Honeypots mailing list archives

RE: Detection of attacks with the help of honeypots


From: "Bruno MAC Castro" <bcastro () dei uc pt>
Date: Sat, 9 Nov 2002 15:29:44 -0000

Hi Hess,

Just my 0.02$...

I am sure that each one of us has a personal idea about the HoneyPot
concept. I can summarize my idea about the main goals of a
HoneyPot:

1. Learn
The main goal of a Honeypot is to learn hacker's techniques and tools.
Only that way, we (System administrators and Security agents) can
improve our forensics and defense techniques.

2. Improve our systems
If a hacker (or cracker) gets in our system it's because something is
not right! Without knowing how he did it, that would be our only
conclusion after the break-in. A Honeypot gives us the vital information
for a system administrator: our system holes! That way you will only
need to close (or configure) the corrupted service or apply some patch,
etc... Until a new "hole" is found...

3. Legal Information
A HoneyPot will gather all "step-by-step" information regarding the
hacker's hacking process. So, maybe you will gather enough information
to build a legal accusation against the "script kiddie"... just
maybe... not easy!

4. Hide the vital systems
A HoneyPot can be used as a security measure. Only that! It will never
(maybe too radical! :-) ) be a security defense solution. How can it be
a security measure? Well, a hacker will be looking for the first and the
easiest way to break in. If a HoneyPot is installed on a company network
(ISP, bank, etc) it will be the easiest target for sure... and will get
all hacker's attention! That way, he will be "interested" on the
HoneyPot and not on our real system.
I think this will be HoneyPot's future as a security solution...

Hope that it helped...
Best Regards,
Bruno

______________________________________
Bruno Miguel Abrantes de Campos e Castro
Mail To:
bcastro () portugalmail pt
bcastro () dei uc pt
______________________________________

-----Original Message-----
From: hess () ftmail ee tu-berlin de [mailto:hess () ftmail ee tu-berlin de]
On Behalf Of Andreas Hess
Sent: Wednesday, 6 November 2002 8:33
To: honeypots
Subject: Detection of attacks with the help of honeypots

Hi,

I am relatively new to the concept of honeypots, thus I've got a general
question.
As far as I've understood the concept, honeypots could amongst other
things be used for the detection of attacks.
An attack could be identified by:

1.) communication between a remote host and the honeypot - as this is
always suspicious, as an honest person would never contact a honeypot
2.) analysing log-files of the honeypot
3.) certain reactions of a honeypot.

Are there honeypots which are capable of differentiating between regular
and irregular requests?
What happens if somebody floods a honeypot with a huge amount of regular
requests? This is a kind of attack versus the honeypot but would not
affect a real system.
Is the current approach a mixture of the three given possibilities or
how does it work?

Thank you very much for helping!

Regards Andreas
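An added illustration of points 1.) and 2.) above together with the flood question, written for this archive page and not part of either message: a small triage script that reads honeypot connection log lines, raises one alert for every contact (since nobody has a legitimate reason to talk to the honeypot) and collapses a burst of many requests from one source into a single flood summary, so that a flood of "regular" requests cannot drown the alert stream. The honeypot address, the log line format, the thresholds and the log lines themselves are all constructed for this example.

```python
"""Honeypot log triage: every contact is an alert, floods are summarized.

Added example; the log format "timestamp src dst port", the honeypot
address and the thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HONEYPOT_ADDR = "192.0.2.10"          # assumed honeypot address (documentation range)
FLOOD_THRESHOLD = 5                   # assumed: more than this many hits per window is a flood
FLOOD_WINDOW = timedelta(seconds=60)  # assumed sliding window length

# Constructed sample log: one source probes two ports, one line targets a
# non-honeypot host (ignored), one line is garbage (ignored), and one source
# sends eight requests within thirty seconds (a flood).
SAMPLE_LOG = """\
2002-11-06T08:33:01 203.0.113.5 192.0.2.10 22
2002-11-06T08:33:02 203.0.113.5 192.0.2.10 23
2002-11-06T08:33:05 203.0.113.5 192.0.2.20 22
this line is garbage
2002-11-06T08:34:10 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:12 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:14 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:16 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:18 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:20 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:22 198.51.100.7 192.0.2.10 80
2002-11-06T08:34:24 198.51.100.7 192.0.2.10 80
"""


def parse_line(line):
    """Parse one 'timestamp src dst port' line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return {"ts": datetime.fromisoformat(parts[0]), "src": parts[1],
                "dst": parts[2], "port": int(parts[3])}
    except ValueError:
        return None


def is_flood(recs):
    """True if more than FLOOD_THRESHOLD records (sorted by ts) fall in one window."""
    start = 0
    for end in range(len(recs)):
        while recs[end]["ts"] - recs[start]["ts"] > FLOOD_WINDOW:
            start += 1
        if end - start + 1 > FLOOD_THRESHOLD:
            return True
    return False


def triage(log_text):
    """Return alerts: one 'contact' per honeypot hit, or one 'flood' per bursty source."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only traffic to the honeypot matters; anything else is out of scope here.
        if rec is None or rec["dst"] != HONEYPOT_ADDR:
            continue
        by_src[rec["src"]].append(rec)

    alerts = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        if is_flood(recs):
            alerts.append({"kind": "flood", "src": src, "count": len(recs),
                           "ports": sorted({r["port"] for r in recs})})
        else:
            for r in recs:
                alerts.append({"kind": "contact", "src": src,
                               "port": r["port"], "ts": r["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```

The script does not try to tell "regular" from "irregular" requests at all: the honeypot's value as a detector comes from the fact that any contact is unexpected, so the only classification it needs is whether a source is probing or flooding. A real deployment would feed the honeypot's own logs in and tune the window and threshold to the service being emulated.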
