Honeypots mailing list archives
Re: Commercial anti-honeypot tool
From: "KeyFocus" <support () keyfocus net>
Date: Tue, 13 Jan 2004 01:10:21 -0000
Wouldn't it be easy for a honeypot to detect "Hon.eypot Hun.ter" simply by looking for SOCKS clients that make connection requests back to their own IP on port 25? For these connections, the honeypot could provide full SOCKS functionality.
You're making the assumption that the injecting IP address and the destination IP address are in the same address range. There's nothing that says that the thing can't at least in theory come from 66.112.34.98 or someplace, and ask to connect to 12.34.98.64, which is running a packet forwarder back to the 66. address.
Well that's the way it works in the current version of H.H. Once they smarten up and do what you say they will be much harder to detect.
- Tom
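
The check discussed in this message, as an added example for a SOCKS honeypot (not code from the list or from any honeypot product): parse the CONNECT request and flag clients that ask to be connected back to their own address on port 25. Function names and the sample addresses are constructed, and the SOCKS5 branch assumes method negotiation has already completed; the last sample is the forwarder case raised in the reply, which this check does not catch.

```python
import ipaddress
import struct

SMTP_PORT = 25

def parse_socks_connect(msg: bytes):
    """Return (dst_ip, dst_port) for a SOCKS4/SOCKS5 IPv4 CONNECT request, else None."""
    if len(msg) >= 8 and msg[0] == 4 and msg[1] == 1:
        # SOCKS4: VN, CD, DSTPORT(2), DSTIP(4), USERID..., NUL
        # (a SOCKS4a hostname request carries DSTIP 0.0.0.x and never matches a client)
        (port,) = struct.unpack("!H", msg[2:4])
        return str(ipaddress.IPv4Address(msg[4:8])), port
    if len(msg) >= 10 and msg[0] == 5 and msg[1] == 1 and msg[3] == 1:
        # SOCKS5 request: VER, CMD, RSV, ATYP=1 (IPv4), DST.ADDR(4), DST.PORT(2)
        (port,) = struct.unpack("!H", msg[8:10])
        return str(ipaddress.IPv4Address(msg[4:8])), port
    return None

def is_self_smtp_probe(client_ip: str, msg: bytes) -> bool:
    """True when the client asks the proxy to connect back to the client itself on port 25."""
    return parse_socks_connect(msg) == (client_ip, SMTP_PORT)

# Helpers that build constructed sample requests for the demo and tests.
def socks4_connect(ip: str, port: int) -> bytes:
    return bytes([4, 1]) + struct.pack("!H", port) + ipaddress.IPv4Address(ip).packed + b"\x00"

def socks5_connect(ip: str, port: int) -> bytes:
    return bytes([5, 1, 0, 1]) + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)

# Constructed samples: (client source IP, request bytes, description)
SAMPLES = [
    ("192.0.2.10", socks4_connect("192.0.2.10", 25), "SOCKS4 back to self on 25"),
    ("192.0.2.10", socks5_connect("192.0.2.10", 25), "SOCKS5 back to self on 25"),
    ("192.0.2.10", socks5_connect("192.0.2.10", 80), "back to self, not SMTP"),
    ("192.0.2.10", socks4_connect("198.51.100.7", 25), "via forwarder on another IP"),
]

if __name__ == "__main__":
    for client_ip, request, label in SAMPLES:
        verdict = "FLAG" if is_self_smtp_probe(client_ip, request) else "pass"
        print(f"{verdict}  {client_ip} -> {parse_socks_connect(request)}  ({label})")
```
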
Current thread:
- Commercial anti-honeypot tool [2] Larissa Fricker (Jan 12)
- Re: [mailinglists] Commercial anti-honeypot tool [2] KeyFocus (Jan 12)
- Re: Commercial anti-honeypot tool [2] Valdis . Kletnieks (Jan 12)
- Re: Commercial anti-honeypot tool KeyFocus (Jan 12)