can get to from the outside, then he can still do some cross-examination stuff, though perhaps more limited because of your firewall. And if everyone's setup is different enough, it means each attacker will have to craft his cross-examination to your particular system, and there's always the hope that he'll forget or screw it up somehow.

Peace,
-George

--
+-------------------+----------------------------------------
| dunlapg () umich edu | http://www-personal.umich.edu/~dunlapg
+-------------------+----------------------------------------
| ...there be many, many ancient systems in the world, and it
| is the decree of the dreaded god Murphy that thy next
| employment just might be on one. While thou sleepest, he
| plotteth against thee. Awake and take care.
| - Henry Spencer, "The Ten Commandments for C Programmers"
+------------------------------------------------------------
| Outlaw Junk Email! Support HR 1748 (www.cauce.org)