Security Incidents mailing list archives
Re: Cracked; rootkit - entrapment question?
From: rfp () WIRETRIP NET (rain forest puppy)
Date: Thu, 2 Mar 2000 05:58:26 -0600
Just my $.02 on the subject, but I think administrators are using the concept of a honeypot as some personal vindictive revenge tool. It is not. For those of you who think honeypots are there to 'lure' hackers, and to 'learn their attack tactics' by 'enticing them to log in', you've been watching too many Bond flicks. Maybe it's the inner hacker within you trying to get out, but, um, NO. You have so many entrapment legalities to deal with, and arguably you won't learn anything.

The best one I hear is 'entice him with juicy, but fake, data'. Um, how the hell is he supposed to know what data is on the box without breaking in? Therefore, where is the enticement? Come on, if HackerX breaks into your box and gains root, he's in. So now you spot him, what are you going to learn? What 'tactics' are you going to see? He's already in, he's not going to re-run his exploits. You can collect logs for 'evidence', but arguably the validity of the logs must be questioned if the attacker was given full access to the system. You're in the big catch-22 loop.

How should a honeypot be used? Let's say I have an NT server. My site gets 6 gigs of hits a day. Looking through a day's worth of logs is horrendous, and a task only given to the 'new guy'. It's easy for stuff to slip between the cracks. Enter honeypot. That webserver is 10.0.0.4. I put honeypots at 10.0.0.3 and 10.0.0.5. There should be *no* DNS entries for the honeypot; the point is to otherwise make the honeypots unused. Therefore, absolutely *ANY* traffic to those honeypots (which could be 1 system with 2 IP aliases) should immediately be considered SUSPICIOUS! Why? Because they have absolutely no production use. Now, if I have IIS with RDS running, and I see some schmoe hit RDS, I now should immediately go to my real webserver (10.0.0.4) and grep for his IP. See, the honeypots can serve as a precursor warning of attack.

Anyone who accesses the honeypots should be considered suspicious, and their corresponding accesses to production systems should then immediately be evaluated. Now, what if the attacker focuses just on the web server itself, and didn't hit the honeypot(s)? Then the issue becomes moot in either case. One thing a honeypot does provide: time to call the FBI, CERT, SANS, local law enforcement, tiger team, media reporter, or ex-lover, while the cracker is digging in. Plus, you have an immediate IP to shun.

- rain forest puppy
rfp () wiretrip net
www.wiretrip.net/rfp/
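The detection workflow rfp describes (honeypot aliases with no production use, so any client that touches them is suspicious, followed by a grep of the real web server's log for that client) as an added Python example; this is not part of the original post. It assumes constructed log lines in the IIS W3C extended format, that the two honeypot aliases and the production site log into one file with an s-ip field identifying the alias that was hit, and constructed client addresses and request paths.

```python
"""Correlate honeypot hits with production web-server requests.

Added example, not from the original post. The honeypots at 10.0.0.3 and
10.0.0.5 have no production use, so every client seen in their log lines is
treated as suspicious, and the production server (10.0.0.4) log is then
searched for the same client addresses. The log text below is a constructed
sample in IIS W3C extended format; field names come from the '#Fields:' line.
"""
from collections import defaultdict

HONEYPOTS = {"10.0.0.3", "10.0.0.5"}   # aliases with no DNS entry, no production use
PRODUCTION = "10.0.0.4"                # the real web server

# Constructed sample: one combined log, s-ip records which alias was hit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2000-03-02 05:00:00
#Fields: date time s-ip c-ip cs-method cs-uri-stem sc-status
2000-03-02 05:01:10 10.0.0.4 198.51.100.23 GET /default.htm 200
2000-03-02 05:02:45 10.0.0.3 203.0.113.9 GET /msadc/msadcs.dll 200
2000-03-02 05:02:51 10.0.0.4 203.0.113.9 GET /msadc/msadcs.dll 200
2000-03-02 05:03:02 10.0.0.4 203.0.113.9 POST /msadc/msadcs.dll 200
2000-03-02 05:04:00 10.0.0.4 192.0.2.150 GET /index.htm 200
2000-03-02 05:05:30 10.0.0.5 192.0.2.8 GET / 404
"""


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the '#Fields:' directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no requests
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"malformed log line: {line!r}")
        yield dict(zip(fields, values))


def honeypot_clients(records):
    """Every client address that touched a honeypot alias: the IPs to shun."""
    return {r["c-ip"] for r in records if r["s-ip"] in HONEYPOTS}


def correlate(records, suspicious):
    """Production-server requests made by suspicious clients, grouped by client.

    This is the 'grep the real web server for his IP' step; the result is the
    set of production accesses that now deserve a closer look.
    """
    hits = defaultdict(list)
    for r in records:
        if r["s-ip"] == PRODUCTION and r["c-ip"] in suspicious:
            hits[r["c-ip"]].append(
                f'{r["date"]} {r["time"]} {r["cs-method"]} {r["cs-uri-stem"]} {r["sc-status"]}'
            )
    return dict(hits)


def triage(text):
    """Return (suspicious client set, production hits by suspicious client)."""
    records = list(parse_w3c(text))
    suspicious = honeypot_clients(records)
    return suspicious, correlate(records, suspicious)


if __name__ == "__main__":
    suspicious, hits = triage(SAMPLE_LOG)
    print("clients seen on honeypots:", sorted(suspicious))
    for client, requests in hits.items():
        print(f"production requests from {client}:")
        for req in requests:
            print("   ", req)
```

In the sample, 203.0.113.9 hits a honeypot and then the production server, so its two production requests are flagged for review; 192.0.2.8 is also on the shun list but has no production traffic, and the clients that only ever spoke to 10.0.0.4 are not touched at all, which is the limitation rfp points out in the last paragraph.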