Honeypots mailing list archives

Re: Dynamic honeypots question??


From: Valdis.Kletnieks () vt edu
Date: Mon, 29 Sep 2003 01:41:54 -0400

On Sun, 28 Sep 2003 13:05:48 -0000, Kostas K <acezerocool () yahoo com>  said:

Since the honeypot will provide a plug-n-play solution by using passive OS
fingerprinting analysis etc how can we be so sure that during this process the
attacker won't interfere with it, realise that the machine he/she attacks is a
honeypot? Furthermore, how feasible would it be to build this network while being
offline?

If your attacker can detect that you're using passive OS fingerprinting, which
doesn't send them any packets, you have *bigger* problems. ;)

But let's think this through.  We're making an assumption that the attacker is
*somewhere* on the skill continuum.  Now if they're a script kiddie, they
probably won't even notice *active* fingerprinting.  If they're a clued
attacker, they've learned (hopefully) enough about target selection that your
honeypot won't be visited by them at all, unless it's as a steppingstone
machine to the real target.

Or phrased differently, if the attacker is smart enough to notice fingerprinting,
why did he fall for your honeypot at all?  Why/how did he select it as a target,
and what's his motivation for being there in the first place?

A bigger concern would be "How do *I* know my attacker hasn't jiggered his
TCP stack?" (see http://sourceforge.net/projects/ippersonality/ for an example).

And of course, if you're being hit from another steppingstone, all you will manage
to do is fingerprint the steppingstone.... :)
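
Added example, not part of the original message: a minimal passive fingerprinter that classifies a captured IPv4 SYN from its TTL, window size, DF bit and TCP option order without sending anything, run on a stock SYN and on one from a host whose stack parameters were changed. The signature table, labels, addresses and sample packets are constructed for illustration and are not taken from any real fingerprint database.

```python
import struct

# Constructed signature table for illustration (not a real fingerprint database):
# (initial TTL, window size, DF bit, TCP option kinds in order) -> label
SIGNATURES = {
    (64, 5840, True, (2, 4, 8, 1, 3)): "Linux 2.4-like",
    (128, 65535, True, (2, 1, 1, 4)): "Windows XP-like",
}

def initial_ttl(ttl):
    """Round an observed TTL up to the nearest common initial value."""
    return next(t for t in (32, 64, 128, 255) if ttl <= t)

def tcp_option_kinds(opts):
    """Return the option kinds in order, stopping at EOL or a malformed length."""
    kinds, i = [], 0
    while i < len(opts) and opts[i] != 0:
        kinds.append(opts[i])
        if opts[i] == 1:                      # NOP is a single byte
            i += 1
        elif i + 1 < len(opts) and opts[i + 1] >= 2:
            i += opts[i + 1]
        else:
            break
    return tuple(kinds)

def fingerprint(packet):
    """Classify one captured IPv4 SYN. Read-only: nothing is sent to the source."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    flags_frag, ttl = struct.unpack("!HB", packet[6:9])
    tcp = packet[ihl:]
    if len(tcp) < 20 or tcp[13] & 0x12 != 0x02:   # want SYN set, ACK clear
        return None
    window = struct.unpack("!H", tcp[14:16])[0]
    kinds = tcp_option_kinds(tcp[20:(tcp[12] >> 4) * 4])
    key = (initial_ttl(ttl), window, bool(flags_frag & 0x4000), kinds)
    return SIGNATURES.get(key, "unknown")

def build_syn(ttl, window, options):
    """Constructed sample capture: IPv4+TCP SYN with DF set, checksums zeroed."""
    off = ((20 + len(options)) // 4) << 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, off, 0x02, window, 0, 0) + options
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, ttl, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 20]))
    return ip + tcp

LINUX_OPTS = bytes.fromhex("020405b4" "0402" "080a0000000100000000" "01" "030300")
WIN_OPTS = bytes.fromhex("020405b4" "0101" "0402")
```

The second sample stands for the same source host after its stack parameters were altered: the sensor reports whatever the SYN carries, so the label is evidence about the packet, not proof of the operating system behind it.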
