Honeypots mailing list archives

RE: Does it really take so long to get a bite?


From: "Greg van der Gaast" <greg.van.der.gaast () ordina nl>
Date: Mon, 9 Dec 2002 13:33:37 +0100

As far as the Sparc honeypots are concerned, they are definitely
attacked as well. My Sun Blade at home gets some hits directed at
relatively recent Solaris exploits. Considering how hugely popular some
Solaris exploits (specifically Sparc) have been in the past (STATD
anyone?) I'm pretty sure these systems will come under attack. Trouble
is that many of these exploits needed to be compiled on Sparc Solaris
systems, which not nearly as many script kiddies have access to.

A more secure system obviously has less chance of being compromised.
Having such a system on a home connection would mean fewer hostile hits.
The reason for this is that if someone is going to have to make an effort to
break into something, they'll at least want it to be interesting. If Joe
Hacker has to break into a relatively secure box, he'd rather spend his
energy breaking into, say, Ford Motor Company's R&D department than your
personal PC on some consumer ADSL provider...

Regards,

Greg van der Gaast 
Lead Consultant
Ordina Public West SDS Security


-----Original message-----
From: Chris Reining [mailto:creining () packetfu org]
Sent: Sunday, December 08, 2002 8:38 PM
To: Lance Spitzner
CC: honeypots () securityfocus com
Subject: Re: Does it really take so long to get a bite?

As many folks have discussed, it depends on a variety of variables.
Two years ago, RH 6.2 would have been hacked in hours. However,
folks have moved onto new 'exploit-du-jour', so what was highly
'hackable' two years ago may take weeks or even months. When the OpenSSH
exploit was released, it was possible for RH 6.2 or even RH 7.2 boxes to
last longer than an unpatched OpenBSD box. So, TTL is often based on what
the favored exploit happens to be at that time.

Also, keep in mind, the harder your honeypot is to break into, the more
you can learn. However, the harder it is to break into your honeypot,
the more value you have to give it. If the bad guys just want systems,
they will skip your hardened honeypot and go for the easy kill. All
depends on the type of clientele you wish to attract.

I am wondering if hardened honeypots will ever get compromised? Let's
say that I run a honeypot with only one accessible service running. This
service is exploitable by code that's in the public domain, but would
require the attacker to search for it. What are the odds of compromise?
And better yet, let's say this honeypot is on residential internet
service. Does that factor play any role?

Have other honeypotters run a hardened system only to give up months
later after no compromise?
 
One of the interesting things the Honeynet Project has seen is that
different operating systems attract different clientele. Linux hackers
tend to be a different community than Solaris, OpenBSD, or Windows
hackers. We do not have enough data to come to any conclusions, but
something to keep your eyes open for :)

What about Sparc hackers? Do they exist? I ran a Sparcstation honeypot
for a while and had the odd x86 exploit thrown at it but was never
compromised. I have heard stories of Sparc honeypots up for years w/o
being hacked.

Chris  
