Honeypots mailing list archives
Re: Question about Dynamic Honeypots.
From: Richard Stevens <mail () richardstevens de>
Date: Mon, 22 Sep 2003 21:13:48 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

> I have also another question? I think that there will be another feature for future honeypot/nets, they must plug into networks and attract all anomaly/malicious traffic to ourself. At the least it must redirect the attack traffic to itself. I am be so

This sounds interesting, but why would you want to do that? I suppose you are thinking about a honeynet placed somewhere near production machines, not a separate installation independent of production.

Now, to redirect all malicious traffic, you'd have to identify it first. Otherwise there's nothing to redirect. The identification has to be 100% accurate, otherwise you'd interfere with production traffic --> not good and probably worse than a few attacks coming through, since not all attacks do work. All this would have to work without being detectable, which sounds quite hard to do.

I wonder, if you actually found a way to identify malicious traffic with a precision that high, why not simply block it and leave a honeynet in a classic way to cope with the remaining/new attacks for analysis and identification?

What exactly would be the goal of the redirection? You already know that the redirected traffic is malicious, you know what it is. Imho you could only learn which combinations of the known traffic are used by attackers. While this could be interesting, you could probably gather all that by analyzing the logs of your firewall or blocking mechanisms.

Please don't get me wrong, the idea sounds interesting, but I'm probably not imaginative enough to get ideas about what benefit you'd get. Since you already know a lot about the attacks, it seems a bit like watching script kiddies, but with a lot more work and complexity to achieve this.

Regards,
Richard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iD8DBQE/b0nsCfA4EwqVdIQRAvWPAKCLf6cm1Ad30RZ+K/m+SHYOR9nSRQCeJ3yK
fyOtcVrtsorNruZbw6j7eg0=
=aZmb
-----END PGP SIGNATURE-----