Honeypots mailing list archives

Re: Commercial anti-honeypot tool [2]


From: Valdis.Kletnieks () vt edu
Date: Mon, 12 Jan 2004 16:49:09 -0500

On Mon, 12 Jan 2004 17:05:55 +0100, Larissa Fricker <lft () netsec ch> said:
> The names and mail contents are random data to avoid the
> honeypot identifying Hon.eypot Hun.ter.
>
> Wouldn't it be easy for a honeypot to detect "Hon.eypot Hun.ter"
> simply by looking for SOCKS clients that make connection requests
> back to their own IP on port 25? For these connections, the
> honeypot could provide full SOCKS functionality.

You're making the assumption that the injecting IP address and the destination
IP address are in the same address range.  There's nothing that says that the
thing can't at least in theory come from 66.112.34.98 or someplace, and ask
to connect to 12.34.98.64, which is running a packet forwarder back to the 66. address.

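Added example, not part of the original message or of any tool named in the thread: the check proposed in the quoted question, written for a honeypot that sees the raw SOCKS CONNECT request. It covers SOCKS4 and SOCKS5 IPv4 requests (a generalization beyond the thread); all function names are hypothetical and the sample requests are constructed from the addresses used in the reply.

```python
import ipaddress
import struct

def parse_connect(request: bytes):
    """Return (dst_ip, dst_port) for a SOCKS4/SOCKS5 IPv4 CONNECT, else None."""
    if len(request) >= 9 and request[0] == 4 and request[1] == 1:
        # SOCKS4: VN, CD, DSTPORT(2), DSTIP(4), USERID..., NUL
        if 0 not in request[8:]:
            return None  # unterminated USERID field
        port, raw_ip = struct.unpack("!H4s", request[2:8])
    elif len(request) >= 10 and request[:4] == b"\x05\x01\x00\x01":
        # SOCKS5 (RFC 1928): VER, CMD, RSV, ATYP=IPv4, DST.ADDR(4), DST.PORT(2)
        raw_ip, port = struct.unpack("!4sH", request[4:10])
    else:
        return None
    return ipaddress.IPv4Address(raw_ip), port

def is_self_probe(client_ip: str, request: bytes) -> bool:
    """Heuristic from the question: CONNECT back to the client's own IP, port 25."""
    parsed = parse_connect(request)
    if parsed is None:
        return False
    dst_ip, dst_port = parsed
    return dst_port == 25 and dst_ip == ipaddress.IPv4Address(client_ip)

def socks4_connect(dst_ip: str, port: int) -> bytes:
    """Build a constructed SOCKS4 CONNECT request with an empty USERID."""
    packed_ip = ipaddress.IPv4Address(dst_ip).packed
    return struct.pack("!BBH4s", 4, 1, port, packed_ip) + b"\x00"

# Constructed sample input, using the example addresses from the reply.
CLIENT = "66.112.34.98"
SAMPLES = {
    "direct": socks4_connect("66.112.34.98", 25),
    "forwarder": socks4_connect("12.34.98.64", 25),
    "socks5_direct": b"\x05\x01\x00\x01"
    + ipaddress.IPv4Address(CLIENT).packed + struct.pack("!H", 25),
}

def classify():
    """Apply the heuristic to every sample; the forwarder case is not flagged."""
    return {name: is_self_probe(CLIENT, req) for name, req in SAMPLES.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:14s} flagged={hit}")
```

The "forwarder" sample is the case raised in the reply: the destination differs from the injecting address, so an address-equality check alone does not flag it.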