Honeypots mailing list archives
Re: Heisenberg in the honeypot
From: Christian Kreibich <christian () whoop org>
Date: Sun, 20 Jun 2004 03:12:51 -0700
Hi,

On Fri, 2004-06-18 at 05:47, H Carvey wrote:

> This is a question that's been banging around inside my head for a while... It's been said that honeypots can be used to "know your enemy"...but setting up a honeypot and having someone attack it, you get to see how attacks are performed, what steps a particular attacker takes once on the system, etc. So my question is...has anyone considered the Heisenberg Uncertainty Principle, with regards to honeypots? Specifically, honeypots are used to capture/"observe" attacks, and the HUP states that by the very act of observing something, we inherently alter that event/object. As the HUP applies to honeypots, please bear with me...

well I guess the HUP mostly applies in the sense that most honeypots out there probably have one Heisenbug or another :)

> Honeypots and honeynets for detecting activity have been around for a while now, and are essentially public knowledge. While it may not be publicly known exactly *where* these systems are, many know that they're out there. So...if someone has a 0-day exploit or a new technique that they've developed, would one think that they'd fire it off against a system that *could be* a honeypot, thereby exposing that new exploit/technique? Or would they specifically target machines that they know are NOT honeypots?

If you have a zero-day exploit and no conscience, you'll probably either

- write a worm that uses it (thus hitting pots and nonpots indiscriminately) or
- save it for when you'll really need it, in which case you could be clueful enough to potentially detect the pot and are not the right type of customer for the low-interaction stuff anyway.

> The next question, I guess, would be...what kind of things are we really seeing in the honeypots? Worms are pretty indiscriminate, as are skript kiddies. So, are we (or perhaps more appropriately, the honeypots) seeing new things? If so, where are such things documented?

I think several people have posted links to "what we've seen" kind of documents on this list ...

Cheers,
Christian.

--
http://www.cl.cam.ac.uk/~cpk25
http://www.whoop.org