Honeypots mailing list archives
Re: SecurityFocus new honeypot article announcement
From: bp1974 () comcast net
Date: Wed, 29 Oct 2003 18:14:55 +0000
I think we are getting too involved in the "exact" meaning of these words. In their most basic sense, both honeypots and tarpits belong to a class of exotic systems (be it a monolithic host or a network) that are designed to foil/thwart the intruder either by blackholing the incoming attacks (tarpit) or by observing the attacker in a controlled environment (honeypot). In my opinion, the value of the honeypot lies in its apparent vulnerability to the outside world. A sticky honeypot (or tarpit) is something that will slow the attacker down. Being a relatively new technology, a tarpit can be integrated into a honeypot (or honeynet) but eventually organizations would isolate the two. This is because a honeypot may be required to go offline for the sake of attack analysis and incident response. But the same cannot hold true for a tarpit.

Balaji
On Mon, 27 Oct 2003, Michael Sierchio wrote:

A very simple elucidation, though -- tarpits are devised specifically to slow down an attack by crafted protocol tricks (rapidly decreasing window size, etc.) and honeypots are designed to provide an environment to observe them by posing as attractive targets.

From my personal opinion, I would have to disagree. Your definition above is based on what honeypots do. I do not consider that the definition of a honeypot. Honeypots can do MANY different things, they can lure, deceive, detect, gather information, be used for incident response, etc. Attempting to define a honeypot on what it does most likely will not work. A honeypot is nothing more than a tool that can do many different things for you; you just apply what you want to get done.

One of the things the maillist has attempted to do is define honeypots.

"A honeypot is an information system resource whose value lies in unauthorized or illicit use of that resource"

In the case of this definition, tarpitting could fall under as a honeypot. For example, in the case of LaBrea, attackers interact with unused IP space. That attempt is considered unauthorized, so LaBrea would tarpit them. Tarpitting is nothing more than one more service a honeypot can provide.

lance