Re: Does it really take so long to get a bite?

[Seth Arnold <sarnold () wirex com>]

On Sat, Dec 07, 2002 at 12:02:28PM -0600, Chris Reining wrote:
> I think that the TTL of a honeypot depends entirely on different
> variables like the ISP (from what I've seen, different ISPs/netblocks
> get scanned at different frequencies) and the latest and greatest
> exploit that the kiddies have. For instance, after a major software
> vulnerability is discovered and an exploit released there will be a
> sharp increase in scanning for vulnerable systems which will slowly
> decline over time.

I recommend reading the following paper, which tries to explore some of
these variables and how they effect the time before exploitation of
flaws:

@inproceedings(
    arbaugh01:analysis,
    author = "Hilary K. Browne and William A. Arbaugh and John McHugh and
William L. Fithen",
    title = "{A Trend Analysis of Exploitations}",
    booktitle = "Proceedings of the 2001 IEEE Security and Privacy Conference",
    address = "Oakland, CA",
    year = 2001,
    month = "May",
    pages = "214 - 229",
    note = "\url{ http://www.cs.umd.edu/~waa/pubs/CS-TR-4200.pdf }",
) 

Cheers :)


-- 
"Soldiers quartered in a populous town will always occasion two mobs
where they prevent one. They are wretched conservators of the peace."
-- John Adams

Attachment: _bin
Description: