Honeypots mailing list archives
Re: Dynamic honeypots question??
From: Valdis.Kletnieks () vt edu
Date: Mon, 29 Sep 2003 01:41:54 -0400
On Sun, 28 Sep 2003 13:05:48 -0000, Kostas K <acezerocool () yahoo com> said:
> Since the honeypot will provide a plug-n-play solution by using passive OS fingerprinting analysis etc., how can we be so sure that during this process the attacker won't interfere with it, realise that the machine he/she attacks is a honeypot. Furthermore, how feasible would it be to build this network while being offline?
If your attacker can detect that you're using passive OS fingerprinting, which doesn't send them any packets, you have *bigger* problems. ;)

But let's think this through. We're making an assumption that the attacker is *somewhere* on the skill continuum. Now if they're a script kiddie, they probably won't even notice *active* fingerprinting. If they're a clued attacker, they've learned (hopefully) enough about target selection that your honeypot won't be visited by them at all, unless it's as a steppingstone machine to the real target.

Or phrased differently, if the attacker is smart enough to notice fingerprinting, why did he fall for your honeypot at all? Why/how did he select it as a target, and what's his motivation for being there in the first place?

A bigger concern would be "How do *I* know my attacker hasn't jiggered his TCP stack?" (see http://sourceforge.net/projects/ippersonality/ for an example). And of course, if you're being hit from another steppingstone, all you will manage to do is fingerprint the steppingstone.... :)
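Added example, not part of the original message: a minimal passive fingerprinting sensor that only parses fields of a SYN it has already received, which is why the sender cannot observe it, and which reports whatever the sender's stack presents, so a changed TCP stack changes the verdict. The function names, the signature table, its "profile-A"/"profile-B" labels and the sample packets are all constructed for illustration.

```python
import struct

def build_syn(ttl, window, options, df=True):
    """Build a constructed IPv4+TCP SYN for the demo (checksums left at zero)."""
    opts = options + b"\x00" * (-len(options) % 4)
    tcp_len = 20 + len(opts)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 1, 0x4000 if df else 0,
                     ttl, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 22, 1, 0, (tcp_len // 4) << 4, 0x02,
                      window, 0, 0)
    return ip + tcp + opts

def syn_features(pkt):
    """Read fingerprint fields from a captured SYN; nothing is sent to the peer."""
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag, ttl, proto = struct.unpack("!HBB", pkt[6:10])
    tcp = pkt[ihl:]
    if proto != 6 or len(tcp) < 20:
        raise ValueError("not a TCP segment")
    offset, flags, window = struct.unpack("!BBH", tcp[12:16])
    if flags & 0x12 != 0x02:
        raise ValueError("not an initial SYN")
    opts, kinds, mss, i = tcp[20:(offset >> 4) * 4], [], None, 0
    while i < len(opts) and opts[i] != 0:          # kind 0 ends the option list
        kind = opts[i]
        length = 1 if kind == 1 else (opts[i + 1] if i + 1 < len(opts) else 0)
        if (kind != 1 and length < 2) or i + length > len(opts):
            raise ValueError("malformed TCP option")
        if kind == 2 and length == 4:
            mss = struct.unpack("!H", opts[i + 2:i + 4])[0]
        kinds.append(kind)
        i += length
    # Observed TTL = initial TTL minus hops, so round up to a common initial value.
    initial_ttl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return (initial_ttl, bool(flags_frag & 0x4000), window, mss, tuple(kinds))

# Constructed signature table: labels and values are illustrative, not real OS data.
SIGNATURES = {
    (64, True, 5840, 1460, (2, 4, 8, 1, 3)): "profile-A",
    (128, True, 65535, 1460, (2, 1, 1, 4)): "profile-B",
}

def classify(pkt):
    """Return the table label for a SYN, or 'unknown' if no signature matches."""
    return SIGNATURES.get(syn_features(pkt), "unknown")

OPTS_A = bytes.fromhex("020405b4" + "0402" + "080a" + "00" * 8 + "01" + "030300")
OPTS_B = bytes.fromhex("020405b4" + "01" + "01" + "0402")
# The same sender, before and after its stack parameters are changed (constructed).
before = classify(build_syn(ttl=57, window=5840, options=OPTS_A))
after = classify(build_syn(ttl=121, window=65535, options=OPTS_B))
```

Treat the label as a statement about the packet's headers, not about the machine behind them; corroborate it with other evidence before acting on it.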